🚀 A CloudSEK se torna a primeira empresa de segurança cibernética de origem indiana a receber investimentos da Estado dos EUA fundo
Leia mais
A subdomain takeover is an attack where someone gains control of a subdomain because its DNS record points to a third-party service that was removed or never claimed. The attacker registers that service and serves their own content from a subdomain that users trust.
The flaw behind it, a dangling DNS record, is widespread: security researchers at Certitude identified more than 1,000 organizations with subdomains vulnerable to takeover in a single 2023 study, and described it as the tip of the iceberg.
This guide explains what subdomain takeover is, how it happens, the DNS record types and services at risk, how to detect it, the damage it causes, how to prevent it, and what to do if a subdomain is already taken over.
A subdomain takeover is the unauthorized control of a subdomain that occurs when its DNS record still points to a deprovisioned or unclaimed third-party service. The subdomain continues to resolve, but because nothing legitimate answers at the destination, an attacker who claims that service controls what the subdomain serves.
The root cause is a dangling DNS record. A dangling DNS record is a DNS entry, most often a CNAME, that points to an external resource that no longer exists or was never set up. The record keeps directing visitors to a service endpoint, yet the endpoint sits empty and claimable. An attacker who registers the same resource name at the provider steps into that empty endpoint.
The danger comes from inherited trust. The hijacked subdomain belongs to the real domain, so it carries the organization's brand, often a valid TLS certificate, and sometimes cookies scoped to the parent domain. Visitors and security tools treat it as legitimate, which makes it a powerful base for fraud. Any organization that uses cloud or third-party hosting through CNAME, A, or NS delegation can be exposed.
A subdomain takeover happens when the lifecycle of a subdomain and its hosting service falls out of sync. A subdomain is created, a DNS record points it to a third-party service, and the service hosts the content. The vulnerability opens when one half of that chain changes without the other. Two scenarios produce it.

The deprovisioning gap is the most common. A team decommissions a service, such as a marketing site on a cloud platform, but leaves the DNS record in place. The record now dangles, pointing to an endpoint anyone can claim. An attacker registers the same resource name at the provider and immediately controls the subdomain.
The provisioning gap runs in the opposite direction. A DNS record is created and pointed at a service before the host is actually claimed. If the provider does not verify ownership, an attacker who is faster claims that resource first and serves content the moment the record goes live.
Common root causes include mergers and acquisitions, where inherited DNS zones are poorly inventoried, weak asset management that loses track of subdomains, and coordination gaps between teams that own DNS and teams that own services. These same blind spots make broader attack surface management difficult, because an organization cannot protect assets it has not tracked.
Three DNS record types create subdomain takeover risk, each in a different way.

Takeover risk concentrates in third-party services where a resource name can be claimed by anyone. The community-maintained can-i-take-over-xyz project catalogs which providers are exploitable and how. The categories below are the most frequently affected.
Whether a service is exploitable depends on one factor: whether the provider verifies domain ownership before letting someone claim a resource name. Providers that skip that check leave their customers' dangling records open to takeover.
Detecting subdomain takeover follows three phases, moving from broad discovery to confirmed validation. The same methodology that defenders use is the one attackers run, so completing it first is what closes the gap.
One-time scans only capture a moment in time, so detection works best as a continuous process. Monitoring newly created subdomains and forgotten infrastructure catches records as they become dangling, and watching Certificate Transparency logs for certificates issued to a subdomain can reveal a takeover that has already occurred.
A hijacked subdomain inherits the trust of the parent domain, which turns it into a platform for six main forms of harm.

Preventing subdomain takeover is a matter of disciplined DNS and service lifecycle management. The following six measures close the gaps that attackers rely on.
If a subdomain has already been taken over, a structured response contains the damage and prevents recurrence. Work through the five steps in order.
Subdomain takeover is fundamentally an external attack surface problem, which is the category CloudSEK BeVigil is built for. The platform fingerprints an organization's internet-facing assets, automatically discovering domains, subdomains, SSL certificates, and DNS records, then scans them for misconfigurations. Its DNS scanner specifically flags subdomain takeovers, alongside related exposures such as SPF and DMARC issues and private IP disclosures, surfacing the exact dangling records an attacker would find through enumeration.
The value lies in running that discovery continuously rather than once. External assets change constantly as teams spin up and retire services, so a subdomain that becomes dangling after a service is decommissioned is flagged as the exposure emerges, not months later in an audit. Treating dangling records as part of ongoing misconfiguration monitoring closes the window that the attack depends on.
A dangling DNS record is a DNS entry, usually a CNAME, that points to a third-party resource that no longer exists or was never claimed. The record still resolves, but the destination is empty, which makes it claimable by an attacker.
It is widespread. A 2023 study found more than 1,000 organizations with vulnerable subdomains, and in 2020, researchers identified over 670 Microsoft subdomains at risk. Any organization using cloud hosting with unmanaged DNS records can be affected.
No. Only subdomains with a dangling DNS record pointing to a claimable third-party service are exploitable. A subdomain pointing to an active, owned service or a verified provider is not vulnerable to takeover.
Subdomain takeover claims a single subdomain through a dangling DNS record at a hosting provider. Domain hijacking seizes an entire domain, usually by compromising the registrar account or transferring ownership, affecting every subdomain at once.
Enumerate every subdomain, check whether each points to a deprovisioned or unclaimed service, and validate the finding manually. Continuous external attack surface monitoring automates this and flags dangling records as they appear.
Yes. Claiming and controlling a subdomain you do not own is unauthorized access under computer-misuse laws in most jurisdictions, even when done to demonstrate the flaw. Security researchers operate only under bug-bounty or disclosure agreements.
