What is Subdomain Takeover?

Subdomain takeover exploits dangling DNS records - CNAME entries that point to external services which no longer exist. When the external resource is deprovisioned but the DNS record persists, an attacker can register the orphaned resource and serve content on the victim’s subdomain.

How it happens

  1. An organisation creates a CNAME: promo.example.com → your-org.github.io
  2. The GitHub Pages site is deleted, but the CNAME remains
  3. An attacker creates a GitHub Pages site at your-org.github.io
  4. promo.example.com now serves the attacker’s content

Commonly vulnerable services

AWS S3, GitHub Pages, Heroku, Azure Web Apps, Shopify, Fastly, and Zendesk are among the services most frequently involved in subdomain takeover. Each has a characteristic error response that indicates vulnerability - such as “NoSuchBucket” for S3 or “There isn’t a GitHub Pages site here.”

Prevention

Remove DNS records when decommissioning external services. Audit CNAME records regularly. Use EASM tools like SurfaceLoop to continuously monitor for dangling DNS records.
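
As an illustration of the regular CNAME audit recommended above, here is an added example (not from the original page or any tool it names) that parses a BIND-style zone export and flags records whose subdomain returns one of the error responses quoted earlier. The suffix-to-service mapping, the `fetch_body` callback and all sample records and responses are assumptions constructed for this example.

```python
# Added example: audit a zone export for CNAMEs that may be dangling.
# The error strings are the two quoted on this page; mapping them to these
# hostname suffixes is an assumption of this example.
FINGERPRINTS = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here."),
}

def parse_cnames(zone_text):
    """Return (owner, target) pairs for CNAME lines in a BIND-style export."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "CNAME" in fields[1:-1]:
            target = fields[fields.index("CNAME", 1) + 1]
            records.append((fields[0].rstrip(".").lower(), target.rstrip(".").lower()))
    return records

def audit(zone_text, fetch_body):
    """fetch_body(hostname) returns the HTTP body as str, or None on failure."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        for suffix, (service, marker) in FINGERPRINTS.items():
            if not target.endswith(suffix):
                continue
            body = fetch_body(owner)
            # Normalise curly apostrophes so either rendering matches.
            if body is not None and marker in body.replace("\u2019", "'"):
                findings.append((owner, target, service))
    return findings

# Constructed sample data (not real records or responses).
SAMPLE_ZONE = """\
promo.example.com.   3600 IN CNAME your-org.github.io.   ; old campaign
assets.example.com.  3600 IN CNAME example-assets.s3.amazonaws.com.
docs.example.com.    3600 IN CNAME example-docs.github.io.
www.example.com.     3600 IN CNAME lb.example.net.
"""
SAMPLE_BODIES = {
    "promo.example.com": "<h1>404</h1><p>There isn\u2019t a GitHub Pages site here.</p>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "docs.example.com": "<html><title>Docs</title></html>",
}

if __name__ == "__main__":
    for owner, target, service in audit(SAMPLE_ZONE, SAMPLE_BODIES.get):
        print(f"REVIEW {owner} -> {target} ({service} error page served)")
```

Against a real zone, `fetch_body` would wrap an HTTP client with a timeout; each flagged record is a candidate for removal once the owning team confirms the external resource is gone.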