Subdomain Takeover Risk: A Practical Playbook
https://vulnify.app/blog/subdomain-takeover-risk-playbook

Subdomain takeover happens when DNS still points at a service you no longer control. Learn how attackers abuse dangling CNAMEs and how to find them before someone else claims your subdomain.

Subdomain takeover is one of those vulnerabilities that sounds exotic until you see it on a production marketing domain. The root cause is usually mundane: a CNAME still points at GitHub Pages, Heroku, Azure, or another SaaS endpoint, but the tenant behind that endpoint was deleted. An attacker claims the orphaned target and serves content on campaign.yourbrand.com. Your users trust the subdomain because it is yours.

This playbook explains how takeover works, where dangling records come from, and how to find them with low-noise tooling before launch, after vendor offboarding, and during periodic attack-surface reviews.

How Takeover Actually Happens

Most takeovers follow the same pattern. Your DNS publishes CNAME promo.example.com → old-service.example.net. The SaaS account that owned old-service is gone, but DNS never changed. The provider shows a "not found" or "claim this name" page. The attacker creates a new account, adds the name to it, and publishes phishing or malware under your subdomain. Whether a given dangling record is exploitable depends on whether the provider lets a new tenant claim the name without proving control of your domain, so treat every dangling record as a finding and prioritise the ones on providers known to be claimable.

The impact goes beyond a defaced page. Cookies scoped to the parent domain (Domain=example.com) are sent to the attacker's host, and the attacker can set cookies for the parent domain from it. Links to the subdomain pass email and URL reputation filters because the domain is yours. And because the attacker controls what the host serves, they can often obtain a valid TLS certificate for it. It is not theoretical: bug bounty programs and incident reports regularly pay for dangling CNAMEs on major domains.

Where Dangling Records Come From

Common sources include retired marketing microsites, A/B test hosts, acquired-company DNS imports, CDN or WAF cutovers left half-finished, and contractor-managed DNS that nobody audited after a project ended. SaaS offboarding is a repeat offender: the team deletes the S3 bucket or Heroku app but not the CNAME.

Inventory Before You Scan

You cannot fix what you have not listed.
Start with passive subdomain discovery to collect hostnames from public sources without aggressive brute force. Compare the results to your internal CMDB or registrar DNS export. Hosts that show up in one list but not the other are either legacy debt or shadow IT, and both need an owner before you scan.

Finding Vulnerable CNAME Chains

The subdomain takeover scanner focuses on CNAME targets associated with claimable services and verifies live HTTP responses that indicate an unclaimed resource. The HTTP check matters: many providers answer DNS for any name under their domain, so an NXDOMAIN on the target is only one signal, and the page served for your Host header is the other. The scanner is designed for defenders: evidence-first output you can attach to tickets, not blind exploitation. Run it on your apex domain after:

- Retiring a campaign subdomain
- Switching CDN or hosting vendors
- Merging DNS zones from an acquisition
- Any incident where an unknown subdomain appeared in logs

Remediation Playbook

When you confirm risk, pick one path and document it:

1. Remove the CNAME if the subdomain is unused. Delete the record and confirm nothing legitimate still resolves through it, including other records in your own zone that point at the name you just removed.
2. Reclaim the target if the subdomain is still required. Recreate the SaaS tenant or point DNS at infrastructure you control.
3. Replace with A/AAAA only when you operate the destination directly; do not point at shared SaaS names you might abandon again.
4. Monitor with scheduled rediscovery after major marketing or infrastructure changes.

Our fix guide for orphaned subdomains walks through DNS cleanup and verification steps in more detail.

Prevention Habits

Pair DNS changes with offboarding checklists: "delete app" and "delete CNAME" must be the same ticket. Use short TTLs during migrations so mistakes are reversible. Restrict who can create public subdomains in SaaS consoles tied to your domain.

Takeover risk also intersects with broader common website security mistakes like exposed admin paths on forgotten hosts. Clean DNS and scan those hosts if they still resolve.

Next Steps

Run passive discovery, follow with the takeover scanner, fix dangling CNAMEs, and rescan to confirm closure.
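The scan-and-rescan loop above, as an added example that is not Vulnify's scanner or any code from this page. It pulls the CNAME owners out of a BIND-style zone export, diffs passive-discovery hosts against that inventory, follows each CNAME chain through an injectable DNS table, separates targets that are NXDOMAIN from providers that resolve but serve an unclaimed page for your Host header, and flags records in your own zone that still point at a host you deleted (the "confirm nothing legitimate still resolves" step). The zone text, DNS answers, HTTP bodies and the two-entry fingerprint list are constructed sample data and assumptions, not live lookups; replace the tables with real DNS and HTTP calls to run it against your domain.

```python
"""Dangling-CNAME check over a zone export, with injectable DNS/HTTP tables.
Added example for this playbook (not Vulnify's scanner); all data is constructed."""
import re
from collections import namedtuple

# Illustrative subset (assumption): final-target suffix -> text the provider
# serves for an unclaimed name. Extend from your own vendor inventory.
CLAIMABLE = {
    "github.io": "There isn't a GitHub Pages site here",
    "herokuapp.com": "No such app",
}
# BIND-style "owner [ttl] IN CNAME target"; names without a trailing dot are relative.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)", re.M)
Finding = namedtuple("Finding", "host chain status evidence")

def fqdn(name, origin):
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Return {owner: target} for every CNAME in a registrar/zone export."""
    return {fqdn(o, origin): fqdn(t, origin) for o, t in CNAME_RE.findall(zone_text)}

def unknown_hosts(discovered, inventory):
    """Passive-discovery hosts absent from the CMDB/zone: legacy debt or shadow IT."""
    return sorted(set(discovered) - set(inventory))

def follow_chain(host, dns, max_hops=8):
    """Walk CNAMEs; dns.get(name) -> (rtype, value), or None for NXDOMAIN."""
    chain, name = [host], host
    for _ in range(max_hops):
        rec = dns.get(name)
        if rec is None:
            return chain, "NXDOMAIN"
        rtype, value = rec
        if rtype != "CNAME":
            return chain, rtype
        chain.append(value)
        name = value
    return chain, "LOOP"

def classify(host, chain, final_type, origin, http):
    """Status plus ticket-ready evidence; http maps Host header -> (status, body)."""
    final = chain[-1]
    provider = next((p for p in CLAIMABLE if final == p or final.endswith("." + p)), None)
    if final_type == "NXDOMAIN":
        if final.endswith("." + origin):
            return "internal-dangling", f"{final} is gone from your own zone; fix this pointer too"
        if provider:
            return "dangling-claimable", f"{final} is NXDOMAIN on claimable provider {provider}"
        return "dangling-review", f"{final} is NXDOMAIN; confirm who owned it before closing"
    if final_type == "LOOP":
        return "loop", f"no terminal record within {len(chain) - 1} hops"
    if provider:
        # Many providers answer DNS for any name under their domain, so the
        # unclaimed signal is the body served for OUR Host header, not NXDOMAIN.
        status, body = http.get(host, (0, ""))
        if CLAIMABLE[provider] in body:
            return "unclaimed-live", f"HTTP {status} carries fingerprint {CLAIMABLE[provider]!r}"
    return "ok", f"chain ends at a {final_type} record"

def scan(zone_text, origin, dns, http):
    """Non-ok findings for every CNAME owner in the export, sorted by host."""
    findings = []
    for host in parse_cnames(zone_text, origin):
        chain, final_type = follow_chain(host, dns)
        status, evidence = classify(host, chain, final_type, origin, http)
        if status != "ok":
            findings.append(Finding(host, chain, status, evidence))
    return sorted(findings)

# ---- constructed sample data (assumptions, not real DNS or HTTP) ------------
ORIGIN = "example.com"
ZONE = """
promo    300 IN CNAME old-service.example.net.
campaign 300 IN CNAME yourbrand-campaign.github.io.
docs     300 IN CNAME yourbrand-docs.herokuapp.com.
www      300 IN CNAME cdn.example.com.
blog     300 IN CNAME promo
"""
DNS_BEFORE = {
    "promo.example.com": ("CNAME", "old-service.example.net"),       # target is NXDOMAIN
    "campaign.example.com": ("CNAME", "yourbrand-campaign.github.io"),
    "yourbrand-campaign.github.io": ("A", "185.199.108.153"),        # resolves but unclaimed
    "docs.example.com": ("CNAME", "yourbrand-docs.herokuapp.com"),   # target is NXDOMAIN
    "www.example.com": ("CNAME", "cdn.example.com"),
    "cdn.example.com": ("A", "203.0.113.10"),
    "blog.example.com": ("CNAME", "promo.example.com"),              # chains through promo
}
HTTP_BEFORE = {"campaign.example.com": (404, "<h1>There isn't a GitHub Pages site here.</h1>")}
# After remediation: promo and docs records deleted, campaign tenant reclaimed,
# but the blog record that pointed at promo was forgotten.
DNS_AFTER = {k: v for k, v in DNS_BEFORE.items() if k not in ("promo.example.com", "docs.example.com")}
HTTP_AFTER = {"campaign.example.com": (200, "<h1>Spring campaign</h1>")}
ZONE_AFTER = "\n".join(line for line in ZONE.splitlines() if not line.startswith(("promo", "docs")))

if __name__ == "__main__":
    print("unknown:", unknown_hosts(["promo.example.com", "old-test.example.com"], parse_cnames(ZONE, ORIGIN)))
    for label, args in (("before", (ZONE, ORIGIN, DNS_BEFORE, HTTP_BEFORE)),
                        ("after", (ZONE_AFTER, ORIGIN, DNS_AFTER, HTTP_AFTER))):
        for f in scan(*args):
            print(f"{label:6} {f.status:18} {' -> '.join(f.chain)} | {f.evidence}")
```

The before scan reports four findings (promo and blog chain to an NXDOMAIN name nobody has fingerprinted, docs sits on a claimable provider, campaign resolves but serves the provider's unclaimed page). The after scan still reports blog as internal-dangling: the promo record was deleted but the pointer at it was not, which is exactly the case the rescan step exists to catch. Only once blog is also fixed does the scan come back empty.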
For ongoing exposure tracking, combine this playbook with vulnerability scanning best practices and scheduled checks from the Vulnify dashboard.

Frequently Asked Questions

What is subdomain takeover?
Subdomain takeover happens when a DNS record (usually a CNAME) points to a third-party service you no longer control, and an attacker registers that name on the provider to host content on your subdomain.

How do I find dangling CNAME records?
Start with passive subdomain discovery to list hosts, then run a subdomain takeover scanner on your apex domain to match CNAME targets against unclaimed SaaS fingerprints.

Is subdomain takeover still common in 2026?
Yes. Marketing subdomains, legacy campaign hosts, and half-finished cloud migrations still leave dangling records. Automated scanners and bug bounty reports find them regularly.

Does a WAF stop subdomain takeover?
No. Takeover is a DNS and hosting ownership problem. A WAF on your main site does not protect orphaned subdomains that still resolve elsewhere.

Related Guides

Email Blacklists and DNSBL: A Defender Playbook
CAA Records Explained for Site Owners
Pre-Launch Security Checklist (8 Free Checks)
WAF and CDN Detection: What It Means for Your Scans