
Subdomain Takeover Scanner Guide

Use this guide to understand subdomain takeover, interpret CNAME findings, and remove stale DNS safely.

Overview

Subdomain takeover happens when DNS still points at a decommissioned third-party service that someone else can claim. The attacker inherits traffic and trust tied to your hostname.

High-risk pattern

  • Stale CNAME: A subdomain still points at GitHub Pages, Heroku, S3, Shopify, or similar services.
  • Unclaimed resource: The upstream provider returns a known not-found or unclaimed fingerprint.
  • Public impact: Visitors and cookies scoped to your subdomain can be exposed to attacker-controlled content.

Common provider targets

Provider        Example target             Why it matters
GitHub Pages    username.github.io         Marketing and docs subdomains are often forgotten
Heroku          app.herokuapp.com          Old staging apps are common leftovers
Amazon S3       bucket.s3.amazonaws.com    Static asset buckets are easy to decommission incompletely

Remediation workflow

Remove dangling DNS
Delete the stale CNAME or reclaim the upstream resource, then re-run the scanner to confirm the fingerprint no longer matches.

Recommended Remediation Flow

  1. Delete stale records: Remove DNS entries for decommissioned services immediately.
  2. Add offboarding checks: Include DNS cleanup in vendor and campaign teardown runbooks.
  3. Re-test after changes: Run the scanner again once DNS changes propagate.

Troubleshooting Common Issues

CNAME exists but no takeover match

The upstream resource may still be owned by your team.

  • Verify the SaaS account is still active.
  • Review whether the subdomain is intentionally in use.
  • Keep monitoring during decommissioning windows.
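The following is an added example (not code from the original guide or from any scanner product) showing how the high-risk pattern above is evaluated and how the "CNAME exists but no takeover match" case is reported as a separate state rather than a finding. The fingerprint strings, the sample zone and the sample HTTP bodies are all constructed for illustration; confirm fingerprints against each provider's current unclaimed-resource page before relying on them.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative fingerprints (assumed, not authoritative): the text a provider
# returns when the resource a CNAME points at is not claimed by anyone.
FINGERPRINTS: Dict[str, str] = {
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
    "s3.amazonaws.com": "NoSuchBucket",
}

@dataclass
class Finding:
    host: str
    cname: Optional[str]
    provider: Optional[str]
    # no_cname | unknown_provider | takeover_candidate | cname_no_match
    status: str

def match_provider(cname: str) -> Optional[Tuple[str, str]]:
    """Map a CNAME target to a known provider suffix; None if unrecognised."""
    target = cname.lower().rstrip(".")
    for suffix, fingerprint in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return suffix, fingerprint
    return None

def assess(host: str, resolve_cname: Callable[[str], Optional[str]],
           fetch_body: Callable[[str], str]) -> Finding:
    """Classify one host. resolve_cname/fetch_body are injected so the logic
    runs offline here; in a real scan they wrap a DNS lookup and an HTTP GET."""
    cname = resolve_cname(host)
    if cname is None:
        return Finding(host, None, None, "no_cname")
    match = match_provider(cname)
    if match is None:
        return Finding(host, cname, None, "unknown_provider")
    suffix, fingerprint = match
    if fingerprint in fetch_body(host):
        return Finding(host, cname, suffix, "takeover_candidate")
    # Stale-looking CNAME but the resource answers normally: likely still owned.
    return Finding(host, cname, suffix, "cname_no_match")

# Constructed sample data: a tiny zone and the bodies those hosts would serve.
SAMPLE_CNAMES = {"docs.example.com": "acme-docs.github.io",
                 "staging.example.com": "old-staging.herokuapp.com",
                 "blog.example.com": "acme-blog.github.io"}
SAMPLE_BODIES = {"docs.example.com": "<h1>There isn't a GitHub Pages site here.</h1>",
                 "staging.example.com": "<title>Acme staging (owned)</title>",
                 "blog.example.com": "<h1>Acme Blog</h1>"}

def scan(hosts: List[str]) -> Dict[str, str]:
    """Return host -> status using the constructed sample data."""
    return {h: assess(h, SAMPLE_CNAMES.get, lambda x: SAMPLE_BODIES.get(x, "")).status
            for h in hosts}
```

Only "takeover_candidate" should be escalated; "cname_no_match" goes through the ownership checks in the troubleshooting list above.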

Validation Checklist

Post-fix validation

  • No unclaimed-service fingerprints match live responses.
  • DNS offboarding is part of vendor teardown.
  • High-value subdomains are inventoried regularly.

FAQ

Is takeover the same as subdomain discovery?

No.

  • Discovery finds hosts.
  • Takeover scanning checks whether those hosts can be claimed by an attacker.
  • Use both during attack-surface reviews.