April 20, 2025

How Subdomain Takeovers Happen

A subdomain takeover occurs when a DNS record points to a third-party service (like GitHub Pages, Heroku, or AWS S3) that has been deleted or expired, but the DNS CNAME remains. An attacker can then claim the resource and serve content under your domain.

The Attack Chain

  1. Company creates blog.example.com pointing to company.github.io.
  2. Company migrates the blog but forgets to remove the CNAME record.
  3. Attacker notices the dangling CNAME and registers company.github.io.
  4. Attacker now controls blog.example.com and can serve phishing pages or steal cookies.

Prevention

  • Maintain an inventory of all DNS records and their intended targets.
  • Before deleting a cloud resource, always remove its DNS entry first.
  • Use automated scanning tools that flag dangling CNAMEs.
  • Monitor certificate transparency logs for unexpected subdomains.