← All guides
Subdomain Takeover: The Dangling DNS Risk
A subdomain takeover occurs when one of your subdomains has a DNS record — usually a CNAME — pointing to a third-party service (an S3 bucket, a Pages site, a Heroku app) that no longer exists. An attacker can register that resource and serve their own content from your subdomain.
Why it is dangerous
Content on your real subdomain inherits your brand trust and can host phishing, steal cookies scoped to the parent domain, or pass domain-validation checks. It is a common and high-impact finding.
How to prevent it
When you decommission a service, remove the DNS record that pointed to it in the same change. Periodically audit CNAMEs for targets that no longer resolve or return a "no such resource" page.