Subdomain Takeover Scanner
Check if your domain has dangling DNS records that could be exploited for subdomain takeover attacks.
What is Subdomain Takeover?
Subdomain takeover occurs when a subdomain points to a third-party service (via a CNAME record) that has been deprovisioned or unclaimed. An attacker can register the resource on the third-party platform and serve content under your domain name.
How it works
- Your organization creates blog.example.com pointing to a hosted service (e.g., example.herokuapp.com) via a CNAME record.
- The service is later discontinued, but the DNS CNAME record is never removed.
- An attacker claims example.herokuapp.com on Heroku and now controls the content served at blog.example.com.
Common vulnerable services
- AWS S3 — Deleted S3 bucket names can be re-registered.
- GitHub Pages — Removed repository or unconfigured custom domain.
- Heroku — Deleted apps leave CNAMEs dangling.
- Azure — Deprovisioned resources with remaining DNS records.
- Netlify / Vercel — Removed projects with stale DNS entries.
Why it matters for email security
If a mail-related subdomain (e.g., mail.example.com) is taken over, an attacker may be able to send emails that appear to originate from your domain. Without a strict DMARC subdomain policy (sp=reject), these emails could pass authentication checks and reach inboxes.
How to Remediate Dangling DNS
- Identify the record — Use this scanner or your DNS provider's management console to find CNAME records pointing to services that no longer respond.
- Verify the service is truly decommissioned — Confirm with the team that originally set up the service. Sometimes records point to services managed by other departments.
- Remove the DNS record — Delete the dangling CNAME, A, or AAAA record from your DNS zone.
- Set subdomain DMARC policy — Ensure your DMARC record includes sp=reject to prevent spoofing from subdomains you don't use for email. Learn about DMARC enforcement policies.
- Monitor continuously — New dangling records appear as services are decommissioned over time. Periodic scanning or continuous monitoring catches them before attackers do.
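The "identify the record" step above, as an added example that is not the scanner's own code: it flags CNAME records whose targets no longer resolve (NXDOMAIN) and separates those pointing at a platform where the name can be re-claimed (the services listed earlier) from other dangling records, which are a risk but not necessarily exploitable. The platform suffix list, the sample zone and the injected resolver answers are constructed assumptions so the code runs offline.

```python
"""Flag dangling CNAME records that point at takeover-prone hosting services.

Constructed example, not the scanner's own code. A resolver callable is
injected so the logic runs offline; a real run would plug in DNS lookups.
"""
from typing import Callable, Optional

# Hosting suffixes where a deleted resource name can be re-registered by
# anyone (the platforms listed above). Assumption: a suffix match suffices.
TAKEOVER_PRONE_SUFFIXES = (
    ".herokuapp.com", ".s3.amazonaws.com", ".github.io",
    ".azurewebsites.net", ".netlify.app", ".vercel.app",
)


def classify(subdomain: str,
             lookup_cname: Callable[[str], Optional[str]],
             target_exists: Callable[[str], bool]) -> str:
    """Return 'ok', 'dangling' or 'takeover-risk' for one subdomain.

    lookup_cname(name) -> CNAME target, or None if the name has no CNAME.
    target_exists(name) -> False when the target name is NXDOMAIN.
    """
    target = lookup_cname(subdomain)
    if target is None:
        return "ok"            # A/AAAA-only names are out of scope here
    if target_exists(target):
        return "ok"            # CNAME target still resolves
    # NXDOMAIN on the target means the record is dangling; it is only a
    # takeover risk when the name lives on a platform anyone can claim.
    if target.lower().rstrip(".").endswith(TAKEOVER_PRONE_SUFFIXES):
        return "takeover-risk"
    return "dangling"


# Constructed sample zone and resolver answers for an offline run.
SAMPLE_CNAMES = {
    "www.example.com": "example-site.netlify.app",    # still resolves
    "blog.example.com": "example.herokuapp.com",      # deleted app: NXDOMAIN
    "old.example.com": "box.retired-vendor.test",     # NXDOMAIN, unknown platform
    "mail.example.com": None,                         # A record only, no CNAME
}
SAMPLE_EXISTS = {"example-site.netlify.app": True}


def scan(zone=SAMPLE_CNAMES, exists=SAMPLE_EXISTS):
    """Classify every name in a zone; returns {subdomain: status}."""
    return {name: classify(name, zone.get, lambda t: exists.get(t, False))
            for name in zone}
```

Some platforms keep the target name resolving and answer with an error page instead of NXDOMAIN, so a fuller check also inspects the HTTP response from the target; that is outside this example.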
Frequently Asked Questions
What is a dangling DNS record?
A dangling DNS record is a CNAME, A, or AAAA record that points to a resource that no longer exists or is no longer controlled by the domain owner. Common examples include CNAME records pointing to deleted cloud buckets, removed Heroku apps, or deprovisioned Azure resources.
How does subdomain takeover work?
When a DNS record points to an unclaimed resource on a cloud platform, an attacker can register that resource and gain control of the subdomain. The DNS record acts as a bridge — it tells browsers and mail servers that the subdomain resolves to the attacker's newly claimed resource.
Can subdomain takeover lead to email spoofing?
Yes. If an attacker takes over a mail-related subdomain and the parent domain doesn't have sp=reject in its DMARC policy, they may be able to send authenticated email from that subdomain. This is why DMARC configuration and dangling DNS detection work together.
How many subdomains does this free scan check?
The free scan checks 12 common subdomains (www, mail, ftp, staging, dev, blog, etc.). Organizations typically have dozens or hundreds of subdomains — full monitoring covers all discovered subdomains with automated daily scanning. View pricing.
What's the difference between dangling DNS and subdomain takeover?
Dangling DNS is the vulnerability — a DNS record pointing to a non-existent resource. Subdomain takeover is the attack — an adversary claiming that resource to control the subdomain. Not all dangling records are immediately exploitable, but all represent risk that should be remediated.
See your full domain exposure
Dangling DNS is one component of domain security. Check your authentication posture, DNS trust, and overall security score in a single assessment.