What we check
We scan for dangling subdomains that could be hijacked
We continuously scan your DNS records for subdomains that point to external services (like GitHub Pages, AWS S3, Heroku, etc.) where the target resource has been deleted or never claimed. Attackers can claim these resources and serve malicious content on your domain.
Security Impact
Why subdomain takeover prevention is critical
Attackers can serve malicious content
When subdomains are vulnerable to takeover, attackers can create phishing pages, serve malware, or steal cookies and credentials—all under your trusted domain.
Cookie theft and session hijacking
Cookies scoped to your main domain are also sent to its subdomains. Attackers who control a subdomain can steal session cookies and impersonate your users.
Brand reputation damage
When attackers misuse your subdomain for phishing or malware, it damages trust in your brand. Customers blame you for security incidents on your domain.
Difficult to detect manually
Subdomain takeover vulnerabilities are invisible until exploited. Manual scanning across hundreds of DNS records is impractical.
Implementation
How to prevent subdomain takeover
With Httpeace
Httpeace continuously scans your DNS for dangling subdomains:
- Add your domain to Httpeace
- We automatically scan DNS records for subdomain takeover vulnerabilities
- Get instant alerts when dangling CNAMEs are detected
- See which external services are at risk in your dashboard
Without Httpeace
Manual subdomain takeover detection requires extensive DNS auditing and technical knowledge:
```bash
# List DNS records (many servers refuse or minimize ANY queries;
# a zone export from your DNS provider is more complete)
dig ANY yourdomain.com

# Check each CNAME record
dig CNAME subdomain.yourdomain.com

# Test if target exists (GitHub Pages example)
# -i prints the response headers and the body, so error pages are visible
curl -si https://subdomain.yourdomain.com
# Look for 404 or "There isn't a GitHub Pages site here"

# Check AWS S3 bucket
curl -si https://subdomain.yourdomain.com
# Look for "NoSuchBucket" error

# Use subdomain enumeration tools
subfinder -d yourdomain.com
amass enum -d yourdomain.com

# Test each subdomain for takeover
# This requires knowing patterns for dozens of services
```
You'll need to:
- Manually enumerate all subdomains (including historical ones)
- Check every CNAME record to see where it points
- Know the takeover patterns for GitHub Pages, AWS S3, Heroku, Azure, Vercel, Netlify, Shopify, Tumblr, Squarespace, Bitbucket, and dozens of other services
- Test each subdomain to see if the target resource still exists
- Understand different error messages indicating takeoverability
- Maintain an inventory of which subdomains point to which external services
- Remember to check before deleting any external resources
- Run scans regularly as DNS changes and services get decommissioned
- Set up monitoring to catch when new dangling records appear
- Coordinate with development teams to ensure they don't create vulnerabilities
- Use specialized tools like subjack, subover, or can-i-take-over-xyz
- Keep up-to-date with new services and their takeover fingerprints
Subdomain takeover detection is complex and requires constant vigilance. The attack surface grows with every subdomain, and vulnerabilities can appear when team members delete resources without removing DNS records.
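The inventory-and-check steps listed above, as an added example (not Httpeace's code): it parses a BIND-style zone export, classifies every CNAME, and flags the dangling ones. The function names, the `example.com` zone and the probe results are constructed for illustration; only the two body markers come from this page, and their mapping to hostname suffixes is an assumption.

```python
import re
# Body markers quoted on this page, keyed by CNAME target suffix (assumed mapping).
FINGERPRINTS = {
    ".github.io": "There isn't a GitHub Pages site here",
    ".s3.amazonaws.com": "NoSuchBucket",
}
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)
def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_cnames(zone_text, origin):
    """Return {subdomain: target} for every CNAME in a BIND-style zone export."""
    records = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.split(";")[0].strip())
        if m:
            records[fqdn(m.group(1), origin).lower()] = fqdn(m.group(2), origin).lower()
    return records

def classify(target, origin, probe):
    """probe is {'resolves': bool, 'body': str}; internal targets need none."""
    if target == origin or target.endswith("." + origin):
        return "internal"
    if not probe["resolves"]:
        return "dangling: target does not resolve"
    for suffix, marker in FINGERPRINTS.items():
        if target.endswith(suffix):
            return "dangling: unclaimed resource" if marker in probe["body"] else "ok"
    return "review: external service without a fingerprint"

def audit(zone_text, origin, probes):
    return {name: classify(target, origin, probes.get(name))
            for name, target in parse_cnames(zone_text, origin).items()}
# Constructed sample data: an example.com zone export and matching probe results.
SAMPLE_ZONE = """\
www    300 IN CNAME example.com.
docs   300 IN CNAME example-org.github.io.
assets     IN CNAME old-assets.s3.amazonaws.com.  ; bucket deleted
blog   300 IN CNAME blog-example.herokuapp.com.
shop   300 IN CNAME shops.vendor.invalid.
"""
SAMPLE_PROBES = {
    "docs.example.com": {"resolves": True, "body": "There isn't a GitHub Pages site here."},
    "assets.example.com": {"resolves": True, "body": "<Code>NoSuchBucket</Code>"},
    "blog.example.com": {"resolves": True, "body": "<html>welcome</html>"},
    "shop.example.com": {"resolves": False, "body": ""},
}
```

In live use, fill the probe results from `dig` and `curl` output for each subdomain; anything marked "review" needs a fingerprint for that service before it can be called safe.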
FAQ
Frequently asked questions
What is subdomain takeover?
Subdomain takeover happens when a DNS record points to an external service (like GitHub Pages or AWS S3) that no longer exists or was never claimed. Attackers can claim that service and serve content on your subdomain, inheriting your domain's trust and cookies.
How do attackers exploit subdomain takeover?
Attackers scan for subdomains with dangling DNS records. When they find one pointing to an unclaimed resource, they claim it (like creating a GitHub repo with that name). They can then serve phishing pages or malware, or steal cookies from your domain.
How often does Httpeace scan for subdomain takeover?
We scan your DNS records daily for patterns associated with subdomain takeover vulnerabilities. We check for dangling CNAMEs pointing to popular services and alert you when we detect potential vulnerabilities.
What services are commonly affected?
GitHub Pages, AWS S3, Heroku, Azure, Vercel, Netlify, Shopify, Tumblr, WordPress.com, and many other hosting platforms. Any service that allows custom domains can potentially be exploited for subdomain takeover if DNS records aren't cleaned up properly.
Can subdomain takeover be prevented?
Yes! The key is removing DNS records before deleting external resources. Maintain an inventory of your subdomains, regularly audit DNS records, and use monitoring tools like Httpeace to catch dangling records before attackers do.
Related checks
Other checks in this category
SSL Certificate Expiry
Prevent browser warnings by monitoring certificate expiration dates.
SSL Certificate Validity
Ensure encrypted connections are trusted by validating certificate chains.
HSTS Header
Force HTTPS to prevent downgrade attacks and man-in-the-middle attacks.
Content Security Policy
Block XSS attacks and code injection with CSP headers.