Subdomain Takeover: what it is and how to prevent it
A subdomain takeover occurs when a subdomain's DNS record still points to a third-party service that has been deprovisioned — leaving a 'dangling' record an attacker can claim. The result: an attacker serves content from a domain your users trust.
How a takeover happens
Teams frequently point subdomains at external services with a CNAME — a marketing site, a docs host, a cloud bucket. When that service is later cancelled or deleted, the subdomain's DNS record often stays behind, still pointing at the now-unclaimed resource.
Because many providers let anyone claim an unused resource name, an attacker who finds the dangling record can register that resource and serve their own content from your subdomain — useful for phishing, cookie theft and bypassing same-origin trust.
Why it's dangerous
The subdomain still carries your brand and, often, user trust and session scope. Attackers use takeovers to host convincing phishing, capture credentials, or abuse OAuth and cookie boundaries that trust your domain.
How to find and prevent it
Discover: continuously enumerate your subdomains and resolve them. Takeover risk lives in the subdomains you have forgotten.
Detect dangling records: flag CNAMEs and A records that point at deprovisioned or unclaimed third-party services.
Remediate: remove stale DNS records as part of decommissioning any external service, and monitor continuously so new dangling records are caught quickly.
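The discover, detect and remediate steps above can be run as a reconciliation between a DNS zone export and the list of external resources you still have provisioned. The following is an added example, not code from the original page: the zone records, provider suffixes and inventory are constructed sample data, and it covers only CNAME records.

```python
import socket

# Constructed sample data: replace with your zone export and the providers you use.
THIRD_PARTY_SUFFIXES = (".pages.example-host.net", ".storage.example-cloud.com")
ZONE = [
    {"name": "www.example.com", "type": "CNAME", "value": "web.example.com"},
    {"name": "web.example.com", "type": "A", "value": "203.0.113.10"},
    {"name": "docs.example.com", "type": "CNAME", "value": "acme-docs.pages.example-host.net"},
    {"name": "promo.example.com", "type": "CNAME", "value": "promo2019.storage.example-cloud.com"},
    {"name": "old.example.com", "type": "CNAME", "value": "promo.example.com"},
]
# External resources still provisioned, taken from your asset or billing inventory.
OWNED = {"acme-docs.pages.example-host.net"}

def system_resolves(host):
    """Live check (needs network): True if the name currently resolves."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def final_target(name, cnames, max_hops=8):
    """Follow CNAME chains inside the zone export, guarding against loops."""
    seen = set()
    while name in cnames and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name]
    return name

def find_dangling(zone, owned, resolves=system_resolves, suffixes=THIRD_PARTY_SUFFIXES):
    """Return (subdomain, external target, reason) for CNAMEs to resources we no longer own."""
    cnames = {r["name"].lower().rstrip("."): r["value"].lower().rstrip(".")
              for r in zone if r["type"] == "CNAME"}
    findings = []
    for name in sorted(cnames):
        target = final_target(name, cnames)
        if not target.endswith(suffixes) or target in owned:
            continue  # ends in our own zone, an unlisted host, or a live resource of ours
        reason = "unowned, still resolves" if resolves(target) else "unowned, NXDOMAIN"
        findings.append((name, target, reason))
    return findings

if __name__ == "__main__":
    for finding in find_dangling(ZONE, OWNED, resolves=lambda h: False):
        print(finding)
```

The inventory comparison is the primary signal: a target that still resolves is reported too, because a resolving name does not show that the resource behind it is yours.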
FAQ
Enumerate your subdomains, resolve each, and look for records pointing at unclaimed third-party services. SICenter's free subdomain finder surfaces dangling records as part of the scan.
Decommissioning an external service (a host, bucket or app) without removing the DNS record that points to it. The record 'dangles' at a resource anyone can now claim.