Vulnerability Guides•May 16, 2026•5 min read
Understanding Subdomain Takeover and How to Prevent It
A deep dive into subdomain takeovers: how dangling DNS records lead to brand hijacking, and the automated solutions to prevent it.
What is a Subdomain Takeover?
A subdomain takeover occurs when an attacker gains control over a subdomain of a target organization (e.g., support.yourcompany.com).
This usually happens due to dangling DNS records.
The Anatomy of the Attack
- A company creates a CNAME record pointing
blog.company.comto a third-party service, like a GitHub Pages site (company.github.io). - Time passes, and the company decides to stop using GitHub Pages. They delete the repository.
- Crucially, they forget to delete the DNS record.
- The DNS record still points to
company.github.io. - An attacker notices this, creates a new repository on GitHub, and claims the
company.github.ioname. - The attacker now controls the content displayed at
blog.company.com.
The Impact
Subdomain takeovers are devastating for brand reputation. Attackers can use the hijacked subdomain to host phishing pages, steal cookies, bypass CORS policies, or distribute malware—all under the guise of your legitimate domain.
Prevention
- DNS Hygiene: Regularly audit your DNS records. Whenever you decommission a third-party service, delete the associated DNS records immediately.
- Automated Monitoring: Use an attack surface management tool like Exarlo to continuously monitor your subdomains for dangling CNAME records and alert you before an attacker claims them.
Find your vulnerabilities before attackers do.
Our automated $149 security audit maps your public attack surface and checks for misconfigurations, outdated components, and missing security headers.
Get Your Security Audit