
What Is Subdomain Takeover and How to Prevent It

Subdomain takeover is a vulnerability where an attacker claims a third-party resource that one of your subdomains points to — allowing them to host content under your domain. It's more common than most organisations realise, and mydomainrisk.com checks for it automatically on every scan.

How subdomain takeover works

When you set up a subdomain like app.yourdomain.com to point to a third-party service (GitHub Pages, Heroku, Netlify, Vercel, Shopify, etc.), you create a CNAME record:

app.yourdomain.com  CNAME  yourapp.netlify.app

If you later delete the resource on Netlify but forget to remove the CNAME record, the subdomain becomes "dangling" — it points to a hostname that no one owns. An attacker can then claim yourapp.netlify.app on Netlify and serve whatever content they like under app.yourdomain.com — including phishing pages, malware, or content designed to steal cookies set on your root domain.

Which services are vulnerable

mydomainrisk.com checks for dangling CNAMEs across 25 services, including:

GitHub Pages, Heroku, Netlify, Vercel, Azure App Service, Azure Blob Storage, Shopify, Fastly, Pantheon, Ghost, Tumblr, Zendesk, Freshdesk, HubSpot, Intercom, Surge.sh, Bitbucket Pages, Amazon S3, and more.

Each service has a known "unclaimed" error string that confirms the resource is available for takeover.

How to find vulnerable subdomains on your domain

mydomainrisk.com automatically:

  1. Enumerates your subdomains via Certificate Transparency logs
  2. Resolves CNAME chains for each subdomain
  3. Checks if the CNAME target matches a known vulnerable service fingerprint
  4. HTTP-fetches the target to confirm the unclaimed error string is present
  5. Reports any confirmed vulnerable subdomains with the service name and CNAME target
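Steps 2 to 5 can be sketched offline as follows. This is an added example, not mydomainrisk.com's code. The zone data, response bodies and example.test names are constructed, and the two fingerprint strings are assumptions to confirm against each provider.

```python
# Added example: offline walk-through of steps 2-5 on constructed data.
# The fingerprint strings are assumptions; confirm each against the provider.
FINGERPRINTS = {  # CNAME suffix -> (service, unclaimed-page marker)
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
}

# Constructed zone data standing in for live DNS answers.
CNAMES = {
    "app.example.test": "edge.example.test",
    "edge.example.test": "oldapp.herokuapp.com",
    "docs.example.test": "example-org.github.io",
    "loop.example.test": "loop2.example.test",
    "loop2.example.test": "loop.example.test",
}

# Constructed HTTP bodies standing in for a fetch of each CNAME target.
BODIES = {
    "oldapp.herokuapp.com": "<html>No such app</html>",
    "example-org.github.io": "<html>Project documentation</html>",
}


def resolve_chain(name, cnames, max_hops=8):
    """Follow CNAME records from name; return the chain, or None on a loop."""
    chain = [name]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]].rstrip(".").lower()
        if nxt in chain or len(chain) > max_hops:
            return None
        chain.append(nxt)
    return chain


def audit(subdomains, cnames, fetch_body):
    """Return (subdomain, service, cname_target) for confirmed dangling CNAMEs."""
    findings = []
    for sub in subdomains:
        chain = resolve_chain(sub, cnames)
        if not chain or len(chain) == 1:
            continue  # CNAME loop, or no CNAME record at all
        target = chain[-1]
        for suffix, (service, marker) in FINGERPRINTS.items():
            # Step 3: suffix match; step 4: confirm via the response body.
            if target.endswith(suffix) and marker in (fetch_body(target) or ""):
                findings.append((sub, service, target))
    return findings
```

Calling `audit(names, CNAMES, BODIES.get)` reports only subdomains whose final CNAME target both matches a service suffix and returns the unclaimed marker, so a live GitHub Pages site is not flagged.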

How to fix a subdomain takeover vulnerability

Option 1 (recommended): Remove the dangling CNAME

If you no longer use the service the subdomain points to, simply delete the CNAME record from your DNS. This eliminates the attack surface entirely.

Option 2: Re-claim the resource

If you still need the subdomain, re-create the resource on the third-party service (e.g. re-deploy the Netlify site, re-create the Heroku app) to re-claim the hostname.

Verify it's fixed

Scan your domain at mydomainrisk.com — the subdomain takeover check will re-run against your current CT log subdomains and show no vulnerable subdomains if the CNAME has been removed or the resource re-claimed.
