
Subdomain takeover — how to find dangling CNAMEs before attackers do

// published 2026-04-17

Subdomain takeover is one of those bugs that sits quiet for years, then costs you a security incident overnight. The pattern: you spin up a marketing site on Heroku as campaign-2022.yourbrand.com, the campaign ends, the dyno gets deleted — but the CNAME in DNS still points to campaign-2022.herokuapp.com. Anyone can now claim that Heroku app name and serve whatever they want from your subdomain, HTTPS included.

Why it's exploitable

Modern SaaS platforms (Heroku, S3, GitHub Pages, Vercel, Netlify, Shopify, Azure, Fastly, Ghost, and 20+ others) let anyone claim an unused app/bucket/site name. If your DNS still points a CNAME at an unclaimed target, the attacker claims it and inherits your subdomain. From there they can:

How to scan for it

Two steps: enumerate subdomains, then check each CNAME target for a known-vulnerable signature.

Enumeration: Certificate Transparency logs reveal every hostname that ever got a TLS cert — far more reliable than wordlist-based brute force. See our CT log subdomain discovery post for the deep dive.

Takeover detection: for each subdomain, resolve the CNAME, compare it against a fingerprint list (Heroku, AWS S3, GitHub Pages, Vercel, Netlify, Shopify, Azure, Fastly, Ghost, Pantheon, Tumblr, Readme, Intercom, Helpjuice, Surge, WordPress — the 16 we fingerprint). If the target is in the fingerprint list AND the HTTP response matches the unclaimed-app signature, you have a takeover.

Do it automatically with the Subdomain Takeover Checker — paste a root domain, get a colour-coded report per subdomain. Red = takeoverable, green = legit SaaS in use, grey = uncategorised CNAMEs that may still be risky.
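The detection step described above (fingerprint match on the CNAME target, then the unclaimed-app signature check, mapped to the checker's red/green/grey colours), as an added Python example that is not the checker's own code. The three-entry fingerprint table, the DNS zone and the HTTP bodies are constructed sample data, and the resolve/fetch callables are assumed hooks where a live scan would plug in real DNS and HTTP lookups.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class Fingerprint:
    service: str           # SaaS provider name
    cname_suffix: str      # CNAME target suffix that identifies the provider
    unclaimed_marker: str  # text the provider serves when the name is unclaimed

# Three of the sixteen services the post names (assumed sample entries).
FINGERPRINTS = (
    Fingerprint("Heroku", ".herokuapp.com", "No such app"),
    Fingerprint("AWS S3", ".amazonaws.com", "NoSuchBucket"),
    Fingerprint("GitHub Pages", ".github.io", "There isn't a GitHub Pages site here"),
)
Resolver = Callable[[str], Optional[str]]  # host -> CNAME target, or None
Fetcher = Callable[[str], str]             # host -> HTTP response body

def match_fingerprint(cname: str) -> Optional[Fingerprint]:
    """Map a CNAME target to a fingerprinted provider, or None if uncategorised."""
    target = cname.rstrip(".").lower()
    return next((fp for fp in FINGERPRINTS if target.endswith(fp.cname_suffix)), None)

def classify(host: str, resolve: Resolver, fetch: Fetcher) -> Tuple[str, str]:
    """red = takeoverable, green = SaaS in use, grey = unknown target, skip = no CNAME."""
    cname = resolve(host)
    if cname is None:
        return ("skip", "no CNAME record")
    fp = match_fingerprint(cname)
    if fp is None:
        return ("grey", f"uncategorised CNAME target {cname}")
    # Only a fingerprinted target AND the unclaimed signature counts as red.
    if fp.unclaimed_marker in fetch(host):
        return ("red", f"{fp.service} name behind {cname} is unclaimed")
    return ("green", f"{fp.service} in use via {cname}")

# Constructed zone data and HTTP bodies standing in for live lookups.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "campaign-2022.example.com": "campaign-2022.herokuapp.com.",
    "docs.example.com": "example.github.io.",
    "cdn.example.com": "edge.unlisted-cdn.example.net.",
    "www.example.com": None,
}
SAMPLE_HTTP = {"campaign-2022.example.com": "<h1>No such app</h1>",
               "docs.example.com": "<h1>Project docs</h1>"}

def scan(hosts, resolve: Resolver = SAMPLE_DNS.get,
         fetch: Fetcher = lambda h: SAMPLE_HTTP.get(h, "")) -> Dict[str, Tuple[str, str]]:
    """Report one (colour, reason) per host; swap in real lookups for a live scan."""
    return {h: classify(h, resolve, fetch) for h in hosts}
```

For a live run on your own domain, pass a resolver that returns the CNAME target (for instance one built on dnspython's dns.resolver.resolve(host, "CNAME")) and a fetcher that returns the HTTP body.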

How to fix (and prevent)

  1. For each red result: delete or re-point the DNS record immediately. Then go claim the SaaS app name before somebody else does (even if you don't plan to use it — just to prevent the takeover window).
  2. Set a cleanup policy for subdomains: any CNAME created for a temporary service must have a ticket/owner and a delete-when date. Nothing kills a security team's Monday like a 4-year-old marketing CNAME.
  3. Audit on a recurring schedule: run the takeover checker on your root domain once a month. A regular rescan catches the records you forgot about.
  4. Restrict cookie scope: don't set Domain=.yourbrand.com on session cookies unless you absolutely need cross-subdomain sharing. Default to host-only.

If you add a domain to DomBrains monitoring, the CT Log Subdomain Finder is run on it daily. When a new cert is issued for a subdomain you haven't seen before, we alert you — so you catch a shadow-IT spinup before it becomes a takeover next year.
