Subdomain Takeover
Claiming a subdomain pointed at an abandoned third-party service (an unclaimed Heroku app, deleted S3 bucket, expired Azure host) by registering that resource yourself and inheriting the trusted hostname.
Subdomain takeover happens when a dangling DNS record points at a cloud or SaaS resource that no longer exists, and the attacker registers a new resource of the same name. A CNAME like `marketing.example.com → example-marketing.herokuapp.com` is left dangling once the Heroku app is deleted; whoever next claims `example-marketing.herokuapp.com` controls the content served at `marketing.example.com`, which gives them access to cookies scoped to the parent domain and the appearance of legitimacy for phishing. Detection scans every CNAME in a zone for targets that return the cloud provider's "this app does not exist" page. The fix is to remove the DNS record before tearing down the resource it points at.
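A minimal version of the CNAME scan described above, as an added example (not code from this page or from any tool it references). The zone data, response bodies and helper names are constructed for illustration; the fingerprint strings are assumptions to confirm against each provider's current error page, and every record is assumed to carry an explicit owner name.

```python
import re

# Constructed zone file (names are made up for this example).
ZONE = """\
$ORIGIN example.com.
www        300 IN A     192.0.2.10
marketing  300 IN CNAME example-marketing.herokuapp.com.
assets     300 IN CNAME example-assets.s3.amazonaws.com.
shop       300 IN CNAME shops.vendor.example.
docs           IN CNAME example-docs.herokuapp.com.
"""
# Assumed fingerprints (suffix -> error text); confirm against each provider.
FINGERPRINTS = {"herokuapp.com": "No such app", "s3.amazonaws.com": "NoSuchBucket"}
# Constructed response bodies standing in for an HTTP GET of each hostname.
SAMPLE_BODIES = {
    "marketing.example.com": "<html><title>No such app</title></html>",
    "assets.example.com": "<html>static asset index</html>",
}
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.I)

def fqdn(name, origin):
    """Expand a relative zone-file name against $ORIGIN, dropping the final dot."""
    name = name if name.endswith(".") else f"{name}.{origin}"
    return name.rstrip(".").lower()

def parse_cnames(zone_text):
    """Return (owner, target) pairs for every CNAME record in the zone text."""
    origin, records = ".", []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := CNAME_RE.match(line)):
            records.append((fqdn(m[1], origin), fqdn(m[2], origin)))
    return records

def audit(zone_text, fetch):
    """Classify each CNAME; fetch(hostname) returns a response body or None."""
    findings = []
    for owner, target in parse_cnames(zone_text):
        suffix = next((s for s in FINGERPRINTS if target.endswith("." + s)), None)
        if suffix is None:
            status = "unlisted-provider"  # no fingerprint known; review by hand
        elif (body := fetch(owner)) is None:
            status = "no-response"
        else:
            status = "dangling" if FINGERPRINTS[suffix] in body else "claimed"
        findings.append((owner, target, status))
    return findings
```

Calling `audit(ZONE, SAMPLE_BODIES.get)` runs the check offline; for a live zone, pass a function that issues an HTTP GET to the hostname and returns the body, or `None` on failure.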
Referenced on
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- Dangling CNAMEs and Subdomain Takeover Risk Across the Global DNS
- DNS Hijacking Explained: How Attackers Take Control of Your Domain's Resolution
- DNS Zone Transfer Attack (AXFR): How a Single Query Exposes Your Entire Domain
- DNS Zone Walking for Subdomain Enumeration: How NSEC Exposes Your Subdomains
- How Expired Name Servers Become Domain Hijacking Vectors
- Subdomain Takeover: How Dangling DNS Records Let Attackers Hijack Your Domain
- What Is NXDOMAIN? Understanding the 'Domain Does Not Exist' DNS Response
- WHOIS Lookup