Safeey.io
Subdomains

Subdomain Takeover: How Forgotten DNS Becomes a Breach

The forgotten door

Subdomain takeover happens when a DNS record for one of your subdomains points to an external service — a hosting platform, a CDN, a SaaS tool — that you've stopped using but never removed from DNS. If an attacker can claim that service, they can serve their content from your subdomain.

Why it's dangerous

A subdomain like promo.yourbrand.com under an attacker's control is a powerful weapon:

  • Convincing phishing — visitors trust a page on your real domain.
  • Cookie theft — cookies scoped to your domain may be readable.
  • Reputation damage — malicious content appears to come from you.

How it happens

You spin up blog.yourbrand.com on a third‑party platform, point a CNAME at it, and later close the account — but leave the DNS record. The platform now considers that hostname unclaimed. An attacker who registers it on the same platform inherits your subdomain.

How to check and fix it

  • Audit your DNS records and remove any that point to services you no longer control.
  • Look for CNAMEs returning "not found" or default landing pages from the target service — a classic dangling‑record signal.
  • When decommissioning a service, remove the DNS record first.

Automate the discovery

Safeey enumerates your subdomains from certificate transparency logs and checks each one for dangling records and takeover signatures. Scan your domain to see what's out there.

Found this useful? Share it.

See what your site exposes

Safeey runs 1,700+ checks and shows you exactly what an attacker would find — with the fixes.

Scan your site