Subdomain Takeover

What is it?

Subdomain takeover is a process of taking control of a subdomain. This can be done when a subdomain is pointing to a third party provider that is no longer in use - seeing that an attacker can register another non-existing domain name on the third party service and hijack the subdomain.


Let’s say we are running a blog at We have the blog at Blogosphere and are pointing the subdomain towards Blogosphere so it is accessible that way.

At some point we decide to stop blogging and delete the blog at Blogosphere. However, still leads to Blogosphere as we forgot to delete that connection.

An attacker can now sign up at Blogosphere, create their own blog and claim as the address. If it points to the Blogosphere already, Blogosphere will accept this without further questions. now leads to the hacker’s blog, of which they control the content.

How do we check for potential takeovers?

  1. Surface monitoring would detect the subdomain:

  1. Surface monitoring will find that there is a CNAME entry pointing to a website which isn’t connected to the asset

Eg. has a CNAME entry that redirects it to

  1. Each time the page is requested from the DNS server, the user has a chance of being redirected to the fake website.

In this instance the DNS record on the server is malicious, and redirects the user to a fake server/website.

A subdomain takeover claims the server, and rather than taking control over it makes the fake website look as it’s the original one.