Security check

Subdomain takeover: can someone hijack your subdomains?

A DNS record pointing to a cloud service you stopped using can be hijacked by anyone who re-registers it. We map your subdomains and find the dangling records that can be taken over.

Run a free domain scan All checks →
Relates to: OWASP · Subdomain Takeover ISO 27001 · A.8.9 configuration management NIS2 · art. 21 — attack surface CIS · Controls v8 — 4

What we check

We enumerate your subdomains and check each DNS record: does a CNAME point to an external service (e.g. S3, GitHub Pages, Azure, Heroku, Netlify) that is no longer claimed? Such a dangling record can be re-registered by an attacker and used for phishing under your domain name.

Why it matters

A hijacked subdomain sits on your trusted domain — perfect for phishing, cookie theft and bypassing domain-based trust. It's one of the most common and overlooked flaws in a growing attack surface, and it isn't visible in your own systems.

How Security Guru tests it

Common mistakes

  • DNS record left after a cloud service was decommissioned
  • Old campaign/test subdomains no one owns anymore
  • CNAME to an S3 bucket or Pages site that was deleted
  • No inventory of which subdomains actually point where

What you get in the report

  • All subdomains and their DNS targets
  • Hijackable (dangling) records prioritised by risk
  • Exactly which record to remove or reconnect
  • Mapping to attack-surface requirements in NIS2/ISO

FAQ

Do you actually take over the subdomain?

No — we verify that it's hijackable without registering the service or publishing anything. You remediate from the report.

How do you find our subdomains?

Via public sources: certificate logs (CT), DNS and passive records — the same surface an attacker sees.

Is this part of the review?

Yes — subdomain takeover is a core part of our external attack-surface review.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan