Pyalm Guard
Jul 7, 2026

Subdomain Takeover: How Dangling DNS Records Get Hijacked — and How to Find Them

A subdomain takeover happens when a DNS record still points at a service you no longer own. Here's how dangling CNAMEs get hijacked, what an attacker can do with one, and how to detect and close them.

A subdomain takeover is one of the quietest ways to lose control of part of your domain. Nobody breaks into a server. No password is stolen. A DNS record simply keeps pointing at a service you stopped using — and someone else claims the other end.

What a subdomain takeover actually is

Most subdomains don't resolve to your own servers. They CNAME to a third-party service: a marketing site on a SaaS host, a docs portal, a status page, a storage bucket, a support widget. The record says "for help.example.com, go ask this provider."

The problem starts when you decommission that service but leave the DNS record behind. Now help.example.com points at a hostname the provider no longer has assigned to anyone. That's a dangling CNAME. If the provider lets a new customer claim that hostname, whoever claims it now controls content served at your subdomain.

Why it matters more than it looks

A subdomain you forgot about is still your domain to a browser, a user, and often a cookie. An attacker who takes one over can:

  • Phish with a real domain. A login page on portal.example.com is far more convincing than any lookalike domain.
  • Steal cookies and tokens scoped to *.example.com, depending on how yours are set.
  • Bypass allowlists — CSP frame-ancestors, CORS rules, and OAuth redirect allowlists that trust your own subdomains now trust the attacker.
  • Damage reputation by hosting spam or malware under your brand.

How to find dangling records

Detection is really two questions asked across every subdomain you have:

  1. Do I even know all my subdomains? Enumerate them from certificate-transparency logs, passive DNS, and a brute-force wordlist. You can't check records you don't know exist.
  2. Does each CNAME still resolve to a claimed resource? For every subdomain that CNAMEs to a third party, confirm the target still exists and is still yours. A CNAME that resolves to a provider's "no such site" fingerprint is the red flag.

Doing this by hand across a real domain is tedious, which is exactly why forgotten records survive. Pyalm Guard automates both halves: it enumerates subdomains passively and by brute-force, then flags dangling CNAMEs as subdomain-takeover risk in a severity-ranked report — run it on a domain you own.

How to prevent them

  • Delete the DNS record the moment you retire a service — make it a step in your decommissioning checklist, not an afterthought.
  • Enumerate on a schedule. Attack surface grows quietly; a quarterly sweep catches records that outlived their service.
  • Prefer records you control for anything sensitive, and avoid wildcard CNAMEs that mask individual dangling entries.
  • Claim before you cancel where a provider allows it, so there's no window between "you stopped paying" and "the hostname is free."

The fix is almost always a one-line DNS deletion. The hard part is knowing which line — and that's a discovery problem, not a security-genius problem.

Assess your attack surface with Pyalm Guard | Introducing Pyalm Guard | SPF, DKIM & DMARC explained | HTTP security headers guide

Keep reading

More from Pyalm

Jul 7, 2026

Introducing Pyalm Guard: An Authorized Security Posture Assessment Tool

Point Pyalm Guard at a domain you own and it runs a full, non-destructive checkup — DNS, subdomains, email authentication, TLS, headers, ports, threat intelligence, and breach exposure — scored into one clear risk grade.

Jul 7, 2026

SPF, DKIM, and DMARC Explained: How to Stop Email Spoofing on Your Domain

SPF says who can send, DKIM proves nothing was tampered with, and DMARC ties them together and tells receivers what to do. Here's how the three work — and how to check yours are set up right.

Jul 7, 2026

HTTP Security Headers: A Practical Guide to HSTS, CSP, and the Rest

A handful of response headers quietly decide whether your site can be framed, downgraded, or injected into. Here's what HSTS, CSP, X-Frame-Options and friends do, and how to tell if yours are set right.

Jul 10, 2026

Pyalm Books Is a Full Accounting, POS & Inventory Platform — Not Just E-Invoicing

UAE e-invoicing is why many businesses find Pyalm Books, but it's a fraction of what's inside. Here's the full picture: double-entry accounting, a built-in POS, inventory, purchases, banking, and projects.

Jul 10, 2026

Beyond Broadcasts: Tenreply's Shared Inbox, AI Support and WhatsApp CRM

Broadcasts get attention, but the day-to-day value of Tenreply is everything around them — a shared team inbox, an AI support agent, no-code flows, and a built-in CRM that turns chats into tracked leads.

Jul 10, 2026

More Than Courses: Assignments, Learner Q&A and a Job Board in Pyalm Learn

A course library is table stakes. Pyalm Learn adds the things that make learning stick and pay off — assignments and quizzes, in-context learner Q&A, analytics, and a built-in job board — all under your brand.

Check Your Security Posture in Minutes

Pyalm Guard runs an authorized, non-destructive checkup on a domain you own — DNS, subdomains, email auth, TLS, headers, ports, and threat intel — scored into one clear risk grade. No account, nothing stored on our servers.

Open Pyalm Guard About Pyalm Guard