Subdomain takeover

A subdomain takeover is when an attacker claims a subdomain that you no longer use but that still points to a third-party service, letting them host content on your real domain.

How it works

You create a subdomain like status.yourbrand.com pointing to a cloud service, then stop using the service but leave the DNS record. An attacker registers that service resource themselves and now controls what status.yourbrand.com shows. Because it sits on your real domain, anything they host inherits your trust and any cookies scoped to it.

Dangling DNS records, often CNAMEs to deprovisioned services, are the root cause.

How it relates to brand impersonation

A subdomain takeover gives an attacker brand impersonation on your own domain, which is far more convincing than any lookalike. Watching your DNS for dangling records is the defence.

How nebty helps

nebty monitors your domains for the kinds of DNS changes and exposures that enable abuse, so dangling records and takeovers can be caught before someone exploits them.

How to find your dangling records

A subdomain takeover starts with a record you forgot. Teams spin up a subdomain pointing at a cloud service, a help desk, a marketing tool, or a static host, then cancel the service later but leave the DNS record pointing at it. The resource name is now unclaimed, and anyone who registers it on that platform controls what your subdomain serves. To find the risk, audit your DNS for CNAME records that point at third-party services, then check whether each target still belongs to you; a 404 or an unclaimed-resource message is the tell. Remove records you no longer use, and adopt a rule that decommissioning a service includes deleting its DNS entry. Continuous monitoring of your own DNS catches the dangling records that creep back in as projects come and go.
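
The audit described above, as an added example (not nebty's code): it pulls the CNAMEs that leave your zone out of a zone export, then marks each one for review when its target no longer resolves or the subdomain answers 404. The zone contents, the `.example` provider hostnames, and the sample probe results are constructed; `probe` is the live check you would run against your own domains.

```python
import socket
import urllib.error
import urllib.request

OWNED_APEX = "yourbrand.com"  # assumption: the zone being audited

# Constructed zone export (name, type, target); .example hosts are placeholders.
ZONE = """\
www.yourbrand.com.     CNAME  web.yourbrand.com.
status.yourbrand.com.  CNAME  yourbrand.statushost.example.
help.yourbrand.com.    CNAME  yourbrand.helpdesk.example.
shop.yourbrand.com.    CNAME  yourbrand.storefront.example.
web.yourbrand.com.     A      192.0.2.10
"""

def external_cnames(zone_text, apex=OWNED_APEX):
    """Return (name, target) for CNAMEs that point outside the zone you control."""
    found = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            name, target = (p.rstrip(".").lower() for p in (parts[0], parts[2]))
            if target != apex and not target.endswith("." + apex):
                found.append((name, target))
    return found

def probe(name, target):
    """Live check: does the target resolve, and what status does the subdomain return?"""
    try:
        socket.gethostbyname(target)
    except socket.gaierror:
        return "unresolved"
    try:
        with urllib.request.urlopen("http://" + name, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # must precede URLError, its parent class
        return err.code
    except (urllib.error.URLError, OSError):
        return "unreachable"

def audit(zone_text, probe_fn=probe):
    """Mark records whose target is gone or answers 404; unreachable hosts need a manual look."""
    verdicts = {"unresolved": "review", 404: "review", "unreachable": "unknown"}
    return {name: verdicts.get(probe_fn(name, target), "ok")
            for name, target in external_cnames(zone_text)}

# Constructed probe results so the example runs offline.
SAMPLE = {"status.yourbrand.com": 404, "help.yourbrand.com": 200,
          "shop.yourbrand.com": "unresolved"}
print(audit(ZONE, lambda name, target: SAMPLE[name]))
```

A "review" verdict is a prompt to confirm on the provider's side whether the resource is still yours, then delete the record if it is not.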
