Subdomain Takeover Scanner

Check if your domain has dangling DNS records that could be exploited for subdomain takeover attacks.

What is Subdomain Takeover?

Subdomain takeover occurs when a subdomain points to a third-party service (via a CNAME record) that has been deprovisioned or unclaimed. An attacker can register the resource on the third-party platform and serve content under your domain name.

How it works

  1. Your organization creates blog.example.com pointing to a hosted service (e.g., example.herokuapp.com) via a CNAME record.
  2. The service is later discontinued, but the DNS CNAME record is never removed.
  3. An attacker claims example.herokuapp.com on Heroku and now controls the content served at blog.example.com.

Common vulnerable services

  • AWS S3 — Deleted S3 bucket names can be re-registered.
  • GitHub Pages — Removed repository or unconfigured custom domain.
  • Heroku — Deleted apps leave CNAMEs dangling.
  • Azure — Deprovisioned resources with remaining DNS records.
  • Netlify / Vercel — Removed projects with stale DNS entries.

Why it matters for email security

If a mail-related subdomain (e.g., mail.example.com) is taken over, an attacker may be able to send emails that appear to originate from your domain. Without a strict DMARC subdomain policy (sp=reject), these emails could pass authentication checks and reach inboxes.
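The dangling-CNAME walk described under "How it works", together with the DMARC subdomain-policy check from this section, as an added Python example that is not part of the scanner or this page. It runs against a constructed in-memory answer table rather than live DNS, and the list of claimable third-party suffixes is an assumption drawn from the services named above.

```python
# Added example (not SpoofSentry's code): detect dangling CNAMEs over a
# constructed zone snapshot and report the effective DMARC subdomain policy.
from typing import Dict, Optional

# Constructed sample data standing in for live DNS answers.
# None means the name does not resolve (NXDOMAIN / no records).
SAMPLE_DNS: Dict[str, Optional[dict]] = {
    "blog.example.com.": {"CNAME": "example.herokuapp.com."},
    "example.herokuapp.com.": None,                 # app was deleted
    "www.example.com.": {"CNAME": "example.netlify.app."},
    "example.netlify.app.": {"A": "203.0.113.10"},  # still provisioned
    "_dmarc.example.com.": {"TXT": "v=DMARC1; p=quarantine"},
}

# Hosting suffixes treated as claimable third-party platforms (assumption:
# drawn from the services listed on the page; a real scanner keeps a fuller list).
THIRD_PARTY_SUFFIXES = (".herokuapp.com.", ".github.io.", ".netlify.app.",
                        ".s3.amazonaws.com.", ".azurewebsites.net.")

def resolve(name: str, rrtype: str, dns=SAMPLE_DNS) -> Optional[str]:
    """Look up one record in the sample table (stand-in for a real resolver)."""
    answer = dns.get(name)
    return answer.get(rrtype) if answer else None

def find_dangling(hostname: str, dns=SAMPLE_DNS, max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain from hostname. Return the CNAME target that points
    at a claimable third-party host which no longer resolves, else None."""
    name = hostname
    for _ in range(max_hops):          # bound the walk so CNAME loops terminate
        target = resolve(name, "CNAME", dns)
        if target is None:
            return None                # chain ended without a dangling hop
        lives = any(resolve(target, t, dns) for t in ("A", "AAAA", "CNAME"))
        if not lives and target.endswith(THIRD_PARTY_SUFFIXES):
            return target              # unresolvable and on a claimable platform
        name = target
    return None

def dmarc_subdomain_policy(domain: str, dns=SAMPLE_DNS) -> str:
    """Effective DMARC policy for subdomains: sp= if present, otherwise p=."""
    txt = resolve(f"_dmarc.{domain}.", "TXT", dns) or ""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags.get("sp", tags.get("p", "none"))

if __name__ == "__main__":
    for host in ("blog.example.com.", "www.example.com."):
        print(host, "->", find_dangling(host) or "ok")
    print("subdomain policy:", dmarc_subdomain_policy("example.com"))
```

With the sample table, blog.example.com is flagged because its Heroku target no longer resolves, while www.example.com is clean; the DMARC check shows that without an explicit sp= tag the p= value governs subdomains.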
