← Back to Blog
June 15, 2026By David Chen, DevSecOps Specialist

Preventing Subdomain Takeovers: How to Audit for Dangling DNS

What is a Dangling DNS Record?

A dangling DNS record occurs when a domain or subdomain has a CNAME, MX, or NS record pointing to an external provider (like GitHub Pages, AWS S3, Heroku, or Shopify) that has been deleted or deprovisioned. Because the DNS record remains active, an attacker can register the deprovisioned resource name at the provider and hijack all incoming traffic.

The Impact of a Subdomain Takeover

Subdomain takeovers can have catastrophic consequences:

  • Cookie Hijacking: Attackers can read session cookies shared across the root domain.
  • Phishing Clones: Host fully convincing credential harvesting sites under your trusted brand domain.
  • Bypassing Content Security Policies (CSP): Subdomain trust allows malicious scripts to bypass security boundaries.
  • Remediation Framework

    1. Zone File Verification:

    2. Authoritative Response Probing:

    3. Prompt Cleanup: