Legal Disclaimer:

This platform is for authorized security research and educational purposes ONLY. Scanning assets without explicit permission is illegal.

Subdomain OSINT Guide

Subdomain Takeover: CNAME Hijacking Guide

A step-by-step breakdown of how stale DNS records allow attackers to claim legitimate subdomain namespaces.

Anatomy of a CNAME Hijacking

A subdomain takeover occurs when a DNS record points to an external resource (like an AWS S3 bucket, GitHub Pages, or Zendesk) that has been deleted, but the DNS record remains active.

How a Takeover Happens

1. DNS Setup: An organization sets a DNS record: docs.example.com CNAME example-bucket.s3.amazonaws.com.

2. Resource Decommission: The organization deletes the AWS S3 bucket example-bucket, but forgets to delete the CNAME record from its DNS zone.

3. Attack Vector: An attacker notices that an HTTP request to docs.example.com returns the S3 "NoSuchBucket" error, which reveals that the CNAME target no longer exists.

4. Exploitation: The attacker registers their own S3 bucket named example-bucket. They now control the content served at docs.example.com.

Consequences

  • Phishing Campaigns: Attackers can host phishing forms on a trusted company subdomain.
  • Session Hijacking: Attackers can read session cookies scoped to *.example.com sent by the victim's browser.
  • Bypassing Content Security Policies (CSP): Many CSP rules trust the organization's own subdomains, allowing the hijacked subdomain to bypass script restrictions.

Audit Your Subdomain Exposure

Map out forgotten development and staging environments and scan for dangling CNAME records that are vulnerable to takeover.

Frequently Asked Questions

How do I prevent subdomain takeovers?

Ensure that DNS record removal is integrated into your cloud resource decommissioning workflow. Never delete a third-party account or cloud bucket without first deleting the corresponding DNS record.
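The following is an added example, not ReconShield code, that turns the four-step scenario above and this decommissioning advice into two defensive checks: an audit that flags CNAME records whose third-party target answers with the provider's "resource does not exist" message (the "NoSuchBucket" case from the walkthrough), and a pre-deletion guard that lists every record still pointing at a resource before it is removed. The zone inventory and HTTP bodies are constructed, the fetch function is injected so the code runs offline, and the fingerprint table is an assumption for illustration (the S3 entry matches the error the guide describes; the GitHub Pages text is an assumed provider message).

```python
"""Dangling-CNAME audit and decommission guard (added example, not ReconShield code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed fingerprint table: CNAME target suffix -> (service name, text the provider
# returns when the referenced resource does not exist). Illustrative, not exhaustive.
FINGERPRINTS = {
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
}


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. docs.example.com
    rtype: str   # CNAME, A, AAAA, ...
    target: str  # CNAME target or address


def classify_target(target: str) -> Optional[Tuple[str, str]]:
    """Return (service, fingerprint) when the target is a known third-party host, else None."""
    host = target.rstrip(".").lower()
    for suffix, info in FINGERPRINTS.items():
        if host.endswith(suffix):
            return info
    return None


def find_dangling(records: List[Record], fetch: Callable[[str], str]) -> List[Tuple[str, str, str]]:
    """Flag CNAME records whose third-party target serves the provider's
    'resource does not exist' message. fetch(hostname) returns the HTTP body
    obtained from the subdomain; it is injected so a mock can be used offline."""
    findings = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        info = classify_target(rec.target)
        if info is None:
            continue  # internal target; not a third-party takeover candidate
        service, fingerprint = info
        if fingerprint in fetch(rec.name):
            findings.append((rec.name, rec.target, service))
    return findings


def records_referencing(records: List[Record], resource_host: str) -> List[Record]:
    """Pre-decommission guard: every record still pointing at the resource about
    to be deleted. These must be removed before the cloud resource is released."""
    wanted = resource_host.rstrip(".").lower()
    return [r for r in records if r.target.rstrip(".").lower() == wanted]


# Constructed zone inventory (not from a real zone).
SAMPLE_RECORDS = [
    Record("docs.example.com", "CNAME", "example-bucket.s3.amazonaws.com."),
    Record("blog.example.com", "CNAME", "example-org.github.io."),
    Record("www.example.com", "CNAME", "web.example.com."),
    Record("web.example.com", "A", "198.51.100.10"),
]

# Constructed HTTP responses standing in for a live fetch.
SAMPLE_BODIES = {
    "docs.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "blog.example.com": "<html>Welcome to the blog</html>",
}


def mock_fetch(hostname: str) -> str:
    return SAMPLE_BODIES.get(hostname, "")


def audit_sample() -> List[Tuple[str, str, str]]:
    return find_dangling(SAMPLE_RECORDS, mock_fetch)


def decommission_check_sample(resource_host: str) -> List[Record]:
    return records_referencing(SAMPLE_RECORDS, resource_host)


if __name__ == "__main__":
    for name, target, service in audit_sample():
        print(f"DANGLING: {name} -> {target} ({service})")
    for rec in decommission_check_sample("example-bucket.s3.amazonaws.com"):
        print(f"Remove before decommissioning: {rec.name} {rec.rtype} {rec.target}")
```

Running the audit reports only docs.example.com: its target is a recognised third-party host and the response carries the NoSuchBucket fingerprint, whereas blog.example.com resolves to a third party that is still serving content and www.example.com points at an internal name. The guard run against example-bucket.s3.amazonaws.com returns that same record, which is the one a decommissioning workflow must delete before the bucket itself is released.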

What DNS record types are vulnerable to takeovers?

CNAME, DNAME, MX, and even A/AAAA records can be vulnerable if they point to third-party hosting platforms that allocate IP addresses dynamically, since a released address may later be assigned to another tenant.

Does the ReconShield Subdomain Finder detect takeovers?

It identifies subdomains that resolve to external cloud endpoints, allowing administrators to audit if those targets are active.