Subdomain Takeovers: What They Are, How They Happen, and How to Stop Them

Subdomain Takeovers are powerful SEO poison. You'll want to read this.

If you’re seeing strange, spammy pages indexed under one of your subdomains, you’re not imagining it. You could be facing a subdomain takeover, a sneaky and increasingly common security misstep that affects websites large and small.

We’ll explain exactly what a subdomain takeover is, how it happens, how to detect it, and the steps you can take to prevent it from ever happening again.


What Is a Subdomain Takeover?

A subdomain takeover occurs when a subdomain (like blog.yoursite.com) is still pointing to an external service — like GitHub Pages, Heroku, Shopify, or a retired CDN — but that service is no longer active or controlled by your account. If the DNS record still exists, but the service doesn’t, someone else can often claim it and serve their own content under your trusted domain.

To the outside world, it looks like that content is coming from blog.yoursite.com. Search engines index it. Users might click it. And it may be full of SEO spam, phishing pages, or malicious code.

In short: it’s a ghost town with an open door, and someone else moved in.


How Subdomain Takeovers Happen

Here’s the typical chain of events:

  1. You use a third-party service — say, GitHub Pages — and point docs.yoursite.com to it via a CNAME or A record.
  2. Later, you stop using the service, delete the GitHub repo, or close the Heroku app… but forget to remove the DNS record.
  3. The DNS still resolves, but the destination returns a 404 or “no such site” message.
  4. A malicious actor checks that endpoint, sees it’s unclaimed, and registers their own GitHub repo or Heroku app with the same name.
  5. Now your subdomain is serving their content.

This can happen across dozens of platforms: GitHub, Heroku, Shopify, Bitbucket, WordPress.com, Amazon S3, Netlify, and more.

In some cases, attackers even set up redirect chains to malicious software, crypto scams, or spammy link farms.


How to Detect a Subdomain Takeover

You may have no idea it’s happened… until one of these signs shows up:

  • Weird spammy pages indexed in Google — You search site:blog.yoursite.com and see Chinese characters, casino links, or download pages.
  • Google Search Console alerts — Warnings for unusual content, malware, or manual actions.
  • Visitors report phishing or unsafe site warnings — Your brand’s subdomain is now flagged by Chrome or Firefox.
  • Unusual outbound traffic — Analytics or monitoring tools show visits to unexpected subdomains.
  • curl or browser tests show 404s or “no such site” errors on a subdomain with active DNS.

These are not harmless anomalies. They mean your brand is being hijacked from the inside out.


How to Audit for Vulnerable Subdomains

Follow this checklist to run a full audit:

1. Inventory All Subdomains

Use tools like:

2. Check for Dead or Unresolved Targets

Look for DNS records pointing to services that return:

  • 404
  • “No such app”
  • “There is nothing here yet”
  • Blank or generic holding pages

3. Probe With Tools

Use automated tools like:

4. Check Search Engine Indexes

Run:

site:subdomain.yourdomain.com

If you see content you didn’t publish — you’ve got a problem.
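
Step 2 of the checklist above can be scripted against a DNS export. The following is an added example, not code from the original article: it classifies each record by whether its CNAME target is a third-party host and whether the response looks dead. The suffix list, function names and sample records are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Hosting suffixes for platforms the article names (assumed list; extend it).
THIRD_PARTY = (".github.io", ".herokuapp.com", ".netlify.app",
               ".s3.amazonaws.com", ".myshopify.com")
# Dead-target markers quoted from step 2 of the checklist.
DEAD_MARKERS = ("no such app", "there is nothing here yet")

def probe(host, timeout=5):
    """Fetch http://host/ and return (status, body); (None, '') if unreachable."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:   # 4xx/5xx still carry a body to inspect
        return e.code, e.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def classify(cname_target, status, body):
    """Return 'ok', 'review' or 'dangling' for one record and its response."""
    external = cname_target.rstrip(".").lower().endswith(THIRD_PARTY)
    text = body.strip().lower()
    dead = status in (None, 404) or any(m in text for m in DEAD_MARKERS)
    if external and dead:
        return "dangling"   # DNS points at a service that no longer answers for us
    if dead or (external and not text):
        return "review"     # internal 404, or a blank holding page on a third party
    return "ok"

def audit(records, fetch=probe):
    """records: iterable of (subdomain, cname_target). Returns {subdomain: verdict}."""
    return {name: classify(target, *fetch(name)) for name, target in records}

# Constructed sample data so the example runs offline.
SAMPLE_RECORDS = [("docs.example.com", "example-docs.github.io."),
                  ("shop.example.com", "example.myshopify.com."),
                  ("www.example.com", "lb.example.com.")]
SAMPLE_RESPONSES = {"docs.example.com": (404, "Not Found"),
                    "shop.example.com": (200, "<html>Storefront</html>"),
                    "www.example.com": (200, "<html>Home</html>")}

def sample_fetch(host):
    return SAMPLE_RESPONSES[host]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RECORDS, fetch=sample_fetch).items():
        print(f"{verdict:9} {name}")
```

Calling `audit(records)` without the `fetch` argument uses the live `probe`; run it only against records exported from zones you manage, and treat every `dangling` result as a DNS record to delete.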


How to Prevent Subdomain Takeovers

1. Remove Unused DNS Records

This is the #1 fix. If a service is no longer in use, delete the associated CNAME or A record. Leaving it in place is like leaving your car unlocked with the keys on the seat.

2. Use DNS Monitoring

Set up alerts when new subdomains are created or modified. Cloudflare, DNSFilter, and AWS Route 53 can all help with this.

3. Implement a Subdomain Policy

Have a written policy for managing third-party integrations and how DNS changes are handled across teams. Include expiry dates for temporary services.

4. Educate Your Dev Team

Make sure engineers and IT staff know the risks of deleting apps without deleting DNS, especially on platforms like:

  • GitHub Pages
  • Heroku
  • Netlify
  • Amazon S3 static hosting

5. Use External Scanning Tools Regularly

Schedule scans quarterly (or monthly) using tools like Subjack, Subzy, or Bugcrowd’s monitoring stack.


Don’t Ignore This. We’re Warning You!

Subdomain takeovers are subtle but dangerous. You might not notice until your domain reputation takes a hit, your search rankings tank, or your brand appears on a phishing blacklist.

The good news: they’re completely preventable. All it takes is regular cleanup, awareness, and a few tools to keep your DNS tidy and your domain in your control.

Want help auditing your subdomains or securing your DNS? Let’s talk.
