Subdomain Hijacking and the Danger of Dangling DNS Records
Kevin Taylor
Subdomain hijacking needs no stolen password and no compromised server. It needs only a Domain Name System (DNS) record you forgot about, still pointing at a cloud service you stopped paying for, and the patience to claim that service before you notice.
The attacker then publishes whatever they like on a hostname that genuinely belongs to your domain, inheriting your reputation wholesale.
This differs from the takeover of an entire domain through registrar accounts, which has its own anatomy and defenses.
The Anatomy of a Dangling Record
The pattern starts innocently. A team spins up a marketing site, a status page, or a trial service on a cloud platform, points a hostname such as shop, status, or demo at it through a CNAME, and eventually retires the service without retiring the record.
The record now dangles, resolving to a platform endpoint that nobody owns. On many platforms, anyone can register a new resource claiming that endpoint name, at which point your subdomain serves their content. Phishing pages hosted this way are devastating precisely because the address bar tells visitors the truth, that the hostname really is yours.
The SSL Certificate Dimension
A hijacked subdomain becomes more convincing still when secured, and an attacker controlling the content of a hostname can frequently pass Domain Control Validation (DCV) for that exact hostname, obtaining a perfectly genuine SSL Certificate for the subdomain they squat on. The padlock then vouches for the attacker.
Certification Authority Authorization (CAA) records are the structural defense on this front, declaring which Certificate Authority (CA) may issue for your domain at all and shrinking the attacker's options.
Finding Your Own Dangling Records
The audit is a walk through the zone file asking one question of every CNAME and every address record pointing outside your infrastructure, namely whether the destination still belongs to you. Records pointing at cloud storage endpoints, hosting platforms, and retired third party services deserve the closest look.
Resolve each suspect name and visit it. A platform error page announcing that the resource does not exist is the exact signature of a claimable endpoint, and that record should come out the same day.
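The audit described above, as an added example that is not part of the original article: it walks a constructed zone for example.com, flags every CNAME or address record that points outside infrastructure you own, and marks a CNAME whose target no longer resolves as dangling. Live DNS lookups are replaced by a hypothetical RESOLVE table so the script runs offline; the owned networks and name suffixes are likewise assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample zone (RFC 5737 addresses, invented .example targets).
ZONE = """
www     IN  A      203.0.113.10
shop    IN  CNAME  shop-example.myshopify-like.example.
status  IN  CNAME  example-status.statuspage-like.example.
demo    IN  CNAME  demo-app.paas-like.example.
mail    IN  A      203.0.113.25
api     IN  CNAME  edge.example.com.
"""

# Hypothetical: address space and hostnames the organisation actually owns.
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
OWNED_SUFFIXES = ("example.com.",)

# Hypothetical stand-in for live resolution so the example runs offline.
# None means the CNAME target no longer resolves: the dangling signature.
# A target that resolves can still be claimable (platform "not found" page),
# which is the manual visit the article asks for and is not modelled here.
RESOLVE = {
    "shop-example.myshopify-like.example.": "198.51.100.7",
    "example-status.statuspage-like.example.": None,
    "demo-app.paas-like.example.": None,
    "edge.example.com.": "203.0.113.40",
}


@dataclass
class Finding:
    name: str
    rtype: str
    target: str
    verdict: str  # "owned", "external" (review), or "dangling" (remove today)


def parse_zone(text):
    """Yield (name, type, target) for the simple 'name IN TYPE target' lines."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN":
            yield parts[0], parts[2], parts[3]


def classify(name, rtype, target, resolve=RESOLVE):
    if rtype == "A":  # addresses: owned range or third-party space to review
        addr = ipaddress.ip_address(target)
        return "owned" if any(addr in n for n in OWNED_NETS) else "external"
    if target.endswith(OWNED_SUFFIXES):  # CNAME back into your own zone
        return "owned"
    return "dangling" if resolve.get(target) is None else "external"


def audit(zone_text=ZONE, resolve=RESOLVE):
    return [Finding(n, t, tg, classify(n, t, tg, resolve))
            for n, t, tg in parse_zone(zone_text)]


def dangling(zone_text=ZONE, resolve=RESOLVE):
    """Names whose records should come out the same day."""
    return [f.name for f in audit(zone_text, resolve) if f.verdict == "dangling"]
```

Run against a real zone by replacing ZONE with an export from your DNS provider and RESOLVE with an actual lookup, and treat every "external" verdict as a record to confirm by hand.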
Important: Make record removal part of decommissioning, not a separate cleanup someone remembers later. The window between a service being retired and its record being deleted is the entire attack surface, and a one-line checklist item closes it permanently.
Cleanup closes the existing exposure, and two further habits limit the next one.
Reducing the Blast Radius
Beyond cleanup, two habits shrink what a hijack can achieve. Keeping CAA records published narrows issuance, and watching Certificate Transparency logs for your domain reveals any SSL Certificate issued for a hostname you did not request, which is often the first visible trace of a squatted subdomain.
Subdomains that genuinely should serve content deserve genuine coverage, and a Wildcard SSL Certificate keeps every legitimate name at one level secured under your control rather than leaving gaps an attacker can fill first.