
Author: Government Security Group

Potential subdomain takeover

What this means

Potential subdomain takeover occurs when a subdomain has a CNAME record pointing to a service that no longer responds for that domain.

When a domain points to a non-existing record, a malicious actor could potentially exploit this by creating a page on the third-party service using the same host name.

This can lead to an attacker gaining control over the site and using it to serve malicious content or phishing pages, for example by:

  • redirecting users to fraudulent websites
  • distributing malware
  • conducting phishing attacks by mimicking legitimate services
  • compromising user data and privacy through session hijacking or cookie theft

This can severely damage the reputation of the affected domain and lead to further security breaches.

Why this is a problem

Subdomain takeovers pose significant security risks, such as:

  • phishing attacks – attackers can host malicious content on the subdomain, leveraging the trust associated with the main domain
  • data theft – sensitive information can be stolen if users are tricked into interacting with the compromised subdomain
  • reputational damage – an organisation’s reputation can be severely damaged if the subdomain is used for malicious purposes
  • session hijacking – attackers may be able to steal user session cookies, potentially leading to unauthorised access

How to check if the problem is still there

Use dig to query the CNAME record for the subdomain.

Example

dig CNAME subdomain.example.gov.uk +short

subdomain.examplesupplier.co.uk

Check if the CNAME record resolves. Take the output of the previous command and check for a further CNAME record.

dig CNAME subdomain.examplesupplier.co.uk +short

subdomain.examplesupplier2.co.uk

Keep following the CNAME chain until you do not get a response for the CNAME query. When you reach a domain without a CNAME, check for an A record.

dig A subdomain.examplesupplier2.co.uk

If the response is NXDOMAIN (Non-Existent Domain), it indicates that the page does not exist on the third-party service.
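The chain-following check above, as an added Python example (not from the original page): it replays the dig steps against a small constructed zone table so it runs offline, and includes an optional dig-backed resolver for real use (assumes dig is installed on the host).

```python
import subprocess

# Constructed sample zone (not real records) mirroring the page's example:
# a gov.uk subdomain whose CNAME chain ends in a name that no longer exists.
SAMPLE_ZONE = {
    "subdomain.example.gov.uk": ("CNAME", "subdomain.examplesupplier.co.uk"),
    "subdomain.examplesupplier.co.uk": ("CNAME", "subdomain.examplesupplier2.co.uk"),
    "healthy.example.gov.uk": ("CNAME", "web.examplesupplier.co.uk"),
    "web.examplesupplier.co.uk": ("A", "192.0.2.10"),
}

MAX_HOPS = 8  # guard against CNAME loops


def table_resolver(name, zone=SAMPLE_ZONE):
    """Offline stand-in resolver: (rtype, value), or None for NXDOMAIN."""
    return zone.get(name.lower().rstrip("."))


def dig_resolver(name):
    """Resolver built on the same dig commands as the page (needs network)."""
    cname = subprocess.run(["dig", "+short", "CNAME", name],
                           capture_output=True, text=True).stdout.strip()
    if cname:
        return ("CNAME", cname.splitlines()[0].rstrip("."))
    full = subprocess.run(["dig", "A", name], capture_output=True, text=True).stdout
    if "status: NXDOMAIN" in full:
        return None  # the page's signal for a potential takeover
    return ("A", full)


def follow_cname_chain(name, resolver=table_resolver):
    """Walk the CNAME chain from name. Returns (chain, status) where status is
    'ok' (terminus has a non-CNAME record), 'dangling' (a CNAME points at an
    NXDOMAIN name), 'nxdomain' (the starting name itself does not exist) or
    'loop' (the chain never terminates)."""
    chain, seen = [name], {name}
    for _ in range(MAX_HOPS):
        record = resolver(name)
        if record is None:
            return chain, "dangling" if len(chain) > 1 else "nxdomain"
        rtype, target = record
        if rtype != "CNAME":
            return chain, "ok"
        if target in seen:
            return chain, "loop"
        seen.add(target)
        chain.append(target)
        name = target
    return chain, "loop"
```

Pass `resolver=dig_resolver` to run the same walk against live DNS for a subdomain you administer.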

How to fix it

Update the DNS records:

  • remove or correct any CNAME records that point to non-existing pages
  • ensure that all DNS records are pointing to valid and active services
  • decommission unused subdomains. If the subdomain is no longer needed, remove the DNS records to prevent potential misuse
  • implement change control policies to manage the lifecycle of DNS records, from creation to removal, so that when third-party services are removed or decommissioned the corresponding DNS records are tidied up

By keeping your DNS records properly configured and pointing to valid services, you can mitigate the risk of subdomain takeover and ensure that your domain’s users are directed to the intended destinations.
