What is Subdomain Takeover? Dangling DNS Records Explained

Dangling DNS Records (Subdomain Takeover)

Subdomain takeover occurs when a DNS record (usually a CNAME) points to an external service — like Vercel, Netlify, Heroku, or AWS S3 — that has been deleted or deprovisioned. An attacker can register a new project on that same platform, claim the dangling subdomain, and serve arbitrary content under your domain name. It falls under CWE-284 (Improper Access Control) because the root cause is a failure to control who can serve content on your infrastructure.

What is Subdomain Takeover?

You deployed a staging app to Vercel at staging.yourapp.com. You set up a CNAME record pointing staging.yourapp.com to cname.vercel-dns.com. A few months later, you delete the Vercel project — but forget to remove the DNS record.

Now that CNAME is dangling. It points to Vercel, but no project is behind it. An attacker creates a new Vercel project, adds staging.yourapp.com as a custom domain, and Vercel happily verifies it — because the CNAME already points there. The attacker now controls content on your subdomain.

This isn't theoretical. Subdomain takeovers are used for phishing campaigns, cookie theft (if cookies are scoped to .yourapp.com), and bypassing email security policies. The attacker's page looks completely legitimate because it's literally on your domain.

How does Subdomain Takeover work?

The attack targets the gap between your DNS configuration and your cloud infrastructure. When a CNAME points to a service that no longer exists, the subdomain is up for grabs on that platform.

Here's how the dangling record typically gets created:

Vulnerable — dangling CNAME after project deletion

# DNS records for yourapp.com
# (managed in Cloudflare, Route53, etc.)

# Active — points to your production app
yourapp.com.        A     76.76.21.21

# DANGLING — the Vercel project was deleted,
# but this CNAME still exists
staging.yourapp.com.  CNAME  cname.vercel-dns.com.

# DANGLING — old Netlify site, deprovisioned
docs.yourapp.com.     CNAME  yourapp-docs.netlify.app.

# DANGLING — Heroku app removed months ago
api-v1.yourapp.com.   CNAME  yourapp-api-v1.herokuapp.com.

Fixed — stale records removed, active records verified

# DNS records for yourapp.com
# Audit completed: 2026-03-29

# Active — production app on Vercel
yourapp.com.          A     76.76.21.21

# Active — current docs site (verified project exists)
docs.yourapp.com.     CNAME  yourapp-docs-v2.netlify.app.

# REMOVED: staging.yourapp.com (project deleted)
# REMOVED: api-v1.yourapp.com (migrated to /api/v1)

# Tip: run periodic DNS audits. For every CNAME,
# verify the target service still exists and you
# control it. Automate this with a cron job.

Why do AI tools generate Subdomain Takeover vulnerabilities?

AI tools don't directly create subdomain takeover vulnerabilities — but they accelerate the workflow that leads to them. When spinning up and tearing down projects is fast, DNS hygiene gets left behind.

Rapid prototyping creates infrastructure sprawl. You deploy three versions of a project to Vercel in a week. The DNS records pile up. When you delete the old projects, the records stay.
AI-generated deploy scripts skip cleanup. "Deploy this to Netlify" gets you a working deploy. Nobody asks the AI to also write the teardown script that removes DNS records.
Platform guides focus on setup, not decommission. Every tutorial shows how to add a custom domain. Almost none explain what to do when you remove the project behind it.

The vulnerability isn't in the code — it's in the infrastructure. Every project you ship and later abandon is a potential takeover target. The faster you build, the more dangling records you leave behind.

Common Subdomain Takeover patterns

Deleted Vercel/Netlify projects

CNAME still points to the platform, but the project is gone. Anyone on the platform can claim the subdomain.

Deprovisioned Heroku apps

Heroku app names are globally unique. Once you delete yours, someone else can register the same name and inherit your CNAME.

Removed S3 buckets

A CNAME pointing to an S3 bucket that no longer exists. An attacker creates a bucket with the same name in the same region.

Expired GitHub Pages sites

A CNAME pointing to a GitHub Pages site for a repo that was deleted or made private without removing the custom domain config.

How Flowpatrol detects Subdomain Takeover

Flowpatrol checks for dangling DNS records by resolving your subdomains and verifying the services behind them:

1Enumerates subdomains using DNS records, certificate transparency logs, and common subdomain patterns.
2Resolves each CNAME chain and identifies which cloud platform the record points to.
3Checks for takeover signals — looks for error pages, 404s, and platform-specific "site not found" responses that indicate the service doesn't exist.
4Reports vulnerable subdomains with the dangling record, the target platform, and the exact DNS change needed to fix it.

Dangling DNS records are invisible until someone exploits them. Flowpatrol finds them before that happens.

Check your subdomains for dangling records.

Flowpatrol scans your DNS for abandoned cloud services. Find the records you forgot to clean up — before someone else claims them.

Try it free

Dangling DNS Records (Subdomain Takeover)

What is Subdomain Takeover?

How does Subdomain Takeover work?

The attack targets the gap between your DNS configuration and your cloud infrastructure. When a CNAME points to a service that no longer exists, the subdomain is up for grabs on that platform.

Here's how the dangling record typically gets created:

Vulnerable — dangling CNAME after project deletion

# DNS records for yourapp.com
# (managed in Cloudflare, Route53, etc.)

# Active — points to your production app
yourapp.com.        A     76.76.21.21

# DANGLING — the Vercel project was deleted,
# but this CNAME still exists
staging.yourapp.com.  CNAME  cname.vercel-dns.com.

# DANGLING — old Netlify site, deprovisioned
docs.yourapp.com.     CNAME  yourapp-docs.netlify.app.

# DANGLING — Heroku app removed months ago
api-v1.yourapp.com.   CNAME  yourapp-api-v1.herokuapp.com.

Fixed — stale records removed, active records verified

# DNS records for yourapp.com
# Audit completed: 2026-03-29

# Active — production app on Vercel
yourapp.com.          A     76.76.21.21

# Active — current docs site (verified project exists)
docs.yourapp.com.     CNAME  yourapp-docs-v2.netlify.app.

# REMOVED: staging.yourapp.com (project deleted)
# REMOVED: api-v1.yourapp.com (migrated to /api/v1)

# Tip: run periodic DNS audits. For every CNAME,
# verify the target service still exists and you
# control it. Automate this with a cron job.

Why do AI tools generate Subdomain Takeover vulnerabilities?

Rapid prototyping creates infrastructure sprawl. You deploy three versions of a project to Vercel in a week. The DNS records pile up. When you delete the old projects, the records stay.
AI-generated deploy scripts skip cleanup. "Deploy this to Netlify" gets you a working deploy. Nobody asks the AI to also write the teardown script that removes DNS records.
Platform guides focus on setup, not decommission. Every tutorial shows how to add a custom domain. Almost none explain what to do when you remove the project behind it.

Common Subdomain Takeover patterns

Deleted Vercel/Netlify projects

CNAME still points to the platform, but the project is gone. Anyone on the platform can claim the subdomain.

Deprovisioned Heroku apps

Heroku app names are globally unique. Once you delete yours, someone else can register the same name and inherit your CNAME.

Removed S3 buckets

A CNAME pointing to an S3 bucket that no longer exists. An attacker creates a bucket with the same name in the same region.

Expired GitHub Pages sites

A CNAME pointing to a GitHub Pages site for a repo that was deleted or made private without removing the custom domain config.

How Flowpatrol detects Subdomain Takeover

Flowpatrol checks for dangling DNS records by resolving your subdomains and verifying the services behind them:

1Enumerates subdomains using DNS records, certificate transparency logs, and common subdomain patterns.
2Resolves each CNAME chain and identifies which cloud platform the record points to.
3Checks for takeover signals — looks for error pages, 404s, and platform-specific "site not found" responses that indicate the service doesn't exist.
4Reports vulnerable subdomains with the dangling record, the target platform, and the exact DNS change needed to fix it.

Dangling DNS records are invisible until someone exploits them. Flowpatrol finds them before that happens.

Dangling DNS Records (Subdomain Takeover)