Free Subdomain Takeover Checker
Find dangling DNS records vulnerable to takeover
Enter a domain to discover subdomains via certificate transparency logs, then check each one for dangling CNAME records pointing to unclaimed services like GitHub Pages, Heroku, S3, Azure, and more. A dangling CNAME means an attacker could register the target service and serve malicious content on your subdomain.
How it works
How Subdomain Takeover Checker works
Enter your domain
Type any domain name. We'll enumerate its subdomains using certificate transparency logs — a passive technique that doesn't touch the target's servers.
Check CNAME records
For each discovered subdomain, we query DNS for CNAME records and check whether they point to known cloud services that could be claimed by an attacker.
Identify takeover risks
Subdomains with dangling CNAMEs are flagged with the affected service and risk level. You get specific remediation steps for each vulnerable subdomain.
Features
What Subdomain Takeover Checker checks
Enumerate subdomains passively
Discovers subdomains via certificate transparency logs without sending any traffic to the target domain. This reveals subdomains that may have been forgotten or decommissioned.
Detect dangling CNAME records
Queries DNS for CNAME records and identifies those pointing to services that are no longer configured — the key indicator of a subdomain takeover vulnerability.
Check major cloud service providers
Tests for dangling references to GitHub Pages, Heroku, AWS S3, Azure, Shopify, Fastly, Pantheon, Tumblr, and other services known to be vulnerable to subdomain takeover.
Verify service availability
For flagged subdomains, attempts to fetch the URL to confirm the service returns an error or default page — distinguishing between active services and truly dangling references.
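The CNAME check and availability verification described above, as an added example (not the checker's own code): it triages an exported record list offline so DNS owners can see which entries need cleanup. The service suffixes, fingerprint strings, record fields and the example.com inventory are assumptions constructed for illustration.

```python
# Suffixes and fingerprint strings are illustrative assumptions, not the tool's list.
SERVICES = {
    ".github.io": ("GitHub Pages", "There isn't a GitHub Pages site here"),
    ".herokuapp.com": ("Heroku", "No such app"),
    ".s3.amazonaws.com": ("AWS S3", "NoSuchBucket"),
}

def match_service(cname):
    """Return (service, fingerprint) when the CNAME target sits under a known suffix."""
    target = cname.rstrip(".").lower()  # DNS names are case-insensitive; drop the root dot
    for suffix, info in SERVICES.items():
        # The leading dot in each suffix stops "evilgithub.io" matching ".github.io".
        if target.endswith(suffix):
            return info
    return None

def assess(record):
    """Classify one record as no-cname, unlisted, dangling, or active."""
    if not record.get("cname"):
        return ("no-cname", None)
    hit = match_service(record["cname"])
    if hit is None:
        return ("unlisted", None)  # target is not a service in the table
    service, fingerprint = hit
    if not record["target_resolves"]:
        return ("dangling", service)  # CNAME target no longer exists in DNS
    if fingerprint in (record.get("body") or ""):
        return ("dangling", service)  # provider serves its "unclaimed" page
    return ("active", service)

def audit(records):
    """Return {subdomain: service} for every record that needs DNS cleanup."""
    results = ((rec["name"], assess(rec)) for rec in records)
    return {name: svc for name, (status, svc) in results if status == "dangling"}

# Constructed inventory; in practice this comes from a zone export plus fetch results.
INVENTORY = [
    {"name": "docs.example.com", "cname": "example-org.github.io.", "target_resolves": True,
     "body": "<p>There isn't a GitHub Pages site here.</p>"},
    {"name": "shop.example.com", "cname": "Example-Shop.herokuapp.com", "target_resolves": True,
     "body": "<h1>Welcome to the shop</h1>"},
    {"name": "old.example.com", "cname": "legacy-assets.s3.amazonaws.com", "target_resolves": True,
     "body": "<Error><Code>NoSuchBucket</Code></Error>"},
    {"name": "beta.example.com", "cname": "example-beta.herokuapp.com", "target_resolves": False, "body": None},
    {"name": "cdn.example.com", "cname": "edge.evilgithub.io", "target_resolves": True, "body": ""},
]
```

Calling `audit(INVENTORY)` returns the three dangling entries (docs, old, beta); the active Heroku app and the look-alike `evilgithub.io` target are not flagged.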
Use cases
Who should use the free Subdomain Takeover Checker
Security Teams
Regularly scan your organization's domains for dangling DNS records. Subdomain takeovers are high impact, easy to exploit, and frequently overlooked in security programs.
Bug Bounty Hunters
Quickly check a target's subdomain footprint for takeover vulnerabilities. Subdomain takeovers are one of the most commonly reported and rewarded bug bounty findings.
DevOps Engineers
Verify that DNS cleanup happens when decommissioning services. A forgotten CNAME after shutting down a Heroku app or S3 bucket creates an immediate takeover risk.
Go beyond Subdomain Takeover Checker
This free Subdomain Takeover Checker checks a handful of things. Maced's AI pentest checks thousands.
Get a full autonomous penetration test — including OWASP Top 10, authentication flaws, business logic errors, API security, and more — with a compliance-ready report in hours.
Proof of exploit on every finding · SOC 2 & ISO 27001 compatible