Subdomain Takeover Checker

Find dangling subdomains an attacker could hijack to impersonate you.

Subdomain takeover is one of the most overlooked risks on the internet. You spin up a subdomain pointing at a third-party service — a GitHub Pages site, an S3 bucket, a Heroku app — and later tear the service down, but forget to remove the DNS record. That record now dangles: it still points at the provider, but the resource is gone, so anyone can re-register it and serve their content from your subdomain. Because the subdomain is genuinely yours, browsers and users trust it completely. A subdomain takeover checker finds those dangling records before an attacker does.

What it checks
  • Subdomains with a CNAME pointing at a service whose target no longer resolves (dangling)
  • Subdomains pointing at unclaimed GitHub Pages, S3, Heroku, Shopify, Azure, Netlify and other services
  • The provider's "unclaimed resource" fingerprint that confirms a takeover is possible
  • Both your discovered subdomains and a list of common subdomain names
  • Newly at-risk subdomains since the last check

Why it matters

A hijacked subdomain inherits all the trust of your brand: it serves over your own domain, often with a valid certificate, so phishing pages, cookie theft and OAuth abuse become far more convincing. The risk is insidious because it appears through inaction — a service is decommissioned, the DNS record is left behind, and nothing looks wrong until someone claims it. Continuous checking turns that silent gap into an alert while it is still just a misconfiguration.

How BrandSentryPro does it

Add your domain as a monitor and BrandSentryPro checks your subdomains — the ones it has discovered plus common names — resolving each one's DNS and testing whether it points at a dangling or unclaimed third-party resource. It re-checks over time and flags any newly at-risk subdomain, so a record that becomes exploitable after a service shutdown is caught early.

Frequently asked questions

What is a subdomain takeover?
It happens when a subdomain's DNS record points at a third-party service (like GitHub Pages or S3) whose underlying resource has been removed. The record is left "dangling", so an attacker can claim that resource and serve their own content from your subdomain.
How dangerous is a subdomain takeover?
Very. The attacker controls content on a subdomain your users and browsers already trust as yours — ideal for convincing phishing, stealing cookies scoped to your domain, and abusing OAuth or single sign-on flows. It also damages brand reputation.
How do I prevent subdomain takeovers?
Remove or update DNS records as soon as you decommission the service they point to, and audit your subdomains regularly for dangling records. A subdomain takeover checker automates that audit and warns you when a new at-risk record appears.

Related checkers

All in one place

Run this check automatically

Add a monitor and BrandSentryPro keeps every check running for you — with alerts the moment something needs attention.

Get started