--- title: What is Subdomain Takeover? date: 2026-06-20 --- # What is Subdomain Takeover? A subdomain takeover happens when a DNS CNAME record points to a cloud service that no longer exists. The domain resolves, but the service behind it is gone — leaving an attacker the opportunity to claim it. ## How it works 1. You create a CNAME record: `blog.example.com → example.herokuapp.com` 2. You delete the Heroku app but forget to remove the DNS record 3. An attacker creates a new Heroku app at `example.herokuapp.com` 4. Your `blog.example.com` now serves the attacker's content ## Why it matters Attackers can host phishing pages, serve malware, or steal cookies on your domain. To users, it looks like your site. To security scanners, it's a critical vulnerability. ## How to protect yourself - Audit your DNS records regularly - Remove CNAME records when you decommission services - Use a monitoring tool like [Subscan](https://tryvex.cc) to scan automatically [← Back to blog](/blog)