Domain/Subdomain takeover
👉 Overview
👀 What ?
Domain/Subdomain takeover is the act of claiming a name that an organisation's DNS still points to but that nobody controls anymore. It comes in two forms. In the first, a registered domain expires or is deleted while other records (CNAME, MX or NS) still reference it; whoever re-registers the domain inherits that traffic. In the second, and more common, form a subdomain's CNAME points at a resource on a third-party service (a cloud hosting provider, CDN or similar) that has since been de-provisioned. Because such providers hand out hostnames on demand, an attacker simply re-creates the resource, and the organisation's subdomain now serves content the attacker controls.
🧐 Why ?
A taken-over name inherits the trust of the domain it sits under. It carries the organisation's brand, so phishing pages and malware downloads hosted on it look legitimate, and cookies scoped to the parent domain are sent to it by victims' browsers. Website owners and administrators need to treat every DNS record that points outside their control as an asset that must be tracked until it is removed.
⛏️ How ?
To prevent takeovers, inventory your DNS records and check every CNAME, MX and NS target regularly: does the target name still resolve, and is the resource it names still yours? Tools like dig or nslookup (for example `dig +short CNAME sub.example.com`, then resolving the answer) or a scripted check over a zone export do this quickly. Any record whose target no longer exists should be removed immediately. When decommissioning a service, reverse the order in which it was built: delete or update the DNS record first, then release the hosting resource, so there is never a window in which the record points at a name someone else can claim.
⏳ When ?
Expired domains still referenced by DNS have been abused for as long as domains have been allowed to lapse. The subdomain variant became widespread as organisations moved to cloud services, where hostnames are provisioned and deleted on demand and short-lived projects routinely leave their DNS records behind.
⚙️ Technical Explanations
Subdomain takeover is a DNS hygiene failure rather than a protocol flaw. A subdomain is pointed, usually via CNAME, at an external service hostname. The service is later deleted, but the record stays. The name still resolves as far as the organisation's zone is concerned; only the final target answers NXDOMAIN or a provider "not found" page. An attacker who can create a resource with that same hostname at the provider now controls what the subdomain serves, without touching the victim's DNS at all. Two conditions must both hold: the record is dangling, and the provider lets anyone claim the name without proving ownership of the pointing domain (many providers now require such verification, which closes the gap for their namespace). The problem is worst in large organisations, where subdomains and external services are created by many teams and nobody owns the list of records that point outside.
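The check described in the "How" section, and the dangling-CNAME mechanism explained just above, as an added example (this is not code from the original page): it parses a BIND-style zone export, keeps the CNAMEs that point outside the zone, and flags those whose target no longer resolves. The zone contents, the provider hostnames under the reserved `.test` TLD and the `STILL_PROVISIONED` table are constructed so the demo runs offline; for a live audit, call `find_dangling` with the default `live_resolves`, which uses the system resolver.

```python
"""Find dangling CNAME records in a BIND-style zone export.

Added example, not code from the original page. A CNAME whose target no
longer resolves (NXDOMAIN) is a takeover candidate whenever that target
lives in a namespace a third party hands out on demand, because the
attacker only has to re-create the name at the provider.
"""
import socket
from typing import Callable, List, NamedTuple, Optional


class Record(NamedTuple):
    name: str      # fully qualified, lowercase, no trailing dot
    ttl: int
    rtype: str
    rdata: str     # for CNAME: qualified target; other types kept verbatim


class Finding(NamedTuple):
    name: str
    target: str
    reason: str


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into an absolute, normalised hostname."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str, default_origin: str = "") -> List[Record]:
    """Parse lines of the form 'name [ttl] IN TYPE rdata'; honours $ORIGIN."""
    origin = default_origin.rstrip(".").lower()
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0].startswith("$"):                 # $TTL etc. are irrelevant here
            continue
        if fields[1].isdigit():                        # 'name ttl IN TYPE rdata'
            ttl, rtype, rest = int(fields[1]), fields[3].upper(), fields[4:]
        else:                                          # 'name IN TYPE rdata'
            ttl, rtype, rest = 3600, fields[2].upper(), fields[3:]
        rdata = " ".join(rest)
        if rtype == "CNAME":
            rdata = qualify(rdata, origin)
        records.append(Record(qualify(fields[0], origin), ttl, rtype, rdata))
    return records


def live_resolves(hostname: str) -> Optional[bool]:
    """True if the name has address records, False on NXDOMAIN/NODATA,
    None when the lookup failed transiently (re-check rather than trust it)."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            return None
        return False


def find_dangling(records: List[Record], zone_apex: str,
                  resolves: Callable[[str], Optional[bool]] = live_resolves
                  ) -> List[Finding]:
    """Report CNAMEs that point outside the zone at a name that no longer exists."""
    apex = zone_apex.rstrip(".").lower()
    findings: List[Finding] = []
    for rec in records:
        if rec.rtype != "CNAME":
            continue
        target = rec.rdata
        if target == apex or target.endswith("." + apex):
            continue          # in-zone targets cannot be claimed by an outsider
        status = resolves(target)
        if status is False:
            findings.append(Finding(rec.name, target, "target does not resolve (NXDOMAIN)"))
        elif status is None:
            findings.append(Finding(rec.name, target, "lookup failed, re-check"))
    return findings


# Constructed zone export; example.com and the .test TLD are reserved for documentation.
SAMPLE_ZONE = """
$ORIGIN example.com.
@        3600 IN A     192.0.2.10
@        3600 IN TXT   "v=spf1 -all"
www      3600 IN CNAME example.com.
blog      300 IN CNAME app-7f3a.pages.cloudhost.test.     ; provider project deleted
status   3600 IN CNAME uptime-page.monitor-vendor.test.   ; still provisioned
"""

# Constructed stand-in for the resolver so the demo runs offline.
STILL_PROVISIONED = {"example.com", "uptime-page.monitor-vendor.test"}


def fake_resolves(hostname: str) -> Optional[bool]:
    return hostname in STILL_PROVISIONED


def audit_sample() -> List[Finding]:
    return find_dangling(parse_zone(SAMPLE_ZONE), "example.com", fake_resolves)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.name} -> {f.target}: {f.reason}")
```

Only `blog.example.com` is reported: its target is outside the zone and no longer exists, which is exactly the record an attacker would look for. In-zone CNAMEs are skipped on purpose, and a transient resolver failure is reported separately rather than silently treated as "fine", since a missed NXDOMAIN is the failure mode this check exists to catch.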