What is a dangling CNAME
A dangling CNAME is a CNAME record that still points at a hostname on a third-party service (a storage bucket, an app platform, a hosted page) that your organization no longer controls. If the provider lets someone else claim that name, the attacker ends up serving content under your subdomain. Because the record lives in public DNS, it is visible to resolvers, browsers, inbox providers and attackers alike, so the quality of your zone data and the change control around it matter as much as any protocol standard.
If you are already working through Subdomain Takeover, this topic gives you the missing layer between the raw signal and the decision you have to make. For a live check, start with the CyberFurl subdomain review and then use the See the DNS posture feature page to see where it fits in the wider CyberFurl workflow.
How attackers exploit it
A dangling CNAME points at a service endpoint the domain no longer controls, typically because the bucket, app or site behind it was deleted while the DNS record stayed in place. If the provider lets any customer bind that name, or the target domain itself has expired and can be registered, an attacker claims it, and the provider then serves the attacker's content for your hostname because your CNAME still directs traffic there. No access to your registrar or DNS account is needed. Once the attacker controls what is served at the hostname, they can usually pass HTTP-based domain validation and obtain a valid TLS certificate for it, and any cookies scoped to the parent domain will be sent to the hijacked subdomain.
Affected providers (S3, Azure, Heroku, GitHub Pages, Shopify, etc.)
This risk shows up anywhere a third-party platform lets customers bind subdomains and later release them. Cloud storage, app platforms, page hosting, commerce tooling, and similar services have all produced real takeover cases over the years.
Real takeover cases
The reason this issue keeps paying bug bounties is simple: the subdomain still carries the brand's trust. When an abandoned mapping is reclaimed, the attacker inherits a legitimate-looking hostname without having to spoof it.
How to detect dangling CNAMEs
Detection starts with inventory and verification. You need to know which subdomains point to external platforms, whether each target still resolves, and whether the platform still recognizes the binding when your hostname is requested from the outside. Static DNS review alone is not enough: many providers answer with a wildcard, so the CNAME target keeps resolving even after the application side has been deprovisioned.
- 1
Inventory external CNAME targets
Pull every CNAME from the authoritative zones you own, and from passive DNS and certificate transparency logs for names you have forgotten about. Record which team owns each record and group the targets by provider. Most dangling records come from missing ownership context, not from a DNS syntax mistake.
- 2
Resolve each target and flag the failures
Follow every CNAME chain to its end, not just the first hop. A target that returns NXDOMAIN is the strongest signal, but a target that resolves is not proof of safety, because provider wildcards keep answering after a resource is deleted. Keep the full chain in the finding so the provider at the end of it is visible.
- 3
Test from the outside
Request your own hostname over HTTP and HTTPS from a network you do not control and compare the response with the provider's "unclaimed resource" page (for example an S3 NoSuchBucket error or the GitHub Pages "There isn't a GitHub Pages site here" page). A match means the binding is gone and the name is probably claimable; confirm by creating the resource under the old name from a test account you own before you call it exploitable.
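The three detection steps above, as an added example that is not part of the original page or of the CyberFurl tooling. It walks CNAME chains over a constructed zone snapshot standing in for a live resolver, classifies each name (no CNAME, NXDOMAIN at the leaf, CNAME loop, chain too deep, resolves but provider serves an "unclaimed" page, or ok), and matches the body served for the customer hostname against a small fingerprint table. The DNS answers, HTTP bodies and hostnames are constructed for the demo; the fingerprint strings are well-known provider responses but are illustrative and drift over time, so refresh them before relying on them. In a real run you would replace `DEMO_DNS.get` with a resolver call and the `fetch` lambda with an HTTP client.

```python
"""Offline dangling-CNAME triage: chain walk plus provider fingerprint check."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Record = Tuple[str, str]            # (rtype, rdata), e.g. ("CNAME", "x.example.net")
Lookup = Callable[[str], Optional[Record]]
Fetch = Callable[[str], str]

# Constructed answers standing in for a live resolver (assumption: one record
# per name is enough for the demo). A name absent from the dict is NXDOMAIN.
DEMO_DNS: Dict[str, Record] = {
    "www.example.com":             ("CNAME", "example.github.io"),
    "assets.example.com":          ("CNAME", "old-assets.s3.amazonaws.com"),
    "shop.example.com":            ("CNAME", "old-shop.herokuapp.com"),
    "legacy.example.com":          ("CNAME", "legacy-app.example-paas.net"),
    "a.example.com":               ("CNAME", "b.example.com"),
    "b.example.com":               ("CNAME", "a.example.com"),
    "example.github.io":           ("A", "192.0.2.10"),
    "old-assets.s3.amazonaws.com": ("A", "192.0.2.20"),
    "old-shop.herokuapp.com":      ("A", "192.0.2.30"),
}

# Constructed HTTP bodies as returned when fetching the *customer* hostname.
DEMO_HTTP: Dict[str, str] = {
    "www.example.com":    "<html><title>Example Corp</title></html>",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "shop.example.com":   "<html><title>No such app</title></html>",
}

# "Resource not claimed" fingerprints keyed by provider suffix. Illustrative:
# providers change these strings, so verify them against live responses.
FINGERPRINTS: Dict[str, str] = {
    "s3.amazonaws.com": "NoSuchBucket",
    "github.io":        "There isn't a GitHub Pages site here",
    "herokuapp.com":    "No such app",
}

MAX_CHAIN = 8  # guard against pathological or looping CNAME chains


@dataclass
class Finding:
    name: str
    chain: List[str]   # CNAME targets in order, first hop first
    status: str        # "ok" | "no-cname" | "nxdomain" | "unclaimed" | "loop" | "too-deep"
    note: str = ""


def follow_cnames(name: str, lookup: Lookup) -> Tuple[List[str], str]:
    """Walk the CNAME chain from `name`; return (targets, terminal state)."""
    chain: List[str] = []
    seen = {name}
    cur = name
    while len(chain) < MAX_CHAIN:
        rec = lookup(cur)
        if rec is None:
            # Either the name itself has no record, or the leaf of the chain is gone.
            return chain, ("nxdomain" if chain else "no-record")
        rtype, rdata = rec
        if rtype != "CNAME":
            return chain, "terminal"        # reached an A/AAAA answer
        chain.append(rdata)
        if rdata in seen:
            return chain, "loop"
        seen.add(rdata)
        cur = rdata
    return chain, "too-deep"


def classify(name: str, lookup: Lookup, fetch: Fetch) -> Finding:
    chain, state = follow_cnames(name, lookup)
    if not chain:
        return Finding(name, chain, "no-cname")
    if state != "terminal":
        note = ""
        if state == "nxdomain":
            note = "leaf target does not resolve; check whether its namespace is claimable"
        return Finding(name, chain, state, note)
    # The chain resolves, but a provider wildcard may be answering for a deleted
    # resource, so inspect what is actually served for our hostname.
    last = chain[-1]
    body = fetch(name)
    for suffix, sig in FINGERPRINTS.items():
        if last.endswith("." + suffix) and sig in body:
            return Finding(name, chain, "unclaimed", f"{suffix} served {sig!r}")
    return Finding(name, chain, "ok")


def check_zone(names, lookup: Lookup, fetch: Fetch) -> List[Finding]:
    return [classify(n, lookup, fetch) for n in names]


def demo() -> Dict[str, Finding]:
    """Run the check over every example.com name in the constructed snapshot."""
    findings = check_zone(
        [n for n in DEMO_DNS if n.endswith(".example.com")],
        DEMO_DNS.get,
        lambda host: DEMO_HTTP.get(host, ""),
    )
    return {f.name: f for f in findings}


if __name__ == "__main__":
    for f in demo().values():
        print(f"{f.name:<20} {f.status:<9} {' -> '.join(f.chain)}  {f.note}")
```

The two statuses worth a human's time are `unclaimed` (the provider is already telling you the binding is gone) and `nxdomain` (the leaf name does not resolve, which is only exploitable if that namespace, or the registrable domain under it, can be obtained by someone else). `loop` and `too-deep` are broken records rather than takeover risks, but they belong in the same cleanup ticket.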
Remediation playbook
The cleanest fixes are to remove the record, re-claim the service intentionally, or replace the target with a provider you still control. The dangerous habit is leaving “temporary” CNAMEs in place after the owning team has moved on.
- 1
Decide what the name should do
Find the owning team and ask whether the subdomain is still needed. If nobody claims it, the right answer is removal, not a long-lived placeholder that someone will forget again.
- 2
Fix the authoritative record
Delete the CNAME, point it at a resource you still control, or re-create the resource at the provider under the same name and complete the provider's domain verification. Make the change in the authoritative zone, and keep the zone under change control so the record cannot quietly come back from an old template or deployment script.
- 3
Test from the outside
Re-resolve the name from a public resolver and fetch it over HTTP(S) again. The chain should either fail to resolve (record removed) or return your own content, with no provider "unclaimed" page. Then add the hostname to continuous monitoring so the next deprovisioning is caught before anyone else claims the name.
Tools to check your Dangling CNAME
Use the CyberFurl subdomain review when you want to see the live signal on a real domain, and then step back to the See the DNS posture feature page when you need the wider workflow around posture, monitoring, or remediation. That combination is usually much more useful than reviewing zone data in isolation.
Further reading inside CyberFurl
- CyberFurl subdomain review
- See the DNS posture feature
- Subdomain Takeover
- CyberFurl public security report
Frequently asked questions
Is a dangling CNAME the same as subdomain takeover?
Not by itself. A dangling CNAME is the precondition; a subdomain takeover happens when someone else actually claims the target name and the provider starts serving their content for your hostname. Whether that step is possible depends on the provider: some let any customer bind a released name, some require domain verification that an attacker cannot pass, and some targets are on domains you still own, where nothing external can be claimed. Treat every dangling CNAME as a finding to clean up, and treat the ones whose target namespace is claimable as exploitable.
How do I find dangling CNAMEs in bulk?
Start with the live public evidence, not the config file you hope is in production. Enumerate your subdomains from zone exports, passive DNS and certificate transparency logs, resolve every CNAME chain to its end, and flag targets that return NXDOMAIN or that resolve but serve a provider's "unclaimed resource" page when you request your hostname. Compare that list with the intended posture, make one controlled change at a time, and validate each change again from the outside.