Dangling CNAME & Takeover Detector

Detect dangling CNAME records that point to expired or uncontrolled domains. Prevent subdomain takeover attacks by identifying vulnerable CNAME configurations.

No signup

Instant scan

100% free

What Is a Dangling CNAME?

A dangling CNAME is a DNS CNAME record that points to a domain that no longer exists, has expired, or is not under your control. CNAME records create aliases — they redirect DNS queries from one hostname to another. When the target domain expires, is deleted, or changes ownership, the CNAME becomes "dangling" — pointing to nothing or to a domain controlled by someone else. Attackers routinely scan for dangling CNAMEs and register the expired target domains to take control of the source subdomain. This is called a subdomain takeover attack and is one of the most common DNS security vulnerabilities affecting cloud-hosted applications, CDNs, and third-party services.

Why It Matters

Subdomain takeover via dangling CNAMEs allows attackers to host content on your domain, issue valid SSL certificates, intercept traffic, steal cookies, and damage your brand reputation. It's a critical vulnerability that affects thousands of organizations.

Common Mistakes

Creating CNAMEs to third-party services (Heroku, GitHub Pages, Shopify, Azure) without monitoring the target, not removing CNAMEs when migrating away from a service, deleting cloud resources but leaving DNS records, and not regularly auditing CNAME configurations for dangling targets.

blog.yoursite.com

CNAME

→ old-cdn-provider.com

EXPIRED

TAKEOVER_ENGINE_V2

VULNERABLE

How It Works

Input Domain

Type the domain to scan for dangling CNAME records.

Query CNAMEs

We query all CNAME records for the domain and its subdomains.

Resolve Targets

We attempt to resolve each CNAME target to check if it's still valid.

Report Risks

Dangling targets and takeover risks are flagged with severity ratings.

CNAME Enumeration

Queries all CNAME records for the domain and common subdomains. Tests both direct CNAME queries and zone enumeration to find hidden CNAME aliases that may have been forgotten.

Target Resolution

Attempts to resolve each CNAME target to verify it still exists and is reachable. Checks DNS resolution, HTTP response, and whether the target responds with a known error page indicating a takeover opportunity.

Takeover Risk Assessment

Analyzes each dangling CNAME to determine the takeover risk based on the target domain type. Some targets (Heroku, GitHub Pages, Shopify) are easily claimed by anyone. Others require domain registration or DNS control.

Third-Party Service Detection

Identifies CNAMEs pointing to common third-party services like AWS, Azure, Heroku, GitHub Pages, Shopify, Wix, and CDNs. Many dangling CNAME vulnerabilities originate from these platforms when resources are deleted but DNS records remain.

SSL Certificate Risk

Evaluates whether an attacker could obtain a valid SSL certificate for a taken-over subdomain using ACME protocols (Let's Encrypt). Dangling subdomains with valid certificates are especially dangerous as they appear legitimate to users.

Remediation Guidance

For each dangling CNAME found, we provide specific remediation steps. This includes removing the CNAME record, updating it to the correct target, or claiming the expired target domain before an attacker does.

Frequently Asked Questions

What is a subdomain takeover?

A subdomain takeover occurs when an attacker gains control of a subdomain by exploiting a dangling CNAME or DNS record. If a CNAME points to a third-party service that has been deleted or expired, an attacker can claim the target resource and serve content on your subdomain.

Which services are commonly vulnerable to dangling CNAMEs?

Cloud platforms like Heroku, GitHub Pages, Azure, AWS, Shopify, Wix, and CDNs are common sources. When you delete a resource on these platforms but leave the CNAME pointing to it, the resource becomes claimable by anyone who knows the target URL.

How serious is a subdomain takeover?

Very serious. An attacker can host malicious content on your domain, steal cookies and session tokens, issue valid SSL certificates that appear legitimate, phish your users, damage your brand reputation, and bypass CSP and CORS policies that trust your domain.

How do I fix a dangling CNAME?

Remove the CNAME record if it's no longer needed. If the service is still in use, update the CNAME to point to the correct, current target. If the target domain has expired, register it immediately before an attacker does. Always audit DNS records after any infrastructure migration.

Can I prevent subdomain takeovers?

Yes. Maintain a DNS inventory, regularly audit CNAME records, remove records when decommissioning services, use DNS monitoring to detect new CNAMEs, and implement a change management process for DNS modifications. Consider using CNAME flattening where appropriate.

Is this dangling CNAME detector free?

Yes, this tool is 100% free with no signup required. For continuous dangling CNAME monitoring, automated takeover risk scanning across your entire domain portfolio, and alerting when new dangling CNAMEs appear, upgrade to CyberFurl Pro.

What is a dangling CNAME?

A dangling CNAME is a DNS record that points to a domain or service that has been deleted or expired. Attackers can register the target resource and take over your subdomain, a severe security risk known as subdomain takeover.

Related Security Tools

DNS reconnaissance check

Need Continuous Dangling CNAME Monitoring?

Automate dangling CNAME detection, monitor your entire domain portfolio for takeover risks, get alerted when new dangling records appear, and prevent subdomain takeovers before attackers find them.

Start Free Trial View Pricing