
Dangling DNS check.

Detect CNAMEs pointing to unclaimed SaaS targets. Dangling DNS records are the #1 cause of subdomain takeover attacks.


What is a dangling DNS record?

A dangling DNS record is a CNAME (or A record) that points to a resource that no longer exists. This commonly happens when you cancel a SaaS service but forget to remove the DNS record. An attacker can claim the abandoned resource and serve their own content on your subdomain.

How takeovers happen
  1. You create blog.example.com CNAME myapp.herokuapp.com
  2. You delete the Heroku app but forget the DNS record
  3. An attacker creates myapp on Heroku and claims it
  4. Your subdomain now serves the attacker's content

Vulnerable services

Any SaaS that lets users claim custom domains is potentially vulnerable. Common targets include: Heroku, GitHub Pages, AWS S3, Azure, Shopify, Zendesk, Fastly, Netlify, and many more.

Impact

Attackers can serve phishing pages, steal cookies (if the parent domain sets them broadly), obtain valid SSL certificates for the subdomain, and damage your brand reputation, all under your domain name.

Signs of a dangling record

| Indicator | Severity | What to do |
|---|---|---|
| CNAME resolves to NXDOMAIN | Critical | The target doesn't exist. Remove the CNAME immediately or reclaim the resource. |
| CNAME to known-vulnerable SaaS pattern | High | Verify the resource is still yours. Patterns like *.herokuapp.com, *.s3.amazonaws.com are high risk. |
| Subdomain returns SaaS default/error page | High | The SaaS no longer has your app configured. Remove the record or reconfigure. |
| A record points to IP you don't own | Medium | Verify the IP still belongs to your infrastructure. Cloud IPs can be recycled. |
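
The indicators above can be checked against an exported zone. The following is an added example, not code from DNS Doctors: it covers the NXDOMAIN, SaaS-pattern and unowned-IP rows (the default-page check needs an HTTP fetch and is left out). The function names, the sample zone and the owned range are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress
import socket

# Patterns named on this page; extend with the SaaS providers you actually use.
HIGH_RISK_PATTERNS = ["*.herokuapp.com", "*.s3.amazonaws.com"]

def system_resolves(host):
    """True if the local resolver returns an address for host. Any lookup
    failure counts as NXDOMAIN here; confirm the status before acting."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit(records, owned_networks, resolves=system_resolves):
    """Return (name, severity, reason) for each record matching an indicator."""
    owned = [ipaddress.ip_network(n) for n in owned_networks]
    findings = []
    for name, rtype, value in records:
        target = value.rstrip(".").lower()
        if rtype == "CNAME":
            if not resolves(target):
                findings.append((name, "Critical", "CNAME target does not resolve"))
            elif any(fnmatch.fnmatchcase(target, p) for p in HIGH_RISK_PATTERNS):
                findings.append((name, "High", "SaaS hostname: verify it is still yours"))
        elif rtype == "A":
            ip = ipaddress.ip_address(target)
            if not any(ip in net for net in owned):
                findings.append((name, "Medium", "A record outside owned ranges"))
    return findings

# Constructed sample zone (documentation names and address ranges only).
SAMPLE_ZONE = [
    ("blog.example.com", "CNAME", "myapp.herokuapp.com."),
    ("old.example.com", "CNAME", "gone.example.net."),
    ("www.example.com", "CNAME", "edge.example.net."),
    ("api.example.com", "A", "192.0.2.10"),
    ("legacy.example.com", "A", "198.51.100.7"),
]
SAMPLE_OWNED = ["192.0.2.0/24"]

def fake_resolves(host):
    # Stand-in resolver so the sample runs offline: only this target is NXDOMAIN.
    return host != "gone.example.net"

if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, SAMPLE_OWNED, fake_resolves):
        print(*finding, sep="\t")
```

A "High" result is a prompt to confirm ownership of the SaaS resource, not proof that the record is dangling.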

Prevention checklist

  • Remove DNS records when decommissioning any SaaS service
  • Audit subdomains quarterly for stale CNAMEs
  • Use DNS monitoring to detect new/changed CNAME records
  • Restrict who can create DNS records (change management)
  • Document all subdomain-to-service mappings

Continuous subdomain monitoring

DNS Doctors scans your subdomains continuously and alerts you when CNAMEs become dangling or point to suspicious targets.