Introduction
DNS subdomain takeover remains one of the most overlooked but dangerous attack vectors, especially in organizations using cloud services or CI/CD workflows that dynamically manage DNS records. In this project, we developed a custom, provider-agnostic solution to detect and prevent subdomain takeover across all major DNS and cloud hosting providers.
The Challenge
- The organization operated thousands of DNS records, many linked to temporary services (e.g. Azure Blob, AWS S3, GitHub Pages)
- Several dangling CNAMEs pointed to decommissioned services, leaving them vulnerable to subdomain hijacking
- DNS records were managed across multiple providers:
- AWS Route53
- Cloudflare
- Edgecast
- Google Cloud DNS
- UltraDNS
- No centralized visibility, no automated checks, and no mitigation workflows
The Solution
🧠Architecture Overview
- Agentless architecture based on scheduled scanning, with modular support for providers
- Developed in Rails, deployable via GitLab pipelines
🔍Detection Engine
- Parsed all DNS zones across providers using provider-specific APIs and SDKs
- Identified:
- Dangling CNAMEs pointing to unclaimed services
- Unresolved A records or expired custom domains on cloud services
- Unclaimed orphaned records in static zones
- Cross-referenced with public fingerprints for known vulnerable targets (S3, GitHub, Heroku, Azure CDN, etc.)
🔄Provider Integration
- Modular design for DNS API support:
- AWS Route53 API
- Cloudflare API
- Edgecast API
- Google Cloud DNS API
- UltraDNS API
- Exported all findings to a central Elasticsearch index
📊Alerting & Dashboards
- Kibana dashboard showing:
- Vulnerable subdomains grouped by provider
- Age of record
- Known takeover vector
- Email alerts for critical findings
- Integrated remediation recommendations for each platform
🔒Prevention & Remediation
- Recommended workflow automation:
- Auto-deletion of dangling records
- Auto-claiming known services (when possible)
Results
| Metric | Before | After |
|---|---|---|
| Subdomain visibility | Partial, per team | Centralized, cross-provider view |
| Takeover risk | Unknown | Near-zero (continuous monitoring) |
| Response time to incidents | Manual (days/weeks) | Real-time alerting & automation |
| Provider coverage | Fragmented | Fully integrated (5+ providers) |
| Security posture | Reactive | Proactive & preventive |
Conclusion
This project delivered a scalable and extensible DNS security layer, capable of identifying and mitigating subdomain takeover risks across heterogeneous cloud infrastructures.
By combining cloud APIs, DNS scanning logic, and SIEM integration, the solution provides actionable visibility and helps organizations enforce DNS hygiene – before attackers exploit forgotten records.
