Subdomain Takeover
pro/v1/domain/subdomain-takeoverProbes candidate subdomains for dangling CNAMEs pointing to takeover-prone services. The 2026-05 fingerprint table covers 35+ services (GitHub Pages, Vercel, Firebase Hosting, Heroku, AWS S3, AWS Elastic Beanstalk, AWS CloudFront, Azure Blob/App Service/CloudApp/Traffic Manager, Fastly, Netlify, Surge.sh, Bitbucket, Shopify, WordPress.com, Tumblr, Ghost, Webflow, Squarespace, Wix, Pantheon, Statuspage, Tilda, Helpjuice, Helpscout, UserVoice, Readme.io, Unbounce, Zendesk, Cargo Collective, HatenaBlog, Ngrok, JetBrains YouTrack, Gemfury). Body fingerprints are regex patterns rather than exact strings, so reworded error pages still match.
What It Does
Walks the CNAME chain for each candidate (up to 8 hops, so `www → cdn.example.com → dangling.s3.amazonaws.com` is detected). For each terminal target, matches against the fingerprint table, then probes HTTPS and runs body regex matching to confirm the service is unclaimed. Falls back to A-record check when no CNAME is present. Returns per-candidate status with the full cname_chain, matched service, evidence, remediation steps, and a per-service remediation_link.
Why It's Useful
Subdomain takeover is a low-sophistication, high-impact attack that persists for months or years after infrastructure deprovisioning. Teams forget that a blog.example.com CNAME still points to a cancelled Heroku app — until an attacker registers that app name and suddenly hosts malware under the legitimate brand. Automated detection catches these dangling CNAMEs during DNS audits rather than during an incident.
Use Cases
Continuous Subdomain Hygiene
Weekly scan of enumerated subdomains to catch new dangling CNAMEs created when teams tear down SaaS infrastructure.
Detect and remove orphaned CNAMEs before attackers find them.
Pen-Test Preparation
Enumerate vulnerable subdomains before a red-team engagement so findings can be exploited in-scope.
Confirm attack surface before engagement kickoff.
M&A DNS Cleanup
Sweep acquired-brand DNS for dangling SaaS CNAMEs as part of integration hygiene.
Remove inherited takeover risk during integration.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
domain | string | Required | The apex domain whose subdomains should be probedExample: example.com |
zones | string | Optional | Comma-separated subdomain labels to probe (default: ~50 common labels covering web/api/admin/CI/monitoring/mail/access — www, api, docs, staging, status, jenkins, grafana, vpn, etc., capped at 30 when user-supplied).Example: www,blog,docs |
Response Fields
| Field | Type | Description |
|---|---|---|
domain | string | The queried domain |
candidates_checked | number | Total subdomains probed |
vulnerable_count | number | Number of subdomains confirmed vulnerable to takeover |
candidates | array | Per-candidate result with cname_target, cname_chain (full hop list), matched_service, matched_category, http_status, body_fingerprint_matched, status, evidence, remediation, and remediation_link. Phase 2: when a subdomain has only an A record (no CNAME) and the IP resolves into a known cloud range (AWS/Azure/GCP/OCI), the cloud-provider "no resource here" fingerprint is checked — Hazy Hawk-class dangling-IP takeovers are flagged with matched_category="dangling_cloud_ip". |
vulnerable | array | Filtered list of confirmed-vulnerable subdomains |
findings | array | Findings with severity |
recommendations | array | Remediation steps |
Code Examples
curl "https://api.edgedns.dev/v1/domain/subdomain-takeover" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d "domain=example.com"const response = await fetch(
'https://api.edgedns.dev/v1/domain/subdomain-takeover?domain=example.com',
{
headers: {
'Authorization': 'Bearer YOUR_API_KEY'
}
}
);
const data = await response.json();
console.log(data);import requests
response = requests.get(
'https://api.edgedns.dev/v1/domain/subdomain-takeover',
headers={'Authorization': 'Bearer YOUR_API_KEY'},
params={
'domain': 'example.com'
}
)
data = response.json()
print(data)Read the full Subdomain Takeover guide
Why it matters, real-world use cases, parameters, response fields, and how to call it from Claude, ChatGPT, or Gemini via MCP.
Read the guide →Related Endpoints
External References
Learn more about the standards and protocols behind this endpoint.
Try This Endpoint
Test the Subdomain Takeover endpoint live in the playground.