Subdomain Takeover
pro
/v1/domain/subdomain-takeover
Probes candidate subdomains for dangling CNAMEs pointing to known takeover-prone services (GitHub Pages, Heroku, S3, Azure Blob, Fastly, Netlify, Shopify, WordPress.com, Readme.io, etc.). When a CNAME target matches a known SaaS fingerprint, probes the HTTPS endpoint and matches the response body against the per-service takeover indicator (e.g., "There isn't a GitHub Pages site here"). Reports each finding with the vulnerable service, evidence, and remediation steps.
What It Does
Accepts either an explicit list of subdomains to probe or seeds from common names (www, mail, blog, api, dev, staging, docs, support, cdn, assets, status, etc.). For each candidate: (1) DoH CNAME lookup; (2) if CNAME target matches a takeover fingerprint, HTTPS GET the candidate; (3) body match against the service's takeover indicator text. Fingerprints currently cover 15+ services including GitHub Pages, Heroku, AWS S3, Azure Blob Storage, Fastly, Netlify, Shopify, WordPress.com, Tumblr, Readme, UserVoice, Ghost, Cargo Collective, and Unbounce. Returns per-candidate status plus an aggregated list of confirmed takeover-vulnerable subdomains.
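The three-step decision described above, as an added example that is not EdgeDNS's own code; it runs offline on constructed DNS answers and response bodies. The fingerprint table is a small illustrative subset: only the GitHub Pages indicator is quoted on this page, while the Heroku and S3 indicator strings, the CNAME suffixes, and the status names are assumptions.

```python
# Added example. Illustrative subset only; the GitHub Pages indicator is quoted
# on this page, the other indicators and all CNAME suffixes are assumptions.
FINGERPRINTS = {
    "GitHub Pages": (".github.io", "There isn't a GitHub Pages site here"),
    "Heroku": (".herokuapp.com", "No such app"),
    "AWS S3": (".s3.amazonaws.com", "NoSuchBucket"),
}

def match_service(cname_target):
    """Step 2: map a CNAME target to a service by dot-anchored suffix."""
    target = cname_target.rstrip(".").lower()
    for service, (suffix, _indicator) in FINGERPRINTS.items():
        if target.endswith(suffix):
            return service
    return None

def classify(subdomain, resolve_cname, fetch_body):
    """Run the three checks for one candidate. Status names are hypothetical."""
    target = resolve_cname(subdomain)          # step 1: CNAME lookup
    if target is None:
        return {"subdomain": subdomain, "status": "no_cname"}
    result = {"subdomain": subdomain, "cname": target}
    service = match_service(target)            # step 2: fingerprint match
    if service is None:
        return {**result, "status": "not_fingerprinted"}
    body = fetch_body(subdomain)               # step 3: HTTPS body probe
    indicator = FINGERPRINTS[service][1]
    if body is None:                           # probe failed: flag for manual review
        status = "unconfirmed"
    else:
        status = "vulnerable" if indicator in body else "claimed"
    return {**result, "service": service, "status": status,
            "evidence": indicator if status == "vulnerable" else None}

# Constructed sample data standing in for DoH answers and HTTPS responses.
SAMPLE_CNAMES = {
    "blog.example.com": "Example-Blog.herokuapp.com.",
    "docs.example.com": "example.github.io.",
    "cdn.example.com": "example-assets.s3.amazonaws.com.",
    "www.example.com": "lb.example.net.",
}
SAMPLE_BODIES = {
    "blog.example.com": "<html><title>No such app</title></html>",
    "docs.example.com": "<html><h1>Example Docs</h1></html>",
}

def scan(subdomains):
    results = [classify(s, SAMPLE_CNAMES.get, SAMPLE_BODIES.get) for s in subdomains]
    return results, [r["subdomain"] for r in results if r["status"] == "vulnerable"]
```

A CNAME that still points at a fingerprinted service but serves real content is reported as claimed, and a failed HTTPS probe is kept separate as unconfirmed so it is reviewed rather than silently dropped.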
Why It's Useful
Subdomain takeover is a low-sophistication, high-impact attack that persists for months or years after infrastructure deprovisioning. Teams forget that a blog.example.com CNAME still points to a cancelled Heroku app — until an attacker registers that app name and suddenly hosts malware under the legitimate brand. Automated detection catches these dangling CNAMEs during DNS audits rather than during an incident.
Use Cases
Continuous Subdomain Hygiene
Weekly scan of enumerated subdomains to catch new dangling CNAMEs created when teams tear down SaaS infrastructure.
Detect and remove orphaned CNAMEs before attackers find them.
Pen-Test Preparation
Enumerate vulnerable subdomains before a red-team engagement so findings can be exploited in-scope.
Confirm attack surface before engagement kickoff.
M&A DNS Cleanup
Sweep acquired-brand DNS for dangling SaaS CNAMEs as part of integration hygiene.
Remove inherited takeover risk during integration.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The apex domain whose subdomains should be probed. Example: example.com |
| zones | string | Optional | Comma-separated subdomain labels to probe (default: common list like www, blog, api, docs, staging, support, cdn, assets, status). Example: www,blog,docs |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| candidates_checked | number | Total subdomains probed |
| vulnerable_count | number | Number of subdomains confirmed vulnerable to takeover |
| candidates | array | Per-candidate result: subdomain, CNAME target, matched fingerprint, status, evidence |
| vulnerable | array | Filtered list of confirmed-vulnerable subdomains |
| findings | array | Findings with severity |
| recommendations | array | Remediation steps |
Code Examples
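cURL

```bash
# -G sends the -d data as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/domain/subdomain-takeover" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

JavaScript

```javascript
// GET request with the apex domain passed as a query parameter.
const response = await fetch(
  'https://api.edgedns.dev/v1/domain/subdomain-takeover?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

# GET request with the apex domain passed as a query parameter.
response = requests.get(
    'https://api.edgedns.dev/v1/domain/subdomain-takeover',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    timeout=30,  # do not hang indefinitely on a stalled connection
)
response.raise_for_status()  # surface auth or quota errors instead of parsing an error body
data = response.json()
print(data)
```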