Subdomain Monitoring

Automatically discover and monitor all subdomains under your root domains. Track DNS changes, detect subdomain takeovers, and identify misconfigurations before they become security incidents.

  • Automated subdomain discovery via DNS enumeration
  • Continuous monitoring with real-time change detection
  • Subdomain takeover vulnerability alerts
  • Integration with Cloudflare, AWS Route 53, Azure DNS
  • SSL/TLS certificate expiration tracking
Domain: example.com
Subdomains found: 127
 
api.example.com
www.example.com
staging.example.com
dev.example.com (SSL expires in 5 days)
old-app.example.com (Takeover risk)
 
Monitoring: Active
Last scan: 2 minutes ago

Why Monitor Subdomains

Subdomains represent a significant portion of your external attack surface. Without monitoring, forgotten or misconfigured subdomains create security vulnerabilities.

Prevent Subdomain Takeovers

Detect dangling DNS records that point to deprovisioned services (AWS S3, Heroku, Azure). Attackers exploit these to host phishing sites or steal session cookies.

Track DNS Configuration Changes

Receive alerts when DNS records change unexpectedly. Detect unauthorized modifications, accidental misconfigurations, or DNS hijacking attempts.

Monitor SSL/TLS Certificates

Track certificate expiration dates across all subdomains. Avoid service interruptions and browser warnings from expired certificates.

Continuous Automated Scanning

Scheduled scans run automatically without manual intervention. New subdomains are discovered and added to monitoring within minutes of DNS propagation.

Comprehensive Reporting

Export subdomain inventories, vulnerability reports, and historical change logs. Meet compliance requirements for asset management documentation.

Multi-Channel Alerts

Receive notifications via email, Slack, or webhook integration. Configure alert thresholds and severity levels to reduce notification noise.

How Subdomain Monitoring Works

Set up continuous subdomain monitoring in three steps. No complex configuration required.

1. Add Your Domain

Enter your root domain and verify ownership using a TXT DNS record. Optionally integrate with your DNS provider for automated domain sync.

2. Automatic Discovery

Our system enumerates subdomains using multiple techniques: DNS zone transfers, certificate transparency logs, DNS brute-forcing, and reverse DNS lookups.

3. Continuous Monitoring

Scheduled scans run every 24 hours. Receive immediate alerts when new subdomains appear, DNS records change, or security issues are detected.

Subdomain Discovery Methods

Our platform uses multiple techniques to ensure comprehensive subdomain enumeration

DNS Enumeration

Queries authoritative nameservers for all DNS record types (A, AAAA, CNAME, MX, TXT). Attempts zone transfers when possible and performs recursive queries to discover subdomain hierarchies. This method discovers active subdomains currently responding to DNS queries.

Certificate Transparency Logs

Monitors public Certificate Transparency logs where SSL/TLS certificates are recorded. Extracts Subject Alternative Names (SANs) to discover subdomains even if they're not publicly advertised via DNS. This reveals subdomains that may have been decommissioned but had certificates issued.

Intelligent Brute-Force

Uses curated wordlists of common subdomain names (api, www, staging, dev, admin) combined with your organization's naming patterns. Tests thousands of potential subdomains while respecting rate limits. Discovers subdomains that aren't linked or referenced elsewhere.

Reverse DNS Lookups

Performs reverse PTR record queries on IP ranges associated with your infrastructure. Discovers subdomains configured on shared hosting or cloud platforms where multiple domains share IP addresses. Useful for identifying subdomains on CDNs or load balancers.

Search Engine Indexing

Queries search engine indexes (Google, Bing) using site: operators to find publicly indexed subdomains. Discovers subdomains that appear in search results, web archives, or cached pages. Particularly effective for finding old or forgotten subdomains.

DNS Provider Integration

Directly connects to Cloudflare, AWS Route 53, Google Cloud DNS, and Azure DNS APIs. Pulls complete zone files to ensure 100% subdomain coverage without enumeration gaps. Automatically syncs when new records are added to your DNS provider.

Understanding Subdomain Takeover Vulnerabilities

One of the most critical risks from unmonitored subdomains

What is a Subdomain Takeover?

A subdomain takeover occurs when a subdomain's DNS record points to an external service (like AWS S3, Heroku, GitHub Pages, or Azure) that has been deprovisioned or deleted. The DNS record remains active, but the target service no longer belongs to you. Attackers can claim that service and control your subdomain.

For example: Your marketing team created promo.yourcompany.com pointing to an AWS S3 bucket for a campaign. The campaign ended, the S3 bucket was deleted, but the DNS CNAME record remained. An attacker creates a new S3 bucket with the same name and now controls promo.yourcompany.com—using your domain to host phishing pages, steal cookies, or damage your brand reputation.

Common Vulnerable Services

  • AWS S3: CNAME pointing to bucket that no longer exists
  • Heroku: DNS record pointing to deprovisioned Heroku app
  • GitHub Pages: Subdomain pointing to deleted GitHub repository
  • Azure: CNAME to deleted Azure Cloud Services or App Service
  • Shopify: Subdomain configured for deleted Shopify store
  • Fastly/CDN: DNS pointing to removed CDN configuration

How Our Detection Works

Our subdomain monitoring tool performs active checks on every discovered subdomain:

  1. Resolve DNS records and identify CNAME targets
  2. Send HTTP/HTTPS requests to check response codes and content
  3. Match responses against known vulnerable service fingerprints
  4. Detect error messages indicating unclaimed resources
  5. Verify that the service is actively owned by your organization

When a potential takeover is detected, you receive an immediate high-priority alert with remediation steps: either remove the DNS record or reclaim the service endpoint.

Real-World Impact

Subdomain takeovers have affected major organizations including Microsoft, Uber, and the UK government. Attackers use taken-over subdomains for phishing campaigns (appearing to come from your domain), malware distribution, stealing authentication cookies, and SEO manipulation. The average time between subdomain decommissioning and takeover discovery is 6-12 months—providing attackers extended access.

DNS Provider Integrations

Connect your DNS provider for automatic subdomain synchronization

Cloudflare Integration

Authenticate using a Cloudflare API token with Zone:Read permissions. Automatically import all zones and subdomains under your account. Continuous sync ensures new DNS records are detected within 5 minutes of creation in the Cloudflare dashboard.

Setup time: 2 minutes | Auto-sync: Every 5 minutes

AWS Route 53 Integration

Connect using an IAM role with route53:ListHostedZones and route53:ListResourceRecordSets permissions. Supports multiple AWS accounts and all hosted zone types (public and private). Pulls complete zone files including alias records and weighted routing policies.

Setup time: 3 minutes | Auto-sync: Every 10 minutes

Google Cloud DNS

Authenticate with a service account that has dns.managedZones.list and dns.resourceRecordSets.list permissions. Import subdomains across multiple GCP projects. Supports DNSSEC-enabled zones and Cloud DNS integration with GKE.

Setup time: 3 minutes | Auto-sync: Every 10 minutes

Azure DNS Integration

Connect using a service principal with the Reader role on DNS zones. Supports both Azure DNS and Azure Private DNS zones. Automatically discovers subdomains across all subscriptions in your tenant with proper RBAC permissions.

Setup time: 4 minutes | Auto-sync: Every 10 minutes

DNS provider integration is optional. You can add domains manually and use our active discovery methods instead. Integrations provide the advantage of guaranteed completeness—every subdomain in your DNS zones is monitored without enumeration gaps.

All API credentials are encrypted at rest using AES-256. We never make modifications to your DNS records.

Subdomain Monitoring Use Cases

Development Teams

Track Staging & Test Environments

Monitor development, staging, and QA subdomains. Ensure test environments don't leak sensitive data and maintain proper access controls.

Security Teams

Prevent Subdomain Takeovers

Identify dangling CNAME records before attackers exploit them. Detect forgotten subdomains pointing to decommissioned cloud resources.

DevOps Teams

Maintain DNS Hygiene

Keep your DNS zone clean by identifying orphaned records. Remove subdomains for retired services and consolidate redundant entries.

Compliance

Asset Inventory Management

Maintain accurate subdomain inventory for compliance frameworks (SOC 2, ISO 27001). Generate audit reports showing all internet-facing assets.

Subdomain Monitoring Best Practices

Establish Naming Conventions

Use consistent subdomain naming patterns (env-service-region.domain.com). This makes it easier to identify legitimate subdomains and spot unauthorized additions. Document your naming schema and enforce it through deployment pipelines and infrastructure-as-code.
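
One way to enforce the env-service-region schema in a pipeline, as an added Python example that is not part of the original page or the product: it checks every name that is new since an approved baseline and reports why a name does not conform. The `ENVS` and `REGIONS` vocabularies, the function names and the sample hostnames are assumptions constructed for the example.

```python
# Assumed vocabularies: the page gives only the env-service-region shape.
ENVS = {"prod", "staging", "dev", "qa"}
REGIONS = {"euw1", "use1", "apse2"}

def check_name(fqdn, root):
    """Return None if fqdn follows env-service-region.<root>, else the reason it does not."""
    fqdn = fqdn.lower().rstrip(".")
    if not fqdn.endswith("." + root):
        return "outside root domain"
    label = fqdn[: -(len(root) + 1)]
    if "." in label:
        return "multi-level name"
    parts = label.split("-")
    if len(parts) < 3 or not all(parts):
        return "not env-service-region"
    if parts[0] not in ENVS:
        return f"unknown env '{parts[0]}'"
    if parts[-1] not in REGIONS:
        return f"unknown region '{parts[-1]}'"
    return None

def review_additions(baseline, discovered, root):
    """Verdict for every name in the latest scan that is absent from the approved baseline."""
    report = {}
    for name in sorted(set(discovered) - set(baseline)):
        reason = check_name(name, root)
        report[name] = "conforms" if reason is None else reason
    return report

# Constructed sample data (not real scan output).
BASELINE = {"www.example.com", "prod-api-euw1.example.com"}
DISCOVERED = BASELINE | {
    "staging-billing-api-use1.example.com",
    "old-app.example.com",
    "prod-api-mars1.example.com",
    "dev-db-euw1.internal.example.com",
}

if __name__ == "__main__":
    for name, verdict in review_additions(BASELINE, DISCOVERED, "example.com").items():
        print(f"{verdict:28} {name}")
```

Names already in the baseline, such as a legacy www record, are not re-judged; only additions are checked against the schema.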

Implement Subdomain Lifecycle Management

Create processes for subdomain creation, modification, and retirement. Require approval workflows for new subdomains. When decommissioning services, ensure DNS records are removed simultaneously—not left dangling for later cleanup.

Regular DNS Hygiene Audits

Review all subdomains quarterly to identify candidates for retirement. Remove DNS records for development projects that ended, marketing campaigns that concluded, or test environments no longer needed. Unused subdomains represent unnecessary attack surface.

Configure Alert Thresholds Appropriately

Set monitoring frequency based on your change velocity. High-traffic production environments may need hourly scans, while stable infrastructure can use daily scans. Configure different alert severities: critical for takeovers, high for SSL expiration, medium for DNS changes.

Maintain Subdomain Inventory Documentation

Export regular reports showing all discovered subdomains, their purpose, owner/team, and criticality. This inventory becomes essential for incident response, audit compliance, and merger/acquisition due diligence. Update documentation when organizational changes occur.

Test Subdomain Takeover Defenses

Periodically create intentionally vulnerable test subdomains pointing to deprovisioned services (in controlled environments). Verify your monitoring detects them within expected timeframes. Use these tests to validate alert routing and team response procedures.

Subdomain Monitoring vs Manual Discovery

Capability | Manual Tools (Sublist3r, Amass) | bspeka Subdomain Monitoring
Initial subdomain discovery | One-time scan | Automated + continuous
Ongoing monitoring | Requires manual re-scanning | Scheduled automatic scans
Change detection | Manual comparison needed | Automatic alerts on changes
Subdomain takeover detection | Manual verification required | Automated vulnerability checks
SSL certificate monitoring | Not included | Expiration tracking + alerts
DNS provider integration | Not available | Cloudflare, Route 53, Azure DNS
Historical tracking | No change history | Complete audit logs
Team collaboration | Local tool output only | Multi-user dashboard
Setup time | Manual configuration required | 15 minutes to production

Frequently Asked Questions

How often should I scan for subdomains?
Scanning frequency depends on your organization's size and change velocity. For actively developed environments with frequent deployments, daily or hourly scans ensure new subdomains are discovered quickly. Stable production environments can use weekly scans. Our Professional plan includes continuous monitoring with customizable scan schedules. The free plan provides weekly scans suitable for small websites with infrequent changes.
What's the difference between passive and active subdomain discovery?
Passive discovery collects subdomain information from public sources without directly probing your infrastructure—including Certificate Transparency logs, search engine indexes, DNS databases (like DNSDumpster), and web archives. Active discovery performs direct DNS queries, HTTP requests, and brute-force enumeration against your domains. Our tool combines both methods: passive techniques for historical subdomains and active scanning for current configuration. This hybrid approach maximizes coverage while respecting rate limits.
Can you monitor wildcard subdomains?
Yes. We detect wildcard DNS records (*.domain.com) and flag them in monitoring dashboards. However, wildcard records present enumeration challenges since infinite subdomains technically exist. We monitor the wildcard configuration itself for changes and test common subdomain patterns to verify the wildcard is resolving correctly. If you need monitoring of specific subdomains under a wildcard (like user1.domain.com, user2.domain.com), you can add those explicitly to track them individually.
How do you detect subdomain takeover vulnerabilities?
Our system performs multi-step verification: First, we identify CNAME records pointing to external services. Second, we attempt HTTP/HTTPS connections to those subdomains. Third, we analyze response codes, content, and headers for fingerprints indicating unclaimed services—such as "NoSuchBucket" for AWS S3, "No such app" for Heroku, or "There isn't a GitHub Pages site here" for GitHub. We maintain an updated database of vulnerable service fingerprints. When a potential takeover is detected, we verify it's not a false positive before alerting. Our detection accuracy exceeds 95% with minimal false positives.
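
As an added illustration (not the product's own code), the following Python example applies the verification steps from this answer and from "How Our Detection Works" to probe results that have already been collected for your own subdomains. The marker strings are the ones quoted above; the CNAME suffixes, the `Observation` record, the owned-target inventory and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Markers are the strings quoted on this page; the CNAME suffixes are assumptions
# added for this example and are not an exhaustive list of service hostnames.
FINGERPRINTS = {
    "AWS S3": (".s3.amazonaws.com", "NoSuchBucket"),
    "Heroku": (".herokuapp.com", "No such app"),
    "GitHub Pages": (".github.io", "There isn't a GitHub Pages site here"),
}

@dataclass
class Observation:
    host: str
    cname: Optional[str]   # CNAME target, None when the name has only A/AAAA records
    status: Optional[int]  # HTTP status, None when the connection failed
    body: str = ""

def classify(obs, owned_targets):
    """Return (severity, reason) for one probed subdomain."""
    if obs.cname is None:
        return "ok", "no CNAME to an external service"
    target = obs.cname.lower().rstrip(".")
    service = next((name for name, (suffix, _) in FINGERPRINTS.items()
                    if target.endswith(suffix)), None)
    if service is None:
        return "ok", "CNAME target is not a fingerprinted service"
    marker = FINGERPRINTS[service][1]
    # An unclaimed-resource marker wins even over the inventory (it would be stale).
    if obs.status is not None and marker.lower() in obs.body.lower():
        return "critical", f"{service} reports an unclaimed resource ({marker})"
    # No marker: the endpoint exists, so the open question is who holds it.
    if target not in owned_targets:
        return "review", f"{service} target {target} is not in the owned inventory"
    return "ok", f"{service} target is live and owned"

def scan(observations, owned_targets):
    return {o.host: classify(o, owned_targets)[0] for o in observations}

# Constructed sample observations and inventory (not real scan output).
SAMPLES = [
    Observation("old-app.example.com", "old-app-assets.s3.amazonaws.com", 404, "<Code>NoSuchBucket</Code>"),
    Observation("promo.example.com", "promo-campaign.herokuapp.com", 200, "<html>Welcome</html>"),
    Observation("docs.example.com", "example-org.github.io", 200, "<html>Docs</html>"),
    Observation("www.example.com", None, 200, "<html>Home</html>"),
]
OWNED = {"example-org.github.io"}  # assumed list of endpoints the organization holds

if __name__ == "__main__":
    print(scan(SAMPLES, OWNED))
```

The "review" verdict covers the case the markers cannot: an endpoint that answers normally but is missing from your inventory may already be held by someone else.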
What happens when you find a new subdomain?
New subdomains trigger an immediate comprehensive scan checking DNS configuration, SSL certificate validity, open ports, HTTP/HTTPS response codes, subdomain takeover risk, and comparison against your baseline configuration. Results appear in your dashboard within minutes. Depending on your alert settings, you may receive notifications for new discoveries. The subdomain is added to continuous monitoring and included in all future scheduled scans. You can categorize it (production/staging/development) and assign ownership for tracking purposes.
Do you monitor subdomains of subdomains (multi-level subdomains)?
Yes. We discover and monitor multi-level subdomains like api.staging.dev.domain.com. DNS enumeration naturally discovers nested subdomains through recursive queries. Certificate Transparency logs often reveal deep subdomain hierarchies. There's no depth limit—we monitor all discovered subdomains regardless of nesting level. This is particularly important for organizations using environment-based subdomain structures (production.app.domain.com, staging.app.domain.com) or microservice architectures.
Can I exclude certain subdomains from monitoring?
Yes. You can create exclusion rules for subdomains you don't want monitored—such as known development subdomains, third-party controlled subdomains, or internal-only subdomains. Excluded subdomains still appear in your inventory but don't trigger alerts or count against scan limits. This reduces noise and focuses monitoring on business-critical subdomains. Exclusions support wildcard patterns for bulk filtering.
How far back does historical subdomain tracking go?
We maintain complete historical records from your account creation date forward. This includes when subdomains were first discovered, all DNS record changes, SSL certificate renewals, configuration modifications, and resolved security issues. Historical data is retained indefinitely on Professional and Enterprise plans. Free plan includes 30 days of history. You can export historical data for compliance documentation or incident investigation. Timeline visualizations show how your attack surface has evolved over months or years.

Start Monitoring Your Subdomains

Free plan includes 1 domain with weekly scans. Professional plan offers 10 domains with continuous monitoring for €99/month.
