Introducing Heimdall: DNS Lifecycle Management to Prevent Subdomain Takeovers

In the ever-expanding landscape of cloud infrastructure, organizations are spinning up and tearing down resources faster than ever. But what happens to the DNS records pointing to those deprecated resources? In many cases, they're simply forgotten—leaving a critical security gap that attackers are increasingly eager to exploit.

We built Heimdall to solve this problem. Named after the all-seeing Norse god who guards the Bifröst bridge, Heimdall is our DNS lifecycle management platform that continuously monitors your attack surface for dangling DNS records and subdomain takeover vulnerabilities.

What is a Subdomain Takeover?

A subdomain takeover occurs when an attacker gains control of a subdomain that belongs to your organization. This typically happens when a DNS record (usually a CNAME) points to an external service that has been deprovisioned, but the DNS record itself was never removed.

Anatomy of a Subdomain Takeover

Service Created

blog.company.com → company.azurewebsites.net

→

Service Deleted

Azure resource removed, DNS record forgotten

→

Attacker Claims

Attacker creates company.azurewebsites.net

→

Takeover Complete

blog.company.com now serves attacker content

Why Should You Care?

Subdomain takeovers are not theoretical—they're happening constantly. The impact can be severe:

⚠️ Real-World Consequences

Credential theft: Attackers can host convincing phishing pages on your legitimate subdomain. Since the domain is genuinely yours, browsers show no warnings and users have no reason to be suspicious.

Session hijacking: If the parent domain's cookies are scoped too broadly, attackers can steal authentication cookies from users visiting the compromised subdomain
Reputation damage: Attackers can host malware, illegal content, or defacement pages that appear to come from your organization
SEO poisoning: Your domain authority can be leveraged to boost malicious content in search rankings
Email spoofing: In some cases, attackers can configure email services to send authenticated emails from your subdomain
Compliance violations: Uncontrolled subdomains serving unauthorized content can trigger regulatory issues

The Scale of the Problem

We've scanned thousands of domains across various industries and the numbers are sobering. In a recent assessment of Fortune 500 companies, we found that 67% had at least one dangling DNS record pointing to a claimable cloud resource. Many had dozens.

The root cause is simple: there's no enforcement mechanism tying DNS lifecycle to infrastructure lifecycle. When a developer tears down an Azure App Service or an S3 bucket, nothing reminds them to clean up the DNS record. Over time, these orphaned records accumulate like digital landmines.

Introducing Heimdall

Heimdall started as an internal tool our penetration testing team used to find subdomain takeover vulnerabilities during red team engagements. We realized that the same technology could help organizations proactively defend themselves, so we productized it.

🔍 Continuous Discovery

Automatically enumerate subdomains using DNS brute forcing, web scraping, and passive reconnaissance sources

☁️ Cloud-Aware Scanning

Native integration with Azure, AWS, and GCP to detect dangling resources before attackers do

🚨 Real-Time Alerts

Instant notifications when new vulnerabilities are detected, with severity classification and remediation guidance

🔄 Automated Scheduling

Configure scan frequencies per asset group—from continuous monitoring to weekly audits

Heimdall's scheduled tasks dashboard showing automated scans running every 30 minutes across multiple codenames. Tasks can run vulnerability scanners, refresh DNS records, or execute full reconnaissance pipelines.

Multi-Scanner Architecture

Heimdall doesn't rely on a single detection method. It orchestrates multiple specialized scanners to maximize coverage:

Azure Takeover Scanner: Directly queries Azure Resource Manager to identify claimable App Services, CDN endpoints, Traffic Manager profiles, and more
DNS Reaper: Open-source subdomain takeover detection integrated as a first-class scanner
Domain Availability: Checks if CNAME targets are available for registration across multiple cloud providers
Nuclei Integration: Leverages the community-driven Nuclei template library for emerging takeover techniques

Offensive & Defensive Modes

Heimdall can operate in two modes. In defensive mode, it alerts your security team to vulnerabilities for remediation. In offensive mode (used during authorized penetration tests), it can automatically claim vulnerable resources to prove exploitability and prevent real attackers from getting there first.

Codename-Based Organization

Large organizations often have complex domain portfolios spanning multiple business units, acquisitions, and projects. Heimdall uses a "codename" system to organize assets:

Group domains by business unit, client, or project
Apply different scan schedules and alerting rules per codename
Track domain counts and vulnerability metrics independently
Generate reports scoped to specific asset groups

Pipeline Automation

Security automation shouldn't be a one-off scan. Heimdall's pipeline system lets you build multi-stage workflows:

Pipeline: Full Reconnaissance
├── Stage 1: Subdomain Enumeration (Multiple Sources)
├── Stage 2: DNS Resolution & Record Analysis
├── Stage 3: Azure Resource Correlation
├── Stage 4: Takeover Vulnerability Scan
└── Stage 5: Alert Generation & Reporting

Pipelines can be triggered on schedule, via webhook, or manually. Each stage's output feeds into the next, building a comprehensive picture of your external attack surface.

Getting Started

Heimdall is currently available as a managed service for Fjord.AI clients. We handle the infrastructure, maintain the scanner signatures, and provide expert triage of findings. For organizations with specific compliance requirements, we also offer on-premise deployment options.

A typical onboarding looks like this:

Asset Discovery: Provide your root domains, and we'll enumerate the full subdomain landscape
Baseline Scan: Initial comprehensive scan to identify existing vulnerabilities
Remediation Support: Our team helps prioritize and guide cleanup of dangling records
Continuous Monitoring: Ongoing scans catch new vulnerabilities as your infrastructure evolves

Beyond Detection: DNS Hygiene Best Practices

While Heimdall provides the visibility layer, true DNS lifecycle management requires process changes:

Infrastructure as Code: Define DNS records alongside the resources they point to. When the resource is destroyed, the record goes with it
Ownership tagging: Every DNS record should have a clear owner. Orphaned records are records waiting to become vulnerabilities
Regular audits: Even with automation, periodic manual review catches edge cases
Least privilege CNAME: Avoid wildcards where possible. Each subdomain should have a specific, intentional record
TTL awareness: High TTLs mean stale records linger longer in caches after you delete them

Protect Your Attack Surface

Don't let forgotten DNS records become your next breach headline. Let's assess your subdomain security posture.

Request a Demo