How to Find and Secure Subdomains in 6 Easy Steps

Let me ask you a question – do you know about all the subdomains linked to your company‘s main website?

Content Navigation show

Subdomains are extensions like mail.yourcompany.com or login.yourcompany.com that map to the same main domain.

Over 35% of organizations have unauthorized and forgotten subdomains that remain unsecured, according to DomainTools.

And here is why you MUST track and secure subdomains:

✅ Attackers constantly scan for subdomains and exploit any weaknesses to breach networks.

✅ They contain sensitive customer data, credentials, databases that can expose your business if compromised.

I know this can sound intimidating for someone without a technical background.

So in this beginner‘s guide, I‘ll explain exactly:

  • What subdomains are
  • Why finding and securing them is vital for security
  • 6 simple steps to do it yourself in under 60 minutes

Let‘s get you subdomain savvy, shall we?

What Exactly are Subdomains?

Think of subdomains like branches of your main company website. Some examples:

website.com 
- login.website.com
- shop.website.com 
- forum.website.com

Your root domain is website.com. But you can have unlimited sub-sections as subdomains.

These typically serve specific functions like login pages, wikis, mail servers and more.

Now under the hood, subdomains function using something called DNS.

DNS stands for Domain Name System – a database that maps domain names to IP addresses.

So when you enter a URL like mail.website.com – DNS converts this subdomain into the corresponding server‘s IP address to connect your browser.

Each subdomain will have its own unique IP mapping. This allows hosting multiple sites under one domain.

But here‘s the catch – with a complex infrastructure, it‘s easy to lose track of subdomains. Services get deployed without centralized tracking.

And if these forgotten branches remain unmaintained – they pose severe security risks!

Dangers of Unsecured Subdomains

Unmanaged subdomains can allow attackers easy backdoor access into networks by:

Hiding malware – A forgotten testing domain can have vulnerable code where malware can be injected.

Sniffing traffic – Attackers spy on insecure internal communications between subdomains.

Launching phishing – A fake login page on a subdomain tricks users into giving passwords.

Subdomain security threats

Subdomains become a soft underbelly exposing businesses as per this CISA advisory.

And hackers are adept at finding forgotten subdomains using specialized tools:

Subdomain hacking tools

Now I know this makes you feel helpless. How do you even begin tackling this mess?

Well by methodically following the 6 subdomain security steps I‘ve laid out below:

Step #1: Subdomain Mapping

The only way to tame subdomains is by first mapping what exists.

Use subdomain finder tools to discover what‘s linked to your root domain:

subdomain finder tools

I would highly recommend WhoisXML API‘s Subdomain Discovery tool.

It leverages a vast database of 2.3+ billion subdomains with over 1 million added daily to show you all associated sub-parts.

Simply enter your domain and in seconds you‘ll have this invaluable mapped subdomain list!

Having the lay of the land is key to securing your digital estate.

Step #2: Documentation

Now you likely have a mix of:

✅ Authorized subdomains like shop.yourcompany.com

❓ Unknown ones like dev-server.yourcompany

The next step is documenting this list in an Excel sheet:

subdomain documentation spreadsheet

Note details like:

✏️ Purpose – The functionality like app login, database etc.

✏️ Owner – The internal team responsible for it

✏️Technology – Languages, frameworks, servers used

✏️Security settings – Who has access and protocols enabled

This will help classify authorized vs unauthorized subdomains.

Step #3: Vulnerability Scanning

You now know what subdomains exist.

But could some have security holes or misconfigurations?

Run them through tools like Detectify or Netsparker to check for:

✅ Broken access controls

✅ Susceptibility to attacks like SQL injection, XSS

✅ Unpatched software vulnerabilities

Remediate any issues immediately by:

🔧 Disabling flawed subdomains

🔧 Applying additional firewall rules

This vulnerability cleansing will stop backdoors.

Step #4: Monitoring

The subdomain sprawl will keep growing with new sites and cloud resources.

So you need 24/7 monitoring via tools like Expanse, SecurityTrails and DomainTools.

Features to leverage:

📈 New subdomain notifications

📈 DNS traffic analysis to detect unwanted communications

📈 Anomaly detection flagging sudden domain changes

Constant vigilance will prevent unauthorized additions.

Step #5: Access Controls

With the list pruned, it‘s time for access hygiene.

Classify subdomains into:

🔐 Internal only – Restrict outside traffic

🔓 External facing – Selectively allow inbound connections

⛔️ Legacy – Decommission unused

Set this using firewalls or subdomain passwords:

Subdomain access control

Organizing access prevents exploits of legacy domains.

Step #6: Automating Security

Manually tracking subdomains across cloud infrastructure is impossible!

Instead automate security using platforms like CloudKnox Permissions Management.

These will auto-discover resources and enforce policies like:

🛡️ Removing excessive user privileges

🛡️ Detecting shadow IT subdomains

🛡️ Triggering approvals for wildcard certificates

Automation ensures sustained subdomain hygiene.

So there you have it – 6 ways to find and protect subdomains in 2022 as per experts.

While it can seem daunting, I‘ve broken down actionable steps anyone can implement in under 1 hour.

Discovery → Documentation → Scanning → Monitoring → Access Control → Security Automation

Stay safe from the dangers of forgotten subdomains!

Jeremy Collins
Independent Security Consultant

Tags: