How to Prevent Subdomain Hijacking: A Guide for University IT Administrators

Introduction

In recent research by Alex Shakhov, it was discovered that dozens of prestigious university websites—including berkeley.edu, columbia.edu, and washu.edu—were unknowingly serving explicit pornographic content and malicious scams. The culprit? Abandoned subdomains whose DNS records (specifically CNAME records) were never cleared after the subdomain was decommissioned. Scammers, tracked as the Hazy Hawk group, hijack these orphaned records to redirect visitors to porn sites or fake virus alerts demanding payment.

How to Prevent Subdomain Hijacking: A Guide for University IT Administrators — Source: feeds.arstechnica.com

As an IT administrator at a university or any large organization, you need a proactive plan to prevent your own subdomains from being weaponized. This step-by-step guide will help you audit, clean up, and continuously monitor your DNS infrastructure to keep your institution’s reputation safe.

What You Need

Administrative access to your organization’s DNS zone files (via your registrar or DNS provider dashboard)
Subdomain inventory list – a spreadsheet or database of all subdomains ever created
DNS query tools (e.g., dig, nslookup, or online tools like MXToolbox)
Web crawler or scanning script to check subdomains for live content (optional but helpful)
Change management logs for past subdomain requests and decommission dates
Contact list for departmental stakeholders who originally requested subdomains
Backup of current DNS records before making changes

Step 1: Conduct a Comprehensive Subdomain Audit

Start by compiling every subdomain that has ever been created under your primary domain. This includes active ones and those that may have been decommissioned years ago. Use the following methods:

Export DNS zone files from your provider.
Search internal records for past subdomain requests (many universities lack a central registry, so ask departmental IT contacts).
Use external tools like SecurityTrails or DNSDumpster to discover all publicly listed subdomains.

For each subdomain, note its purpose, owner department, and whether it is still in use. Flag any subdomain that appears to be inactive or lacks a responsible owner.

Step 2: Identify Orphaned CNAME Records

CNAME records are the most common entry point for hijackers. A CNAME records maps a subdomain (e.g., provost.washu.edu) to another hostname (e.g., some.hosting.com). When the hosting service is decommissioned, the CNAME record remains pointing to a dead endpoint—which scammers can then register and take over.

To find orphaned CNAMEs:

Use dig to query each subdomain’s record type: dig CNAME subdomain.university.edu.
If the response shows a CNAME pointing to a third-party hostname that no longer resolves (NXDOMAIN), it’s orphaned.
Cross-reference with your web server logs: if the subdomain hasn’t received legitimate traffic in months, it’s a liability.

Step 3: Remove or Update Abandoned Records

Once you’ve identified orphaned CNAME records, you must act immediately. Do not simply delete the record without verifying its original purpose—some departments might be using it for email verification or third‑party integrations without realizing it’s been decommissioned internally.

Contact the departmental owner (if known) to confirm they no longer need the subdomain.
If no owner can be found, delete the CNAME record from your DNS zone.
If the subdomain still serves a legitimate purpose but you don’t want the CNAME to be hijackable, consider replacing it with an A record pointing to your own server, or use a CNAME to a hostname you control (e.g., a university‑managed server).
Set a TTL (Time to Live) low (e.g., 300 seconds) during the transition to propagate changes quickly.

Important: After deletion, verify that no live services break. Use a test environment first if possible.

Step 4: Implement a DNS Hygiene Policy

Prevention is better than cleanup. Establish formal policies to ensure subdomains are never abandoned again:

Require a responsible owner for every subdomain request (name, department, email).
Set expiration dates for temporary subdomains (e.g., conference‑specific or research‑project subdomains).
Maintain a central registry of all subdomains, updated every quarter.
Automate notifications when a subdomain reaches its decommission date – if no response, the record gets removed.

Step 5: Monitor Continuously for Hijacking

Even with a clean slate, scammers are persistent. Set up ongoing monitoring to detect hijacks early:

Use DNS monitoring services (e.g., DNS Spy or Checkmk) that alert you when a CNAME record changes unexpectedly.
Scan your subdomains weekly with a tool that checks the content served. If a subdomain suddenly redirects to a scam site or porn, you’ll know within hours.
Monitor Google search results for your domain + suspicious terms (e.g., “site:university.edu porn”).
Check third‑party threat intelligence feeds – services like VirusTotal or URLScan.io may flag your subdomains if they’re abused.

Step 6: Educate Your Campus Community

Many subdomains are created by faculty, students, or administrative offices without IT’s knowledge. Run awareness campaigns:

Hold a workshop on DNS security for departmental IT liaisons.
Create a simple form for requesting subdomains that includes a mandatory “end of life” plan.
Explain the consequences: as Shakhov’s research showed, a single orphaned CNAME can serve porn to visitors, damaging the university’s reputation and potentially violating legal standards.

Step 7: Perform Regular Audits (Quarterly or Bi‑annually)

Make auditing part of your routine. Every quarter:

Re‑run the subdomain inventory and compare it to the previous quarter’s list.
Check all CNAME records again – even ones you thought were secure can become orphaned if their destination host changes.
Update the central registry with any new subdomains or changes.

Tips & Best Practices

Don’t rely solely on registrar tools – use command‑line tools for deep inspection.
Involve your legal team – serving porn or malware can have serious legal ramifications (e.g., child pornography laws, FTC violations).
Consider DNSSEC to prevent DNS spoofing, though this won’t directly prevent hijacking of CNAME records.
Test decommission workflows – run a pilot with a low‑risk subdomain to see if your process works.
Share your findings – the problem uncovered by Shakhov affects hundreds of subdomains across at least 34 universities. Collaborate with other institutions via security forums.

By following these steps, you can prevent your university’s subdomains from becoming unwitting vehicles for explicit content and scams. The key is vigilance: orphaned CNAME records are like unlocked doors—they’re easy for attackers to exploit unless you lock them first.