If you manage more than a handful of domains and subdomains, there is a good chance you do not have a complete picture of what is actually out there. Most organizations don’t. And that gap between what you think exists and what actually exists is exactly where attackers like to operate.
This article walks you through what the attack surface of a domain portfolio really means, why it grows silently over time, and what you can do to get it under control before someone else maps it out for you.
What Is a Domain Attack Surface, Exactly?
Your domain attack surface is the sum of all DNS records, subdomains, mail configurations, and connected services that are publicly visible and potentially exploitable. It is not just your main website. It includes every subdomain, every MX record, every forgotten staging environment, and every third-party service that has a CNAME pointing somewhere.
Think of it this way: your main domain is the front door of your building. But your subdomains are side doors, back doors, basement windows, and rooftop hatches. Some of them you installed deliberately. Others were put there by people who no longer work for you. A few you have probably forgotten about entirely.
The problem is that attackers do not forget. They have automated tools that enumerate subdomains in minutes. If your attack surface is larger than you realize, you are giving them more options than you should.
How Domain Portfolios Grow Out of Control
Nobody sets out to create a messy domain portfolio. It happens gradually. A developer spins up staging.yourcompany.com for a project that ends six months later. Marketing creates promo-summer2023.yourcompany.com for a campaign and never takes it down. An external agency sets up api-partner.yourcompany.com and nobody remembers to clean up the DNS entry when the partnership ends.
I have personally seen a situation where a client had over 40 subdomains they did not know about. Some pointed to IP addresses that had been reassigned to completely different organizations. One was a CNAME to an AWS S3 bucket that had been deleted months ago, which is a textbook subdomain takeover scenario. Anyone could have claimed that bucket name and served whatever content they wanted under that company’s domain.
This kind of drift is normal. It happens in every organization, regardless of size. The question is whether you have a system to catch it.
The Real Risks You Are Facing
Forgotten or misconfigured subdomains create several concrete threats.
Subdomain takeover is probably the most dangerous. When a subdomain points to a service you no longer control, an attacker can register that service and take ownership of your subdomain. They can then host phishing pages, steal cookies scoped to your parent domain, or damage your reputation.
Missing email authentication is another common issue. If your subdomains lack proper SPF, DKIM, and DMARC records, attackers can send emails that appear to come from your domain. This is not theoretical. It happens constantly, and it is one of the primary methods behind business email compromise attacks.
Exposed internal services often appear when development or staging subdomains are left publicly accessible. These environments typically have weaker security controls, default credentials, or debug modes enabled. They are low-hanging fruit for anyone scanning your infrastructure.
Stale DNS records pointing to old IP addresses can also leak information about your infrastructure or create confusion that attackers can exploit.
Step-by-Step: Mapping Your Domain Attack Surface
Getting visibility into your actual attack surface requires a systematic approach. Here is how to start.
Step 1: Enumerate all subdomains. Do not rely on your internal documentation alone. It is almost certainly incomplete. Use automated subdomain discovery to find everything that exists in public DNS, certificate transparency logs, and other sources. You will likely find subdomains you forgot about or never knew existed.
Step 2: Check where each subdomain points. For every subdomain, verify that the target service, IP address, or CNAME destination is something you actually control. Flag anything that points to a service you have decommissioned.
Step 3: Audit DNS record health. Look for misconfigured records, missing mail authentication, and inconsistencies. Pay special attention to wildcard records, which can introduce risks across your entire domain.
Step 4: Establish continuous monitoring. A one-time audit is useful but insufficient. Your domain portfolio changes over time, and new subdomains can appear without your knowledge. Continuous monitoring ensures you catch issues as they emerge, not months later during the next manual review.
Step 5: Create a decommissioning process. When a project ends or a service is retired, make DNS cleanup part of the shutdown procedure. This sounds obvious, but very few organizations actually do it consistently.
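To make steps 2 and 3 concrete (and the dangling-CNAME and missing-mail-authentication risks described earlier), here is a small audit script. It is an added example, not DNSVigil's code; it runs against a constructed DNS snapshot for the hypothetical zone example.com, and `snapshot_resolver` stands in for a real resolver you would plug in for a live run.

```python
import ipaddress

# Constructed DNS snapshot standing in for a live resolver (hypothetical
# zone, not a real organization). Key: (name, record type); value: list of
# answers, or None where the name does not resolve (NXDOMAIN).
SNAPSHOT = {
    ("www.example.com", "A"): ["203.0.113.10"],
    ("staging.example.com", "A"): ["198.51.100.7"],      # IP no longer ours
    ("assets.example.com", "CNAME"): ["old-bucket.s3.amazonaws.com"],
    ("old-bucket.s3.amazonaws.com", "A"): None,          # bucket deleted
    ("mail.example.com", "MX"): ["10 mx.example.com"],
    ("mail.example.com", "TXT"): ['"v=spf1 mx -all"'],
    ("_dmarc.mail.example.com", "TXT"): None,            # no DMARC here
    ("_dmarc.example.com", "TXT"): None,                 # nor at the org
}
OWNED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # ranges we control

def snapshot_resolver(name, rtype):
    """Lookup against the constructed snapshot; None means NXDOMAIN."""
    return SNAPSHOT.get((name, rtype))

def audit_subdomain(name, resolve=snapshot_resolver, owned=OWNED_NETS):
    """Return a list of findings for one subdomain (steps 2 and 3)."""
    findings = []
    # Step 2: where does the name point, and do we still control it?
    for target in resolve(name, "CNAME") or []:
        if not resolve(target, "A"):  # target is NXDOMAIN: dangling
            findings.append(f"dangling CNAME -> {target}")
    for addr in resolve(name, "A") or []:
        if not any(ipaddress.ip_address(addr) in net for net in owned):
            findings.append(f"A record {addr} outside owned ranges")
    # Step 3: a name that receives mail needs SPF and DMARC.
    if resolve(name, "MX"):
        txt = resolve(name, "TXT") or []
        if not any("v=spf1" in r for r in txt):
            findings.append("MX present but no SPF record")
        org = ".".join(name.split(".")[-2:])  # simplification: 2-label org
        # DMARC policy is inherited from the org domain when absent here
        dmarc = resolve(f"_dmarc.{name}", "TXT") or resolve(f"_dmarc.{org}", "TXT") or []
        if not any("v=DMARC1" in r for r in dmarc):
            findings.append("MX present but no DMARC record")
    return findings

def audit_portfolio(names, resolve=snapshot_resolver, owned=OWNED_NETS):
    """Map every name to its findings; an empty list means nothing flagged."""
    return {n: audit_subdomain(n, resolve, owned) for n in names}

if __name__ == "__main__":
    names = ["www.example.com", "staging.example.com",
             "assets.example.com", "mail.example.com"]
    for name, found in audit_portfolio(names).items():
        print(name, found or "ok")
```

An NXDOMAIN target is the clearest dangling signal, but a CNAME whose target still resolves to a provider's unclaimed default page also needs investigation, so treat this check as a first filter rather than a complete takeover test.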
Common Misconceptions Worth Addressing
“We only have a few subdomains.” This is almost never true once you actually look. Certificate transparency logs alone often reveal subdomains that internal teams have no record of. Automated discovery routinely doubles or triples the number of known subdomains in an organization.
“Our domain registrar handles security.” Your registrar manages your domain registration. It does not monitor what your DNS records point to or whether your subdomains are vulnerable to takeover. These are completely different concerns.
“We cleaned this up last year.” Domain portfolios do not stay clean. New subdomains appear, services change, people leave the company. Without ongoing monitoring, you are back to square one within months.
Making It Manageable
The good news is that this problem is entirely solvable with the right tooling. Manual audits are time-consuming and error-prone, which is exactly why most organizations skip them. Automated tools that continuously discover subdomains and monitor DNS health remove the burden of remembering to check.
At DNSVigil, we built our service specifically around this problem. It automatically discovers all subdomains associated with your domain, monitors their DNS health around the clock, and alerts you immediately when something looks wrong, whether that is a dangling CNAME, a missing SPF record, or a subdomain pointing to a service you no longer own. The goal is to give you a complete, always-current map of your digital footprint so nothing slips through the cracks.
Frequently Asked Questions
How often should I audit my domain portfolio? Ideally, you should have continuous automated monitoring. If you are doing manual audits, quarterly is a reasonable minimum, but a lot can change in three months.
Is subdomain takeover really that common? Yes. Security researchers discover vulnerable subdomains at major companies on a regular basis. Bug bounty programs pay out for these findings routinely because the impact can be severe.
Do small businesses need to worry about this? Absolutely. Small businesses are often targeted precisely because they are less likely to have monitoring in place. Even a single misconfigured subdomain can lead to phishing attacks against your customers.
Can I just delete all subdomains I do not recognize? Not without checking first. Some may be serving legitimate functions that were set up by someone who has since left the organization. Investigate before you delete, but do investigate.
Your domain portfolio is part of your public-facing infrastructure. Treat it with the same attention you give your firewalls and access controls. The attackers mapping your subdomains will not wait for your next annual review, and neither should you.
