Remediation Guide

How to Fix Orphaned Subdomains

Use this page when Passive Subdomain Discovery reveals hosts you no longer recognize, own, or intentionally expose.

What This Means

Subdomain cleanup is mostly an inventory and ownership problem. The priority is to identify which hosts are current, which are stale, and which point to services that should have been removed or reclaimed. The safest fix is to classify first, then retire or resecure the exposed assets deliberately.

Asset state              | What to verify                                        | Why it matters
Owned and active         | Current business purpose and security owner           | Legitimate assets still need hardening, not deletion.
Forgotten but reachable  | Whether the host still points to a live service       | These are common sources of accidental exposure.
Delegated or third-party | Whether the external dependency is still intentional  | Stale third-party links widen attack surface silently.
Retired infrastructure   | Whether DNS still points to decommissioned services   | Dangling or stale references create avoidable risk.

Common Causes

Patterns worth checking first

  • Project leftovers: Old environments or marketing assets remained in DNS after a migration ended.
  • Third-party drift: A SaaS or hosting dependency was removed operationally but left connected in DNS.
  • No ownership map: Teams can no longer say who owns certain public hostnames.

How To Confirm It Safely

Confirmation steps

  • Inventory the discovered hosts and assign each an owner, or mark it unknown.
  • Check whether each host still resolves, and where it lands: a first-party address, a third-party CNAME target, or nothing at all.
  • Review third-party dependencies tied to delegated or branded subdomains, including whether the vendor-side resource still exists.
  • Capture evidence (resolver output, CNAME targets, HTTP responses) before removing records or decommissioning endpoints.

Fix Workflow

  1. Classify discovered hosts. Separate active, stale, delegated, and unknown assets first.
  2. Retire or reclaim stale assets. Remove DNS records or resecure services that no longer belong in the public estate.
  3. Document ownership. Assign accountable owners to the hosts that remain in service.
  4. Retest the domain. Run passive discovery again and confirm that the unnecessary surface has been reduced.

Implementation Examples

Asset inventory checklist
1. Resolve each hostname
2. Record owner and purpose
3. Remove stale DNS
4. Retest discovery output
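The classification and retest steps above, as an added example that is not part of this guide or any vendor tooling: a small Python script that walks each discovered host's DNS records, sorts it into the asset states used on this page (active, forgotten, delegated, dangling, gone) together with its owner, and then diffs a second discovery run against the first. The zone contents, the ownership map, the `example.com` apex and the `.invalid` vendor names are all constructed for the example; `stub_resolve` answers from that constructed data so the script runs offline, and in practice you would replace it with a wrapper around a real resolver (for instance dnspython's `dns.resolver.resolve`).

```python
# Added example: classify passively discovered subdomains and diff two runs.
# Everything below the imports is constructed sample data or hypothetical names.
from dataclasses import dataclass

# Hypothetical first-party apex; any CNAME landing outside it is third-party.
ORG_SUFFIXES = (".example.com",)

# Constructed zone data standing in for live DNS answers.
CONSTRUCTED_ZONE = {
    "www.example.com": [("A", "203.0.113.10")],
    "old-promo.example.com": [("A", "203.0.113.44")],          # reachable, nobody owns it
    "help.example.com": [("CNAME", "acme-help.saasvendor.invalid")],
    "acme-help.saasvendor.invalid": [("A", "198.51.100.7")],   # vendor resource still live
    "blog.example.com": [("CNAME", "acme.oldhost.invalid")],   # target no longer exists
}

# Constructed ownership map; hosts missing from it are "unknown".
OWNERS = {
    "www.example.com": "web-platform",
    "help.example.com": "support-tooling",
}


def stub_resolve(name):
    """Return [(rtype, value), ...] for a name, or [] when it does not exist."""
    return CONSTRUCTED_ZONE.get(name.rstrip(".").lower(), [])


@dataclass
class Finding:
    host: str
    state: str    # active | forgotten | delegated | dangling | gone | unknown
    owner: str
    detail: str


def is_first_party(name):
    return name.endswith(ORG_SUFFIXES)


def classify(host, resolve, owners, max_hops=8):
    """Classify one host by following its CNAME chain and checking ownership."""
    owner = owners.get(host, "unknown")
    name, records = host, resolve(host)
    if not records:
        return Finding(host, "gone", owner, "name does not resolve; close the finding")
    for _ in range(max_hops):
        cnames = [v for t, v in records if t == "CNAME"]
        if not cnames:
            break
        target = cnames[0].rstrip(".").lower()
        target_records = resolve(target)
        if not target_records:
            # Record points at something that no longer exists: reclaim or remove.
            return Finding(host, "dangling", owner,
                           f"CNAME {target} does not resolve (takeover candidate)")
        if not is_first_party(target):
            return Finding(host, "delegated", owner, f"third-party CNAME to {target}")
        name, records = target, target_records
    if any(t == "CNAME" for t, _ in records):
        return Finding(host, "unknown", owner, "CNAME chain longer than max_hops")
    # Lands on a first-party address record; ownership decides active vs forgotten.
    state = "active" if owner != "unknown" else "forgotten"
    addrs = ", ".join(v for t, v in records if t in ("A", "AAAA"))
    return Finding(host, state, owner, f"first-party service at {addrs or name}")


def classify_all(hosts, resolve=stub_resolve, owners=OWNERS):
    return {h: classify(h, resolve, owners) for h in sorted(hosts)}


def compare_runs(before, after):
    """Retest step: hosts that disappeared from discovery output, and new ones."""
    before, after = set(before), set(after)
    return {"removed": sorted(before - after), "new": sorted(after - before)}


if __name__ == "__main__":
    run1 = ["www.example.com", "old-promo.example.com",
            "help.example.com", "blog.example.com"]
    for f in classify_all(run1).values():
        print(f"{f.host:24} {f.state:9} owner={f.owner:16} {f.detail}")
    # Simulated second run after the dangling blog record was removed.
    run2 = ["www.example.com", "old-promo.example.com", "help.example.com"]
    print(compare_runs(run1, run2))
```

The "dangling" and "forgotten" rows are the ones to act on first; "delegated" hosts are not findings by themselves but belong on the vendor review list, and "gone" entries only need closing out. Anything the script labels "unknown" still needs a human decision before a DNS change is scheduled.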

Rollout Risks

Deleting DNS too quickly can break a real dependency

Not every low-visibility subdomain is truly unused.

  • Confirm owner and purpose first.
  • Schedule changes with the responsible team.

Third-party delegations can look inactive while still exposing branded risk

A stale SaaS mapping may still create takeover or trust issues even if traffic is low: if the vendor-side resource has been released while your CNAME still points at it, whatever is served under that name carries your brand.

  • Review linked vendors explicitly.
  • Retire or secure branded delegates deliberately.

Validation Checklist

Post-fix validation

  • Unknown and stale hosts were classified and handled intentionally.
  • Retired services no longer remain in public DNS without ownership.
  • The remaining subdomain inventory has accountable owners.
  • Passive Subdomain Discovery confirms reduced unnecessary surface.

FAQ

Should I remove every low-traffic subdomain?

Only after confirming it no longer serves a real business purpose.

  • Classify first.
  • Remove stale assets, not merely quiet assets.

Are third-party mapped subdomains still my problem?

Yes. They still represent your public brand and attack surface.

  • Review vendor-linked DNS regularly.
  • Retire stale mappings rather than ignoring them.