An incident that happened to one of our clients led us to examine this issue in depth. The IT manager of a boutique hotel in Istanbul thought they were completely safe after putting their main site behind Cloudflare. However, a few weeks later, a fake booking site went live that used the hotel's real server IP address. How had this happened?
The answer was simple: the "mail.hotelname.com" subdomain pointed directly to the old email server, which had never been put behind Cloudflare. And that IP address was public.
What is a Subdomain and Why is it Important?
A subdomain is a prefix added to a main domain. "www.hotelname.com" is a subdomain; so is "reservation.hotelname.com". Hotels usually create dozens of subdomains over the years: a campaign site for a season, an old booking engine, a test environment, corporate email infrastructure, and more.
Some of these subdomains are forgotten over time. DNS records are not deleted, and they continue to point to old servers. These forgotten addresses can be a gold mine for fraudsters.
How Does an IP Address Leak via Subdomain?
Cloudflare and similar CDN (Content Delivery Network) services add a protective layer in front of websites. This hides the real server IP. However, this protection only applies to records configured through Cloudflare.
A subdomain like "mail.hotelname.com" must point directly to the server IP for SMTP (email) traffic. The email protocol cannot be routed through Cloudflare. This means that if someone searches for the "mail" subdomain with a simple DNS query, they can easily find the real IP.
In our research, we encountered such open subdomain records in more than seventy-five percent of the Turkish hotels we examined. Some of these were old infrastructure addresses that hadn't been used for years, but they were still accessible. For more information on the relationship between SSL certificates and subdomains, read our sahte-ssl-sertifika-tespiti-rehberi article.
Dangling DNS: The Ghost Subdomain Threat
The term "Dangling DNS" refers to a situation where a DNS record still exists, but the server or service it points to is no longer active. This is a common but often unnoticed threat in the hotel industry.
Real-World Example: Old Reservation Engine
A hotel contracted with a third-party booking engine years ago. A "reservation.hotelname.com" subdomain was created and pointed to that company's server. In later years, the engine was changed, and a new subdomain was opened for the new provider; however, the old DNS record remained in place, forgotten by everyone.
At this point, three scenarios can emerge. In the first scenario, the third-party company closed, and that IP address was assigned to another customer. The new IP owner can direct traffic arriving at "reservation.hotelname.com" to their own server. In the second scenario, the provider terminated the service, but the DNS record still points to them. In the third scenario, an attacker acquires that IP address and sets up a phishing site that borrows the hotel's reputation through the subdomain.
Real-World Example: Cloud Storage Service
Some hotels have hosted promotional materials or old blog content on cloud storage services like AWS S3, Azure Blob, or Google Cloud Storage. Subdomains like "cdn.hotelname.com" or "media.hotelname.com" were configured for these services, but the storage bucket was deleted when the contract ended.
If the DNS record wasn't deleted when the bucket was, anyone who can create a new bucket with the same name as the deleted bucket can take over that subdomain. This is called "subdomain takeover" and is a situation encountered from time to time on Turkish hotel sites we examined in our research.
Real-World Example: SaaS Integrations
Subdomains created during integration with SaaS services like reservation management software, channel managers, or customer loyalty programs can become orphaned when the service contract ends. Addresses like "loyalty.hotelname.com" or "crm.hotelname.com" can remain in DNS records for months or even years.
Dangerous Subdomain Types
Mail and Email Infrastructure
Subdomains like "mail.", "smtp.", "imap.", and "webmail." point to the email infrastructure. These always leave the real IP exposed. Industry experts especially emphasize that the DNS records for these subdomains must be carefully managed.
Old Reservation and Campaign Sites
Subdomains like "summer2022.", "campaign.", "rez.", and "booking." might have been opened for old projects and forgotten. These addresses might be indexed in search engines and remain connected directly to the server.
Development and Test Environments
Subdomains like "dev.", "test.", "staging.", and "beta." are the most dangerous from a security perspective. This is because these environments usually operate with incomplete security configurations and might have access to production databases.
Management Panels
Subdomains like "admin.", "panel.", "cpanel.", and "wp-admin." can point directly to access panels. When misconfigured, these both reveal the IP and become targets for brute force attacks.
Subdomain Discovery: What are Fraudsters Doing?
When a fraudster or attacker wants to learn the real IP address of a hotel, they follow these steps:
- DNS Enumeration: Tries common subdomains like "www", "mail", "ftp", and "admin" with brute-force DNS tools.
- Certificate Transparency Logs: Lists the subdomains used by looking at all certificates issued for that domain via crt.sh.
- Web Archive: Researches old DNS records in the Wayback Machine and similar archives.
- Reverse IP Query: Lists all sites hosted on that IP before Cloudflare.
These four steps are completed within minutes, and in most cases, the real IP is reached. You can find more details about the methods fraudsters use to bypass the Cloudflare protective layer in our otel-domain-guvenligi-typosquatting article.
Protection Methods
Create a Subdomain Inventory
The first and most critical step is to bring together all the DNS records you have. We see that many hotels do not know their own list of subdomains. Export all A, CNAME, and MX records from your DNS management panel.
Delete Unused Records
Remove DNS records for subdomains that are no longer in use, such as old campaign sites, old CRM infrastructure, or old e-commerce integrations. This both closes the security gap and simplifies domain management.
Configure Active Subdomains with Cloudflare
Route the subdomains you continue to use (except for the management panel) through the Cloudflare proxy as much as possible. This keeps the real IP address hidden.
Apply IP Restriction to Management Panels
Allow access to management subdomains like "admin." or "cpanel." only from specific IP addresses. This prevents brute force attacks and unauthorized access attempts.
Periodic Subdomain Scanning
At least once a month, check all the subdomains you have with scanning tools. This gives you the chance to detect a newly exposed or dangling record early, before someone else does.
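The inventory, cleanup and periodic scan steps above can be turned into a repeatable audit of your own DNS export. The following is an added example, not a tool from the original article: it reads a constructed zone export, marks A records that sit outside Cloudflare's proxy ranges as exposing an origin IP, marks CNAMEs whose target no longer resolves as dangling, flags sensitive prefixes such as "dev." or "mail.", and shows which exposed IP is shared by several subdomains. The two Cloudflare prefixes are a subset of the published list (assumption: fetch the current list from https://www.cloudflare.com/ips-v4/ for a real audit), and the resolver results are a constructed stand-in for live lookups.

```python
import ipaddress
import re

# Constructed zone export in "name type value" form; hostnames and IPs are made up.
ZONE_EXPORT = """\
www.hotelname.example          A      104.16.1.10
reservation.hotelname.example  CNAME  booking.old-engine.example.
mail.hotelname.example         A      203.0.113.25
dev.hotelname.example          A      203.0.113.25
cdn.hotelname.example          CNAME  hotelmedia.example-storage.example.
"""

# Constructed stand-in for live DNS: does each CNAME target still resolve?
# In a real audit replace this with resolver lookups (NXDOMAIN => dangling).
RESOLVES = {"booking.old-engine.example.": False,
            "hotelmedia.example-storage.example.": True}

# Subset of Cloudflare's published proxy prefixes (assumption: load the full list).
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in ("104.16.0.0/13", "173.245.48.0/20")]

# Prefixes the article singles out as mail, test or management infrastructure.
SENSITIVE = re.compile(r"^(dev|test|staging|beta|admin|panel|cpanel|mail|smtp|imap|webmail)\.")

def parse_zone(text):
    """Yield (name, rtype, value) for each "name type value" line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2]

def audit(text, resolves=RESOLVES):
    """Return one finding per record: proxied, exposes-origin-ip, dangling, ok or other."""
    findings = []
    for name, rtype, value in parse_zone(text):
        if rtype == "A":
            ip = ipaddress.ip_address(value)
            status = "proxied" if any(ip in net for net in CLOUDFLARE_V4) else "exposes-origin-ip"
        elif rtype == "CNAME":
            status = "ok" if resolves.get(value, True) else "dangling"  # unknown targets assumed live
        else:
            status = "other"
        findings.append({"name": name, "type": rtype, "value": value,
                         "status": status, "sensitive": bool(SENSITIVE.match(name))})
    return findings

def shared_origin_ips(findings):
    """Map each exposed IP to the subdomains revealing it, so a 'mail.' record that
    shares an IP with 'dev.' (and therefore leaks it) stands out."""
    by_ip = {}
    for f in findings:
        if f["status"] == "exposes-origin-ip":
            by_ip.setdefault(f["value"], []).append(f["name"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}
```

Records reported as "exposes-origin-ip" are candidates for proxying or separation onto a different IP; "dangling" records should be deleted before the vacated target can be re-registered by someone else.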
A Real Case
In a resort hotel on the Aegean coast that we examined during our research, a subdomain belonging to an old reservation engine that was decommissioned two years ago was still active. Someone reaching the real IP address of the hotel through this subdomain could also discover other services hosted on the same IP. When we informed the hotel, the managers were completely unaware of that subdomain.
Frequently Asked Questions
What is subdomain takeover and why does it pose a risk for my hotel? Subdomain takeover is when an attacker takes over a subdomain where a DNS record exists but is no longer active. The attacker can open a platform account for the deleted service and point the DNS record to their own server. In this case, the subdomain carrying the hotel's reputation can be used as a phishing site.
How can I find out how many subdomains I have? You can export all records from your DNS management panel (cPanel, Cloudflare, Route53). You can also see certificates belonging to all subdomains recorded in CT logs by searching your domain name via crt.sh. The combination of these two methods provides the most comprehensive inventory.
Can't I put email subdomains behind the Cloudflare proxy? No, SMTP email traffic cannot be routed through the Cloudflare proxy. Therefore, subdomains like "mail." and "smtp." always reveal the real IP. For a solution, it's recommended to move the email infrastructure to a separate IP or a cloud-based email service.
Won't it be harmful to delete DNS records for old subdomains? No, on the contrary, it is beneficial. Deleting DNS records for unused subdomains eliminates the security risk. If you're not sure whether traffic is still reaching that address, check the record (its type and where it points) and whether anything still uses it before deleting it; then you can remove it safely.
Detect all of your hotel's subdomains and potential IP leaks in minutes with our free tool. See immediately which of your subdomains pose a risk.