This document discusses securing DNS records from takeovers. It defines DNS records and types like A, CNAME, MX, and NS records. It explains how these records can be exploited through takeovers if they point to invalid resources. The main types of takeovers discussed are CNAME, A, MX, and NS record takeovers. It provides examples of impacts like phishing and outlines approaches to protect against takeovers through centralized management of DNS records and periodic auditing.
2. About Me
● Chandrapal Badshah
● Security Engineer
● Pentest, Automation, Read books
● Philosophy & Stoicism
● Manage @HackwithGithub on Twitter
3. What is a DNS record ?
A DNS record is a mapping of a human-friendly name to an IP address *.
Think of it as a key-value pair where the key is always a human-friendly name and the
value is either an IP address or another human-friendly name.
A DNS server (called a Name Server) is simply a database that hosts these DNS
records.
4. Types of DNS records
Multiple types of DNS records:
● A Record : Maps to IPv4 address
● CNAME Record : Maps to another DNS record
5. Types of DNS records
● AAAA Record : Maps to IPv6 address
● MX Record : Maps to mail server responsible for accepting email messages
● NS Record : Maps to authoritative DNS server of a website
and many more ...
6. Introduction to DNS record takeovers
● Dangling DNS records are just out-of-date records that may have served their
purpose in the past
● In simple terms, dangling DNS record is a valid DNS record pointing to an
invalid resource.
● Takeover is just the exploitation of dangling DNS records
7. Types of takeovers
Out of all the DNS record types in use, 4 are known to be vulnerable:
● CNAME record
● A record
● MX record
● NS record
8. CNAME Takeovers
● Try to gain control over the resource that the CNAME record is pointing to.
● Most common among subdomain takeovers
11. CNAME Takeovers
● Most widely exploited attack vector
○ Easy to judge if a CNAME record is vulnerable (because of vendor-specific identifiers in the response)
○ Most BBPs (bug bounty programs) consider this a Medium to High severity bug
○ Detection can be completely automated and is easy $$$ if found
○ Lots of SaaS vendors don't properly verify domain ownership
● One noteworthy repo is https://github.com/EdOverflow/can-i-take-over-xyz
● Common reasons for this:
○ SaaS providers allow anyone to register/reuse the same resource name
○ Expired domain
○ Non-existent domain due to a typo in the CNAME record
12. A Takeovers
● Try to gain access to the IP address pointed to by the A record
● More common than dangling CNAME records but less exploited
○ No easy way to distinguish whether an IP is available to take over, just behind a firewall, or
already assigned to some other cloud user
○ Less probability of finding it in your BBP scope
○ Depends on the cloud provider
● Can be exploited for malware distribution / malvertising
● Unlike CNAME records, one subdomain can point to multiple A records
13. MX Takeovers
● Try to gain access to the resource the MX record is pointing to
● Comparatively lower impact than other takeovers
○ MX records are only used to receive emails
○ Usually more than one MX record per domain
○ Priority of the MX record matters
○ Not every subdomain will have MX records
● The impact
○ Email fraud (can be used in phishing emails)
○ Intellectual Property disclosure
14. NS Takeovers
● Try to gain access to NS records of a domain
● The least probable compared to other methods
○ More than one NS record used for domains
○ Seldom used for subdomains
○ If an NS record is not properly set up, the subdomains don't work (no room for typos)
● High impact, as an NS takeover makes you the authoritative DNS server
○ Depends on number of configured NS records
15. Impact of DNS record takeover
● A & CNAME record takeover
○ Phishing / ask for login credentials
○ Malware distribution
○ Can register to services where verification is TXT file upload
○ Chain other vulnerabilities to takeover user accounts and other sensitive information
○ Can issue SSL certificate for domains (from SSL providers using ACMEv1)
● MX record takeover
○ Receive emails (Intellectual property disclosure)
○ Email fraud
● NS record takeover
○ Complete control on (sub)domain’s DNS
16. How to protect from takeovers ?
● Need People, Process and Technology
● People & Process
○ Have a centralized place for all your domain registrations & DNS records
● Technology
○ Get list of all public IPs
○ Get list of custom domains / subdomains created by Cloud Provider / SaaS services
○ Get DNS records (A, CNAME, MX and NS) that you own
○ If there are any DNS records not pointing to IPs / DNS records you own, note them
○ If the noted DNS records are not whitelisted, report them
○ Periodically re-check the whitelisted DNS records
17. How to protect from takeovers ?
all_ips = []          # public IPs you own (from every cloud account / region)
all_resources = []    # custom domains created by your cloud provider / SaaS services
dns_records = {}      # record name -> list of targets (A, CNAME, MX, NS)
whitelisted = {}      # record name -> list of approved third-party targets

def report(finding):
    # replace with a ticket / alert in a real deployment
    print("possible dangling record:", finding)

for record in dns_records:
    for resource in dns_records[record]:
        if (resource not in all_ips
                and resource not in all_resources
                and resource not in whitelisted.get(record, [])):
            report({record: resource})
18. Example : How to protect from takeovers ?
● Mandate that employees use the AWS Route53 account the company owns
● Security team gets a list of all AWS services in use that create
custom domains
○ AWS Cloudfront
○ AWS Elastic Load Balancer
○ AWS S3 buckets
● Security team writes an audit script which runs every day to fetch all
non-whitelisted DNS records pointing to a third party
● Security team is being vigilant instead of being a blocker
20. How to protect from takeovers in complex env ?
● When using multiple regions within the same cloud provider or using different
cloud providers, the method remains the same
● Get all IPs and DNS records (across all regions & cloud accounts) and check whether
each DNS record is pointing to a third party
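A fuller version of the audit loop from slides 16 and 17, as an added example (not the author's POC script): it normalizes case and trailing dots, strips MX priorities, applies a per-record whitelist, and reports every target that is neither an owned IP/hostname nor an approved third party. The IPs, hostnames, records and whitelist below are constructed sample data; in a real run they would be pulled from every cloud account and region, as slide 20 describes.

```python
# Constructed sample inventories (not real infrastructure).
OWNED_IPS = {"203.0.113.10", "203.0.113.11"}            # e.g. Elastic IPs you own
OWNED_RESOURCES = {                                      # hostnames your cloud resources create
    "d111111abcdef8.cloudfront.net",
    "my-app-lb-123456.us-east-1.elb.amazonaws.com",
    "assets-prod.s3-website-us-east-1.amazonaws.com",
}
# record name -> (type, [targets]); case and trailing dots vary on purpose
DNS_RECORDS = {
    "www.example.com.": ("CNAME", ["D111111ABCDEF8.cloudfront.net."]),
    "old.example.com.": ("CNAME", ["retired-bucket.s3-website-us-east-1.amazonaws.com."]),
    "api.example.com.": ("A",     ["203.0.113.10", "198.51.100.7"]),
    "example.com.":     ("MX",    ["10 aspmx.l.google.com."]),
    "dev.example.com.": ("NS",    ["ns-1.vendor-dns.example.net."]),
}
# record name -> approved third-party targets (re-reviewed periodically)
WHITELIST = {"example.com": {"aspmx.l.google.com"}}


def norm(name: str) -> str:
    """Lowercase and drop the trailing dot so 'Foo.Com.' matches 'foo.com'."""
    return name.rstrip(".").lower()


def target_host(rtype: str, value: str) -> str:
    """MX values carry a priority ('10 host'); keep only the host part."""
    return norm(value.split()[-1]) if rtype == "MX" else norm(value)


def audit(dns_records, owned_ips, owned_resources, whitelist):
    """Return [(record, type, target)] for each target that is neither an
    IP/hostname we own nor an explicitly whitelisted third party."""
    owned = {norm(r) for r in owned_resources}
    findings = []
    for record, (rtype, values) in dns_records.items():
        name = norm(record)
        allowed = {norm(w) for w in whitelist.get(name, ())}
        for value in values:
            tgt = target_host(rtype, value)
            if tgt in owned_ips or tgt in owned or tgt in allowed:
                continue  # we own it, or it is an approved third party
            findings.append((name, rtype, tgt))
    return findings


if __name__ == "__main__":
    for finding in audit(DNS_RECORDS, OWNED_IPS, OWNED_RESOURCES, WHITELIST):
        print("needs review:", finding)
```

With the sample data, www.example.com is cleared only because of the normalization, and the MX target is cleared by the whitelist; the other three targets are reported for review.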
21. Thank you
Any Questions ?
Blog : https://badshah.io/remove-domain-takeover-bug-class/
POC : https://gitlab.com/bnchandrapal/dns-takeover-mitigation-poc
22. What am I working on now ?
Follow on Twitter to get more updates on:
● Mobile App Security Pipeline (Android & iOS)
● SAST