Add check to see if a CNAME's apex is registered, so now if foo.com points to test.bar.com, we will check if bar.com is available to register. If it is, foo.com is considered vulnerable; otherwise, not.
Please note that tko-subs will not catch subdomains which point to an unknown provider which uses "just in time" DNS records.
For example, suppose there is a provider called unknownprovider.com that puts up DNS records for each customer in an ad-hoc fashion, as opposed to pointing all customers to one IP (or a shared pool of IPs) and identifying them based on the value of the Host header.
If foo.test.com points to test.unknownprovider.com which is not claimed and therefore returns an NXDOMAIN response, tko-subs will not consider foo.test.com vulnerable, because it looks exactly like a domain pointing to a non-existent subdomain of an existent domain, which is normally not exploitable.
So make sure to update the providers file regularly with any new services.
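The CNAME-apex rule and the just-in-time caveat above, as an added illustration in Go (example code, not tko-subs' own implementation): DNS and registry answers are constructed in-memory maps, apexOf is a simplified last-two-labels shortcut (real tooling should consult the Public Suffix List), and provider-fingerprint matching from the providers file is out of scope here.

```go
package main

import "strings"

// Lookups holds constructed DNS/registry answers standing in for live queries.
type Lookups struct {
	CNAME      map[string]string // name -> CNAME target; absent = no CNAME
	Resolves   map[string]bool   // name -> resolves (false = NXDOMAIN)
	Registered map[string]bool   // apex -> registered with a registrar
}

// apexOf keeps the last two labels (assumed shortcut; use the Public Suffix List in practice).
func apexOf(host string) string {
	labels := strings.Split(strings.TrimSuffix(host, "."), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// Check applies the CNAME-apex rule described above to one hostname and
// returns whether it is flagged, plus the reason.
func Check(name string, l Lookups) (bool, string) {
	target, ok := l.CNAME[name]
	if !ok {
		return false, "no CNAME record"
	}
	apex := apexOf(target)
	if !l.Registered[apex] {
		return true, "CNAME apex " + apex + " is available to register"
	}
	if !l.Resolves[target] {
		// NXDOMAIN under a registered apex looks like an ordinary dangling record,
		// so it is not flagged even if the provider creates records on demand.
		return false, "target NXDOMAIN but apex " + apex + " is registered"
	}
	return false, "CNAME target resolves"
}

// SampleLookups builds the constructed scenarios from the text.
func SampleLookups() Lookups {
	return Lookups{
		CNAME: map[string]string{
			"foo.com":      "test.bar.com",             // bar.com not registered
			"foo.test.com": "test.unknownprovider.com", // just-in-time provider
			"www.test.com": "cdn.example.net",          // healthy record
		},
		Resolves:   map[string]bool{"cdn.example.net": true},
		Registered: map[string]bool{"unknownprovider.com": true, "example.net": true},
	}
}
```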