indianajson / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones

DNSMadeEasy #6

Open indianajson opened 3 years ago

indianajson commented 3 years ago

Service: DNSMadeEasy

Status: Vulnerable

Nameservers

Managed DNS: ns1.dnsmadeeasy.com, ns2.dnsmadeeasy.com, ns3.dnsmadeeasy.com, ns4.dnsmadeeasy.com

Secondary DNS: ns5.dnsmadeeasy.com, ns6.dnsmadeeasy.com, ns7.dnsmadeeasy.com

Alternate Managed DNS (not easily obtainable): ns10.dnsmadeeasy.com, ns11.dnsmadeeasy.com, ns12.dnsmadeeasy.com, ns13.dnsmadeeasy.com, ns14.dnsmadeeasy.com, ns15.dnsmadeeasy.com

Explanation

Head over to the registration page on DNSMadeEasy. Since accounts are only active for 30 days I recommend you use an alteration to your primary email (e.g. hacker+dns@wearehackerone.com). Now, the number in the nameservers in your vulnerable domain will determine which service you use.

If the number is ns1-ns4 use Managed DNS to create the zone. After you enter your domain and submit the form it will assign you several nameservers. At least one of your assigned nameservers must match with your vulnerable domain. Theoretically, they all will match, but sometimes they don't.

If the number is ns5-ns7 things get a bit more complicated. First, use Secondary DNS to create the zone. You will need to add a Secondary IP Set before you can configure the zone. Add 192.135.223.10 as the IP address. For the takeover to work, you need to set up a primary DNS first, which will push records to the secondary DNS provided by DNSMadeEasy. I recommend you use NS1 as the primary in this instance; it's free and easily configurable. This article will explain the steps to configure your NS1 zone. It will take a minute for everything to get in sync, but afterward you should receive a NOERROR response from the vulnerable server. Now configure the DNS records for the takeover on NS1.

If the number is ns10-ns15 you're probably not going to get this takeover. According to comments by DNSMadeEasy staff these nameservers are only delegated to a zone if the primary nameservers (ns1-ns4) are bogged down at that particular moment. There is no known reliable way to get the ns10-ns15 nameservers. Additionally, it has been discovered that these zones are used for whitelabel DNS services provided by DNSMadeEasy.
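As an added example, not code from this issue or the can-i-take-over-dns repository: a small Python helper a domain owner can use to audit one of their own delegations against the nameserver groups listed above. It takes dig-style NS output plus the RCODE the delegated server returned for the name and reports whether the delegation is dangling; the test.example.com trace is constructed, and the helper assumes (the issue does not say so) that REFUSED or SERVFAIL from the delegated server means no zone is hosted there.

```python
import re

# Nameserver groups for DNSMadeEasy as listed in this issue: the number in
# the hostname tells you which product the zone would have to live under.
NS_GROUPS = {
    "managed":   range(1, 5),    # ns1-ns4: Managed DNS
    "secondary": range(5, 8),    # ns5-ns7: Secondary DNS (needs an external primary)
    "alternate": range(10, 16),  # ns10-ns15: assigned only under load, not self-serviceable
}
NS_HOST_RE = re.compile(r"^ns(\d+)\.dnsmadeeasy\.com$")
# "owner TTL IN NS target" lines as printed by dig or the Google dig tool
NS_LINE_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$", re.IGNORECASE)

# Constructed sample trace output (hypothetical name, not taken from the issue)
SAMPLE_TRACE = """\
test.example.com.       86400   IN  NS  ns1.dnsmadeeasy.com.
test.example.com.       86400   IN  NS  ns2.dnsmadeeasy.com.
"""

def classify_ns(host):
    """Map a nameserver hostname to its DNSMadeEasy group, or None for other providers."""
    m = NS_HOST_RE.match(host.rstrip(".").lower())
    if not m:
        return None
    n = int(m.group(1))
    return next((g for g, r in NS_GROUPS.items() if n in r), "unlisted")

def delegated_nameservers(trace_text):
    """Collect every NS target that appears in dig-style output."""
    hits = (NS_LINE_RE.match(line.strip()) for line in trace_text.splitlines())
    return [m.group(2).rstrip(".").lower() for m in hits if m]

def assess_delegation(trace_text, rcode):
    """Combine the delegation with the RCODE the delegated server gave for the name."""
    groups = {g for g in map(classify_ns, delegated_nameservers(trace_text)) if g}
    if not groups:
        return {"groups": groups, "dangling": False, "verdict": "not delegated to DNSMadeEasy"}
    if rcode.upper() in ("NOERROR", "NXDOMAIN"):
        # A zone already answers for the name, so some account holds it (not dangling).
        return {"groups": groups, "dangling": False, "verdict": "zone hosted at DNSMadeEasy"}
    # Assumption (not stated in the issue): REFUSED/SERVFAIL means no zone is hosted there.
    if "managed" in groups:
        risk = "high: a Managed DNS zone can be created by any account"
    elif "secondary" in groups:
        risk = "high: a Secondary DNS zone can be created with an external primary"
    elif "alternate" in groups:
        risk = "low: ns10-ns15 cannot be self-assigned, but remove the stale delegation anyway"
    else:
        risk = "unknown: nameserver number not covered by this issue"
    return {"groups": groups, "dangling": True, "verdict": "dangling delegation, " + risk}
```

Remediation in every dangling case is the same: delete the stale NS records at the parent or recreate the zone under an account you control.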

royalcoder-sudo commented 2 years ago

This is a case where the number is set to ns5-ns7. I was trying to add to Secondary DNS.


Does this mean it's not vulnerable?

indianajson commented 2 years ago

@royalcoder-sudo This error means that an account on DNSMadeEasy already has the (sub)domain in a zone. The domain is currently returning an NXDOMAIN error (which typically is not vulnerable to this attack vector). Despite the fact that xe-1-2-.br01.sjc1.squareup.com does not exist in a zone its root (br01.sjc1.squareup.com) does, thus the subdomain is not vulnerable. Performing a dig request for br01.sjc1.squareup.com returns NOERROR and running a trace shows us the zone is located on DNSMadeEasy's ns5-ns7 servers.

nullblackvoid commented 2 years ago

Hi @indianajson
Does it work with ns10-ns15 zone?

indianajson commented 2 years ago

@xsh1synack I discussed this specific issue with another researcher a while back. They even asked DNSMadeEasy's customer service about delegating to those servers and were told that zones are only delegated to them if the main servers are having difficulty dealing with the load.

At the moment, I don't have a method for forcing zone delegation to those name servers. If anyone comes up with something please share!

Hacktus-zz commented 2 years ago

If it's between ns1-ns4, should I report that I claimed it? Without any PoC, will it be enough?

indianajson commented 2 years ago

@Sn0wd3nn You definitely want a POC, but you don't need to host a website. For DNS takeover POCs, you should add a TXT record to the hosted zone, something like POC by @Sn0wd3nn and then check to make sure it resolves using this tool https://toolbox.googleapps.com/apps/dig/#TXT/. (You may need to give it up to an hour to show up). This way you know the takeover worked and any triager will be able to quickly verify the issue.

Hacktus-zz commented 2 years ago

The thing is I found the subdomain is available in DNSMadeEasy to register it, and I did register it, but I still feel like it's not vulnerable, like I can't do anything with it @indianajson

indianajson commented 2 years ago

If you want to DM me on Twitter with the details I'll try to tell you what exactly is going on with it. @Sn0wd3nn

Hacktus-zz commented 2 years ago

I did, check your DM @indianajson

UN1337KN0WN commented 2 years ago

Hi everyone,

Hope you are doing great. Just a recap of what I did and then my question. So forgive me if I missed something.

So I found a subdomain that is possible to take over. I went to DNSMadeEasy and took that domain (so I think):

I added a TXT record yesterday, but nothing came up. Do I have to purchase the domain to take it over at this point? Probably... right, because at that point I configure the DNS before I purchase it?!?

Thank you in advance everyone :-)

indianajson commented 2 years ago

Hi @UN1337KN0WN - If the subdomain is vulnerable and you added it to DNSMadeEasy the takeover should work and you should not need to purchase any domains. To clarify though you need to add the subdomain to DNSMadeEasy, not the domain. For example, if test.example.com is vulnerable you need to add test.example.com, not example.com.

I'm going to add an explanation on how to test a domain for vulnerability and add it to this issue, but in the meantime feel free to DM me on Twitter (@indianajson) and I'll try to help you troubleshoot this. Since it's already in your DNSMadeEasy account you've got it locked in if it is indeed vulnerable.

UN1337KN0WN commented 2 years ago

Hi @indianajson,

Thanks for the quick response. 1. Okay, because I thought the TXT record that I added should give me a response, but nothing happened there. 2. Hahah, I know about subdomain takeover; I was not sure about subdomain takeover on DNSMadeEasy. It was just odd that I did not receive my TXT record. 3. Appreciate the effort :)

Looked around the setup and found the following message:

No delegated name servers were found for your domain. These name servers are usually supplied to the registrar.

Any clue here?

indianajson commented 2 years ago

@UN1337KN0WN - That sounds like the nameservers for the domain aren't actually pointing to DNSMadeEasy. Go run a trace on the domain using this tool (enter the affected subdomain and click Dig). The last line in the response will say something like this:

test.example.com.       86400   IN  NS  a.iana-servers.net.
test.example.com.       86400   IN  NS  b.iana-servers.net.

Tell me what appears after the NS in those two lines.

pdelteil commented 2 months ago

Recently DigiCert bought DNSMadeEasy; now the default NS are nsXX.digicertdns.com.