indianajson / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim vulnerable domains.

Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by  

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow, this project is uniquely oriented towards DNS takeovers. DNS takeovers pose a high threat to companies, warrant high bounties, and are easy to find. We are trying to make this list comprehensive, so please contribute!

Here's a public $500 bounty report for a DNS takeover that I wrote with a thorough explanation to help you understand the issue.

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

| Provider | Status | Fingerprint | Takeover Instructions |
|---|---|---|---|
| 000Domains | Vulnerable (w/ purchase) | ns1.000domains.com, ns2.000domains.com, fwns1.000domains.com, fwns2.000domains.com | Issue #19 |
| AWS Route 53 | Not Vulnerable | ns-****.awsdns-**.org, ns-****.awsdns-**.co.uk, ns-***.awsdns-**.com, ns-***.awsdns-**.net | Issue #1 |
| Azure (Microsoft) | Edge Case | ns1-**.azure-dns.com, ns2-**.azure-dns.net, ns3-**.azure-dns.org, ns4-**.azure-dns.info | Issue #5 |
| BigCommerce | Not Vulnerable | ns1.bigcommerce.com, ns2.bigcommerce.com, ns3.bigcommerce.com | Issue #35 |
| Bizland | No New Accounts | ns1.bizland.com, ns2.bizland.com, clickme.click2site.com, clickme2.click2site.com | Issue #3 |
| ClouDNS | Not Vulnerable | *.cloudns.net | |
| Cloudflare | Not Vulnerable | *.ns.cloudflare.com | Issue #10 |
| Digital Ocean | Vulnerable | ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com | Issue #22 |
| DNSMadeEasy | Vulnerable | ns**.dnsmadeeasy.com | Issue #6 |
| DNSimple | Vulnerable | ns1.dnsimple.com, ns2.dnsimple.com, ns3.dnsimple.com, ns4.dnsimple.com | Issue #16 |
| Domain.com | Vulnerable (w/ purchase) | ns1.domain.com, ns2.domain.com | Issue #17 |
| DomainPeople | Not Vulnerable | ns1.domainpeople.com, ns2.domainpeople.com | Issue #14 |
| Dotster | No New Accounts | ns1.dotster.com, ns2.dotster.com, ns1.nameresolve.com, ns2.nameresolve.com | Issue #18 |
| EasyDNS | Not Vulnerable | dns1.easydns.com, dns2.easydns.net, dns3.easydns.org, dns4.easydns.info | Issue #9 |
| Gandi.net | Not Vulnerable | a.dns.gandi.net, b.dns.gandi.net, c.dns.gandi.net | |
| Google Cloud | Vulnerable | ns-cloud-**.googledomains.com | Issue #2 |
| Hostinger (old NS) | Not Vulnerable | ns1.hostinger.com, ns2.hostinger.com | |
| Hover | Not Vulnerable | ns1.hover.com, ns2.hover.com | Issue #21 |
| Hurricane Electric | Vulnerable | ns5.he.net, ns4.he.net, ns3.he.net, ns2.he.net, ns1.he.net | Issue #25 |
| Linode | Vulnerable | ns1.linode.com, ns2.linode.com | Issue #26 |
| MediaTemple (mt) | Not Vulnerable | ns1.mediatemple.net, ns2.mediatemple.net | Issue #23 |
| MyDomain | Vulnerable (w/ purchase) | ns1.mydomain.com, ns2.mydomain.com | Issue #4 |
| Name.com | Vulnerable (w/ purchase) | ns1.name.com, ns2.name.com, ns3.name.com, ns4.name.com | Issue #8 |
| namecheap | Not Vulnerable | *.namecheaphosting.com, *.registrar-servers.com | |
| Network Solutions | Not Vulnerable | ns**.worldnic.com | Issue #15 |
| NS1 | Registration Closed (I can help, comment on the linked issue.) | dns1.p**.nsone.net, dns2.p**.nsone.net, dns3.p**.nsone.net, dns4.p**.nsone.net | Issue #7 |
| TierraNet | Vulnerable | ns1.domaindiscover.com, ns2.domaindiscover.com | Issue #24 |
| Reg.ru | Vulnerable (sanctions may stop payments) | ns1.reg.ru, ns2.reg.ru | Issue #28 |
| UltraDNS | Not Vulnerable | pdns.ultradns.com, udns.ultradns.com, sdns***.ultradns.com | Issue #29 |
| Yahoo Small Business | Vulnerable (w/ purchase) | yns1.yahoo.com, yns2.yahoo.com | Issue #20 |

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers, so takeovers are not possible. Knowing which nameservers are private and not vulnerable helps eliminate false positives from your testing.

| Owner | Status | Fingerprint |
|---|---|---|
| Activision | Not Vulnerable | ns*.activision.com |
| Adobe | Not Vulnerable | adobe-dns-0*.adobe.com |
| Apple | Not Vulnerable | a.ns.apple.com, b.ns.apple.com, c.ns.apple.com, d.ns.apple.com |
| Automattic | Not Vulnerable | ns*.automattic.com |
| Capital One | Not Vulnerable | ns*.capitalone.com |
| Disney | Not Vulnerable | ns.twdcns.com, ns.twdcns.info, ns*.twdcns.co.uk |
| Google | Not Vulnerable | ns*.google.com |
| Lowe's | Not Vulnerable | authns*.lowes.com |
| T-Mobile | Not Vulnerable | ns10.tmobileus.com, ns10.tmobileus.net |

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
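
For defenders auditing their own delegations, the condition described above can be checked against the fingerprint tables. The following is an added example, not code from this repository: it matches NS hostnames against a subset of the listed fingerprints and combines the listed status with the observed SERVFAIL to prioritise cleanup. The wildcard interpretation, the action labels and the sample inventory are assumptions made for illustration.

```python
import re

# Subset of the fingerprint tables on this page: pattern -> (provider, listed status).
FINGERPRINTS = {
    "ns-cloud-**.googledomains.com": ("Google Cloud", "Vulnerable"),
    "ns**.dnsmadeeasy.com": ("DNSMadeEasy", "Vulnerable"),
    "ns1.domain.com": ("Domain.com", "Vulnerable (w/ purchase)"),
    "ns-****.awsdns-**.org": ("AWS Route 53", "Not Vulnerable"),
    "*.ns.cloudflare.com": ("Cloudflare", "Not Vulnerable"),
}

def fingerprint_to_regex(pattern):
    # Assumption: a run of '*' stands for one or more characters within one DNS label.
    literals = re.split(r"\*+", pattern.lower())
    return re.compile(r"[a-z0-9-]+".join(re.escape(lit) for lit in literals))

def identify_provider(ns_host):
    host = ns_host.lower().rstrip(".")  # normalise case and the FQDN trailing dot
    for pattern, listed in FINGERPRINTS.items():
        if fingerprint_to_regex(pattern).fullmatch(host):
            return listed
    return None

def audit(delegations):
    """Each entry: (zone, NS hostnames, rcode those nameservers return for the zone)."""
    findings = []
    for zone, nameservers, rcode in delegations:
        listed = next((m for m in map(identify_provider, nameservers) if m), None)
        provider, status = listed or ("unlisted", "unknown")
        if rcode != "SERVFAIL":
            action = "ok"        # hosted zone still answers
        elif status.startswith("Vulnerable"):
            action = "urgent"    # zone missing and provider is listed as vulnerable
        else:
            action = "cleanup"   # dangling delegation; remove the stale NS records
        findings.append((zone, provider, action))
    return findings

# Constructed inventory for illustration (not real measurements).
SAMPLE = [
    ("shop.example.com", ["ns-cloud-a1.googledomains.com."], "SERVFAIL"),
    ("cdn.example.com", ["amy.ns.cloudflare.com"], "SERVFAIL"),
    ("www.example.com", ["ns-1234.awsdns-12.org"], "NOERROR"),
    ("old.example.com", ["ns1.unlisted-dns.example"], "SERVFAIL"),
]

if __name__ == "__main__":
    for zone, provider, action in audit(SAMPLE):
        print(f"{zone:20} {provider:14} {action}")
```

An "urgent" finding is resolved by removing the stale NS delegation at the parent zone or re-creating the hosted zone in your own account.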

You can read more at: https://0xpatrik.com/subdomain-takeover-ns/

A python implementation of DNS takeovers: https://github.com/pwnesia/dnstake

Contributions

We need more DNS providers added to the database with information about their services.

If you want to help out, please check out the getting started guide here.

Press

"How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years."
Brian Krebs

"I honestly think this is a great resource for security researchers and bug bounty hunters."
@0xpatrik

"A new, but incredibly useful resource.. Essentially, a more modern/accurate can-i-take-over list for the STO you likely don't yet know about"
Michael Skelton, Director of Security @ BugCrowd

"Still trying to find your first domain/subdomain takeover vulnerability? Go to indianajson/can-i-take-over-dns for a curated DNS takeover list. "
Intigriti, Bug Bounty Platform

"There's this excellent resource on GitHub... which has a list of nameservers... that you can perform takeovers on, so I think this is an excellent resource"
Shubham Shah, CTO of Assetnote
