
AWS Route 53 no longer vulnerable

Open thr3athunt3r opened this issue 2 years ago • 4 comments

AWS Route 53 no longer vulnerable to takeover domains with dangling delegation records

thr3athunt3r, Sep 13 '22 13:09

Hi,

I did a Route53 takeover for a demo at BSIDES Newcastle just a couple of weeks ago. What makes you think you can't take it over?

I've noted that sometimes it doesn't work, but for me most of the time it does.

Linky to the recording: https://youtu.be/GGfQlPZSRk4?t=712

SimonGurney, Sep 13 '22 13:09

My theory is that sometimes it doesn't work because the domain is actually configured, but as a private hosted zone and not a public one. This means it is installed on the nameservers but only resolves when queried from the same AWS account.

Unfortunately, you cannot tell if it's not configured at all or configured as a private zone.

SimonGurney, Sep 13 '22 13:09

My case is: a domain with NS records but not in a hosted zone is not vulnerable. It failed with 7 domains I tested yesterday which have the signature 'aws_ns'.

Some references from googling:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/protection-from-dangling-dns.html
https://github.com/indianajson/can-i-take-over-dns/issues/1

thr3athunt3r, Sep 13 '22 13:09

Hmmm, it's a fair point. It's a bit of an edge case.

This takeover is definitely possible in some cases, but there are some protections (which you have linked).

I'll add a comment to the information we return for this signature to state that it's a bit of an edge case.

SimonGurney, Sep 13 '22 14:09
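As an added example (not dnsReaper's own code), here is a stdlib-only Python check from the defender's side for the ambiguity discussed in this thread: it asks each delegated Route 53 nameserver directly for the zone's SOA and classifies the answers. It assumes that a public Route 53 server returns REFUSED for a name in no hosted zone it serves and that a private hosted zone is never served by those public servers, so the dangling and private cases are deliberately reported as one result to be verified against the account's hosted zones.

```python
import socket
import struct

# DNS rcodes (RFC 1035): NOERROR = 0, NXDOMAIN = 3, REFUSED = 5.
REFUSED = 5
TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic

def build_soa_query(name: str, txid: int = TXID) -> bytes:
    """Minimal SOA query with RD clear, so the delegated server must answer
    from its own zone data rather than recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def parse_header(resp: bytes, txid: int = TXID) -> dict:
    """Extract id match, AA bit, rcode and section counts from a response header."""
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id_ok": rid == txid, "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "answers": an, "authority": ns}

def query_soa(nameserver: str, name: str, timeout: float = 3.0):
    """Send the SOA query to one delegated nameserver over UDP; None on timeout."""
    pkt = build_soa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (socket.gethostbyname(nameserver), 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_header(data)

def classify(nameservers, results) -> str:
    """`results` maps each NS hostname to its parsed header (or None on timeout).
    Assumption: public Route 53 servers answer REFUSED for a name in no public
    hosted zone they serve, and never serve private zones, so from outside the
    AWS account 'not configured' and 'private zone' are indistinguishable."""
    aws = [n for n in nameservers if ".awsdns-" in n.lower()]
    if not aws:
        return "not_route53"
    answered = [results[n] for n in aws if results.get(n)]
    if any(r["aa"] and r["rcode"] == 0 for r in answered):
        return "served"  # at least one delegated server holds the zone
    if len(answered) == len(aws) and all(r["rcode"] == REFUSED for r in answered):
        return "dangling_or_private"  # confirm in the account's hosted zones
    return "inconclusive"  # timeouts or mixed answers: re-check before acting
```

Against a live delegation, run `classify(servers, {ns: query_soa(ns, name) for ns in servers})` with the NS hostnames taken from the parent zone; a `dangling_or_private` result is the signal to check whether a hosted zone with that delegation set exists in the account.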