indianajson / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim vulnerable domains.

bugbounty bugbountytips dangling-dns dns dns-hijacking domain-takeover hacking hacking-tool infosec nameservers subdomain-takeover takeover-subdomain

can-i-take-over-dns's Introduction

A list of DNS providers and how to claim (sub)domains via missing hosted zones.


can-i-take-over-dns's Issues

EasyDNS

Service EasyDNS

Status Not Vulnerable

Nameserver

dns1.easydns.com
dns2.easydns.net
dns3.easydns.org
dns4.easydns.info

rush.easydns.com
nirvana.easydns.net
motorhead.easydns.org

dns1.easydnssec.com
dns2.easydnssec.net
dns3.easydnssec.org
dns4.easydnssec.info

Explanation

EasyDNS has stopped allowing a domain to be added to the system that is a lame delegation without it being verified through adding a hostname to the nameserver delegation via the domain registrar. Special thanks to @markjr for investigating this to conclusion.

NS1

Service NS1

Status Vulnerable

Nameservers

dns1.p**.nsone.net
dns2.p**.nsone.net
dns3.p**.nsone.net
dns4.p**.nsone.net

Explanation

If you have an NS1 account head into the control panel. Creating a new zone for your domain (assuming the zone is available to register) will perform the takeover. The nameservers do not need to match. For example, even if the nameserver on the domain is dns4.p05.nsone.net, but your zone is dns4.p03.nsone.net the takeover will still work.

False Positives

If you get an error that says "FQDN is used by multiple zones", that means it is already in someone else's account. You cannot take over subdomains of root domains that already have zones. This is not due to this being an edge case; this is simply how DNS works.

Assistance with Takeovers

If you need help with a takeover now that NS1 no longer offers free accounts, DM me on Twitter then post a comment here (cause my Twitter notifications are broken) and I'll try to help.

WANT TO CONTRIBUTE? START HERE

We want your help!

Contributions are welcome! Like the project that inspired it, this repository will change and shift with contributions from the community.

Want to add a service? Open an issue!

To suggest a new service please open a new issue, use the appropriate template, and fill out the template as completely as possible. After our discussions, I will update your initial Issue with any relevant details for those who read it in the future.

Want to add details about a service? Find it in the list.

There should be an issue for every provider in the primary list. If you want to suggest changes or provide details about how to perform takeovers please add it as a comment to the appropriate issue.

Need help? Let's do it!

If you need help with a takeover don't hesitate to ask, but we'd appreciate it if you opened a new issue using the Help w/ Take Over template. This way we can help you and keep the issues list cleaned up at all times.

More questions?

Feel free to throw any questions you have into this issue! I'll try to respond as I am able.

Cloudflare

Service Cloudflare

Status Not Vulnerable

Nameserver

*.ns.cloudflare.com
*.ns.cloudflare.com

Assigned in pairs of two, with a boy's name and a girl's name.

Explanation

@Woutifier (an engineer on Cloudflare's DNS team) has confirmed the logic that allowed a user to get randomly assigned a nameserver that was previously attached to a given domain has been removed. There is no known exploit by which to achieve takeovers on Cloudflare.

Old Disclaimer (for posterity)

Conducting takeovers with Cloudflare is possible though complicated and can return false positives. To successfully perform targeted takeovers will probably necessitate some type of automation and has, in my experience, only a 10% chance of success even if you have all of the necessary prerequisites. If you're still interested... read on!

Old Explanation (for posterity)

Cloudflare is a bit different than most DNS providers, because of the way they assign DNS names. According to the company's blog, they use people's names as their nameservers (e.g. bob.ns.cloudflare.com, lola.ns.cloudflare.com, etc.) with roughly 50 boys' names and 50 girls' names. When you sign up to Cloudflare your account is assigned two semi-permanent nameservers, one girl's name and one boy's name, meaning you will be assigned 1 of 2,500 possible nameserver combinations. Quite a bit of time has passed since that blog post and Cloudflare now operates around 900 nameservers (see my master nameserver list), thus there are over 200,000 possible combinations.

That's not the whole story though. If the zone on Cloudflare has been deleted (i.e. returns SERVFAIL), it is possible that when you generate a new zone one of your two assigned nameservers will match one of the domain's existing nameservers. This is similar to how Amazon AWS used to allow takeovers via Route 53 with only one of four nameservers matching. As an example, if the vulnerable domain points to bob.ns.cloudflare.com and lola.ns.cloudflare.com and your account has bob.ns.cloudflare.com and edna.ns.cloudflare.com the takeover may be possible.

Here's the catch. At this point, it would take upwards of 450 Cloudflare accounts to get an account that matches one of your specific vulnerable domain's nameservers. Additionally, in my experience, there is only around a 10% chance of success even if the nameservers assigned to your account match the domain. While this is a far cry from the theoretical 200,000 accounts previously believed necessary, that's still a lot of work to perform a targeted takeover. To that end, I'm reassigning this to Edge Case unless someone figures out a way to reduce the need for so many accounts.

Hover

Service Hover

Status Not Vulnerable

Nameserver

ns1.hover.com
ns2.hover.com

Explanation

Hover requires you to register the domain with them or transfer the domain into their service in order to create a zone, thus takeover is impossible with their service.

Name.com

Service Name.com

Status Vulnerable w/ purchase

Nameservers

ns1***.name.com
ns2***.name.com
ns3***.name.com
ns4***.name.com

Explanation

Based on this article in the support portal, it is possible to add external domains onto an existing hosting plan. This does require an active Name.com account and a hosting plan.

Additionally, while the naming scheme for their nameservers contains a number and three random letters (e.g. ns1fkl.name.com) this does not seem to affect responses. For example, econfigmrkt.com does not have ns3nrz.name.com as a nameserver, however dig econfigmrkt.com @ns3nrz.name.com will respond NOERROR.

Consequently, despite the paywall, Name.com is vulnerable to takeover.

MyDomain

Service MyDomain

Status Vulnerable (w/ purchase)

Nameservers

ns1.mydomain.com
ns2.mydomain.com

Explanation

It is possible to add hosted zones for domains you do not own to your MyDomain account, thus a SERVFAIL error pointing to these nameservers means it is vulnerable to take over. In order to obtain an account, you must purchase something, like a domain or hosting. This should cost less than $10. Alternatively, feel free to open an issue asking for help and someone with an account may be willing to perform the takeover for you. Once you're registered navigate to the Domain Import tool and enter the vulnerable domain name. This will add it to your account and you can control the DNS records in the settings for the domain.

easyDNS - Not vulnerable

Service easyDNS

Status Not Vulnerable

Nameserver

dns1.easydns.com
dns2.easydns.net
dns3.easydns.org
dns4.easydns.info

rush.easydns.com
nirvana.easydns.net
motorhead.easydns.org

dns1.easydnssec.com
dns2.easydnssec.net
dns3.easydnssec.org
dns4.easydnssec.info

Explanation

easyDNS stopped allowing a domain to be added to the system that is a lame delegation without it being verified through adding a hostname to the nameserver delegation via the domain registrar.

Domain.com

Service Domain.com

Status Vulnerable

Nameserver

ns1.domain.com
ns2.domain.com

Explanation

Per Domain.com's Knowledge Base you can add external domains if you have an existing account or if you purchase something (like hosting). As it turns out, Domain.com owns 000domains.com and dotster.com, which means creating a zone on domain.com will activate a zone automatically on the other two services as well.

Needs Verification? Yes

While the documentation supports the belief that takeover is possible and their system uses the same backend as Bizland and MyDomain (which are vulnerable), we do need someone to verify that takeover is possible.

BigCommerce

Service BigCommerce

Status Not Vulnerable

Nameserver

ns1.bigcommerce.com.
ns2.bigcommerce.com.
ns3.bigcommerce.com. 

Explanation

It's possible to create an account here. To add a custom domain, you are required to upgrade to a paid account (starting at US$39/month). The site checks if the domain is already taken by another account, making it not vulnerable. An edge case might exist, but I couldn't find more examples to check.

000Domains

Service 000Domains

Status Vulnerable

Nameserver

ns1.000domains.com
ns2.000domains.com
fwns1.000domains.com
fwns2.000domains.com

Explanation

000Domains is owned by Dotster, powered by Domain.com, which means creating a zone on Domain.com also creates a zone on Dotster and 000Domains (and vice versa). For example, 4orty3.net uses Dotster's DNS, however ns1.domain.com and ns1.000domains.com will resolve all records for 4orty3.net.

Per Domain.com's Knowledge Base you can add external domains if you have an existing account (you can purchase something then cancel to get an account).

To perform a takeover on 000Domains, get an account on Domain.com and add the zones there (which will activate the zone on 000Domains).

UltraDNS

Service UltraDNS

Status Not Vulnerable

Nameserver

pdns***.ultradns.com
udns***.ultradns.com
sdns***.ultradns.com

All DNS nameservers under ultradns.com run off the same list of zones, thus a zone with NS udns34.ultradns.com will still get resolved by pdns148.ultradns.com.

Explanation

While accounts start at $30 per month and can be created by adding a service to your cart via this page, UltraDNS has built internal detection to limit/stop DNS takeovers using their service.

Credit

Special thanks to @m0chan for investigating this and getting us an answer!

Bizland

Service Bizland

Status Vulnerable

Nameserver

ns1.bizland.com
ns2.bizland.com
clickme.click2site.com
clickme2.click2site.com

Explanation

It is possible to add hosted zones for domains you do not own to your Bizland account, thus a SERVFAIL error pointing to any of these nameservers means it is vulnerable to a takeover via Bizland. In order to obtain an account, sign up for a 30-day trial via this link. Once you're registered it should add the domain you specified during registration. If it does not, navigate to the Domain Import tool and enter the vulnerable domain name. This will add it to your account and you can control the DNS records in the settings for the domain.

DNSMadeEasy

Service DNSMadeEasy

Status Vulnerable

Nameserver

Managed DNS
      ns1.dnsmadeeasy.com
      ns2.dnsmadeeasy.com
      ns3.dnsmadeeasy.com
      ns4.dnsmadeeasy.com

Secondary DNS
      ns5.dnsmadeeasy.com
      ns6.dnsmadeeasy.com
      ns7.dnsmadeeasy.com

Alternate Managed DNS --> (not easily obtainable)
      ns10.dnsmadeeasy.com
      ns11.dnsmadeeasy.com
      ns12.dnsmadeeasy.com
      ns13.dnsmadeeasy.com
      ns14.dnsmadeeasy.com
      ns15.dnsmadeeasy.com

Explanation

Head over to the registration page on DNSMadeEasy. Since accounts are only active for 30 days I recommend you use an alteration to your primary email (e.g. [email protected]). Now, the number in the nameservers in your vulnerable domain will determine which service you use.

If the number is ns1-ns4 use Managed DNS to create the zone. After you enter your domain and submit the form it will assign you several nameservers. At least one of your assigned nameservers must match with your vulnerable domain. Theoretically, they all will match, but sometimes they don't.

If the number is ns5-ns7 things get a bit more complicated. First, use Secondary DNS to create the zone. You will need to add a Secondary IP Set before you can configure the zone. Add 192.135.223.10 as the IP address. For the takeover to work, you need to set up a primary DNS first, which will push records to the secondary DNS provided by DNSMadeEasy. I recommend you use NS1 as the primary in this instance; it's free and easily configurable. This article will explain the steps to configure your NS1 zone. It will take a minute for everything to get in sync, but afterward you should receive a NOERROR response from the vulnerable server. Now configure the DNS records for the takeover on NS1.

If the number is ns10-ns15 you're probably not going to get this takeover. According to comments by DNSMadeEasy staff these nameservers are only delegated to a zone if the primary nameservers (ns1-ns4) are bogged down at that particular moment. There is no known reliable way to get the ns10-ns15 nameservers. Additionally, it has been discovered that these zones are used for whitelabel DNS services provided by DNSMadeEasy.

Microsoft Azure

Service Microsoft Azure

Status Edge Case

Nameserver

ns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info

UPDATE

It seems a lot of people have been having trouble performing Azure takeovers and while it was always a bit hit or miss it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.

Old Explanation

You can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click + New. In the Name field enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.

DNSimple

Service DNSimple

Status Vulnerable

Nameserver

ns1.dnsimple.com
ns2.dnsimple.com
ns3.dnsimple.com
ns4.dnsimple.com

Explanation

You can sign up for a free account on DNSimple. After creating your account go to Domains and click Add Domains. If you are able to create a zone for the vulnerable domain then takeover is possible. REMEMBER, the zone will not function until you start a 30-day trial with DNSimple, which requires a credit card on file.

False Positives

DNSimple can produce false positives because a domain can be in an account where the account owner's payment method has expired, thus the domain will not resolve (i.e. shows a DNS SERVFAIL error), but cannot be added to your account.

Verizon Small Business

Service Verizon Small Business

Status Unknown

Nameserver

yns1.yahoo.com
yns2.yahoo.com

Explanation

Verizon acquired Yahoo and has finally begun to shut down old Yahoo websites in favor of rebranded Verizon websites. This has modified the flow for this, and as of now we are unsure if it is still possible.

Old Explanation

Yahoo Small Business provides websites, domains, and hosting services. First, create a free account. Once you log in click Create a website today. Next, follow the steps to create a "free website" and click Publish. You will be asked if you want to use a Custom Domain or a free subdomain; select Custom Domain. On the next page select the Basic Plan. After this, there will be a line of text on the next page that reads Want to use your existing domain name? Click here. Click it and enter your vulnerable domain. If the domain is available it will tell you and ask you to verify you own the domain. Assuming you are authorized to perform the takeover by a bug bounty program, then proceed. It will then ask for your credit card and details. Once finished the DNS will begin to propagate and the takeover will be successful.

Hostinger

Service Hostinger

Status Vulnerable (w/ purchase)

Nameserver

ns1.dns-parking.com
ns2.dns-parking.com

Explanation

With a paid hosting plan it appears you can add a domain without ownership verification, per this article. However, this needs to be verified.

AWS Route 53

Service AWS Route 53

Status Not Vulnerable

Nameservers

ns-****.awsdns-**.org
ns-****.awsdns-**.co.uk
ns-***.awsdns-**.com
ns-***.awsdns-**.net

Explanation

AWS Route 53 is no longer vulnerable to DNS takeovers even when SERVFAIL errors are returned, due to changes by the team that stop takeovers via newly created zones. This has been independently verified.

TierraNet

Yes, you can perform DNS takeovers of domains pointing to TierraNet's DNS service.

Service TierraNet

Status Vulnerable

Nameserver

ns1.domaindiscover.com
ns2.domaindiscover.com

Explanation

While not immediately obvious, you can manage external domains with TierraNet. Set up a free account with them and then go to the Manage DNS section of the website. The page says you have to pay $7.95 for the DNS zones if you don't use their paid services elsewhere, but the system will let you add the zones without paying, thus performing the takeovers. After performing the takeover you will be sent a bill via email. If you then remove the zone they will waive the fee.

Google Cloud DNS

Service Google Cloud DNS

Status Vulnerable (as of July 2023)

Nameserver

ns-cloud-**.googledomains.com

Explanation

If a domain points to one of the nameservers listed above it is using Google Cloud DNS, a free service. A SERVFAIL error indicates the domain is vulnerable to take over. To perform the takeover set up a free Google Cloud account then navigate to Cloud DNS. Click Create Zone and then enter the (sub)domain name in the field named DNS name. Your new zone will be given four random Google nameservers. These must match the ones on the vulnerable domain. If they do not match simply delete the zone and create another one, you should be assigned a different random set of Google nameservers. It can take a few attempts to get them to match.

Errors / Issues

  1. If you get an error about domain verification then the domain is not vulnerable.
  2. There have been multiple comments about the fact that this may be patched; this needs to be investigated further and I haven't had time yet.

Network Solutions

Service Network Solutions

Status Not Vulnerable

Nameserver

ns**.worldnic.com

Explanation

After a careful review, it has been determined that zones cannot be created with Network Solutions unless the domain is transferred to their registrar, thus DNS takeover is believed to be impossible.

Dotster

Service Dotster

Status Vulnerable (w/ purchase)

Nameserver

ns1.dotster.com
ns2.dotster.com
ns1.nameresolve.com
ns2.nameresolve.com

Explanation

Dotster is powered by Domain.com, which means creating a zone on Domain.com also creates a zone on Dotster (and vice versa). For example, 4orty3.net uses Dotster's DNS, however ns1.domain.com will resolve all records for 4orty3.net.

Per Domain.com's Knowledge Base you can add external domains if you have an existing account or if you purchase something (like hosting). Thus, to perform a takeover on Dotster, I recommend you get an account on Domain.com (buy something cheap and cancel) then add the zones to Domain.com (which will activate the zone on Dotster).

Since Dotster also owns 000domains.com, creating a zone on Dotster will activate a zone automatically on 000domains.com's DNS.

Needs Verification? Yes

While the documentation supports the belief that takeover is possible and their system uses the same backend as Bizland and MyDomain (which are vulnerable), we do need someone to verify that takeover is possible.

Digital Ocean

Service Digital Ocean

Status Vulnerable

Nameserver

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

Explanation

To perform a takeover create a new account on Digital Ocean and follow the DNS quick start guide. In short, once inside the Dashboard click on the big green Create button and select Domains/DNS. Enter the vulnerable domain in the form field labeled Enter domain. If the page allows you to create the zone the takeover was successful.

Digital Ocean's vulnerability to DNS takeovers was discussed in detail by Matthew Bryant in 2016 and they are still vulnerable today.

MediaTemple

Service MediaTemple (mt)

Status Not Vulnerable

Nameserver

ns1.mediatemple.net
ns2.mediatemple.net

Explanation

Media Temple now requires TXT verification before adding domains to your account, thus their service is no longer vulnerable. Thanks to @m0chan and @eur0pa for investigating this!

DomainPeople

Service DomainPeople

Status Not Vulnerable

Nameserver

ns1.domainpeople.com
ns2.domainpeople.com

Explanation

After a careful review, it does not appear zones can be created with DomainPeople unless the domain is transferred to their registrar, thus DNS takeover is believed to be impossible.

Linode

Service Linode

Status Vulnerable

Nameserver

ns1.linode.com
ns2.linode.com

Explanation

You can create an account on Linode, but you will need to put a credit card on file. Once set up you can create a zone here. If the domain is available the zone will be created, but not begin serving just yet. You need a paid "Linode" running (which is one of their server instances) for the zone to begin serving. The cheapest server is $5 per month. Once activated the zone will start serving records and the takeover will be successful.

Reg.ru

Service Reg.ru

Status Vulnerable w/ purchase

Nameserver

ns1.reg.ru
ns2.reg.ru

Explanation

First, you need to register an account. The two fields it wants are an email and phone number. For the phone number enter +7 (495) 580-11-11 (this is reg.ru's main telephone line, it shouldn't work but it does).

Second, follow this help desk article. It explains how to purchase DNS services for a domain not registered with reg.ru. Simply follow the on-screen instructions (you will need to run everything through Google Translate). It costs about $2.00 USD (300 rubles) to purchase a zone, but the takeover will work. Be sure to use a card that doesn't charge foreign transaction fees.

Finally, after you pay the fee, go to the other services page in the dashboard. There will be an option listed labeled DNS services (in Russian), here you can modify the DNS records.

Hurricane Electric

Yes, you can perform DNS takeovers of domains pointing to Hurricane Electric's DNS service.

Service Hurricane Electric

Status Vulnerable

Nameserver

ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net

Explanation

To perform a takeover, simply create a free account on Hurricane Electric and head to the DNS manager. Click "Add a new domain" and enter the vulnerable domain. The zone will be created and the takeover successful.
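A defender-side check for the condition these issues key on (a delegated nameserver answering SERVFAIL), as an added example that is not part of the repository: it reads saved `dig <domain> @<nameserver>` output for zones you own and labels each delegation with the status this page gives for that provider. The regex reading of the page's `*` placeholders, the inclusion of REFUSED, the verdict names and the sample output are assumptions constructed here.

```python
import re

# Nameserver patterns and statuses transcribed from the issues above (a subset).
# Reading the page's "*" placeholders as digits or letters is an assumption.
PROVIDERS = [
    (r"dns[1-4]\.p\d+\.nsone\.net", "NS1", "Vulnerable"),
    (r"ns[1-3]\.digitalocean\.com", "Digital Ocean", "Vulnerable"),
    (r"ns[1-5]\.he\.net", "Hurricane Electric", "Vulnerable"),
    (r"ns[1-4]\.dnsimple\.com", "DNSimple", "Vulnerable"),
    (r"ns-cloud-[a-z0-9]+\.googledomains\.com", "Google Cloud DNS",
     "Vulnerable (as of July 2023)"),
    (r"ns[1-4]-\d+\.azure-dns\.(com|net|org|info)", "Microsoft Azure", "Edge Case"),
    (r"[a-z]+\.ns\.cloudflare\.com", "Cloudflare", "Not Vulnerable"),
    (r"ns-\d+\.awsdns-\d+\.(org|co\.uk|com|net)", "AWS Route 53", "Not Vulnerable"),
]

# SERVFAIL is the signal the page names; REFUSED is included as an assumption,
# since a server with no zone for the name may answer that way as well.
LAME_RCODES = {"SERVFAIL", "REFUSED"}


def provider_for(nameserver):
    """Map a nameserver hostname to (provider, status as listed on this page)."""
    host = nameserver.lower().rstrip(".")
    for pattern, name, status in PROVIDERS:
        if re.fullmatch(pattern, host):
            return name, status
    return None, "Unlisted"


def rcode_from_dig(output):
    """Extract the response code from the ';; ->>HEADER<<-' line of dig output."""
    match = re.search(r"status:\s*([A-Z]+)", output)
    return match.group(1) if match else "NO_RESPONSE"


def audit(domain, answers):
    """answers maps each delegated nameserver to the text of `dig domain @ns`."""
    findings = []
    for ns in sorted(answers):
        rcode = rcode_from_dig(answers[ns])
        provider, status = provider_for(ns)
        if rcode == "NO_RESPONSE":
            verdict = "unreachable"             # timeout: retry before judging
        elif rcode not in LAME_RCODES:
            verdict = "ok"
        elif status == "Not Vulnerable":
            verdict = "lame"                    # broken, but provider blocks claims
        elif status == "Unlisted":
            verdict = "lame-unlisted-provider"  # broken, provider not on the list
        else:
            verdict = "at-risk"                 # fix or remove the delegation now
        findings.append((domain, ns, provider, rcode, verdict))
    return findings


def at_risk(inventory):
    """Return only the delegations that need immediate attention."""
    return [f for domain, answers in sorted(inventory.items())
            for f in audit(domain, answers) if f[4] == "at-risk"]


# Constructed sample dig output for two zones in a hypothetical inventory.
HEADER = ";; ->>HEADER<<- opcode: QUERY, status: {}, id: 4101\n"
SAMPLE_INVENTORY = {
    "shop.example.com": {
        "ns1.digitalocean.com.": HEADER.format("SERVFAIL"),
        "ns2.digitalocean.com.": ";; connection timed out; no servers could be reached\n",
    },
    "app.example.com": {
        "bob.ns.cloudflare.com.": HEADER.format("SERVFAIL"),
        "lola.ns.cloudflare.com.": HEADER.format("NOERROR"),
    },
}

if __name__ == "__main__":
    for finding in at_risk(SAMPLE_INVENTORY):
        print(finding)
```

Any "at-risk" or "lame" row means the parent zone still delegates to a provider that has no hosted zone for the name; removing the NS records at the registrar or parent zone, or recreating the hosted zone, closes it.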
