indianajson / can-i-take-over-dns
"Can I take over DNS?" — a list of DNS providers and how to claim vulnerable domains.
Service: EasyDNS
Status: Not Vulnerable
Nameserver:
dns1.easydns.com
dns2.easydns.net
dns3.easydns.org
dns4.easydns.info
rush.easydns.com
nirvana.easydns.net
motorhead.easydns.org
dns1.easydnssec.com
dns2.easydnssec.net
dns3.easydnssec.org
dns4.easydnssec.info
Explanation
EasyDNS no longer allows a domain that is a lame delegation to be added to the system unless it is verified by adding a hostname to the nameserver delegation via the domain registrar. Special thanks to @markjr for investigating this to conclusion.
Service: NS1
Status: Vulnerable
Nameservers:
dns1.p**.nsone.net
dns2.p**.nsone.net
dns3.p**.nsone.net
dns4.p**.nsone.net
Explanation
If you have an NS1 account, head into the control panel. Creating a new zone for your domain (assuming the zone is available to register) will perform the takeover. The nameservers do not need to match. For example, even if the nameserver on the domain is dns4.p05.nsone.net, but your zone is dns4.p03.nsone.net, the takeover will still work.
False Positives
If you get an error that says "FQDN is used by multiple zones", that means it is already in someone else's account. You cannot take over subdomains of root domains that already have zones. This is not due to this being an edge case; this is simply how DNS works.
Assistance with Takeovers
If you need help with a takeover now that NS1 no longer offers free accounts, DM me on Twitter then post a comment here (cause my Twitter notifications are broken) and I'll try to help.
Contributions are welcome! Like the project that inspired it, this repository will change and shift with contributions from the community.
To suggest a new service please open a new issue, use the appropriate template, and fill out the template as completely as possible. After our discussions, I will update your initial Issue with any relevant details for those who read it in the future.
There should be an issue for every provider in the primary list. If you want to suggest changes or provide details about how to perform takeovers please add it as a comment to the appropriate issue.
If you need help with a takeover don't hesitate to ask, but we'd appreciate it if you opened a new issue using the Help w/ Take Over template. This way we can help you and keep the issues list cleaned up at all times.
Feel free to throw any questions you have into this issue! I'll try to respond as I am able.
Service: Cloudflare
Status: Not Vulnerable
Nameserver:
*.ns.cloudflare.com
*.ns.cloudflare.com
Assigned in pairs of two, with a boys name and a girls name.
Explanation
@Woutifier (an engineer on Cloudflare's DNS team) has confirmed that the logic that allowed a user to be randomly assigned a nameserver that was previously attached to a given domain has been removed. There is no known exploit by which to achieve takeovers on Cloudflare.
Old Disclaimer (for posterity)
Conducting takeovers with Cloudflare is possible though complicated and can return false positives. To successfully perform targeted takeovers will probably necessitate some type of automation and has, in my experience, only a 10% chance of success even if you have all of the necessary prerequisites. If you're still interested... read on!
Old Explanation (for posterity)
Cloudflare is a bit different than most DNS providers, because of the way they assign DNS names. According to the company's blog, they use people's names as their nameservers (e.g. bob.ns.cloudflare.com, lola.ns.cloudflare.com, etc) with roughly 50 boys names and 50 girls names. When you sign up to Cloudflare your account is assigned two semi-permanent nameservers, one girls name and one boys name, meaning you will be assigned 1 of 2,500 possible nameserver combinations. Quite a bit of time has passed since that blog post and Cloudflare now operates around 900 nameservers (see my master nameserver list), thus there are over 200,000 possible combinations.
That's not the whole story though. If the zone on Cloudflare has been deleted (i.e. returns SERVFAIL), it is possible that when you generate a new zone one of your two assigned nameservers will match one of the domain's existing nameservers. This is similar to how Amazon AWS used to allow takeovers via Route 53 with only one of four nameservers matching. As an example, if the vulnerable domain points to bob.ns.cloudflare.com and lola.ns.cloudflare.com and your account has bob.ns.cloudflare.com and edna.ns.cloudflare.com the takeover may be possible.
Here's the catch. At this point, it would take upwards of 450 Cloudflare accounts to get an account that matches one of your specific vulnerable domain's nameservers. Additionally, in my experience, there is only around a 10% chance of success even if the nameservers assigned to your account match the domain. While this is a far cry from the theoretical 200,000 accounts previously believed necessary, that's still a lot of work to perform a targeted takeover. To that end, I'm reassigning this to Edge Case unless someone figures out a way to reduce the need for so many accounts.
Service: Hover
Status: Not Vulnerable
Nameserver:
ns1.hover.com
ns2.hover.com
Explanation
Hover requires you to register the domain with them or transfer the domain into their service in order to create a zone, thus takeover is impossible with their service.
Service: Name.com
Status: Vulnerable w/ purchase
Nameservers:
ns1***.name.com
ns2***.name.com
ns3***.name.com
ns4***.name.com
Explanation
Based on this article in the support portal it is possible to add external domains to an existing hosting plan. This does require an active Name.com account and a hosting plan.
Additionally, while the naming scheme for their nameservers contains a number and three random letters (e.g. ns1fkl.name.com) this does not seem to affect responses. For example, econfigmrkt.com does not have ns3nrz.name.com as a nameserver, however dig econfigmrkt.com @ns3nrz.name.com will respond NOERROR.
Consequently, despite the paywall, Name.com is vulnerable to takeover.
Service: MyDomain
Status: Vulnerable (w/ purchase)
Nameservers:
ns1.mydomain.com
ns2.mydomain.com
Explanation
It is possible to add hosted zones for domains you do not own to your MyDomain account, thus a SERVFAIL error pointing to these nameservers means it is vulnerable to take over. In order to obtain an account, you must purchase something, like a domain or hosting. This should cost less than $10. Alternatively, feel free to open an issue asking for help and someone with an account may be willing to perform the takeover for you. Once you're registered navigate to the Domain Import tool and enter the vulnerable domain name. This will add it to your account and you can control the DNS records in the settings for the domain.
Service: easyDNS
Status: Not Vulnerable
Nameserver:
dns1.easydns.com
dns2.easydns.net
dns3.easydns.org
dns4.easydns.info
rush.easydns.com
nirvana.easydns.net
motorhead.easydns.org
dns1.easydnssec.com
dns2.easydnssec.net
dns3.easydnssec.org
dns4.easydnssec.info
Explanation
easyDNS no longer allows a domain that is a lame delegation to be added to the system unless it is verified by adding a hostname to the nameserver delegation via the domain registrar.
Service: Domain.com
Status: Vulnerable
Nameserver:
ns1.domain.com
ns2.domain.com
Explanation
Per Domain.com's Knowledge Base you can add external domains if you have an existing account or if you purchase something (like hosting). As it turns out Domain.com owns 000domains.com and dotster.com, which means creating a zone on domain.com will activate a zone automatically on the other two services as well.
Needs Verification?
Yes
While the documentation supports the belief that takeover is possible and their system uses the same backend as Bizland and MyDomain (which are vulnerable), we do need someone to verify that takeover is possible.
Service: Bigcommerce
Status: Not Vulnerable
Nameserver:
ns1.bigcommerce.com.
ns2.bigcommerce.com.
ns3.bigcommerce.com.
Explanation
It's possible to create an account here. Adding a custom domain requires upgrading to a paid account (starting at US$39/month). The site checks if the domain is already taken by another account, making it not vulnerable; an edge case might exist but I couldn't find more examples to check.
Service: 000Domains
Status: Vulnerable
Nameserver:
ns1.000domains.com
ns2.000domains.com
fwns1.000domains.com
fwns2.000domains.com
Explanation
000Domains is owned by Dotster, powered by Domain.com, which means creating a zone on Domain.com also creates a zone on Dotster and 000Domains (and vice versa). For example, 4orty3.net uses Dotster's DNS, however ns1.domain.com and ns1.000domains.com will resolve all records for 4orty3.net.
Per Domain.com's Knowledge Base you can add external domains if you have an existing account (you can purchase something then cancel to get an account).
To perform a takeover on 000Domains, get an account on Domain.com and add the zones there (which will activate the zone on 000Domains).
Service: UltraDNS
Status: Not Vulnerable
Nameserver:
pdns***.ultradns.com
udns***.ultradns.com
sdns***.ultradns.com
All DNS nameservers under ultradns.com run off the same list of zones, thus a zone with NS udns34.ultradns.com will still get resolved by pdns148.ultradns.com.
Explanation
While accounts start at $30 per month and can be created by adding a service to your cart via this page, UltraDNS has built internal detection to limit/stop DNS takeovers using their service.
Credit
Special thanks to @m0chan for investigating this and getting us an answer!
Service: Bizland
Status: Vulnerable
Nameserver:
ns1.bizland.com
ns2.bizland.com
clickme.click2site.com
clickme2.click2site.com
Explanation
It is possible to add hosted zones for domains you do not own to your Bizland account, thus a SERVFAIL error pointing to any of these nameservers means it is vulnerable to a takeover via Bizland. In order to obtain an account, sign up for a 30-day trial via this link. Once you're registered it should add the domain you specified during registration. If it does not, navigate to the Domain Import tool and enter the vulnerable domain name. This will add it to your account and you can control the DNS records in the settings for the domain.
Service: DNSMadeEasy
Status: Vulnerable
Nameserver:
Managed DNS
ns1.dnsmadeeasy.com
ns2.dnsmadeeasy.com
ns3.dnsmadeeasy.com
ns4.dnsmadeeasy.com
Secondary DNS
ns5.dnsmadeeasy.com
ns6.dnsmadeeasy.com
ns7.dnsmadeeasy.com
Alternate Managed DNS --> (not easily obtainable)
ns10.dnsmadeeasy.com
ns11.dnsmadeeasy.com
ns12.dnsmadeeasy.com
ns13.dnsmadeeasy.com
ns14.dnsmadeeasy.com
ns15.dnsmadeeasy.com
Explanation
Head over to the registration page on DNSMadeEasy. Since accounts are only active for 30 days I recommend you use an alteration to your primary email (e.g. [email protected]). Now, the number in the nameservers in your vulnerable domain will determine which service you use.
If the number is ns1-ns4 use Managed DNS to create the zone. After you enter your domain and submit the form it will assign you several nameservers. At least one of your assigned nameservers must match with your vulnerable domain. Theoretically, they all will match, but sometimes they don't.
If the number is ns5-ns7 things get a bit more complicated. First, use Secondary DNS to create the zone. You will need to add a Secondary IP Set before you can configure the zone. Add 192.135.223.10 as the IP address. For the takeover to work, you need to set up a primary DNS first, which will push records to the secondary DNS provided by DNSMadeEasy. I recommend you use NS1 as the primary in this instance, it's free and easily configurable. This article will explain the steps to configure your NS1 zone. It will take a minute for everything to get in sync, but afterward you should receive a NOERROR response from the vulnerable server. Now configure the DNS records for the takeover on NS1.
If the number is ns10-ns15 you're probably not going to get this takeover. According to comments by DNSMadeEasy staff these nameservers are only delegated to a zone if the primary nameservers (ns1-ns4) are bogged down at that particular moment. There is no known reliable way to get the ns10-ns15 nameservers. Additionally, it has been discovered that these zones are used for whitelabel DNS services provided by DNSMadeEasy.
Service: Microsoft Azure
Status: Edge Case
Nameserver:
ns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info
UPDATE
It seems a lot of people have been having trouble performing Azure takeovers and while it was always a bit hit or miss it seems to have gotten more difficult. For now, this is being re-assigned as an Edge Case until further research can be conducted.
Old Explanation
You can set up a free account with Microsoft Azure, as long as you provide a credit card on file. Once you are logged in, head over to the DNS Zones and click + New. In the Name field enter the vulnerable (sub)domain. You will automatically be assigned four nameservers as shown above, but you need the numbers to match your vulnerable domain. If the numbers do not match you need to delete the zone and the resource group associated with it before you try again. Simply creating a new zone within the same resource group will typically assign you the same nameservers. This process could take a while, but typically less than 50 attempts will suffice.
Service: DNSimple
Status: Vulnerable
Nameserver:
ns1.dnsimple.com
ns2.dnsimple.com
ns3.dnsimple.com
ns4.dnsimple.com
Explanation
You can sign up for a free account on DNSimple. After creating your account go to Domains and click Add Domains. If you are able to create a zone for the vulnerable domain then takeover is possible. REMEMBER, the zone will not function until you start a 30-day trial with DNSimple, which requires a credit card on file.
False Positives
DNSimple can produce false positives because a domain can be in an account where the account owner's payment method has expired, thus the domain will not resolve (i.e. shows a DNS SERVFAIL error), but cannot be added to your account.
Service: Verizon Small Business
Status: Unknown
Nameserver:
yns1.yahoo.com
yns2.yahoo.com
Explanation
Verizon acquired Yahoo and has finally begun to shut down old Yahoo websites in favor of rebranded Verizon websites. This has modified the flow for this, and currently we are unsure if it is still possible.
Old Explanation
Yahoo Small Business provides websites, domains, and hosting services. First, create a free account. Once you log in click Create a website today. Next, follow the steps to create a "free website" and click Publish. You will be asked if you want to use a Custom Domain or a free subdomain, select Custom Domain. On the next page select the Basic Plan. After this, there will be a line of text on the next page that reads "Want to use your existing domain name? Click here.", click it and enter your vulnerable domain. If the domain is available it will tell you and ask you to verify you own the domain. Assuming you are authorized to perform the takeover by a bug bounty program, proceed. It will then ask for your credit card and details. Once finished the DNS will begin to propagate and the takeover will be successful.
Service: Hostinger
Status: Vulnerable (w/ purchase)
Nameserver:
ns1.dns-parking.com
ns2.dns-parking.com
Explanation
With a paid hosting plan it appears you can add a domain without ownership verification, per this article. However, this needs to be verified.
Service: AWS Route 53
Status: Not Vulnerable
Nameservers:
ns-****.awsdns-**.org
ns-****.awsdns-**.co.uk
ns-***.awsdns-**.com
ns-***.awsdns-**.net
Explanation
AWS Route 53 is no longer vulnerable to DNS takeovers, even when SERVFAIL errors are returned, due to changes by the team that stop takeovers via newly created zones. This has been independently verified.
Yes, you can perform DNS takeovers of domains pointing to TierraNet's DNS service.
Service: TierraNet
Status: Vulnerable
Nameserver:
ns1.domaindiscover.com
ns2.domaindiscover.com
Explanation
While not immediately obvious, you can manage external domains with TierraNet. Set up a free account with them and then go to the Manage DNS section of the website. The page says you have to pay $7.95 for the DNS zones if you don't use their paid services elsewhere, but the system will let you add the zones without paying, thus performing the takeovers. After performing the takeover you will be sent a bill via email. If you then remove the zone they will waive the fee.
Service: Google Cloud DNS
Status: Vulnerable (as of July 2023)
Nameserver:
ns-cloud-**.googledomains.com
Explanation
If a domain points to one of the nameservers listed above it is using Google Cloud DNS, a free service. A SERVFAIL error indicates the domain is vulnerable to take over. To perform the takeover set up a free Google Cloud account then navigate to Cloud DNS. Click Create Zone and then enter the (sub)domain name in the field named DNS name. Your new zone will be given four random Google nameservers. These must match the ones on the vulnerable domain. If they do not match simply delete the zone and create another one, you should be assigned a different random set of Google nameservers. It can take a few attempts to get them to match.
Errors / Issues
Service: Network Solutions
Status: Not Vulnerable
Nameserver:
ns**.worldnic.com
Explanation
After a careful review, it has been determined that zones cannot be created with Network Solutions unless the domain is transferred to their registrar, thus DNS takeover is believed to be impossible.
Service: Dotster
Status: Vulnerable (w/ purchase)
Nameserver:
ns1.dotster.com
ns2.dotster.com
ns1.nameresolve.com
ns2.nameresolve.com
Explanation
Dotster is powered by Domain.com, which means creating a zone on Domain.com also creates a zone on Dotster (and vice versa). For example, 4orty3.net uses Dotster's DNS, however ns1.domain.com will resolve all records for 4orty3.net.
Per Domain.com's Knowledge Base you can add external domains if you have an existing account or if you purchase something (like hosting). Thus, to perform a takeover on Dotster, I recommend you get an account on Domain.com (buy something cheap and cancel) then add the zones to Domain.com (which will activate the zone on Dotster).
Since Dotster also owns 000domains.com, creating a zone on Dotster will activate a zone automatically on 000domains.com's DNS.
Needs Verification?
Yes
While the documentation supports the belief that takeover is possible and their system uses the same backend as Bizland and MyDomain (which are vulnerable), we do need someone to verify that takeover is possible.
Service: Digital Ocean
Status: Vulnerable
Nameserver:
ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com
Explanation
To perform a takeover create a new account on Digital Ocean and follow the DNS quick start guide. In short, once inside the Dashboard click on the big green Create button and select Domains/DNS. Enter the vulnerable domain in the form field labeled Enter domain. If the page allows you to create the zone the takeover was successful.
Digital Ocean's vulnerability to DNS takeovers was discussed in detail by Matthew Bryant in 2016 and they are still vulnerable today.
Service: MediaTemple (mt)
Status: Not Vulnerable
Nameserver:
ns1.mediatemple.net
ns2.mediatemple.net
Explanation
Media Temple now requires TXT verification before adding domains to your account, thus their service is no longer vulnerable. Thanks to @m0chan and @eur0pa for investigating this!
Service: DomainPeople
Status: Not Vulnerable
Nameserver:
ns1.domainpeople.com
ns2.domainpeople.com
Explanation
After a careful review, it does not appear zones can be created with DomainPeople unless the domain is transferred to their registrar, thus DNS takeover is believed to be impossible.
Service: Linode
Status: Vulnerable
Nameserver:
ns1.linode.com
ns2.linode.com
Explanation
You can create an account on Linode, but you will need to put a credit card on file. Once set up you can create a zone here. If the domain is available the zone will be created, but not begin serving just yet. You need a paid "Linode" running (which is one of their server instances) for the zone to begin serving. The cheapest server is $5 per month. Once activated the zone will start serving records and the takeover will be successful.
Service: Reg.ru
Status: Vulnerable w/ purchase
Nameserver:
ns1.reg.ru
ns2.reg.ru
Explanation
First, you need to register an account. The two fields it wants are an email and phone number. For the phone number enter +7 (495) 580-11-11 (this is reg.ru's main telephone line, it shouldn't work but it does).
Second, follow this help desk article. It explains how to purchase DNS services for a domain not registered with reg.ru. Simply follow the on-screen instructions (you will need to run everything through Google Translate). It costs about $2.00 USD (300 Rubles) to purchase a zone, but the takeover will work. Be sure to use a card that doesn't charge foreign transaction fees.
Finally, after you pay the fee, go to the other services page in the dashboard. There will be an option listed labeled DNS services (in Russian), here you can modify the DNS records.
Yes, you can perform DNS takeovers of domains pointing to Hurricane Electric's DNS service.
Service: Hurricane Electric
Status: Vulnerable
Nameserver:
ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net
Explanation
To perform a takeover, simply create a free account on Hurricane Electric and head to the DNS manager. Click "Add a new domain" and enter the vulnerable domain. The zone will be created and the takeover successful.
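An added example (not code from the repository): a defensive audit that takes an inventory of your own delegations, each with the response code observed for it and its NS set, and ranks the ones answering SERVFAIL by the provider status recorded in the entries above. The function names, the inventory layout and the reading of a `*` run as one or more label characters are assumptions; the table is a subset of the page's entries and the sample inventory is constructed.

```python
import re

# Provider statuses and nameserver patterns transcribed from the entries on
# this page (a subset). A run of '*' is the page's mask for the variable part
# of a label; matching it as one or more label characters is an assumption.
PROVIDER_TABLE = {
    "NS1": ("Vulnerable", ["dns1.p**.nsone.net", "dns2.p**.nsone.net",
                           "dns3.p**.nsone.net", "dns4.p**.nsone.net"]),
    "Google Cloud DNS": ("Vulnerable (as of July 2023)",
                         ["ns-cloud-**.googledomains.com"]),
    "Digital Ocean": ("Vulnerable", ["ns1.digitalocean.com",
                                     "ns2.digitalocean.com",
                                     "ns3.digitalocean.com"]),
    "Microsoft Azure": ("Edge Case", ["ns1-**.azure-dns.com",
                                      "ns2-**.azure-dns.net",
                                      "ns3-**.azure-dns.org",
                                      "ns4-**.azure-dns.info"]),
    "Cloudflare": ("Not Vulnerable", ["*.ns.cloudflare.com"]),
}

def normalize(host):
    """Lower-case and drop the trailing root dot so both spellings compare equal."""
    return host.strip().lower().rstrip(".")

def pattern_to_regex(pattern):
    """Turn a masked name such as dns1.p**.nsone.net into a regex."""
    literals = re.split(r"\*+", normalize(pattern))
    # The mask never spans a dot, so 'x.bob.ns.cloudflare.com' will not match.
    return re.compile("[a-z0-9-]+".join(re.escape(part) for part in literals))

COMPILED = [(service, status, pattern_to_regex(p))
            for service, (status, patterns) in PROVIDER_TABLE.items()
            for p in patterns]

def classify(nameserver):
    """Return (service, status) for a nameserver on the page's list, else None."""
    host = normalize(nameserver)
    for service, status, regex in COMPILED:
        if regex.fullmatch(host):
            return service, status
    return None

def audit(inventory):
    """Rank delegations that answer SERVFAIL, i.e. point at a missing zone."""
    findings = []
    for domain, rcode, nameservers in inventory:
        if rcode != "SERVFAIL":
            continue  # the zone is being served; not a lame delegation
        hits = sorted({c for c in map(classify, nameservers) if c})
        if not hits:
            findings.append((domain, "unlisted", "review"))
        for service, status in hits:
            # high: the page says a third party can create the zone there;
            # low: the provider blocks that; review: Edge Case or Unknown.
            severity = ("high" if status.startswith("Vulnerable")
                        else "low" if status == "Not Vulnerable" else "review")
            findings.append((domain, service, severity))
    return findings

# Constructed inventory: (your domain, rcode it returned, its delegated NS set).
SAMPLE_INVENTORY = [
    ("shop.example.com", "SERVFAIL", ["ns1.digitalocean.com.", "ns2.digitalocean.com."]),
    ("www.example.org", "SERVFAIL", ["bob.ns.cloudflare.com", "lola.ns.cloudflare.com"]),
    ("api.example.net", "NOERROR", ["dns1.p05.nsone.net", "dns2.p05.nsone.net"]),
    ("old.example.com", "SERVFAIL", ["ns1-05.azure-dns.com", "ns2-05.azure-dns.net"]),
    ("dev.example.org", "SERVFAIL", ["ns1.unlisted-dns.example"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

A "high" finding is fixed by recreating the zone in your own provider account or removing the stale NS delegation at the registrar or parent zone.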