MoinQ:

1. A Guide to DNS Takeovers

https://blog.projectdiscovery.io/guide-to-dns-takeovers/

A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers

Let's start with this: A DNS takeover is not the same as a subdomain takeover.

(host というよりはドメインというのがよい。-- ToshinoriMaeno 2023-06-18 02:02:28)

1.1. 攻撃手法

How do DNS takeovers work?

Most of these cloud providers allow you to create DNS "zones".

If you registered a new domain name and you wanted to use a cloud DNS provider
as your authoritative nameservers, you would:

    Create a new zone in the DNS provider
    Set your nameservers to the DNS servers associated with your zone
    Use the cloud provider console to add/remove/edit the DNS records associated with the domain

まずいシナリオ

The victim deletes the zone in the DNS provider 
but doesn't ever change the authoritative nameservers assigned to the domain.

As an attacker, if we can create a zone that uses any of the same nameservers, we could add DNS records for that domain.

Most DNS providers don't allow you to choose which nameservers get assigned. We can overcome this by creating many zones until we get one with a matching DNS server. This would be an extremely tedious process to perform manually - but we can automate the process.

Google Translate

攻撃者として、同じネームサーバーのいずれかを使用するゾーンを作成できれば、そのドメインに DNS レコードを追加できます。

ほとんどの DNS プロバイダーでは、割り当てるネームサーバーを選べません。
 目的のDNS サーバーを持つゾーンが取得できるまで、多くのゾーンを作成することでこれを克服できます。
手動で実行するのは非常に面倒なプロセスですが、プロセスは自動化できます。

Mitigation

Despite the risks, many organizations still have not figured out a good workflow for removing assets online without creating situations where they become vulnerable to DNS takeovers.

It can be difficult to orchestrate the removal of assets without falling into a vulnerable state because it often requires coordination from multiple service providers.

In general, it helps to think of the removal of assets from the top down, i.e. remove assets in this order:

    Remove the domain, or change the authoritative nameservers to something that can not be hijacked
    Remove the DNS zone in your DNS provider
    Remove the actual asset/service

It also helps to monitor your own cloud environments for situations like this to give you a fighting chance of detecting it before a hacker does!


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/takeovers/guide (last edited 2023-06-18 02:06:54 by ToshinoriMaeno)