## page was copied from DnsTemplate
##master-page:HelpTemplate

= A Guide to DNS Takeovers =
https://blog.projectdiscovery.io/guide-to-dns-takeovers/
{{{
A Guide to DNS Takeovers: The Misunderstood Cousin of Subdomain Takeovers
}}}

Let's start with this: A DNS takeover is not the same as a subdomain takeover.

A DNS takeover occurs when you take over the DNS server that is assigned to that host.

(It would be better to say "domain" rather than "host" here. -- ToshinoriMaeno)

== Attack technique ==
{{{
How do DNS takeovers work?
}}}

Most of these cloud providers allow you to create DNS "zones".
{{{
If you registered a new domain name and you wanted to use a cloud DNS provider as your authoritative nameservers, you would:

Create a new zone in the DNS provider
Set your nameservers to the DNS servers associated with your zone
Use the cloud provider console to add/remove/edit the DNS records associated with the domain
}}}

The bad scenario:
{{{
The victim deletes the zone in the DNS provider but doesn't ever change the authoritative nameservers assigned to the domain.
}}}

As an attacker, if we can create a zone that uses any of the same nameservers, we could add DNS records for that domain.

Most DNS providers don't allow you to choose which nameservers get assigned. We can overcome this by creating many zones until we get one with a matching DNS server. This would be an extremely tedious process to perform manually - but we can automate the process.

== Mitigation ==
Despite the risks, many organizations still have not figured out a good workflow for removing assets online without creating situations where they become vulnerable to DNS takeovers.

It can be difficult to orchestrate the removal of assets without falling into a vulnerable state because it often requires coordination from multiple service providers.
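A defensive check for the scenario described above (zone deleted or re-created while the delegation still names the old nameservers), added here as an example and not taken from the quoted article. The function names, the `.clouddns.example` suffix and all inventory data are assumptions constructed for illustration; in practice the two inputs would come from your registrar and your DNS provider's zone listing.

```python
# Added example: flag delegations that point at provider nameservers
# which no longer back a zone in our own account.
# All domain and nameserver names below are constructed sample data.

PROVIDER_SUFFIXES = (".clouddns.example",)  # assumption: your provider's NS suffixes


def norm(name):
    """Normalise a DNS name for comparison: lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def find_dangling_delegations(delegations, hosted_zones, suffixes=PROVIDER_SUFFIXES):
    """Return {domain: [nameservers]} for delegated provider nameservers that are
    not assigned to a zone for that domain in our own account.

    delegations  -- {domain: NS names set at the registrar / parent zone}
    hosted_zones -- {zone name: NS names the provider assigned to our zone}
    """
    zones = {norm(z): {norm(ns) for ns in nss} for z, nss in hosted_zones.items()}
    findings = {}
    for domain, ns_list in delegations.items():
        ours = zones.get(norm(domain), set())  # empty set if the zone was deleted
        dangling = sorted(
            ns for ns in map(norm, ns_list)
            if ns.endswith(tuple(suffixes)) and ns not in ours
        )
        if dangling:
            findings[norm(domain)] = dangling
    return findings


# Constructed inventory: registrar delegations vs. zones present in the account.
DELEGATIONS = {
    "shop.example.": ["ns-11.clouddns.example.", "ns-42.clouddns.example."],
    "old-campaign.example": ["NS-07.clouddns.example", "ns-19.clouddns.example"],
    "blog.example": ["ns-03.clouddns.example", "ns-08.clouddns.example"],
    "corp.example": ["ns1.selfhosted.example"],  # not at the cloud provider
}
HOSTED_ZONES = {
    "shop.example": ["ns-11.clouddns.example", "ns-42.clouddns.example"],
    # old-campaign.example: zone deleted, delegation never changed
    # blog.example: zone re-created with a different assigned nameserver set
    "blog.example": ["ns-03.clouddns.example", "ns-55.clouddns.example"],
}

if __name__ == "__main__":
    for domain, ns in find_dangling_delegations(DELEGATIONS, HOSTED_ZONES).items():
        print(f"{domain}: delegated to nameservers not backing our zone: {', '.join(ns)}")
```

Any domain it reports should have its delegation corrected or removed before anything else is cleaned up.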
In general, it helps to think of the removal of assets from the top down, i.e. remove assets in this order:
{{{
Remove the domain, or change the authoritative nameservers to something that can not be hijacked
Remove the DNS zone in your DNS provider
Remove the actual asset/service
}}}

It also helps to monitor your own cloud environments for situations like this to give you a fighting chance of detecting it before a hacker does!

----
CategoryDns CategoryWatch CategoryTemplate