Blast Radius: DNS Takeovers

SecurityTrails Blog - A podcast by SecurityTrails


Subdomain takeover remains a common vulnerability, and a destructive one at that. On one hand, some types have practically disappeared, such as CNAME takeovers: while there are still plenty of dangling DNS records, creating a PoC is nearly impossible due to restrictions put in place by major cloud providers (mainly AWS). On the other hand, in terms of severity, DNS or NS takeovers are less common but have the highest impact. An NS subdomain takeover is similar in principle to other types of subdomain takeover. But because of the major role that NS records play in internet traffic, and the possibility of attackers chaining multiple attack vectors, an NS takeover can have severe implications for the target organization.

For our new blog series Blast Radius, security professionals, researchers and experts deep dive into different attacks and vulnerabilities, explore how they can impact the entire internet ecosystem, and examine what they mean for organizations of all sizes, across all industries.

To talk about the growing danger of DNS takeovers, we are joined by Patrik Hudák. Patrik has been a regular on our blog, sharing his latest research on subdomain takeovers, and has been a crucial resource for many in the bug bounty community. He began his research by studying other takeover methods and the different tools used to execute them before discovering the impact of DNS takeovers. While not that common, he has achieved many successes in bug bounty hunting with this particular vulnerability.

How companies can be affected

When a company hosts its DNS zones on a third-party DNS provider (such as AWS Route 53), there is a possibility of DNS takeover (also known as NS takeover). Such a takeover happens when the DNS zone is removed from the DNS provider, but the DNS delegation link stays in place. If that happens, an attacker can register the same DNS zone on the same provider and host arbitrary records for that zone.

For more technical information, please refer to the following link:

Although this seems to be only a theoretical attack, there are numerous cases where it has actually occurred, even at large companies. Everybody who uses a third-party DNS provider is affected if the process for creating and removing DNS zones is incorrect. Thus, companies of any size should audit their internal processes for such events.

There are, however, trickier scenarios. Since DNS uses multiple nameservers per zone for redundancy, sometimes only a subset of those nameservers is affected by a DNS takeover. Let's say that the domain "example.com" uses two nameservers: "dns.existingdomain.com" and "dns.nonexistingdomain.com". The latter, as the name suggests, does not exist and thus cannot correctly serve requests for the "example.com" zone. From the usability perspective, there is no downtime: every DNS request made for "example.com" is served by "dns.existingdomain.com", since DNS uses quiet fallback. In this scenario, an attacker can exploit the non-existing nameserver simply by registering the domain name (if it is available), which makes the attacker an authoritative nameserver for "example.com". During a DNS request, a round-robin mechanism is used to choose a nameserver; in other words, there is a 50% chance that a request for DNS info on the "example.com" zone hits the malicious nameserver. If it does, the attacker can serve arbitrary DNS results with a high TTL, which then sit quietly in resolver caches for a long time.

Implications of DNS takeover

Firstly, a DNS takeover is not that different from other types of takeover such as CNAME. One difference is that a DNS takeover can cover multiple subdomains with different domain names. Since the attacker controls the DNS zone, she can create convincing FQDNs for phishing or other malicious activity. Let's say that "sub.example.com" is affected by the DNS takeover.
An attacker might take it further and create a new subdomain called "login.sub.e...
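The two dangling-delegation conditions described above (a zone deleted at the provider while the parent still delegates to it, and a delegated nameserver whose hostname or parent domain no longer resolves) are exactly what a zone owner should audit for. The following is an added example written for this page, not code from SecurityTrails or from Patrik Hudák's research. It classifies each delegated nameserver of a zone and reports the share of nameservers an outsider could answer from, which under round-robin selection approximates the per-query chance of hitting a rogue server. All DNS answers come from a constructed in-memory table so the example runs offline; the nameserver "ns1.dnsprovider.example" and its addresses are invented placeholders. A real audit would swap the two lookup callables for live queries (for instance with dnspython) and keep the classification logic unchanged.

```python
# Added example: audit an NS delegation for dangling nameservers.
# Not the page's or SecurityTrails' code; DNS data below is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# name -> list of IPs, or None when the name does not exist (NXDOMAIN)
ResolveHost = Callable[[str], Optional[List[str]]]
# (nameserver IP, zone) -> DNS rcode name for an SOA query of that zone
SoaRcode = Callable[[str, str], str]


@dataclass
class NsFinding:
    nameserver: str
    status: str          # "ok" | "hostname-unresolvable" | "zone-not-served"
    detail: str = ""


@dataclass
class DelegationReport:
    zone: str
    findings: List[NsFinding]

    def dangling(self) -> List[NsFinding]:
        return [f for f in self.findings if f.status != "ok"]

    def dangling_fraction(self) -> float:
        """Share of delegated nameservers an outsider could answer from.
        With round-robin nameserver selection this approximates the chance
        that a single resolver query lands on a dangling nameserver."""
        return len(self.dangling()) / len(self.findings) if self.findings else 0.0


def parent_domain(name: str) -> str:
    """Strip the leftmost label: dns.nonexistingdomain.com -> nonexistingdomain.com."""
    return name.split(".", 1)[1] if "." in name else name


def audit_delegation(zone: str, nameservers: List[str],
                     resolve_host: ResolveHost, soa_rcode: SoaRcode) -> DelegationReport:
    findings: List[NsFinding] = []
    for ns in nameservers:
        ips = resolve_host(ns)
        if not ips:
            # Condition 1: the nameserver hostname itself does not resolve.
            # If its parent domain is NXDOMAIN as well, the whole domain may be
            # unregistered, which is the "dns.nonexistingdomain.com" case above.
            parent = parent_domain(ns)
            detail = ("parent domain %s does not resolve either" % parent
                      if resolve_host(parent) is None
                      else "host missing under a live domain")
            findings.append(NsFinding(ns, "hostname-unresolvable", detail))
            continue
        # Condition 2: the host is up, but an SOA query for the zone is refused
        # or fails: the zone was removed from the provider while the parent
        # still delegates to it.
        rcode = soa_rcode(ips[0], zone)
        if rcode != "NOERROR":
            findings.append(NsFinding(ns, "zone-not-served", "SOA query returned %s" % rcode))
        else:
            findings.append(NsFinding(ns, "ok"))
    return DelegationReport(zone, findings)


# --- constructed sample DNS state (not real) -----------------------------------
SAMPLE_HOSTS: Dict[str, List[str]] = {
    "dns.existingdomain.com": ["192.0.2.10"],
    "existingdomain.com": ["192.0.2.1"],
    "ns1.dnsprovider.example": ["198.51.100.20"],   # hypothetical hosted-DNS provider
    "dnsprovider.example": ["198.51.100.1"],
}
# Zones each sample nameserver IP actually answers for authoritatively.
SAMPLE_ZONES: Dict[str, Set[str]] = {
    "192.0.2.10": {"example.com"},
    "198.51.100.20": set(),   # zone deleted at the provider, delegation left behind
}


def sample_resolve(name: str) -> Optional[List[str]]:
    return SAMPLE_HOSTS.get(name)


def sample_soa(ns_ip: str, zone: str) -> str:
    return "NOERROR" if zone in SAMPLE_ZONES.get(ns_ip, set()) else "REFUSED"


def run_sample() -> DelegationReport:
    # The page's two-nameserver scenario plus one provider-hosted nameserver.
    return audit_delegation(
        "example.com",
        ["dns.existingdomain.com", "dns.nonexistingdomain.com", "ns1.dnsprovider.example"],
        sample_resolve, sample_soa)


if __name__ == "__main__":
    report = run_sample()
    for f in report.findings:
        print(f"{f.nameserver:28} {f.status:22} {f.detail}")
    print(f"dangling share: {report.dangling_fraction():.0%}")
```

Running it flags "dns.nonexistingdomain.com" as unresolvable (with its parent domain missing too) and "ns1.dnsprovider.example" as not serving the zone; with only the page's two nameservers the dangling share is 50%, matching the round-robin odds described above. Either finding is a reason to fix the delegation at the parent before anyone else can register the missing name or re-create the zone at the provider.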
