= DNS/ManagedDNS =

In Japanese the closest term is probably "DNS運用サービス" (DNS operation service). [[DNS/共用DNSサービス]] (shared DNS service) has also become well established.

https://en.wikipedia.org/wiki/List_of_managed_DNS_providers

Managed DNS Services Overview https://www.trustradius.com/managed-dns

== Letting users create arbitrary zones ==

Some services, such as Sakura in the past and Route53 today, let users create zones for subdomains.
Delegating to them with NS records carries the risk of the zone being taken over.
Many zones have been deleted while the delegation to them was left in place (this is common with awsdns). -- ToshinoriMaeno

== Can I Take Over DNS? ==

A list of DNS providers and whether their zones are vulnerable to DNS takeover! Maintained by https://github.com/indianajson/can-i-take-over-dns

Risky services named in [[DNS/floating_domains]]:
 * DigitalOcean
 * Route53
 * GoDaddy: https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/
 * Cloudflare

Subdomain Takeover: Going beyond CNAME https://0xpatrik.com/subdomain-takeover-ns/

[[attachment:ns_automation-2.png]]

Thinking about DNS operation and management in the era of managed services ~ with DNS takeover as the topic ~ ("DNS with your lunch" session), 9 July 2021, Internet Week Showcase Online 2021, Japan Registry Services Co., Ltd. (JPRS), Yasuhiro Morishita. Copyright © 2021 Japan Registry Services Co., Ltd. https://www.nic.ad.jp/sc-2021/program/sc-2021-day2-0.pdf

== orphaned ==

This brought home again how precarious [[DNS/lame_delegation]] is.

'''The Hacker Blog''' https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html December 05, 2016

== Vulnerability ==

The Managed DNS Vulnerability

The root of this vulnerability occurs when a managed DNS provider allows someone to add a domain to their account __without any verification of ownership__ of the domain name itself. This is actually an incredibly common flow (flaw?) and is used in cloud services such as '''AWS, Google Cloud, Rackspace and of course, Digital Ocean.''' The issue occurs when a domain name is used with one of these cloud services and the zone is later deleted without also changing the domain's nameservers.
It is dangerous to stop using the service but forget to change the nameservers registered for the domain name. (Someone else may then create a zone for it on that server, which is a frightening situation.)

This means that the domain is still fully set up for use in the cloud service but has no account with a zone file to control it. In many cloud providers this means that '''anyone can create a DNS zone for that domain and take full control over the domain.''' This allows an attacker to take full control over the domain to set up a website, issue SSL/TLS certificates, host email, etc. Worse yet, after combining the results from the various providers affected by this problem over 120,000 domains were vulnerable (likely many more).
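The condition described above (delegation still in place, zone gone at the provider) is detectable from the outside: the parent still publishes NS records, but the listed servers no longer answer authoritatively for the domain. The following is an added example, not code from the page, the blog or any provider: an offline classifier for one delegation. The NS set and the per-server SOA replies are constructed sample data (a real audit would gather them with a resolver library), and the `MANAGED_NS_HINTS` list of provider name fragments is an assumption, with only awsdns coming from the page.

```python
from dataclasses import dataclass

# Name fragments of managed DNS services where anyone can re-create a deleted zone.
# awsdns is named on the page; the rest of this list is an assumption for illustration.
MANAGED_NS_HINTS = ("awsdns", "digitalocean.com")


@dataclass(frozen=True)
class SoaProbe:
    nameserver: str      # nameserver that was asked for the domain's SOA
    rcode: str           # RCODE of its reply: NOERROR, REFUSED, SERVFAIL, NXDOMAIN
    authoritative: bool  # whether the AA bit was set in the reply


def is_managed(nameserver: str) -> bool:
    return any(h in nameserver.lower() for h in MANAGED_NS_HINTS)


def classify_delegation(domain: str, parent_ns: set[str], probes: list[SoaProbe]) -> dict:
    """verdict: ok | lame | orphaned (lame and on a managed service: the takeover
    condition from the page) | incomplete (no lame server seen, but some NS unprobed)."""
    wanted = {ns.lower().rstrip(".") for ns in parent_ns}
    probed = {p.nameserver.lower().rstrip(".") for p in probes}
    unprobed = sorted(wanted - probed)
    # A server hosting the zone answers NOERROR with AA set; REFUSED, SERVFAIL or a
    # non-authoritative answer means it does not hold this zone any more.
    bad_ns = sorted(p.nameserver.lower().rstrip(".") for p in probes
                    if p.rcode != "NOERROR" or not p.authoritative)
    if not bad_ns and unprobed:
        verdict = "incomplete"
    elif not bad_ns:
        verdict = "ok"
    elif any(is_managed(ns) for ns in bad_ns):
        verdict = "orphaned"
    else:
        verdict = "lame"
    return {"domain": domain, "verdict": verdict, "bad_ns": bad_ns, "unprobed": unprobed}


# Constructed sample: the parent still delegates example.test to two awsdns-style
# servers, but the hosted zone was deleted, so both reply REFUSED without AA.
SAMPLE_PARENT_NS = {"ns-1.awsdns-01.example.", "ns-2.awsdns-02.example."}
SAMPLE_PROBES = [
    SoaProbe("ns-1.awsdns-01.example", "REFUSED", False),
    SoaProbe("ns-2.awsdns-02.example", "REFUSED", False),
]

if __name__ == "__main__":
    print(classify_delegation("example.test", SAMPLE_PARENT_NS, SAMPLE_PROBES))
```

A domain classified as orphaned should have its delegation corrected or removed at the registrar before anyone else can register the zone at the provider.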