https://0xpatrik.com/

https://securitytrails.com/blog/blast-radius-dns-takeovers Blast Radius: DNS Takeovers

Implications of DNS takeover

Firstly, DNS takeover is not that different from other types of takeover such as CNAME takeover. One difference is that a DNS takeover can cover multiple subdomains with different names at once. Since the attacker controls the whole DNS zone, she can create convincing FQDNs for phishing or other malicious activity. Let's say that "sub.example.com" is affected by the DNS takeover. An attacker might take it further and create a new subdomain called "login.sub.example.com" on which she can host a phishing login page that looks exactly like the original.

Affected third-party DNS providers

AWS Route53 was the most targeted DNS provider for takeovers.

When creating a new DNS zone, Route53 would assign four nameservers to it at random from a pool of thousands. This randomization was chosen deliberately to counter such takeovers. However, an attacker could easily "brute-force" the correct nameserver set simply by creating and deleting Route53 zones at a rapid pace. There was even an exception in the billing policy: Route53 wouldn't bill the client if the DNS zone wasn't alive for more than a couple of hours.

This meant that an attacker could take over dangling Route53 delegations pretty easily.

In May 2021, however, Amazon released a fix for this behavior by simply no longer assigning the same nameservers twice to the same DNS zone. This means that DNS takeover is mitigated on Route53.
Personally, I had many successes with Route53 in my past bug bounties.
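The defender-side check implied by the two sections above is (1) find delegations whose nameservers no longer serve the zone, and (2) list how much of your inventory such a zone would drag along. The following is an added example written for this wiki page, not code from SecurityTrails, 0xpatrik or AWS. It assumes a resolver callback `query_soa(nameserver, zone)` returning an RCODE name; the `FAKE_ANSWERS`, `DELEGATIONS` and `INVENTORY` fixtures are constructed so it runs offline, and in practice you would back the callback with dnspython or `dig +norecursive`.

```python
"""Dangling NS delegation check plus blast-radius listing (added example).

Assumes a callback query_soa(nameserver, zone) -> RCODE name, e.g.
"NOERROR", "REFUSED", "SERVFAIL", "NXDOMAIN" or "TIMEOUT". A constructed
fake resolver stands in for the network here.
"""
from typing import Callable, Dict, Iterable, List

# Answers that mean "this server is delegated the zone but does not host it".
# Providers typically answer REFUSED for a zone that was deleted on their side;
# TIMEOUT is left out on purpose because it is usually transient, not a
# deleted zone, and would cause false positives.
DANGLING_RCODES = {"REFUSED", "SERVFAIL", "NXDOMAIN"}


def classify_delegation(zone: str, nameservers: Iterable[str],
                        query_soa: Callable[[str, str], str]) -> Dict[str, str]:
    """Ask every delegated nameserver for the zone's SOA and record the RCODE."""
    return {ns: query_soa(ns, zone) for ns in nameservers}


def is_dangling(rcodes: Dict[str, str]) -> bool:
    """One bad server is enough: resolvers rotate over the delegated set, so a
    takeover on a single nameserver is still served part of the time."""
    return any(rc in DANGLING_RCODES for rc in rcodes.values())


def blast_radius(zone: str, inventory: Iterable[str]) -> List[str]:
    """All inventoried names at or below `zone`; whoever controls the zone
    controls every one of them (and any new name they choose to add)."""
    zone = zone.rstrip(".").lower()
    affected = []
    for name in inventory:
        n = name.rstrip(".").lower()
        # The leading dot prevents "notsub.example.com" matching "sub.example.com".
        if n == zone or n.endswith("." + zone):
            affected.append(n)
    return sorted(affected)


def audit(delegations: Dict[str, List[str]], inventory: Iterable[str],
          query_soa: Callable[[str, str], str]) -> Dict[str, dict]:
    """Per delegated zone: the per-server RCODEs, whether it is dangling, and
    the inventory names a takeover of that zone would cover."""
    inventory = list(inventory)
    report = {}
    for zone, nss in delegations.items():
        rcodes = classify_delegation(zone, nss, query_soa)
        dangling = is_dangling(rcodes)
        report[zone] = {
            "rcodes": rcodes,
            "dangling": dangling,
            "affected": blast_radius(zone, inventory) if dangling else [],
        }
    return report


# --- constructed fixtures (hypothetical names, not real infrastructure) ---
DELEGATIONS = {
    # Zone deleted at the provider: both delegated servers now refuse it.
    "sub.example.com": ["ns-1.example-dns.net", "ns-2.example-dns.net"],
    # Healthy delegation for comparison.
    "shop.example.com": ["ns-1.example-dns.net", "ns-2.example-dns.net"],
}
INVENTORY = [
    "sub.example.com", "login.sub.example.com", "api.sub.example.com",
    "shop.example.com", "www.example.com", "notsub.example.com",
]
FAKE_ANSWERS = {
    ("ns-1.example-dns.net", "sub.example.com"): "REFUSED",
    ("ns-2.example-dns.net", "sub.example.com"): "REFUSED",
    ("ns-1.example-dns.net", "shop.example.com"): "NOERROR",
    ("ns-2.example-dns.net", "shop.example.com"): "NOERROR",
}


def fake_query_soa(nameserver: str, zone: str) -> str:
    """Offline stand-in for a non-recursive SOA query to one nameserver."""
    return FAKE_ANSWERS.get((nameserver, zone), "TIMEOUT")


if __name__ == "__main__":
    for zone, entry in audit(DELEGATIONS, INVENTORY, fake_query_soa).items():
        state = "DANGLING" if entry["dangling"] else "ok"
        print(f"{zone}: {state} {entry['rcodes']}")
        for name in entry["affected"]:
            print(f"    would be controlled: {name}")
```

Run it against a real estate by replacing `fake_query_soa` with a function that sends a non-recursive SOA query straight to each nameserver listed in the parent zone's NS set (not to your recursive resolver, whose cache would hide the REFUSED). The Route53 fix described above reduces how easily the dangling set can be reclaimed, but the delegation itself stays dangling until the NS records are removed, so the check remains worth running.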


CategoryDns CategoryWatch CategoryTemplate

MoinQ: DNS/attacks/blast_radius_DNS (last edited 2022-03-14 08:13:31 by ToshinoriMaeno)