For the people who say we are on the cloud and it is implicitly secure :P

AWS NS Takeover

From 101 to Detection and Exploitation!

Shiv Sahni
4 min read · Aug 12, 2019

I hope you have heard of the conventional subdomain takeover caused by a dangling CNAME entry. Recently, while going through these amazing blogs (Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean, and Subdomain Takeover: Going beyond CNAME), I got to know about this cool, non-conventional domain takeover which allows an adversary to gain complete control over a vulnerable domain.


Before we go ahead and get our hands dirty, you need to have a fair understanding of the following concepts:

  1. DNS (Domain Name Service)
  2. Fundamentals of AWS (especially the Route 53 service)

The Misconfiguration

Usually, while setting up a domain, we avail domain registration services from a registrar and provide the authoritative nameservers, which store and serve the domain's DNS resource records. The security issue concerns a misconfiguration made while setting up the authoritative nameservers for a domain.

To query the nameserver(s) corresponding to a domain we can simply use any DNS client such as dig, host, etc. to fetch the NS resource records. As shown below, the hosts returned in the NS records are the authoritative nameservers for the queried domain.

In the scenario where the AWS Route 53 service is used, we get nameservers belonging to AWS, as shown below.

Whenever we use AWS Route 53 service for managing DNS, usually AWS allocates four nameservers from its pool of…
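Here is a small checker added to this post (not the author's code) that performs the test the paragraphs above lead into: take a domain's NS records and ask each delegated nameserver directly whether it actually hosts the zone. A Route 53 nameserver that answers REFUSED is not serving the zone, so the delegation is dangling. `example.test`, the `ns-…awsdns-…` hostnames in the sample and the `dig_rcode` helper are constructed for illustration; the live path assumes `dig` is installed.

```python
"""Check a domain's NS delegation for dangling Route 53 nameservers."""
import re
import subprocess
from typing import Callable, Dict, List

# Route 53 nameserver naming pattern: ns-<n>.awsdns-<n>.{com,net,org,co.uk}
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.I)

def is_route53_nameserver(ns: str) -> bool:
    """True if the hostname looks like an AWS Route 53 nameserver."""
    return bool(ROUTE53_NS.match(ns.strip()))

def classify_delegation(domain: str, ns_records: List[str],
                        rcode_of: Callable[[str, str], str]) -> Dict[str, str]:
    """Ask each delegated nameserver directly for the zone's SOA and grade it.
    A Route 53 server answering REFUSED does not host the zone: the parent
    still delegates to it, but no hosted zone backs it (the dangling state).
    Returns nameserver -> verdict."""
    verdicts: Dict[str, str] = {}
    for ns in ns_records:
        rcode = rcode_of(ns, domain)
        if rcode == "NOERROR":
            verdicts[ns] = "ok"
        elif rcode == "REFUSED" and is_route53_nameserver(ns):
            verdicts[ns] = "dangling-route53"
        elif rcode in ("REFUSED", "SERVFAIL", "TIMEOUT"):
            verdicts[ns] = "dangling-or-broken"
        else:
            verdicts[ns] = f"unexpected:{rcode}"
    return verdicts

def dig_rcode(ns: str, domain: str) -> str:
    """Live lookup via dig; returns the status field (TIMEOUT if none)."""
    out = subprocess.run(["dig", f"@{ns}", domain, "SOA", "+norecurse",
                          "+time=3", "+tries=1"], capture_output=True, text=True)
    match = re.search(r"status: (\w+)", out.stdout)
    return match.group(1) if match else "TIMEOUT"

# Constructed sample: example.test is delegated to four Route 53 servers whose
# hosted zone was deleted (all REFUSED) plus one legacy server that still answers.
SAMPLE_NS = ["ns-123.awsdns-15.com.", "ns-456.awsdns-56.net.",
             "ns-789.awsdns-30.org.", "ns-1012.awsdns-62.co.uk.",
             "ns1.legacy-dns.test."]
SAMPLE_RCODES = {ns: "REFUSED" for ns in SAMPLE_NS[:4]}
SAMPLE_RCODES["ns1.legacy-dns.test."] = "NOERROR"

def sample_verdicts() -> Dict[str, str]:
    """Run the classifier over the constructed sample instead of the network."""
    return classify_delegation("example.test", SAMPLE_NS, lambda ns, _d: SAMPLE_RCODES[ns])
```

For a real zone you own, pass the NS hostnames from `dig NS yourdomain` together with `dig_rcode` as the lookup function; any `dangling-route53` verdict means the delegation should be removed or the hosted zone recreated.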
