For the people who say we are on the cloud and it is implicitly secure :P
AWS NS Takeover
From 101 to Detection and Exploitation!
--
I hope you have heard of the conventional subdomain takeover caused by a dangling CNAME entry. Recently, while going through these excellent blog posts (Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean, and Subdomain Takeover: Going beyond CNAME), I learned about this cool, non-conventional domain takeover, which gives an adversary complete control over a vulnerable domain.
Prerequisite
Before we go ahead and get our hands dirty you need to have a fair understanding of the following concepts:
- DNS (Domain Name System)
- Fundamentals of AWS (especially the Route 53 service)
The Misconfiguration
Usually, when setting up a domain, we obtain registration from a registrar and supply the authoritative nameservers, which store and serve the domain's DNS resource records. The security issue concerns a misconfiguration that arises when setting up the authoritative nameservers for a domain.
To find the nameserver(s) for a domain, we can use any DNS client, such as dig or host, to fetch the NS resource records. As shown below, ns1.google.com, ns2.google.com, ns3.google.com and ns4.google.com are the authoritative nameservers for google.com.
In the scenario where the AWS Route 53 service is used, we would instead get nameservers belonging to AWS, as shown below.
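The following script is an added example (not code from the original post) that automates the two checks described above: it parses the NS records out of dig's answer section, recognises Route 53 nameservers by their `ns-NNN.awsdns-NN.<tld>` naming pattern, and then asks each AWS nameserver directly for the zone's SOA record. The detection logic rests on one fact not stated on the page: a Route 53 nameserver answers REFUSED for a zone it does not host, so a delegation to AWS nameservers that refuse the zone is dangling. The dig output embedded below is constructed for the example, and the `example.com` nameserver names are placeholders, not real allocations.

```python
"""Detect a dangling Route 53 NS delegation (added example, not from the original post).

Assumptions (not stated on the page):
  * Route 53 nameservers are named ns-NNN.awsdns-NN.{com,net,org,co.uk}.
  * A Route 53 nameserver returns rcode REFUSED for a zone it does not host.
"""
import re
import subprocess

# Route 53 nameserver naming pattern, e.g. ns-1234.awsdns-56.org
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)\.?$", re.IGNORECASE)

# Constructed sample of `dig NS google.com` output (layout only; not captured from the post)
SAMPLE_DIG_NS_GOOGLE = """\
;; ANSWER SECTION:
google.com.\t\t21599\tIN\tNS\tns1.google.com.
google.com.\t\t21599\tIN\tNS\tns2.google.com.
google.com.\t\t21599\tIN\tNS\tns3.google.com.
google.com.\t\t21599\tIN\tNS\tns4.google.com.
"""

# Constructed sample for a Route 53 delegation; nameserver names are placeholders
SAMPLE_DIG_NS_AWS = """\
;; ANSWER SECTION:
example.com.\t\t172800\tIN\tNS\tns-1234.awsdns-56.org.
example.com.\t\t172800\tIN\tNS\tns-789.awsdns-12.co.uk.
example.com.\t\t172800\tIN\tNS\tns-345.awsdns-90.net.
example.com.\t\t172800\tIN\tNS\tns-67.awsdns-01.com.
"""


def parse_ns_records(dig_output):
    """Return the NS targets (lower-cased, without trailing dot) from dig's answer section."""
    names = []
    for line in dig_output.splitlines():
        parts = line.split()
        # Answer lines look like: <owner> <ttl> IN NS <target>
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            names.append(parts[4].rstrip(".").lower())
    return names


def soa_status_via_dig(nameserver, domain):
    """Ask one nameserver directly for the zone's SOA; return dig's rcode (network call)."""
    out = subprocess.run(
        ["dig", "+norecurse", "+time=3", "+tries=1", f"@{nameserver}", domain, "SOA"],
        capture_output=True, text=True, check=False,
    ).stdout
    m = re.search(r"status: ([A-Z]+)", out)
    return m.group(1) if m else "TIMEOUT"


def assess_delegation(domain, nameservers, probe):
    """Classify a delegation.

    probe(nameserver, domain) must return the rcode string ("NOERROR", "REFUSED", ...).
    A Route 53 nameserver that refuses the zone is reported as dangling.
    """
    aws = [ns for ns in nameservers if ROUTE53_NS.match(ns)]
    if not aws:
        return {"provider": "other", "dangling": [], "risk": "n/a"}
    dangling = [ns for ns in aws if probe(ns, domain) == "REFUSED"]
    return {"provider": "route53", "dangling": dangling, "risk": "HIGH" if dangling else "ok"}


if __name__ == "__main__":
    # Offline walk-through using the constructed samples; swap in soa_status_via_dig for real probing.
    print(parse_ns_records(SAMPLE_DIG_NS_GOOGLE))
    stale = lambda ns, d: "REFUSED" if ns.endswith(".org") else "NOERROR"  # simulated answers
    print(assess_delegation("example.com", parse_ns_records(SAMPLE_DIG_NS_AWS), stale))
```

Run it against a real domain by passing `soa_status_via_dig` as the probe. A `HIGH` result means the registrar still delegates to AWS nameservers that no longer serve the zone; the fix on the defender's side is to delete the stale NS delegation at the registrar (or recreate the hosted zone and update the delegation to the nameservers it is actually assigned), and to re-run this check whenever a hosted zone is deleted.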
Whenever we use the AWS Route 53 service for managing DNS, AWS usually allocates four nameservers from its pool of…