For the people who say we are on the cloud and it is implicitly secure :P

AWS NS Takeover

From 101 to Detection and Exploitation!

Shiv Sahni
4 min readAug 12, 2019


I hope you would have heard of a conventional subdomain takeover because of a dangling CNAME entry. Recently while going through these amazing blogs( Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean and Subdomain Takeover: Going beyond CNAME) I got to know about this cool, non-conventional domain takeover which allows an adversary to have complete control over a vulnerable domain.


Before we go ahead and get our hands dirty you need to have a fair understanding of the following concepts:

  1. DNS(Domain Name Service)
  2. Fundamentals of AWS(especially Route53 service)

The Misconfiguration

Usually while setting up a domain, we avail domain registration services from the registrar and provide the authoritative nameservers which stores and provides the respective DNS resource records. The security issue is regarding…



Shiv Sahni

Security Engineer |Security Consultant |Infosec Trainer | Author | Lecturer | Open Source Contributor | Learner