Can I Take Over Dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones

Project README

Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by  

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow, this project is uniquely oriented towards DNS takeovers. While dangling DNS records pose a high threat to companies and warrant high bounties, DNS takeovers pose even greater risks and are sometimes even easier to find. We are trying to make this list comprehensive, so please contribute!

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

| Provider | Status | Fingerprint | Takeover Instructions |
|---|---|---|---|
| 000Domains | Vulnerable (w/ purchase) | `ns1.000domains.com`, `ns2.000domains.com`, `fwns1.000domains.com`, `fwns2.000domains.com` | Issue #19 |
| AWS Route 53 | Not Vulnerable | `ns-****.awsdns-**.org`, `ns-****.awsdns-**.co.uk`, `ns-***.awsdns-**.com`, `ns-***.awsdns-**.net` | Issue #1 |
| Azure (Microsoft) | Edge Case | `ns1-**.azure-dns.com`, `ns2-**.azure-dns.net`, `ns3-**.azure-dns.org`, `ns4-**.azure-dns.info` | Issue #5 |
| Bizland | No New Accounts | `ns1.bizland.com`, `ns2.bizland.com`, `clickme.click2site.com`, `clickme2.click2site.com` | Issue #3 |
| Cloudflare | Edge Case | `*.ns.cloudflare.com` | Issue #10 |
| Digital Ocean | Vulnerable | `ns1.digitalocean.com`, `ns2.digitalocean.com`, `ns3.digitalocean.com` | Issue #22 |
| DNSMadeEasy | Vulnerable | `ns**.dnsmadeeasy.com` | Issue #6 |
| DNSimple | Vulnerable | `ns1.dnsimple.com`, `ns2.dnsimple.com`, `ns3.dnsimple.com`, `ns4.dnsimple.com` | Issue #16 |
| Domain.com | Vulnerable (w/ purchase) | `ns1.domain.com`, `ns2.domain.com` | Issue #17 |
| DomainPeople | Not Vulnerable | `ns1.domainpeople.com`, `ns2.domainpeople.com` | Issue #14 |
| Dotster | Vulnerable (w/ purchase) | `ns1.dotster.com`, `ns2.dotster.com`, `ns1.nameresolve.com`, `ns2.nameresolve.com` | Issue #18 |
| EasyDNS | Vulnerable | `dns1.easydns.com`, `dns2.easydns.net`, `dns3.easydns.org`, `dns4.easydns.info` | Issue #9 |
| Gandi.net | Not Vulnerable | `a.dns.gandi.net`, `b.dns.gandi.net`, `c.dns.gandi.net` | |
| Google Cloud | Vulnerable | `ns-cloud-**.googledomains.com` | Issue #2 |
| Hostinger (old NS) | Not Vulnerable | `ns1.hostinger.com`, `ns2.hostinger.com` | |
| Hover | Not Vulnerable | `ns1.hover.com`, `ns2.hover.com` | Issue #21 |
| Hurricane Electric | Vulnerable | `ns5.he.net`, `ns4.he.net`, `ns3.he.net`, `ns2.he.net`, `ns1.he.net` | Issue #25 |
| Linode | Vulnerable | `ns1.linode.com`, `ns2.linode.com` | Issue #26 |
| MediaTemple (mt) | Not Vulnerable | `ns1.mediatemple.net`, `ns2.mediatemple.net` | Issue #23 |
| MyDomain | Vulnerable (w/ purchase) | `ns1.mydomain.com`, `ns2.mydomain.com` | Issue #4 |
| Name.com | Vulnerable (w/ purchase) | `ns1***.name.com`, `ns2***.name.com`, `ns3***.name.com`, `ns4***.name.com` | Issue #8 |
| namecheap | Not Vulnerable | `*.namecheaphosting.com`, `*.registrar-servers.com` | |
| Network Solutions | Not Vulnerable | `ns**.worldnic.com` | Issue #15 |
| NS1 | Registration Closed. I can help, comment on the linked issue. | `dns1.p**.nsone.net`, `dns2.p**.nsone.net`, `dns3.p**.nsone.net`, `dns4.p**.nsone.net` | Issue #7 |
| TierraNet | Vulnerable | `ns1.domaindiscover.com`, `ns2.domaindiscover.com` | Issue #24 |
| Reg.ru | Vulnerable (sanctions may stop payments) | `ns1.reg.ru`, `ns2.reg.ru` | Issue #28 |
| UltraDNS | Not Vulnerable | `pdns***.ultradns.com`, `udns***.ultradns.com`, `sdns***.ultradns.com` | Issue #29 |
| Yahoo Small Business | Vulnerable (w/ purchase) | `yns1.yahoo.com`, `yns2.yahoo.com` | Issue #20 |

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowing which nameservers are private and not vulnerable can help eliminate false positives from your testing.

| Owner | Status | Fingerprint |
|---|---|---|
| Activision | Not Vulnerable | `ns*.activision.com` |
| Adobe | Not Vulnerable | `adobe-dns-0*.adobe.com` |
| Apple | Not Vulnerable | `a.ns.apple.com`, `b.ns.apple.com`, `c.ns.apple.com`, `d.ns.apple.com` |
| Automattic | Not Vulnerable | `ns*.automattic.com` |
| Capital One | Not Vulnerable | `ns*.capitalone.com` |
| Disney | Not Vulnerable | `ns*.twdcns.com`, `ns*.twdcns.info`, `ns*.twdcns.co.uk` |
| Google | Not Vulnerable | `ns*.google.com` |
| Lowe's | Not Vulnerable | `authns*.lowes.com` |
| T-Mobile | Not Vulnerable | `ns10.tmobileus.com`, `ns10.tmobileus.net` |

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when a request is made for DNS records, the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
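For a defender, the condition described above can be checked against an inventory of the organisation's own delegations. The following is an added example, not code from this project: it matches NS hostnames against a few fingerprints copied from the tables above and flags zones whose delegated nameservers answer SERVFAIL. The wildcard interpretation, the `triage` verdict strings and the sample inventory are assumptions made for the example, and the response code is taken as input rather than queried.

```python
import re

# Rows copied from the tables above (a subset): provider, status, fingerprint.
FINGERPRINTS = [
    ("AWS Route 53", "Not Vulnerable", "ns-****.awsdns-**.org"),
    ("Cloudflare", "Edge Case", "*.ns.cloudflare.com"),
    ("Digital Ocean", "Vulnerable", "ns1.digitalocean.com"),
    ("Digital Ocean", "Vulnerable", "ns2.digitalocean.com"),
    ("Name.com", "Vulnerable (w/ purchase)", "ns1***.name.com"),
]

def fingerprint_to_regex(fingerprint):
    # Assumption: a run of '*' stands for one or more characters of a single
    # label; the page does not define its wildcard more precisely.
    literals = re.split(r"\*+", fingerprint.lower())
    return re.compile("[a-z0-9-]+".join(re.escape(part) for part in literals))

RULES = [(p, s, fingerprint_to_regex(fp)) for p, s, fp in FINGERPRINTS]

def identify(nameserver):
    """Return (provider, status) for an NS hostname, or None if unlisted."""
    host = nameserver.lower().rstrip(".")
    for provider, status, regex in RULES:
        if regex.fullmatch(host):  # fullmatch: suffix look-alikes do not match
            return provider, status
    return None

def triage(zone):
    """zone['rcode'] is the response code the delegated nameservers returned."""
    hits = {identify(ns) for ns in zone["ns"]} - {None}
    if not hits:
        return "unlisted provider"
    if zone["rcode"] != "SERVFAIL":
        return "zone is served"
    if any(status.startswith("Vulnerable") for _, status in hits):
        return "dangling delegation: recreate the zone or remove the NS records"
    return "SERVFAIL, check the provider's row: " + ", ".join(sorted(s for _, s in hits))

# Constructed inventory of an organisation's own delegations (not real data).
INVENTORY = [
    {"name": "shop.example.com", "rcode": "SERVFAIL",
     "ns": ["ns1.digitalocean.com.", "ns2.digitalocean.com."]},
    {"name": "www.example.com", "rcode": "SERVFAIL", "ns": ["ns-1234.awsdns-12.org."]},
    {"name": "api.example.com", "rcode": "NOERROR", "ns": ["ns1abc.name.com."]},
    {"name": "lab.example.com", "rcode": "SERVFAIL", "ns": ["ns1.dns.example.net."]},
]

def report(inventory):
    return {zone["name"]: triage(zone) for zone in inventory}
```

`report(INVENTORY)` returns one verdict per zone; only `shop.example.com` is flagged as a dangling delegation, because it combines a provider listed as Vulnerable with a SERVFAIL answer.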

You can read more at: https://0xpatrik.com/subdomain-takeover-ns/

A Python implementation of DNS takeovers: https://github.com/pwnesia/dnstake

Contributions

We welcome contributions!

We need new DNS providers added with information on their vulnerability status. You can submit new services here! We have a list of DNS providers that need to be investigated here.

Press

"I honestly think this is a great resource for security researchers and bug bounty hunters."
@0xpatrik

"A new, but incredibly useful resource.. Essentially, a more modern/accurate can-i-take-over list for the STO you likely don't yet know about"
Michael Skelton, Director of Security @ BugCrowd

"Still trying to find your first domain/subdomain takeover vulnerability? Go to indianajson/can-i-take-over-dns for a curated DNS takeover list."
Intigriti, Bug Bounty Platform

"There's this excellent resource on GitHub... which has a list of nameservers... that you can perform takeovers on, so I think this is an excellent resource"
Shubham Shah, CTO of Assetnote

Open Source Agenda is not affiliated with "Can I Take Over Dns" Project. README Source: indianajson/can-i-take-over-dns
