Google Cloud DNS #2
Comments
ghost
added
the
|
Is reaching the a* ns server impossible now? |
|
@indianajson Can |
|
@molitona I am not sure about this, though the "GC" stands for "Google Cloud" and it may be only for internal testing. |
|
Can anyone confirm if this still works? I am getting an error saying to verify the domain ownership. |
|
@b1bek This means the parent domain is already taken, so all subdomains of this domain should not be vulnerable. I just found a subdomain, where the zone can be created. But I also have the problem that I do not get the needed letter "c" in the NS servers. So I think Google has some mitigation in place similar to AWS, where you cannot get the same NS, when they were previously used. |
|
Yeah, which tool are you using btw? |
|
Ah that's just a "hacky" bash script I created which uses Gcloud CLI @b1bek . Just pushed it on Github you can check it out: |
|
Thanks for the tool @RogueSMG , just confirmed it is still vulnerable. Got the expected shards after 75 tries + few manual creation. Get all the c1, d1, e1 and finally b1.
|
Thanks for verifying this is still vulnerable as of July 2023. |
|
I was trying to hit e1 shards. After more than 4000 attempts I never got them, only a1, b1, c1, d1. I'll keep looking into it. |
|
Are you sure this still works? Google dns doesn't let you delete a zone unless you delete all the record in it first. Maybe im just being dumb here but idk. |
|
From the docs: https://cloud.google.com/dns/quotas#name-server-limits |
Yes, most GCP takeovers are edge-cases. It's also possible "in theory" to take over. subdomain via dangling A records if the DNS record is pointing to an ephemerally assigned GCP owned IP address. Once that IP gets released back into the GCP ephemeral IP pool, you "in theory" can take it over by generating VM instances over and over until you get assigned the IP that is still in the targets DNS panel in the Google Cloud Platform management panel. It's very difficult. I wrote some scripts to do this. But I have yet to "prove" that it actually works. |
Interesting, I've just been doing the same in AWS but I'm approaching it from the angle of looking what traffic I get for an Elastic IP and seeing if the host header is valid domain then working backwards from that. Happy to collab if you are still working on this. |
ServiceGoogle Cloud DNSStatusVulnerable (as of July 2023)Nameserverns-cloud-**.googledomains.com
ExplanationIf a domain points to one of the nameservers listed above it is using Google Cloud DNS, a free service. A
SERVFAILerror indicates the domain is vulnerable to take over. To perform the takeover set up a free Google Cloud account then navigate to Cloud DNS. ClickCreate Zoneand then enter the (sub)domain name in the field namedDNS name. Your new zone will be given four random Google nameservers. These must match the ones on the vulnerable domain. If they do not match simply delete the zone and create another one, you should be assigned a different random set of Google nameservers. It can take a few attempts to get them to match.Errors / IssuesThe text was updated successfully, but these errors were encountered: