DNSMadeEasy #6
Comments
@royalcoder-sudo This error means that an account on DNSMadeEasy already has the (sub)domain in a zone. The domain is currently returning an NXDOMAIN error (which typically is not vulnerable to this attack vector). Despite the fact that

Hi @indianajson

@xsh1synack I discussed this specific issue with another researcher a while back. They even asked DNSMadeEasy's customer service about delegating to those servers and were told that zones are only delegated to them if the main servers are having difficulty dealing with the load. At the moment, I don't have a method for forcing zone delegation to those name servers. If anyone comes up with something please share!

@Sn0wd3nn You definitely want a POC, but you don't need to host a website. For DNS takeover POCs, you should add a TXT record to the hosted zone, something like
The thing is I found the subdomain is available in DNSMadeEasy to register, and I did register it, but I still feel like it's not vulnerable, like I can't do anything with it.

I did, check your DM @indianajson

Hi everyone, hope you're doing great. Just a recap of what I did and then my question, so forgive me if I missed something. I found a subdomain that is possible to take over. I went to DNSMadeEasy and took that domain (so I think). I added a TXT record yesterday, but nothing came up. Do I have to purchase the domain to take it over at this point? Probably... right, because at that point I configure the DNS before I purchase it?!? Thank you in advance everyone :-)
Hi @UN1337KN0WN - If the subdomain is vulnerable and you added it to DNSMadeEasy the takeover should work and you should not need to purchase any domains. To clarify though you need to add the subdomain to DNSMadeEasy, not the domain. For example, if test.example.com is vulnerable you need to add test.example.com, not example.com. I'm going to add an explanation on how to test a domain for vulnerability and add it to this issue, but in the meantime feel free to DM me on Twitter (@indianajson) and I'll try to help you troubleshoot this. Since it's already in your DNSMadeEasy account you've got it locked in if it is indeed vulnerable.
Hi @indianajson, thanks for the quick response. 1. Okay, because I thought the TXT record that I added should give me a response, but nothing happened there. 2. Haha, I know about subdomain takeover; I was not sure about subdomain takeover on DNSMadeEasy. It was just odd that I did not receive my TXT record. I looked around the setup and found the following message: "No delegated name servers were found for your domain. These name servers are usually supplied to the registrar." Any clue here?
@UN1337KN0WN - That sounds like the nameservers for the domain aren't actually pointing to DNSMadeEasy. Go run a trace on the domain using this tool (enter the affected subdomain and click
Tell me what appears after the
Check this out indianajson/can-i-take-over-dns#6
Recently Digicert bought DNSMadeEasy, now the default NS are

@pdelteil So that it means it's not vulnerable anymore? Can we update this in the readme?

I did not see that comment from nine months ago. 😬 That said, if they only changed the domain and not the service's code it would work with the new domain. It's also possible that the new domain still forwards traffic for the old domain. We need to do some testing.
NOTE: The company changed hands almost a year ago and their domain name changed for their NS servers. I'm not sure how this has affected vulnerability. This needs testing.
| Service | Status | Nameserver |
| --- | --- | --- |
| DNSMadeEasy | Needs Testing (previously Vulnerable) | Managed DNS: ns1.dnsmadeeasy.com, ns2.dnsmadeeasy.com, ns3.dnsmadeeasy.com, ns4.dnsmadeeasy.com<br>Secondary DNS: ns5.dnsmadeeasy.com, ns6.dnsmadeeasy.com, ns7.dnsmadeeasy.com<br>Alternate Managed DNS (not easily obtainable): ns10.dnsmadeeasy.com, ns11.dnsmadeeasy.com, ns12.dnsmadeeasy.com, ns13.dnsmadeeasy.com, ns14.dnsmadeeasy.com, ns15.dnsmadeeasy.com |
Explanation

Head over to the registration page on DNSMadeEasy. Since accounts are only active for 30 days I recommend you use an alteration to your primary email (e.g. `hacker+dns@wearehackerone.com`). Now, the number in the nameservers in your vulnerable domain will determine which service you use.

If the number is `ns1`-`ns4`, use Managed DNS to create the zone. After you enter your domain and submit the form it will assign you several nameservers. At least one of your assigned nameservers must match with your vulnerable domain. Theoretically, they all will match, but sometimes they don't.

If the number is `ns5`-`ns7`, things get a bit more complicated. First, use Secondary DNS to create the zone. You will need to add a Secondary IP Set before you can configure the zone. Add `192.135.223.10` as the IP address. For the takeover to work, you need to set up a primary DNS first, which will push records to the secondary DNS provided by DNSMadeEasy. I recommend you use NS1 as the primary in this instance; it's free and easily configurable. This article will explain the steps to configure your NS1 zone. It will take a minute for everything to get in sync, but afterward you should receive a `NOERROR` response from the vulnerable server. Now configure the DNS records for the takeover on NS1.

If the number is `ns10`-`ns15`, you're probably not going to get this takeover. According to comments by DNSMadeEasy staff these nameservers are only delegated to a zone if the primary nameservers (`ns1`-`ns4`) are bogged down at that particular moment. There is no known reliable way to get the `ns10`-`ns15` nameservers. Additionally, it has been discovered that these zones are used for whitelabel DNS services provided by DNSMadeEasy.
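The issue body above, together with the first comment in the thread (NXDOMAIN from the delegated server is typically not vulnerable; a served zone answers NOERROR), describes what a dangling DNSMadeEasy delegation looks like on the wire. The following is an added example, not code from this repository or its author: a standard-library Python audit script for names you administer, with a minimal DNS wire-format builder/parser and a classifier that maps the delegation onto the three nameserver groups in the table. It assumes that a REFUSED or SERVFAIL answer from the delegated nameserver, with no zone configured there, is the dangling condition (the issue only states the NOERROR you see once a zone exists). The resolver default `9.9.9.9`, the function names and the two sample replies are my own choices; the sample replies are constructed bytes, not captured traffic, so the offline path runs without network access.

```python
import random
import socket
import struct

# Nameserver groups from the table in this issue
MANAGED = {f"ns{i}.dnsmadeeasy.com" for i in range(1, 5)}      # ns1-ns4
SECONDARY = {f"ns{i}.dnsmadeeasy.com" for i in range(5, 8)}    # ns5-ns7
ALTERNATE = {f"ns{i}.dnsmadeeasy.com" for i in range(10, 16)}  # ns10-ns15
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
A, NS, CNAME = 1, 2, 5  # record types handled below


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def build_query(name, qtype, txid):
    """Header with RD set, one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return transaction id, rcode name and a list of (owner, type, rdata)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, records = 12, []
    for _ in range(qd):
        _, offset = parse_name(data, offset)
        offset += 4  # skip qtype + qclass
    for _ in range(an + ns + ar):
        owner, offset = parse_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype in (NS, CNAME):          # rdata is itself a (compressible) name
            rdata, _ = parse_name(data, offset)
        elif rtype == A and rdlen == 4:
            rdata = ".".join(str(b) for b in data[offset:offset + 4])
        else:
            rdata = data[offset:offset + rdlen]
        records.append((owner, rtype, rdata))
        offset += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)), "records": records}


def classify(ns_names, auth_rcode):
    """Map a delegation plus the delegated server's rcode onto the cases in this issue."""
    dme = {n.lower().rstrip(".") for n in ns_names} & (MANAGED | SECONDARY | ALTERNATE)
    if not dme:
        return "not delegated to DNSMadeEasy"
    if auth_rcode == "NOERROR":
        return "zone is served: no dangling delegation"
    if auth_rcode == "NXDOMAIN":
        return "NXDOMAIN from delegated server: typically not vulnerable"
    # Assumption: REFUSED/SERVFAIL with no zone configured is the dangling condition
    if dme & MANAGED:
        return "dangling delegation to Managed DNS (ns1-ns4)"
    if dme & SECONDARY:
        return "dangling delegation to Secondary DNS (ns5-ns7)"
    return "dangling delegation to Alternate Managed DNS (ns10-ns15): not easily obtainable"


def query(server, name, qtype, timeout=3.0):
    """Send one UDP query to `server` and parse the reply (live network)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != txid:
        raise ValueError("transaction id mismatch")
    return reply


def audit(domain, resolver="9.9.9.9"):
    """Live check of a name you own: who is it delegated to, and do they serve it?"""
    ns_names = [r[2] for r in query(resolver, domain, NS)["records"] if r[1] == NS]
    dme = sorted(n for n in ns_names if n.lower().rstrip(".") in MANAGED | SECONDARY | ALTERNATE)
    if not dme:
        return classify(ns_names, "NOERROR")
    ns_ip = next(r[2] for r in query(resolver, dme[0], A)["records"] if r[1] == A)
    return classify(ns_names, query(ns_ip, domain, A)["rcode"])


def assess(resolver_reply, auth_reply):
    """Offline counterpart of audit(): classify from two already-captured replies."""
    ns_names = [r[2] for r in parse_response(resolver_reply)["records"] if r[1] == NS]
    return classify(ns_names, parse_response(auth_reply)["rcode"])


def sample_resolver_reply():
    """Constructed answer to 'sub.example.com NS?' (not real traffic). The second NS
    rdata compresses 'dnsmadeeasy.com' via a pointer to offset 49 inside the first."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("sub.example.com") + struct.pack("!HH", NS, 1)

    def rr(rdata):  # owner is a pointer (0xC00C) back to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", NS, 1, 300, len(rdata)) + rdata
    return header + question + rr(encode_name("ns1.dnsmadeeasy.com")) + rr(b"\x03ns2\xc0\x31")


def sample_refused_reply():
    """Constructed REFUSED reply to 'sub.example.com A?' from a delegated server."""
    return struct.pack("!HHHHHH", 0x1235, 0x8105, 1, 0, 0, 0) + encode_name("sub.example.com") + struct.pack("!HH", A, 1)


if __name__ == "__main__":
    print(assess(sample_resolver_reply(), sample_refused_reply()))
```

Running the file prints the classification of the constructed sample (a Managed DNS delegation that answers REFUSED); `audit("sub.example.com")` performs the same two-step check live, first asking the resolver for the NS set and then asking the first DNSMadeEasy nameserver directly, which is what you want in a periodic check over your own zone inventory.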