can-i-take-over-dns
can-i-take-over-dns copied to clipboard
indianajson
"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones
Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by 
Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. While dangling DNS records pose a high threat to companies and warrant high bounties, DNS takeovers pose even greater risks and are sometimes even easier to find. We are trying to make this list comprehensive, so please contribute!
DNS Providers
These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.
| Provider | Status | Fingerprint | Takeover Instructions |
|---|---|---|---|
| 000Domains | Vulnerable (w/ purchase) | ns1.000domains.com ns2.000domains.com fwns1.000domains.com fwns2.000domains.com |
Issue #19 |
| AWS Route 53 | Not Vulnerable | ns-****.awsdns-**.org ns-****.awsdns-**.co.uk ns-***.awsdns-**.com ns-***.awsdns-**.net |
Issue #1 |
| Azure (Microsoft) | Edge Case | ns1-**.azure-dns.com ns2-**.azure-dns.net ns3-**.azure-dns.org ns4-**.azure-dns.info |
Issue #5 |
| Bizland | Vulnerable | ns1.bizland.com ns2.bizland.com clickme.click2site.com clickme2.click2site.com |
Issue #3 |
| Cloudflare | Edge Case | *.ns.cloudflare.com | Issue #10 |
| Digital Ocean | Vulnerable | ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com |
Issue #22 |
| DNSMadeEasy | Vulnerable | ns**.dnsmadeeasy.com | Issue #6 |
| DNSimple | Vulnerable | ns1.dnsimple.com ns2.dnsimple.com ns3.dnsimple.com ns4.dnsimple.com |
Issue #16 |
| Domain.com | Vulnerable (w/ purchase) | ns1.domain.com ns2.domain.com |
Issue #17 |
| DomainPeople | Not Vulnerable | ns1.domainpeople.com ns2.domainpeople.com |
Issue #14 |
| Dotster | Vulnerable (w/ purchase) | ns1.dotster.com ns2.dotster.com ns1.nameresolve.com ns2.nameresolve.com |
Issue #18 |
| EasyDNS | Vulnerable | dns1.easydns.com dns2.easydns.net dns3.easydns.org dns4.easydns.info |
Issue #9 |
| Gandi.net | Not Vulnerable | a.dns.gandi.net b.dns.gandi.net c.dns.gandi.net |
|
| Google Cloud | Vulnerable | ns-cloud-**.googledomains.com | Issue #2 |
| Hostinger (old NS) | Not Vulnerable | ns1.hostinger.com ns2.hostinger.com |
|
| Hover | Not Vulnerable | ns1.hover.com ns2.hover.com |
Issue #21 |
| Hurricane Electric | Vulnerable | ns5.he.net ns4.he.net ns3.he.net ns2.he.net ns1.he.net |
Issue #25 |
| Linode | Vulnerable | ns1.linode.com ns2.linode.com |
Issue #26 |
| MediaTemple (mt) | Not Vulnerable | ns1.mediatemple.net ns2.mediatemple.net |
Issue #23 |
| MyDomain | Vulnerable (w/ purchase) | ns1.mydomain.com ns2.mydomain.com |
Issue #4 |
| Name.com | Vulnerable (w/ purchase) | ns1***.name.com ns2***.name.com ns3***.name.com ns4***.name.com |
Issue #8 |
| namecheap | Not Vulnerable | *.namecheaphosting.com *.registrar-servers.com |
|
| Network Solutions | Not Vulnerable | ns**.worldnic.com | Issue #15 |
| NS1 | Vulnerable | dns1.p**.nsone.net dns2.p**.nsone.net dns3.p**.nsone.net dns4.p**.nsone.net |
Issue #7 |
| TierraNet | Vulnerable | ns1.domaindiscover.com ns2.domaindiscover.com |
Issue #24 |
| Reg.ru | Vulnerable (w/ purchase) | ns1.reg.ru ns2.reg.ru |
Issue #28 |
| UltraDNS | Not Vulnerable | pdns***.ultradns.com udns***.ultradns.com sdns***.ultradns.com |
Issue #29 |
| Yahoo Small Business | Vulnerable (w/ purchase) | yns1.yahoo.com yns2.yahoo.com |
Issue #20 |
Private DNS
These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are not vulnerable can be helpful to eliminate false positives from your testing.
| Owner | Status | Fingerprint |
|---|---|---|
| Activision | Not Vulnerable | ns*.activision.com |
| Adobe | Not Vulnerable | adobe-dns-0*.adobe.com |
| Apple | Not Vulnerable | a.ns.apple.com b.ns.apple.com c.ns.apple.com d.ns.apple.com |
| Automattic | Not Vulnerable | ns*.automattic.com |
| Capital One | Not Vulnerable | ns*.capitalone.com |
| Disney | Not Vulnerable | ns*.twdcns.com ns*.twdcns.info ns*.twdcns.co.uk |
| Not Vulnerable | ns*.google.com | |
| Lowe's | Not Vulnerable | authns*.lowes.com |
| T-Mobile | Not Vulnerable | ns10.tmobileus.com ns10.tmobileus.net |
What is a DNS takeover?
DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a
SERVFAILerror. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
You can read more at: https://0xpatrik.com/subdomain-takeover-ns/
Contributions
We welcome contributions!
We need new DNS providers added with information of their vulernability status. You can submit new services here! We have a list of DNS providers that need to be investigated here.
We also need to identify as many DNS providers as possible. We have compiled and begun to organize a list of DNS servers. If you want to help read more about it here.
Metadata
Owner
indianajson
Metadata
"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones