Home

Awesome

<h1 align="center">Can I Take Over DNS?<br><sup><sub>A list of DNS providers and whether their zones are vulnerable to DNS takeover!<br><sup> Maintained by</sup> <a target="_blank" href="https://twitter.com/intent/user?screen_name=indianajson"><img src="https://img.shields.io/twitter/follow/indianajson?style=social&label=%40indianajson"/></a>&nbsp;</sub></sup> </h1>

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. DNS takeovers pose a high threat to companies, warrant high bounties, and are easy to find. We are trying to make this list comprehensive, so please contribute!

Here's a public $500 bounty report for a DNS takeover that I wrote with a thorough explanation to help you understand the issue.

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

ProviderStatusFingerprintTakeover Instructions
000DomainsVulnerable <sub><sup>(w/ purchase)</sub></sup>ns1.000domains.com<br>ns2.000domains.com<br>fwns1.000domains.com<br>fwns2.000domains.comIssue #19
AWS Route 53Not Vulnerablens-****.awsdns-**.org<br>ns-****.awsdns-**.co.uk<br>ns-***.awsdns-**.com<br>ns-***.awsdns-**.netIssue #1
Azure (Microsoft)Edge Casens1-**.azure-dns.com<br>ns2-**.azure-dns.net<br>ns3-**.azure-dns.org<br>ns4-**.azure-dns.infoIssue #5
BigCommerceNot Vulnerablens1.bigcommerce.com<br>ns2.bigcommerce.com<br>ns3.bigcommerce.comIssue #35
BizlandNo New Accountsns1.bizland.com<br>ns2.bizland.com<br>clickme.click2site.com<br>clickme2.click2site.comIssue #3
ClouDNSNot Vulnerable*.cloudns.net
CloudflareNot Vulnerable*.ns.cloudflare.comIssue #10
Digital OceanVulnerablens1.digitalocean.com<br>ns2.digitalocean.com<br>ns3.digitalocean.comIssue #22
DNSMadeEasyVulnerablens**.dnsmadeeasy.comIssue #6
DNSimpleVulnerablens1.dnsimple.com<br>ns2.dnsimple.com<br>ns3.dnsimple.com<br>ns4.dnsimple.comIssue #16
Domain.comVulnerable <sub><sup>(w/ purchase)</sub></sup>ns1.domain.com<br>ns2.domain.comIssue #17
DomainPeopleNot Vulnerablens1.domainpeople.com<br>ns2.domainpeople.comIssue #14
DotsterNo New Accountsns1.dotster.com<br>ns2.dotster.com<br>ns1.nameresolve.com<br>ns2.nameresolve.comIssue #18
EasyDNSNot Vulnerabledns1.easydns.com<br>dns2.easydns.net<br>dns3.easydns.org<br>dns4.easydns.infoIssue #9
Gandi.netNot Vulnerablea.dns.gandi.net<br>b.dns.gandi.net<br>c.dns.gandi.net
Google CloudVulnerablens-cloud-**.googledomains.comIssue #2
Hostinger (old NS)Not Vulnerablens1.hostinger.com<br>ns2.hostinger.com
HoverNot Vulnerablens1.hover.com<br>ns2.hover.comIssue #21
Hurricane ElectricVulnerablens5.he.net<br>ns4.he.net<br>ns3.he.net<br>ns2.he.net<br>ns1.he.netIssue #25
LinodeVulnerablens1.linode.com<br>ns2.linode.comIssue #26
MediaTemple (mt)Not Vulnerablens1.mediatemple.net<br>ns2.mediatemple.netIssue #23
MyDomainVulnerable <sub><sup>(w/ purchase)</sub></sup>ns1.mydomain.com<br>ns2.mydomain.comIssue #4
Name.comVulnerable <sub><sup>(w/ purchase)</sub></sup>ns1***.name.com<br>ns2***.name.com<br>ns3***.name.com<br>ns4***.name.comIssue #8
namecheapNot Vulnerable</sup>*.namecheaphosting.com<br>*.registrar-servers.com
Network SolutionsNot Vulnerablens**.worldnic.comIssue #15
NS1Registration Closed <br><sub>I can help, comment on the linked issue.</sub>dns1.p**.nsone.net<br>dns2.p**.nsone.net<br>dns3.p**.nsone.net<br>dns4.p**.nsone.netIssue #7
TierraNetVulnerablens1.domaindiscover.com<br>ns2.domaindiscover.comIssue #24
Reg.ruVulnerable <sub><sup><br>(sanctions may stop payments)</sub></sup>ns1.reg.ru<br>ns2.reg.ruIssue #28
UltraDNSNot Vulnerablepdns***.ultradns.com<br>udns***.ultradns.com<br>sdns***.ultradns.comIssue #29
Yahoo Small BusinessVulnerable <sub><sup>(w/ purchase)</sub></sup>yns1.yahoo.com<br>yns2.yahoo.comIssue #20

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are private and not vulnerable can be helpful to eliminate false positives from your testing.

OwnerStatusFingerprint
ActivisionNot Vulnerablens*.activision.com
AdobeNot Vulnerableadobe-dns-0*.adobe.com
AppleNot Vulnerablea.ns.apple.com<br>b.ns.apple.com<br>c.ns.apple.com<br>d.ns.apple.com
AutomatticNot Vulnerablens*.automattic.com
Capital OneNot Vulnerablens*.capitalone.com
DisneyNot Vulnerablens*.twdcns.com<br>ns*.twdcns.info<br>ns*.twdcns.co.uk
GoogleNot Vulnerablens*.google.com
Lowe'sNot Vulnerableauthns*.lowes.com
T-MobileNot Vulnerablens10.tmobileus.com<br>ns10.tmobileus.net

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain. <!--For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.-->

You can read more at: https://0xpatrik.com/subdomain-takeover-ns/

A python implementation of DNS takeovers: https://github.com/pwnesia/dnstake

Contributions

We need more DNS providers added to the database with information about their services.

If you want to help out, please check out the getting started guide here.

Press

"How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years."<br>Brian Krebs

"I honestly think this is a great resource for security researchers and bug bounty hunters."<br> @0xpatrik

"A new, but incredibly useful resource.. Essentially, a more modern/accurate can-i-take-over list for the STO you likely don't yet know about"<br> Michael Skelton, Director of Security @ BugCrowd

"Still trying to find your first domain/subdomain takeover vulnerability? Go to indianajson/can-i-take-over-dns for a curated DNS takeover list. "<br>Intigriti, Bug Bounty Platform

"There's this excellent resource on GitHub... which has a list of nameservers... that you can perform takeovers on, so I think this is an excellent resource" <br>Shubham Shah, CTO of Assetnote

.