Open Sourcing Subdomain Sleuth
<p><a href="https://github.com/yahoo/SubdomainSleuth" target="_blank" rel="noreferrer">Subdomain Sleuth</a> is a new open source project built by the Yahoo DNS team, designed to help you defend your infrastructure against subdomain takeover attacks. This type of attack is especially dangerous because a hijacked subdomain can be used for phishing and cookie theft. Subdomain Sleuth reads your zone files, identifies multiple types of possible takeovers, and generates a report of the dangerous records. If you work with DNS or security, I encourage you to keep reading.</p>
<p>A subdomain takeover is when an attacker is able to take control of the target of an existing DNS record. This is normally the result of what is called a “dangling record”, which is a record that points to something that doesn’t exist. That could be a broken CNAME or a bad NS record. It could also be a reference to a service that resolves but that you don’t manage. In any of these cases, a successful takeover can allow the attacker to serve any content they want under that name. The surface area for these attacks grows in proportion to the adoption of cloud and other managed services.</p>
<p>Let’s consider an example. One of your teams creates an exciting new app called groundhog, with the web site at groundhog.example.com. The content for the site is hosted in a public AWS S3 bucket, and groundhog.example.com is a CNAME to the bucket name. Now the product gets rebranded, and the team creates all new web site content. The old S3 bucket gets deleted, but nobody remembers to remove the CNAME. If an attacker finds it, they can register the old bucket name in their account and host their own content under groundhog.example.com. They could then launch a phishing campaign against the users, using the original product name.</p>
<p>We’ve always had some subdomain takeover reports come through our Bug Bounty program. We couldn’t find many tools intended for defenders - most were built for either security researchers or attackers, focused on crawling web sites or other data sources for hostnames to check, or focused on specific cloud providers. We asked ourselves “how hard could it be to automatically detect these?”. That question ultimately led to Subdomain Sleuth.</p>
<p>Subdomain Sleuth reads your zone files and performs a series of checks against each individual record. It can handle large zone files with hundreds of thousands of records, as well as tens of thousands of individual zones. We regularly scan several million records at a time. The scan produces a JSON report, which includes the name of each failed record, the target resource, which check it failed, and a description of the failure.</p>
<p>We currently support three different check types. The CNAME check looks for broken CNAMEs. CNAMEs can be chained together, so the check will identify a break at any CNAME in the chain. The NS check looks for bad delegations where the server doesn’t exist, isn’t reachable, or doesn’t answer for the particular zone that was delegated. The HTTP check looks for references to known external resources that could be claimed by an attacker. It does this by sending an HTTP request and looking for known signatures of unclaimed resources. For example, if it sees a CNAME that points to an AWS S3 bucket, it will send an HTTP request to the name. If the response contains “no such bucket”, it is a target for an attacker.</p>
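<p>To make the CNAME and HTTP checks concrete, here is an added example in Go (the language Subdomain Sleuth is written in). It is not the project's code: the <code>Resolver</code> and <code>Fetcher</code> interfaces, the <code>CheckName</code> and <code>FollowCNAMEChain</code> functions, the single S3 fingerprint rule and the <code>SampleZone</code> records are all constructed for this illustration so that it runs offline. It walks a CNAME chain with a hop limit (so a loop in the zone cannot hang the scan), reports a chain that ends at a name with no address, and, when the chain does terminate at a known service, probes the original name and reports the “no such bucket” style signature the post describes. The NS check is left out because it needs a live query against the delegated server.</p>

```go
package main

import (
	"fmt"
	"strings"
)

// Resolver and Fetcher abstract the DNS lookups and HTTP probe so the checks run
// offline against constructed data; both are assumed here, not Subdomain Sleuth's own API.
type Resolver interface {
	LookupCNAME(host string) (target string, ok bool) // ok is false when host has no CNAME
	HasAddress(host string) bool                      // host has an A or AAAA record
}
type Fetcher interface{ Body(host string) string }

// Finding holds the fields the post lists for each report entry.
type Finding struct{ Name, Target, Check, Description string }

// Fingerprint: one constructed rule mapping a CNAME-target suffix to the body text an unclaimed resource returns.
type Fingerprint struct{ Service, TargetSuffix, Signature string }

var sampleFingerprints = []Fingerprint{{"AWS S3", ".s3.amazonaws.com", "NoSuchBucket"}}

const maxHops = 10 // bound so a CNAME loop in the zone cannot hang the scan

// FollowCNAMEChain returns every hop from name to its final target; ok is false
// when the chain did not terminate within maxHops.
func FollowCNAMEChain(r Resolver, name string) (chain []string, ok bool) {
	cur := name
	for i := 0; i < maxHops; i++ {
		next, isCNAME := r.LookupCNAME(cur)
		if !isCNAME {
			return chain, true
		}
		chain = append(chain, next)
		cur = next
	}
	return chain, false
}

// CheckName walks name's CNAME chain once and applies the CNAME check (does the
// chain terminate at something that resolves?) and, if it does, the HTTP check
// (does the service at the end say the resource is unclaimed?).
func CheckName(r Resolver, f Fetcher, name string) (findings []Finding) {
	chain, ok := FollowCNAMEChain(r, name)
	if len(chain) == 0 {
		return nil // not a CNAME record; nothing to check here
	}
	last := chain[len(chain)-1]
	switch {
	case !ok:
		return append(findings, Finding{name, last, "cname", fmt.Sprintf("chain exceeds %d hops (possible loop)", maxHops)})
	case !r.HasAddress(last):
		return append(findings, Finding{name, last, "cname", fmt.Sprintf("chain broken: %s does not resolve", last)})
	}
	target := strings.TrimSuffix(strings.ToLower(last), ".")
	for _, fp := range sampleFingerprints {
		// Probe the original name, as the post describes, and look for the signature.
		if strings.HasSuffix(target, fp.TargetSuffix) && strings.Contains(f.Body(name), fp.Signature) {
			findings = append(findings, Finding{name, last, "http", fmt.Sprintf("%s resource appears unclaimed (matched %q)", fp.Service, fp.Signature)})
		}
	}
	return findings
}

// sampleData implements both interfaces from constructed records: a healthy CNAME,
// a two-hop chain that breaks, a loop, and a deleted S3 bucket whose endpoint still resolves.
type sampleData struct {
	cnames map[string]string
	addrs  map[string]bool
	bodies map[string]string
}

func (s sampleData) LookupCNAME(h string) (string, bool) { t, ok := s.cnames[h]; return t, ok }
func (s sampleData) HasAddress(h string) bool              { return s.addrs[h] }
func (s sampleData) Body(h string) string                  { return s.bodies[h] }

var SampleZone = sampleData{
	cnames: map[string]string{
		"groundhog.example.com.": "groundhog-site.s3.amazonaws.com.",
		"old-blog.example.com.":  "cdn.example.com.",
		"cdn.example.com.":       "edge.provider.test.",
		"loop-a.example.com.":    "loop-b.example.com.",
		"loop-b.example.com.":    "loop-a.example.com.",
		"www.example.com.":       "web.example.com.",
	},
	addrs:  map[string]bool{"groundhog-site.s3.amazonaws.com.": true, "web.example.com.": true},
	bodies: map[string]string{"groundhog.example.com.": "<Error><Code>NoSuchBucket</Code></Error>"},
}

func main() {
	names := []string{"groundhog.example.com.", "old-blog.example.com.", "loop-a.example.com.", "www.example.com."}
	for _, n := range names {
		for _, fnd := range CheckName(SampleZone, SampleZone, n) {
			fmt.Printf("%+v\n", fnd)
		}
	}
}
```

<p>Running it reports three records: <code>groundhog.example.com.</code> fails the HTTP check (the S3 endpoint still resolves, so only the body signature reveals the deleted bucket), <code>old-blog.example.com.</code> fails the CNAME check at the second hop, and the <code>loop-a</code>/<code>loop-b</code> pair trips the hop limit; the healthy <code>www.example.com.</code> produces nothing. The design point worth keeping from this toy is that the HTTP check is only meaningful after the chain has been resolved to its end, since the fingerprint rule is keyed on the final target while the request itself goes to the original name.</p>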
<p>Subdomain Sleuth is easy to use. All you need is a recent Go compiler and a copy of your zone files. The extra utilities require a Python 3 interpreter. The README contains details about how to build the tools and examples of how to use them.</p>
<p>If you’re interested in contributing to the project, we’d love to hear from you. We’re always open to detecting new variations of subdomain takeovers, whether by new checks or new HTTP fingerprints. If you participate in a bug bounty program, we’d especially love to have you feeding your findings back to the project. We’re also open to improvements in the core code, whether it’s bug fixes, unit tests, or efficiency improvements. We would also welcome improvements to the supporting tools.</p>
<p>We hope that you take a few minutes to give the tools a try. The increase in cloud-based services calls for more vigilance than ever. Together we can put an end to subdomain takeovers.</p><p><a href="https://github.com/yahoo/SubdomainSleuth" target="_blank" rel="noreferrer">https://github.com/yahoo/SubdomainSleuth</a></p>