1. DNS/hijacking/thehackerblog
| /Floating Domains /Orphaned /broken |
Contents
https://news.ycombinator.com/from?site=thehackerblog.com
1.1. thehackerblog
/Floating Domains – Taking Over 20K DigitalOcean Domains via a Lax Domain Import System August 25, 2016 https://thehackerblog.com/floating-domains-taking-over-20k-digitalocean-domains-via-a-lax-domain-import-system/index.html
Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target https://thehackerblog.com/respect-my-authority-hijacking-broken-nameservers-to-compromise-your-target/
The Orphaned Internet –
- Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean
December 05, 2016
1.2. The Managed DNS Vulnerability
The issue occurs when a domain name is used with one of these cloud services and the zone is later deleted without also changing the domain’s nameservers.
This means that the domain is still fully set up for use in the cloud service but has no account with a zone file to control it. In many cloud providers this means that anyone can create a DNS zone for that domain and take full control over the domain.
This allows an attacker to take full control over the domain to set up a website, issue SSL/TLS certificates, host email, etc. Worse yet, after combining the results from the various providers affected by this problem over 120,000 domains were vulnerable (likely many more).
1.3. Detecting Vulnerable Domains via DNS
If the domain is vulnerable then the nameservers will return either a SERVFAIL or REFUSED DNS error.
Google Cloud DNS (~2.5K Domains Affected, Patched)
- どう対応したかは不明。
Amazon Web Services – Route53 (~54K Domains Affected, Multiple Mitigations Performed)
- Route53 documentation, notifies users of this issue;;
- You now get the following warning when you delete a zone in Route53:
Rackspace (~44K Domains Affected, Won’t Fix)