Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. While dangling DNS records pose a high threat to companies and warrant high bounties, DNS takeovers pose even greater risks and are sometimes even easier to find. We are trying to make this list comprehensive, so please contribute!
These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.
| Provider | Status | Fingerprint | Takeover Instructions |
|---|---|---|---|
| 000Domains | Vulnerable | ns1.000domains.com ns2.000domains.com fwns1.000domains.com fwns2.000domains.com |
Issue #19 |
| AWS Route 53 | Not Vulnerable | ns-****.awsdns-**.org ns-****.awsdns-**.co.uk ns-***.awsdns-**.com ns-***.awsdns-**.net |
Issue #1 |
| Azure (Microsoft) | Vulnerable | ns1-**.azure-dns.com ns2-**.azure-dns.net ns3-**.azure-dns.org ns4-**.azure-dns.info |
Issue #5 |
| Bizland | Vulnerable | ns1.bizland.com ns2.bizland.com |
Issue #3 |
| Cloudflare | Vulnerable | *.ns.cloudflare.com | Issue #10 |
| Digital Ocean | Vulnerable | ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com |
Issue #22 |
| DNSMadeEasy | Vulnerable | ns**.dnsmadeeasy.com | Issue #6 |
| DNSimple | Vulnerable | ns1.dnsimple.com ns2.dnsimple.com ns3.dnsimple.com ns4.dnsimple.com |
Issue #16 |
| Domain.com | Vulnerable | ns1.domain.com ns2.domain.com |
Issue #17 |
| DomainPeople | Not Vulnerable | ns1.domainpeople.com ns2.domainpeople.com |
Issue #14 |
| Dotster | Vulnerable | ns1.dotster.com ns2.dotster.com |
Issue #18 |
| EasyDNS | Vulnerable | dns1.easydns.com dns2.easydns.net dns3.easydns.org dns4.easydns.info |
Issue #9 |
| Google Cloud | Vulnerable | ns-cloud-**.googledomains.com | Issue #2 |
| Hover | Not Vulnerable | ns1.hover.com ns2.hover.com |
Issue #21 |
| Hurricane Electric | Vulnerable | ns5.he.net ns4.he.net ns3.he.net ns2.he.net ns1.he.net |
Issue #25 |
| Linode | Vulnerable | ns1.linode.com ns2.linode.com |
Issue #26 |
| MediaTemple (mt) | Vulnerable (w/ purchase) | ns1.mediatemple.net ns2.mediatemple.net |
Issue #23 |
| MyDomain | Vulnerable (w/ purchase) | ns1.mydomain.com ns2.mydomain.com |
Issue #4 |
| Name.com | Vulnerable (w/ purchase) | ns1***.name.com ns2***.name.com ns3***.name.com ns4***.name.com |
Issue #8 |
| Network Solutions | Not Vulnerable | ns**.worldnic.com | Issue #15 |
| NS1 | Vulnerable | dns1.p**.nsone.net dns2.p**.nsone.net dns3.p**.nsone.net dns4.p**.nsone.net |
Issue #7 |
| TierraNet | Vulnerable | ns1.domaindiscover.com ns2.domaindiscover.com |
Issue #24 |
| Yahoo Small Business | Vulnerable (w/ purchase) | yns1.yahoo.com yns2.yahoo.com |
Issue #20 |
These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are not vulnerable can be helpful to eliminate false positives from your testing.
| Owner | Status | Fingerprint |
|---|---|---|
| Activision | Not Vulnerable | ns*.activision.com |
| Apple | Not Vulnerable | a.ns.apple.com b.ns.apple.com c.ns.apple.com d.ns.apple.com |
| Capital One | Not Vulnerable | ns1.capitalone.com ns2.capitalone.com ns3.capitalone.com |
| CSU.ST | Not Vulnerable | 0xd0a1.csust.net 0xd0a2.csust.net 0xd0a3.csust.net 0xd0a4.csust.net |
| The Walt Disney Company | Not Vulnerable | ns1.twdcns.com ns2.twdcns.com ns3.twdcns.info ns4.twdcns.info ns5.twdcns.co.uk ns6.twdcns.co.uk |
| Lowe's | Not Vulnerable | authns1.lowes.com authns2.lowes.com |
| T-Mobile | Not Vulnerable | ns10.tmobileus.com ns10.tmobileus.net |
DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a
SERVFAILerror. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
You can read more at: https://0xpatrik.com/subdomain-takeover-ns/
We welcome contributions!
We need new DNS providers added with information of their vulernability status. You can submit new services here! We have a list of DNS providers that need to be investigated here.
We also need to identify as many DNS providers as possible. We have compiled and begun to organize a list of DNS servers. If you want to help read more about it here.