ehsandeep / can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones

Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow, this project is uniquely oriented towards DNS takeovers. While dangling DNS records pose a high threat to companies and warrant high bounties, DNS takeovers pose even greater risks and are sometimes even easier to find. We are trying to make this list comprehensive, so please contribute!

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

| Provider | Status | Fingerprint | Takeover Instructions |
| --- | --- | --- | --- |
| 000Domains | Vulnerable | | Issue #19 |
| AWS Route 53 | Not Vulnerable | `ns-****.awsdns-**.org` | Issue #1 |
| Azure (Microsoft) | Vulnerable | `ns1-**` | Issue #5 |
| Bizland | Vulnerable | | Issue #3 |
| Cloudflare | Vulnerable | `*` | Issue #10 |
| Digital Ocean | Vulnerable | | Issue #22 |
| DNSMadeEasy | Vulnerable | `ns**` | Issue #6 |
| DNSimple | Vulnerable | | Issue #16 |
| | Vulnerable | | Issue #17 |
| DomainPeople | Not Vulnerable | | Issue #14 |
| Dotster | Vulnerable | | Issue #18 |
| EasyDNS | Vulnerable | | Issue #9 |
| Google Cloud | Vulnerable | `ns-cloud-**` | Issue #2 |
| Hover | Not Vulnerable | | Issue #21 |
| Hurricane Electric | Vulnerable | | Issue #25 |
| Linode | Vulnerable | | Issue #26 |
| MediaTemple (mt) | Vulnerable (w/ purchase) | | Issue #23 |
| MyDomain | Vulnerable (w/ purchase) | | Issue #4 |
| | Vulnerable (w/ purchase) | `ns1***` | Issue #8 |
| Network Solutions | Not Vulnerable | `ns**` | Issue #15 |
| NS1 | Vulnerable | `dns1.p**` | Issue #7 |
| TierraNet | Vulnerable | | Issue #24 |
| Yahoo Small Business | Vulnerable (w/ purchase) | | Issue #20 |

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowing which nameservers are not vulnerable can help eliminate false positives from your testing.

| Owner | Status | Fingerprint |
| --- | --- | --- |
| Activision | Not Vulnerable | `ns*` |
| Apple | Not Vulnerable | |
| Capital One | Not Vulnerable | |
| CSU.ST | Not Vulnerable | |
| The Walt Disney Company | Not Vulnerable | |
| Lowe's | Not Vulnerable | |
| T-Mobile | Not Vulnerable | |

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when a request is made for DNS records, the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
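
One way to audit your own delegations for the condition described above, as an added example (not code from this project): it sends a non-recursive SOA query directly to a delegated nameserver and classifies the reply. Treating REFUSED and non-authoritative answers as the same signal as SERVFAIL generalizes beyond the text; the function names, `zone.example` and the sample packets are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(zone, txid=0x1234):
    """Encode a non-recursive SOA query for `zone` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # RD=0, one question
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(packet):
    """Return (rcode, authoritative, verdict) for a raw DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    authoritative = bool(flags & 0x0400)  # AA bit
    if rcode == "NOERROR" and authoritative and ancount > 0:
        verdict = "ok"  # the provider still hosts the zone
    elif rcode in ("SERVFAIL", "REFUSED") or not authoritative:
        verdict = "lame-delegation"  # NS points here, but no zone is served
    else:
        verdict = "review"
    return rcode, authoritative, verdict

def check_nameserver(zone, ns_ip, timeout=3.0):
    """Ask one delegated nameserver (by IP) directly for the zone's SOA."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(zone), (ns_ip, 53))
        return classify_response(sock.recvfrom(512)[0])

def sample_response(flags, ancount):
    """Constructed reply (header + echoed question only) for offline runs."""
    question = build_soa_query("zone.example")[12:]
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0) + question

if __name__ == "__main__":
    for flags, ancount in [(0x8400, 1), (0x8002, 0), (0x8005, 0)]:
        print(classify_response(sample_response(flags, ancount)))
```

A `lame-delegation` verdict on a zone you own means the NS records at the parent should be removed, or the hosted zone recreated, so that the delegation no longer points at an unclaimed zone.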

You can read more at:


We welcome contributions!

We need new DNS providers added with information on their vulnerability status. You can submit new services here! We have a list of DNS providers that need to be investigated here.

We also need to identify as many DNS providers as possible. We have compiled and begun to organize a list of DNS servers. If you want to help, read more about it here.
