/can-i-take-over-dns

"Can I take over DNS?" — a list of DNS providers and how to claim (sub)domains via missing hosted zones

Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by  

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. While dangling DNS records pose a high threat to companies and warrant high bounties, DNS takeovers pose even greater risks and are sometimes even easier to find. We are trying to make this list comprehensive, so please contribute!

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

Provider Status Fingerprint Takeover Instructions
000Domains Vulnerable (w/ purchase) ns1.000domains.com
ns2.000domains.com
fwns1.000domains.com
fwns2.000domains.com
Issue #19
AWS Route 53 Not Vulnerable ns-****.awsdns-**.org
ns-****.awsdns-**.co.uk
ns-***.awsdns-**.com
ns-***.awsdns-**.net
Issue #1
Azure (Microsoft) Vulnerable ns1-**.azure-dns.com
ns2-**.azure-dns.net
ns3-**.azure-dns.org
ns4-**.azure-dns.info
Issue #5
Bizland Vulnerable ns1.bizland.com
ns2.bizland.com
clickme.click2site.com
clickme2.click2site.com
Issue #3
Cloudflare Edge Case *.ns.cloudflare.com Issue #10
Digital Ocean Vulnerable ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com
Issue #22
DNSMadeEasy Vulnerable ns**.dnsmadeeasy.com Issue #6
DNSimple Vulnerable ns1.dnsimple.com
ns2.dnsimple.com
ns3.dnsimple.com
ns4.dnsimple.com
Issue #16
Domain.com Vulnerable (w/ purchase) ns1.domain.com
ns2.domain.com
Issue #17
DomainPeople Not Vulnerable ns1.domainpeople.com
ns2.domainpeople.com
Issue #14
Dotster Vulnerable (w/ purchase) ns1.dotster.com
ns2.dotster.com
ns1.nameresolve.com
ns2.nameresolve.com
Issue #18
EasyDNS Vulnerable dns1.easydns.com
dns2.easydns.net
dns3.easydns.org
dns4.easydns.info
Issue #9
Gandi.net Not Vulnerable a.dns.gandi.net
b.dns.gandi.net
c.dns.gandi.net
Google Cloud Vulnerable ns-cloud-**.googledomains.com Issue #2
Hover Not Vulnerable ns1.hover.com
ns2.hover.com
Issue #21
Hurricane Electric Vulnerable ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net
Issue #25
Linode Vulnerable ns1.linode.com
ns2.linode.com
Issue #26
MediaTemple (mt) Vulnerable (w/ purchase) ns1.mediatemple.net
ns2.mediatemple.net
Issue #23
MyDomain Vulnerable (w/ purchase) ns1.mydomain.com
ns2.mydomain.com
Issue #4
Name.com Vulnerable (w/ purchase) ns1***.name.com
ns2***.name.com
ns3***.name.com
ns4***.name.com
Issue #8
Network Solutions Not Vulnerable ns**.worldnic.com Issue #15
NS1 Vulnerable dns1.p**.nsone.net
dns2.p**.nsone.net
dns3.p**.nsone.net
dns4.p**.nsone.net
Issue #7
TierraNet Vulnerable ns1.domaindiscover.com
ns2.domaindiscover.com
Issue #24
Reg.ru Vulnerable (w/ purchase) ns1.reg.ru
ns2.reg.ru
Issue #28
UltraDNS Not Vulnerable pdns***.ultradns.com
udns***.ultradns.com
sdns***.ultradns.com
Issue #29
Yahoo Small Business Vulnerable (w/ purchase) yns1.yahoo.com
yns2.yahoo.com
Issue #20

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are not vulnerable can be helpful to eliminate false positives from your testing.

Owner Status Fingerprint
Activision Not Vulnerable ns*.activision.com
Adobe Not Vulnerable adobe-dns-01.adobe.com
adobe-dns-02.adobe.com
adobe-dns-03.adobe.com
adobe-dns-04.adobe.com
adobe-dns-05.adobe.com
Apple Not Vulnerable a.ns.apple.com
b.ns.apple.com
c.ns.apple.com
d.ns.apple.com
Automattic Not Vulnerable ns1.automattic.com
ns2.automattic.com
Capital One Not Vulnerable ns1.capitalone.com
ns2.capitalone.com
ns3.capitalone.com
CSU.ST Not Vulnerable 0xd0a1.csust.net
0xd0a2.csust.net
0xd0a3.csust.net
0xd0a4.csust.net
The Walt Disney Company Not Vulnerable ns1.twdcns.com
ns2.twdcns.com
ns3.twdcns.info
ns4.twdcns.info
ns5.twdcns.co.uk
ns6.twdcns.co.uk
Lowe's Not Vulnerable authns1.lowes.com
authns2.lowes.com
T-Mobile Not Vulnerable ns10.tmobileus.com
ns10.tmobileus.net

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.

You can read more at: https://0xpatrik.com/subdomain-takeover-ns/

Contributions

We welcome contributions!

We need new DNS providers added with information of their vulernability status. You can submit new services here! We have a list of DNS providers that need to be investigated here.

We also need to identify as many DNS providers as possible. We have compiled and begun to organize a list of DNS servers. If you want to help read more about it here.