can-i-take-over-dns
→ View on GitHubAI Summary: The “Can I Take Over DNS?” tool is a resource for security researchers that identifies DNS providers and assesses their vulnerability to DNS takeover attacks. It features a comprehensive list of DNS providers, along with their statuses, fingerprints, and guidance for conducting takeover attempts, facilitating informed bug bounty reporting. The project encourages community contributions to enhance its coverage and accuracy in identifying potential vulnerabilities.
README
Can I Take Over DNS?
A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by 
Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. DNS takeovers pose a high threat to companies, warrant high bounties, and are easy to find. We are trying to make this list comprehensive, so please contribute!
Reporting to Bug Bounty Programs
Here’s a public $500 bounty report for a DNS takeover that I wrote with a thorough explanation to help you understand the issue and give you a template for how to write your own report.
Remember, always create a valid proof of concept (like the text record I added to the DNS zone in this report) before you report an issue to a bug bounty program, this will save time and get you paid faster. This list is updated infrequently (due to the fact things don’t change that fast), so it is possible something listed below as Vulnerable is now Not Vulnerable. To that end, be sure to always perform a proof of concept takeover before reporting.
DNS Providers
These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.
| Provider | Status | Fingerprint | Takeover Instructions |
|---|---|---|---|
| 000Domains | Not Vulnerable | ns1.000domains.com ns2.000domains.com fwns1.000domains.com fwns2.000domains.com | Issue #19 |
| AWS Route 53 | Not Vulnerable | ns-****.awsdns-**.org ns-****.awsdns-**.co.uk ns-***.awsdns-**.com ns-***.awsdns-**.net | Issue #1 |
| Azure (Microsoft) | Edge Case | ns1-**.azure-dns.com ns2-**.azure-dns.net ns3-**.azure-dns.org ns4-**.azure-dns.info | Issue #5 |
| BigCommerce | Not Vulnerable | ns1.bigcommerce.com ns2.bigcommerce.com ns3.bigcommerce.com | Issue #35 |
| Bizland | Not Vulnerable | ns1.bizland.com ns2.bizland.com clickme.click2site.com clickme2.click2site.com | Issue #3 |
| ClouDNS | Not Vulnerable | *.cloudns.net | |
| Cloudflare | Not Vulnerable | *.ns.cloudflare.com | Issue #10 |
| Digital Ocean | Vulnerable | ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com | Issue #22 |
| DNSMadeEasy | Vulnerable | ns**.dnsmadeeasy.com | Issue #6 |
| DNSimple | Vulnerable | ns1.dnsimple.com ns2.dnsimple.com ns3.dnsimple.com ns4.dnsimple.com | Issue #16 |
| Domain.com | Vulnerable (w/ purchase) | ns1.domain.com ns2.domain.com | Issue #17 |
| DomainPeople | Not Vulnerable | ns1.domainpeople.com ns2.domainpeople.com | Issue #14 |
| Dotster | Not Vulnerable | ns1.dotster.com ns2.dotster.com ns1.nameresolve.com ns2.nameresolve.com | Issue #18 |
| Dreamhost | Edge Case | ns1.dreamhost.com ns2.dreamhost.com ns3.dreamhost.com | Issue #40 |
| EasyDNS | Not Vulnerable | dns1.easydns.com dns2.easydns.net dns3.easydns.org dns4.easydns.info | Issue #9 |
| Gandi.net | Not Vulnerable | a.dns.gandi.net b.dns.gandi.net c.dns.gandi.net | |
| Google Cloud | Edge Case | ns-cloud-**.googledomains.com | Issue #2 |
| Hostinger (old NS) | Not Vulnerable | ns1.hostinger.com ns2.hostinger.com | |
| Hover | Not Vulnerable | ns1.hover.com ns2.hover.com | Issue #21 |
| Hurricane Electric | Vulnerable | ns5.he.net ns4.he.net ns3.he.net ns2.he.net ns1.he.net | Issue #25 |
| Linode | Vulnerable | ns1.linode.com ns2.linode.com | Issue #26 |
| MediaTemple (mt) | Not Vulnerable | ns1.mediatemple.net ns2.mediatemple.net | Issue #23 |
| MyDomain | Not Vulnerable | ns1.mydomain.com ns2.mydomain.com | Issue #4 |
| Name.com | Vulnerable (w/ purchase) | ns1***.name.com ns2***.name.com ns3***.name.com ns4***.name.com | Issue #8 |
| namecheap | Not Vulnerable | *.namecheaphosting.com *.registrar-servers.com | |
| Network Solutions | Not Vulnerable | ns**.worldnic.com | Issue #15 |
| NS1 | Registration Closed I can help, comment on the linked issue. | dns1.p**.nsone.net dns2.p**.nsone.net dns3.p**.nsone.net dns4.p**.nsone.net | Issue #7 |
| TierraNet | Vulnerable | ns1.domaindiscover.com ns2.domaindiscover.com | Issue #24 |
| Reg.ru | Vulnerable (sanctions may stop payments) | ns1.reg.ru ns2.reg.ru | Issue #28 |
| UltraDNS | Not Vulnerable | pdns***.ultradns.com udns***.ultradns.com sdns***.ultradns.com | Issue #29 |
| Yahoo Small Business | Vulnerable (w/ purchase) | yns1.yahoo.com yns2.yahoo.com | Issue #20 |
Private DNS
These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are private and not vulnerable can be helpful to eliminate false positives from your testing.
| Owner | Status | Fingerprint |
|---|---|---|
| Activision | Not Vulnerable | ns*.activision.com |
| Adobe | Not Vulnerable | adobe-dns-0*.adobe.com |
| Apple | Not Vulnerable | a.ns.apple.com b.ns.apple.com c.ns.apple.com d.ns.apple.com |
| Automattic | Not Vulnerable | ns*.automattic.com |
| Capital One | Not Vulnerable | ns*.capitalone.com |
| Disney | Not Vulnerable | ns*.twdcns.com ns*.twdcns.info ns*.twdcns.co.uk |
| Not Vulnerable | ns*.google.com | |
| Lowe’s | Not Vulnerable | authns*.lowes.com |
| T-Mobile | Not Vulnerable | ns10.tmobileus.com ns10.tmobileus.net |
What is a DNS takeover?
DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a
SERVFAILerror. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.
You can read more at: https://0xpatrik.com/subdomain-takeover-ns/
A python implementation of DNS takeovers: https://github.com/pwnesia/dnstake
Contributions
We need more DNS providers added to the database with information about their services.
If you want to help out, please check out the getting started guide here.
Press
“How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years."
Brian Krebs
“I honestly think this is a great resource for security researchers and bug bounty hunters."
@0xpatrik
“A new, but incredibly useful resource.. Essentially, a more modern/accurate can-i-take-over list for the STO you likely don’t yet know about”
Michael Skelton, Director of Security @ BugCrowd
“Still trying to find your first domain/subdomain takeover vulnerability? Go to indianajson/can-i-take-over-dns for a curated DNS takeover list. “
Intigriti, Bug Bounty Platform
“There’s this excellent resource on GitHub… which has a list of nameservers… that you can perform takeovers on, so I think this is an excellent resource”
Shubham Shah, CTO of Assetnote
.