DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹

Installation

from Binary

The ez way! You can download a pre-built binary from releases page, just unpack and run!

from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest

— or

Manual building executable from source code:

▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Usage

$ dnstake -h

  ·▄▄▄▄   ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
  ██▪ ██ •█▌▐█▐█ ▀.•██  ▐█ ▀█ █▌▄▌▪▀▄.▀·
  ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄
  ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
  ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀  ▀  ▀ ·▀  ▀ ▀▀▀

        (c) pwnesia.org — v0.0.1

Usage:
  [stdin] | dnstake [options]
  dnstake -t HOSTNAME [options]

Options:
  -t, --target <HOST/FILE>    Define single target host/list to check
  -c, --concurrent <i>        Set the concurrency level (default: 25)
  -s, --silent                Suppress errors and/or clean output
  -o, --output <FILE>         Save vulnerable hosts to FILE
  -h, --help                  Display its help

Examples:
  dnstake -t (sub.)domain.tld
  dnstake -t hosts.txt
  dnstake -t hosts.txt -o ./dnstake.out
  cat hosts.txt | dnstake
  subfinder -silent -d domain.tld | dnstake

Workflow

DNSTake use RetryableDNS client library to send DNS queries. Initial engagement using Google & Cloudflare DNS as the resolver, then check & fingerprinting the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than NOERROR/NXDOMAIN), then it's vulnerable to be taken over. More or less like this in form of a diagram.

Currently supported DNS providers, see here.

References

License

DNSTake is distributed under MIT. See LICENSE.

Project Name	Stars	Packages Using This	Most Recent Commit	Total Releases	Latest Release	Open Issues	License	Language
Amass	10,139	3	11 days ago	116	June 20, 2023	145	other	Go
In-depth attack surface mapping and asset discovery
Iodine	5,454		13 days ago		June 16, 2014	13	isc	C
Official git repo for iodine dns tunnel
Js.org	4,896		2 days ago					JavaScript
Dedicated to JavaScript and its awesome community since 2015
Reconftw	4,700		2 days ago			25	mit	HTML
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities
Massdns	2,746		2 months ago	1	March 03, 2021	12	gpl-3.0	C
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Awesome Bugbounty Tools	2,580		5 months ago			2	cc0-1.0
A curated list of various bug bounty tools
Altdns	1,900		9 months ago	3	September 09, 2021	12	apache-2.0	Python
Generates permutations, alterations and mutations of subdomains and then resolves them
Xray	1,792		a year ago		May 26, 2021	4	gpl-3.0	Go
XRay is a tool for recon, mapping and OSINT gathering from public networks.
Acme Dns	1,756		a month ago	5	January 11, 2021	136	mit	Go
Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Dnsx	1,727	29	2 days ago	24	April 30, 2023	10	mit	Go
dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.

Dnstake