
Sub doMine: Dangling DNS

The Sub doMine origin story


Public websites that are managed and hosted on a public cloud provider (like AWS) are prone to dangling DNS when the files and servers hosting the website can be replaced by an attacker's server, resulting in a subdomain takeover. Sub doMine is the dangling DNS villain that commonly results in subdomain takeovers.


Common causes

Sub doMine often rears its ugly head when an AWS user removes a resource but forgets to remove the DNS entry linked to it at the same time. Another cause is that, even when using infrastructure as code (IaC), some services don't support immediate deletion, so entries are left behind or manual intervention is required to delete the forgotten resource.

Problems caused by dangling DNS

At best, the compromised website of a reputed organization is replaced with publicly embarrassing content, resulting in a loss of customer faith and damage to the organization's public reputation. At worst, it can result in a data breach if the hosted resource contained private content and the dangling DNS entry is exactly what the attacker takes over. Another worst-case outcome is an attacker replacing the website with a nearly identical one that siphons customer logins.

3 places in AWS where Sub doMine hides

  1. AWS Route53 is a highly available and scalable DNS web service from AWS. Amazon allows domains to be registered and hosted using an AWS S3 bucket. If the hosted zone for the registered domain is missing, it can be migrated to the attacker's AWS account. The same is true if the routing policy is linked to a deleted AWS S3 bucket.

  2. AWS ElasticBeanstalk assigns a CNAME (canonical name: a type of DNS record that shows a domain name is a nickname or alias for another domain) to each environment it creates and manages. A custom registered website's CNAME record can point at that same ElasticBeanstalk CNAME. If the environment behind that CNAME is removed while the website's record is left in place, the website can end up linked to any hosting provider that registers the same CNAME as the AWS ElasticBeanstalk environment.

  3. AWS Cloudfront is a CDN service from AWS that allows customers to host and serve a website quickly from anywhere in the world. AWS Cloudfront can use an AWS S3 bucket as a website source. If that AWS S3 bucket is deleted and replaced with an attacker's AWS S3 bucket carrying the same CNAME as the deleted bucket, the attacker has found our Sub doMine villain.

3 ways to stop Sub doMine

Thankfully, AWS is an API-enabled public cloud provider, which allows most things in the public cloud to be automated if you know what you are looking to create, modify or delete. IaC is a good framework for creating infrastructure and resources in AWS from a pre-defined configuration file. Using IaC ensures that all resources are deleted when the delete action runs, as long as the resources were created by the IaC tool to begin with.

Another thing that customers of AWS can do is maintain an inventory of all active DNS records that their organization should have. In addition, a regular audit process should ensure that when any DNS records are no longer required, the resources behind them are deleted too.

Continuously monitor for when an AWS S3 bucket is accidentally exposed to the internet, or an S3 bucket with the static website hosting config enabled is deleted, so relevant remediation can be performed. Automated alerting should be a component of this continuous monitoring.
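The audit described above, as an added example that is not code from the original post: a Python check that walks Route 53 record sets, recognises targets that point at S3 static-website endpoints (CNAME or alias) or Elastic Beanstalk environment CNAMEs, and flags any whose backing resource is no longer in the account inventory. The record sets and inventories are constructed sample data in the shape of the Route 53 `ListResourceRecordSets` response; in practice they would be pulled from the AWS APIs (an assumed integration, not shown).

```python
import re

# Real endpoint shapes: S3 static-website hosting and Elastic Beanstalk environments.
S3_WEBSITE_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3-website[.-][a-z0-9-]+\.amazonaws\.com$")
EB_RE = re.compile(r"^(?P<env>[a-z0-9-]+)(?:\.[a-z0-9-]+)*\.elasticbeanstalk\.com$")

# Constructed sample in the shape of Route 53 ListResourceRecordSets output.
RECORDS = [
    {"Name": "www.example.com.", "Type": "A",            # alias to S3 website
     "AliasTarget": {"DNSName": "s3-website-us-east-1.amazonaws.com."}},
    {"Name": "old.example.com.", "Type": "A",            # alias, bucket deleted
     "AliasTarget": {"DNSName": "s3-website-us-east-1.amazonaws.com."}},
    {"Name": "docs.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "docs-site.s3-website.us-east-2.amazonaws.com"}]},
    {"Name": "app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "app-prod.us-west-2.elasticbeanstalk.com"}]},
    {"Name": "mail.example.com.", "Type": "MX",
     "ResourceRecords": [{"Value": "10 mail.example.com"}]},
]
# Constructed inventory of resources that still exist in the account.
EXISTING_BUCKETS = {"www.example.com", "docs-site"}
EXISTING_EB_ENVS = {"app-staging"}


def record_targets(rec):
    """Yield (target hostname, implied bucket) pairs for one record set.
    For an S3 website alias the bucket name must equal the record name."""
    name = rec["Name"].rstrip(".")
    if "AliasTarget" in rec:
        yield rec["AliasTarget"]["DNSName"].rstrip(".").lower(), name
    for rr in rec.get("ResourceRecords", []):
        yield rr["Value"].rstrip(".").lower(), None


def find_dangling(records, buckets, eb_envs):
    """Return (record name, target, reason) for every record whose target
    resource no longer exists and could be re-created in another account."""
    findings = []
    for rec in records:
        if rec["Type"] not in ("A", "CNAME"):
            continue  # MX/TXT/etc. are not website pointers
        for target, implied_bucket in record_targets(rec):
            m = S3_WEBSITE_RE.match(target)
            if m:
                bucket = m.group("bucket") or implied_bucket
                if bucket not in buckets:
                    findings.append((rec["Name"], target, f"S3 bucket '{bucket}' missing"))
                continue
            m = EB_RE.match(target)
            if m and m.group("env") not in eb_envs:
                findings.append((rec["Name"], target, f"EB environment '{m.group('env')}' missing"))
    return findings
```

Feeding the findings into an alerting channel turns this into the automated alerting the monitoring step calls for; CloudFront distributions with a deleted S3 origin need a separate check on the distribution's origin configuration rather than on DNS.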
