CyberSecurity SEE

BadDNS: A tool that examines subdomains for potential takeovers

A new open-source Python tool called BadDNS has been developed for DNS auditing in order to detect domain and subdomain takeovers. This tool is equipped with various modules that allow for comprehensive analysis of DNS records for potential vulnerabilities.

The BadDNS tool includes modules such as cname, ns, mx, nsec, references, txt, and zonetransfer. These modules specialize in checking for different types of DNS records and assessing them for takeover opportunities. For example, the cname module checks for dangling CNAME records, while the ns module focuses on identifying dangling NS records. The mx module evaluates dangling MX records, and the nsec module enumerates subdomains using NSEC-walking. The references module scans HTML content for links or references that may contain hijackable domains, while the txt module looks for potential subdomain takeover vulnerabilities in TXT records. Finally, the zonetransfer module attempts a DNS zone transfer to gather additional information.

One of the key features that sets BadDNS apart from other tools is its ability to look for “second-order” takeovers. In addition to detecting takeovers of the target's own subdomains, BadDNS analyzes domains that the target website trusts. For example, it checks the domains hosting client-side JavaScript or CSS files referenced on the target, and it examines Content Security Policy (CSP) and CORS headers for vulnerable domains. By detecting potential vulnerabilities in these trusted domains, BadDNS helps prevent the abuse of client-side scripts or stylesheets for malicious purposes.
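The following added example (not part of BadDNS or the original article) collects the external hosts a page trusts through script and stylesheet references, CSP sources and the CORS allow-origin header, which are the names a defender would then check for dangling records. The sample HTML, headers, domain names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page and response headers (reserved example names).
SAMPLE_HTML = """<head><script src="https://cdn.example.net/app.js"></script>
<link rel="stylesheet" href="//static.example.org/site.css">
<script src="/js/local.js"></script></head>"""
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://*.widgets.example; img-src data: https://img.example.com",
    "Access-Control-Allow-Origin": "https://api.partner.test",
}

class RefParser(HTMLParser):
    """Collect hosts serving <script src> and stylesheet <link href>."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "script" else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            url = a.get("href")
        host = urlsplit(url or "").hostname
        if host:
            self.hosts.add(host)

def source_host(token):
    """Host in a CSP source expression or origin; None for keywords/schemes."""
    if token.startswith("'") or token.endswith(":") or token in ("*", "null"):
        return None
    host = urlsplit(token if "//" in token else "//" + token).hostname
    return host.lstrip("*.") if host else None

def trusted_hosts(html, headers, own_domain):
    """Map each third-party host to the places that extend trust to it."""
    found = {}
    parser = RefParser()
    parser.feed(html)
    for host in parser.hosts:
        found.setdefault(host, set()).add("html")
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        for token in directive.split()[1:]:  # skip the directive name
            if (host := source_host(token)):
                found.setdefault(host, set()).add("csp")
    if (host := source_host(headers.get("Access-Control-Allow-Origin", "*"))):
        found.setdefault(host, set()).add("cors")
    return {h: s for h, s in found.items()
            if h != own_domain and not h.endswith("." + own_domain)}
```

Hosts under the site's own domain are filtered out because they belong to the ordinary first-order subdomain audit; everything returned is trust delegated to a name the site owner may not control.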

One of the challenges in the infosec community is the lack of centralized maintenance for subdomain takeover signatures. To address this issue, BadDNS automates signature updates from reputable sources such as Nuclei and DNS Reaper. This ensures that the tool remains up-to-date with the latest takeover techniques and can flag any dangling records for further research.

In terms of future plans, the developer of BadDNS, Paul Mueller, mentioned that there are plans to support additional DNS record types like PTR, CAA, and SRV records. These additions will help address unique risks associated with misconfigured record types and detect DNSSEC-related vulnerabilities such as weak or improperly configured DNSSEC signatures. BadDNS is currently available for free on GitHub for those interested in testing out its capabilities.

Overall, BadDNS offers a comprehensive solution for auditing DNS records and detecting potential takeover vulnerabilities. By automating signature updates and staying abreast of the latest techniques, this tool helps enhance the security posture of organizations by identifying and mitigating threats related to domain and subdomain takeovers.
