A lightweight Python utility to detect dns records that are suspected as dangling.
Do you have a large cloud environment with many services and VMs? Then probably some of your domain names are pointing to unclaimed IP addresses due to improper deprecation of services/VMs.
DDFR to the rescue!
Basically, the tool gets a list of your DNS records and checks if the pointed IPs belongs to your cloud accounts.
-
You provide DDFR with a list of your DNS records (see Usage section).
-
You provide DDFR with a list of all your registered cloud IPs in one of the following ways:
- Allow DDFR to automatically collect all of your registered IPs from Palo Alto's Prisma Cloud product.
- Manually provide a file with your registered cloud IPs.
-
DDFR compares the lists to see if there are domains pointing to IPs not owned by you and therefore suspected as dangling.
NOTE: DDFR also provides you with a mechanism to reduce false positives, read more about it below.
-
DDFR generates a report of the suspected DNS records.
- [Optional] To pull records from Prisma Cloud, fill in the required environment variables:
export PRISMA_API_KEYID = your-value-here
export PRISMA_API_SECRET = your-value-here
export PRISMA_URL = your-value-herepip install ddfrgit clone https://github.com/playtika/DDFR.git
cd DDFR
pip install .DDFR was developed and tested only with Python3.
| Short Form | Long Form | Description |
|---|---|---|
| -d | --domains | Full path to a file contains your DNS records |
| -i | --ips | Full path to a file contains your owned ips (if non-existent will pull from prisma) |
| -cn | --ssl-common-names | Full path to a file contains key words that should appear in your CNs (for reducing false positives) |
| -r | --ranges | Full path to a file contains AWS ip ranges |
| -o | --output | Full path to output directory |
Domains file needs to be in the following format (JSON):
[{"name": "domain name", "record_type": "DNS type (CNAME,A)", "record_value": "(ip,ec2 domain name)", "source": "dns management system/provider"}]- Pull ips form prisma
ddfr -d "domains.json" -r "aws-ranges.txt" -cn "common-names.txt" - Receive ips from a file
ddfr -d "domains.json" -r "aws-ranges.txt" -cn "common-names.txt" -i "my-ips.txt"
Subdomains takeovers have become a popular technique used by attackers and bug bounty hunters.
DNS records that points to unclaimed IP addresses is a specific use case of this attack that is pretty hard to catch (for both blue and red teams).
As a red-teamer, this kind of takeovers are hard to find as they require many resources to perform a successful attack (bruteforcing VMs IP addresses attached by the cloud providers) and reverse DNS lookup.
As a blue-teamer, companies nowadays have thousands of DNS records which makes it extremely hard to find manually.
By being able to pull your company's DNS records from your DNS management system be it AWS Route53 or any other, you can proactively look for those dangling records with this tool and mitigate these takeovers.
- Automate AWS ranges fetching
- Support for more cloud providers
Feel free to fork the repository and submit pull-requests.
