BadDNS: Open-source tool checks for subdomain takeovers
BadDNS is an open-source Python DNS auditing tool designed to detect domain and subdomain takeovers of all types.
BadDNS modules
- cname – Check for dangling CNAME records and interrogate them for subdomain takeover opportunities
- ns – Check for dangling NS records and interrogate them for takeover opportunities
- mx – Check for dangling MX records and assess their base domains for availability
- nsec – Enumerate subdomains by NSEC-walking
- references – Check HTML content for links or other references that contain a hijackable domain
- txt – Check TXT record contents for hijackable domains
- zonetransfer – Attempt a DNS zone transfer
Features
“BadDNS does cover some well-explored ground, such as detecting dangling CNAME and NS records—these are areas many other tools also address. However, several features make BadDNS stand out,” Paul Mueller, the developer of BadDNS, told Help Net Security.
BadDNS doesn’t just stop at detecting subdomain takeovers. The references module goes a step further by looking at any domains the target website trusts to find “second-order” takeovers. For example:
- Checking domains hosting client-side JavaScript or CSS files referenced on the target. If these domains are vulnerable to takeover, they could be abused to host malicious client-side scripts or stylesheets.
- Analyzing the Content Security Policy (CSP) and CORS headers for vulnerable domains trusted by the target. If we can take over any of these trusted domains, it opens the door to abusing that trust and injecting malicious client-side code.
- Separately, the txt module scans TXT record contents for domains and checks them for potential subdomain takeover vulnerabilities. The impact of this varies widely – usually nothing, but TXT records can be used for almost anything, so there is potential for some very nasty effects if they are doing anything important (for example, verification or policy records that other services act on).
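The two ideas above, the dangling-CNAME check behind the cname module and the "second-order" harvesting of trusted domains done by the references module, fit in one short audit. The following is an added example written for this article, not BadDNS's own code: it pulls candidate hosts out of a page's script/link/anchor references, its Content-Security-Policy and its Access-Control-Allow-Origin header, then follows each host's CNAME chain and reports chains that end in NXDOMAIN. The DNS lookup is injected as a function so the example runs offline against a constructed zone; the host names, HTML and headers are made up for the demonstration.

```python
"""Second-order takeover audit (added example, not BadDNS code).

Harvest the hosts a page trusts and flag any whose CNAME chain ends in a
name that no longer exists. Lookups go through an injected `resolve`
callable so the example runs offline; for real use, wrap dnspython's
dns.resolver.resolve to return ("CNAME", target), ("A", addr) or
("NXDOMAIN", None) in the same shape as the fixture below.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSP directives whose source lists name hosts the page will load code/data from.
CSP_FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "connect-src",
                        "img-src", "font-src", "frame-src", "object-src"}


class _RefCollector(HTMLParser):
    """Collect every absolute host referenced by a src= or href= attribute."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlsplit(value).hostname  # None for relative URLs like /app.js
                if host:
                    self.hosts.add(host.lower())


def hosts_from_csp(policy):
    """Extract host sources from a CSP string, skipping keywords and schemes."""
    hosts = set()
    for directive in policy.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() not in CSP_FETCH_DIRECTIVES:
            continue
        for src in parts[1:]:
            # 'self', 'nonce-...', bare '*' and scheme-only sources (data:, https:) name no host.
            if src.startswith("'") or src == "*" or src.endswith(":"):
                continue
            host = urlsplit(src if "//" in src else "//" + src).hostname
            if host:
                # A wildcard source trusts every subdomain; the registrable base is what matters.
                hosts.add(host[2:] if host.startswith("*.") else host)
    return hosts


def check_cname_chain(name, resolve, max_hops=8):
    """Follow CNAMEs from `name`. Returns (status, chain).

    dangling_cname: a CNAME in the chain points at a name that does not exist.
    nxdomain: the referenced name itself does not exist (base domain may be registrable).
    resolves: the chain ends in an address record. loop: too many hops.
    """
    chain, current = [name], name
    for _ in range(max_hops):
        rtype, value = resolve(current)
        if rtype == "NXDOMAIN":
            return ("nxdomain" if len(chain) == 1 else "dangling_cname"), chain
        if rtype != "CNAME":
            return "resolves", chain
        current = value
        chain.append(current)
    return "loop", chain


def audit_references(html, headers, resolve):
    """Map every host the page trusts to the result of check_cname_chain."""
    collector = _RefCollector()
    collector.feed(html)
    hosts = set(collector.hosts)
    hosts |= hosts_from_csp(headers.get("Content-Security-Policy", ""))
    acao = headers.get("Access-Control-Allow-Origin", "")
    if acao and acao != "*":
        origin_host = urlsplit(acao).hostname
        if origin_host:
            hosts.add(origin_host.lower())
    return {h: check_cname_chain(h, resolve) for h in sorted(hosts)}


# --- Constructed fixture: a fake zone and a fake page, made up for this example ---
FAKE_ZONE = {
    "cdn.example.com": ("CNAME", "d111.cdn-provider.test"),
    "d111.cdn-provider.test": ("A", "192.0.2.10"),
    # Bucket deleted but the CNAME left behind: classic dangling record.
    "assets.example.com": ("CNAME", "example-assets.storage-provider.test"),
    "app.partner.test": ("A", "198.51.100.5"),
    # A third party's abandoned SaaS integration, trusted via CSP.
    "old-analytics.partner.test": ("CNAME", "partner.tracker-saas.test"),
}


def fake_resolve(name):
    """Offline stand-in for a DNS resolver; anything not in FAKE_ZONE is NXDOMAIN."""
    return FAKE_ZONE.get(name.lower(), ("NXDOMAIN", None))


SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="//assets.example.com/app.js"></script>
<script src="/local.js"></script>
</head><body><a href="https://app.partner.test/login">Partner login</a></body></html>"""

SAMPLE_HEADERS = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' https://cdn.example.com "
                                "https://old-analytics.partner.test:443 'nonce-abc'; "
                                "img-src data: *.img-provider.test"),
    "Access-Control-Allow-Origin": "https://app.partner.test",
}

if __name__ == "__main__":
    for host, (status, chain) in audit_references(SAMPLE_HTML, SAMPLE_HEADERS, fake_resolve).items():
        print(f"{status:15} {' -> '.join(chain)}")
```

A hit of `dangling_cname` on a host the page loads scripts or styles from, or whitelists in script-src, is the second-order case the article describes: the target's own DNS is clean, but a domain it trusts can be claimed by whoever registers the missing name. `nxdomain` on a referenced host is weaker evidence and needs a registrar check on the base domain before it means anything.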
“One major challenge in the infosec community is the lack of centralized maintenance for subdomain takeover signatures. The closest thing we have is the repository can-i-take-over-xyz, where researchers share techniques via the GitHub issues page. However, there’s no single entity maintaining a comprehensive, up-to-date signature database,” Mueller explained.
“BadDNS addresses this gap by automating signature updates from the best-known sources. We’ve set up GitHub pipelines to automatically pull new signatures from Nuclei and DNS Reaper, convert them to BadDNS-compatible formats, test them, and create pull requests for review. This allows us to not fall behind, but also not take on the responsibility ourselves (which we don’t have the manpower for) of being the sole authority for the latest signatures. In addition to confirmed takeover techniques, BadDNS flags any dangling records—whether a known exploitation technique exists or not. This provides a foundation for further research into new takeovers which might not have signatures yet, or which may exist in custom internal company infrastructures,” he said.
Future plans and download
“We will likely eventually support additional DNS record types, such as PTR, CAA, and SRV records, to address the unique risks associated with misconfigured record types. We may also add features to detect DNSSEC-related vulnerabilities like weak or improperly configured DNSSEC signatures,” Mueller concluded.
BadDNS is available for free on GitHub.