Domain-Protect: Protect Against Subdomain Takeover

Domain-Protect is an easy-to-use tool that protects your sites from subdomain takeovers. A subdomain takeover is when someone uses a URL that is similar to your domain and tries to redirect it to your website. This hurts your site’s SEO and is a major security issue. Domain-Protect checks to see if any sites on your server are being abused. If so, it will inform you about it.

• scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
• scan Cloudflare for vulnerable DNS records
• take over vulnerable subdomains yourself before attackers and bug bounty researchers
• automatically create known issues in Bugcrowd
• vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

Requirements

• Security audit account within AWS Organizations
• Security audit read-only role with an identical name in every AWS account of the Organization
• Storage bucket for Terraform state file
• Terraform 1.0.x

Requirements for takeover

• Creation of takeover resources in security account must not be blocked in some regions by SCP
• S3 Block Public Access must not be turned on at the account level in the security account
• Production workspace must be named prd or set to an alternate using a Terraform variable
• See automated takeover for further details

Organisations with over 1,000 AWS accounts

• A separate scanning Lambda function is started for every AWS account in the organisation
• If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit

Installation

• replace the Terraform state S3 bucket fields in the command below as appropriate
• for local testing, duplicate terraform.tfvars.example, rename without the .example suffix
• enter details appropriate to your organization and save
• alternatively enter Terraform variables within your CI/CD pipeline
• deploy development environment for detection only
• default scan schedule for dev environment is 12 hours

terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION
terraform workspace new dev
terraform plan
terraform apply

• deploy production environment for detection and automated takeover
• default scan schedule for prd environment is 60 minutes

terraform workspace new prd
terraform plan
terraform apply

Adding notifications to extra Slack channels

• add an extra channel to your slack_channels variable list
• add an extra webhook URL or repeat the same webhook URL to your slack_webhook_urls variable list
• apply Terraform

Architecture

Domain Protect Architecture

Domain Protect implements a completely serverless architecture:

How Domain Protect scans all AWS accounts in Organization:

Limitations

• this tool cannot guarantee 100% protection against subdomain takeover
• it currently only scans Amazon Route53 and Cloudflare, and only checks a limited number of takeover types
• vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

Manual scans – AWS
Manual scans – CloudFlare