Domain-Protect: Protect Against Subdomain Takeover

Domain-Protect is an easy-to-use tool that protects your domains from subdomain takeover. A subdomain takeover occurs when a DNS record (typically a CNAME) still points at a cloud resource that has since been deleted, for example an S3 website bucket or an Elastic Beanstalk environment. Because the resource name is no longer claimed, anyone can create a resource with that name and thereby control whatever is served under your subdomain, which gives them a foothold under your domain for phishing and other attacks that rely on users trusting your hostname. Domain-Protect scans your DNS records for such dangling references and alerts you when it finds them.

  • scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
  • scan Cloudflare for vulnerable DNS records
  • take over vulnerable subdomains yourself before attackers and bug bounty researchers
  • automatically create known issues in Bugcrowd
  • vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
Screenshot of Domain-Protect usage
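To make the detection idea concrete, here is an added example, written for this page and not taken from Domain-Protect's own code, that performs the core check for two takeover types: a CNAME pointing at an S3 website endpoint or an Elastic Beanstalk hostname whose underlying resource no longer exists. The record set is constructed to look like Route53 ListResourceRecordSets output, and the resource-existence check is a constructed stand-in (a real scan would query S3 and Elastic Beanstalk in each account). The regular expressions cover only these two services, which mirrors the page's point that only a limited number of takeover types are checked.

```python
"""Dangling-CNAME detection over Route53-style records (added example)."""
import re
from dataclasses import dataclass

# Assumption: these two patterns are a deliberately small subset of the
# hostnames that become takeover candidates once the target is deleted.
TAKEOVER_PATTERNS = {
    "s3": re.compile(
        r"^(?P<name>[a-z0-9.-]+)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$"
    ),
    "elasticbeanstalk": re.compile(
        r"^(?P<name>[a-z0-9.-]+)\.elasticbeanstalk\.com\.?$"
    ),
}


@dataclass(frozen=True)
class Finding:
    """One DNS record whose target resource could be claimed by an attacker."""
    record_name: str   # the vulnerable subdomain
    target: str        # the CNAME value as found in DNS
    service: str       # which pattern matched
    resource: str      # the resource an attacker would have to create


def classify_target(target):
    """Return (service, resource_name) if target matches a takeover pattern."""
    for service, pattern in TAKEOVER_PATTERNS.items():
        match = pattern.match(target.lower())
        if match:
            return service, match.group("name")
    return None


def find_vulnerable(records, resource_exists):
    """Scan Route53-shaped ResourceRecordSets for dangling CNAME targets.

    resource_exists(service, resource) -> bool is injected so the scan
    logic can be exercised offline; in production it would probe AWS.
    """
    findings = []
    for rrset in records:
        if rrset.get("Type") != "CNAME":
            continue
        for rr in rrset.get("ResourceRecords", []):
            target = rr["Value"]
            hit = classify_target(target)
            if hit is None:
                continue  # not a service we know how to check
            service, resource = hit
            if not resource_exists(service, resource):
                findings.append(Finding(rrset["Name"], target, service, resource))
    return findings


# Constructed sample data: one healthy A record, one S3 CNAME whose bucket
# still exists, one Elastic Beanstalk CNAME whose environment is gone, and
# one CNAME to a provider this example does not check.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "assets.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "assets-prod.s3-website-eu-west-1.amazonaws.com"}]},
    {"Name": "old-app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-app-env.eu-west-1.elasticbeanstalk.com"}]},
    {"Name": "mail.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "ghs.googlehosted.com"}]},
]

# Constructed stand-in for "does this resource still exist in the account?"
LIVE_RESOURCES = {("s3", "assets-prod")}


def demo_resource_exists(service, resource):
    return (service, resource) in LIVE_RESOURCES


def demo():
    """Run the scan over the constructed records; returns the findings."""
    return find_vulnerable(SAMPLE_RECORDS, demo_resource_exists)


if __name__ == "__main__":
    for f in demo():
        print(f"VULNERABLE {f.record_name} -> {f.target} ({f.service}: {f.resource})")
```

Only `old-app.example.com.` is reported: its CNAME matches the Elastic Beanstalk pattern and the environment is absent from the constructed inventory, whereas `assets.example.com.` points at a bucket that still exists and `mail.example.com.` points at a provider the patterns do not cover. In the prd workspace Domain-Protect goes one step further and creates the missing resource itself, which is why the takeover requirements below insist on SCPs and S3 Block Public Access not getting in the way.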

Requirements

  • Security audit account within AWS Organizations
  • Security audit read-only role with an identical name in every AWS account of the Organization
  • Storage bucket for Terraform state file
  • Terraform 1.0.x

Requirements for takeover

  • Creation of takeover resources in the security account must not be blocked in any region by a Service Control Policy (SCP)
  • S3 Block Public Access must not be turned on at the account level in the security account
  • Production workspace must be named prd or set to an alternate using a Terraform variable
  • See automated takeover for further details

Organisations with over 1,000 AWS accounts

  • A separate scanning Lambda function is started for every AWS account in the organisation
  • If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit

Installation

  • replace the Terraform state S3 bucket fields in the command below as appropriate
  • for local testing, duplicate terraform.tfvars.example, rename without the .example suffix
  • enter details appropriate to your organization and save
  • alternatively enter Terraform variables within your CI/CD pipeline
  • deploy development environment for detection only
  • default scan schedule for dev environment is 12 hours
terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION
terraform workspace new dev
terraform plan
terraform apply
  • deploy production environment for detection and automated takeover
  • default scan schedule for prd environment is 60 minutes
terraform workspace new prd
terraform plan
terraform apply

Adding notifications to extra Slack channels

Screenshot: receive alerts by Slack or email
  • add an extra channel to your slack_channels variable list
  • add an extra webhook URL or repeat the same webhook URL to your slack_webhook_urls variable list
  • apply Terraform

Architecture

Domain Protect Architecture

Domain Protect implements a completely serverless architecture:

Diagram: Domain Protect serverless architecture

How Domain Protect scans all AWS accounts in Organization:

Diagram: Domain Protect scans all AWS accounts

Limitations

  • this tool cannot guarantee 100% protection against subdomain takeover
  • it currently only scans Amazon Route53 and Cloudflare, and only checks a limited number of takeover types
  • vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP

Manual scans – AWS
Manual scans – CloudFlare