Domain-Protect is an easy-to-use tool that protects your sites from subdomain takeovers. A subdomain takeover occurs when a DNS record for one of your subdomains still points at a resource that has been deprovisioned (for example a CNAME to a deleted hosting target), so that someone else can claim that target and serve content under your name. This hurts your site’s SEO and is a major security issue. Domain-Protect checks whether any of your DNS records are vulnerable in this way and, if so, informs you about it.
- scan Amazon Route53 across an AWS Organization for domain records vulnerable to takeover
- scan Cloudflare for vulnerable DNS records
- take over vulnerable subdomains yourself before attackers and bug bounty researchers
- automatically create known issues in Bugcrowd
- vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
Requirements
- Security audit account within AWS Organizations
- Security audit read-only role with an identical name in every AWS account of the Organization
- Storage bucket for Terraform state file
- Terraform 1.0.x
- Creation of takeover resources in the security account must not be blocked by an SCP in any region
- S3 Block Public Access must not be turned on at the account level in the security account
- Production workspace must be named prd or set to an alternate using a Terraform variable - See automated takeover for further details
Organisations with over 1,000 AWS accounts
- A separate scanning Lambda function is started for every AWS account in the organisation
- If you have over 1,000 AWS accounts, request an increase to the Lambda default concurrent execution limit
Installation
- replace the Terraform state S3 bucket fields in the command below as appropriate
- for local testing, duplicate terraform.tfvars.example, rename without the .example suffix
- enter details appropriate to your organization and save
- alternatively enter Terraform variables within your CI/CD pipeline
- deploy development environment for detection only
- default scan schedule for dev environment is 12 hours
terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION
terraform workspace new dev
terraform plan
terraform apply
- deploy production environment for detection and automated takeover
- default scan schedule for prd environment is 60 minutes
terraform workspace new prd
terraform plan
terraform apply
Adding notifications to extra Slack channels
- add an extra channel to your slack_channels variable list
- add an extra webhook URL or repeat the same webhook URL to your slack_webhook_urls variable list
- apply Terraform
Architecture
[Figure: Domain Protect Architecture]
Domain Protect implements a completely serverless architecture.
[Figure: How Domain Protect scans all AWS accounts in an Organization]
Limitations
- this tool cannot guarantee 100% protection against subdomain takeover
- it currently only scans Amazon Route53 and Cloudflare, and only checks a limited number of takeover types
- vulnerable domains in Google Cloud DNS can be detected by Domain Protect for GCP
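As an added example of one of the takeover checks such a scanner performs (not code from the domain-protect project), the script below walks records in the shape of Route53 ListResourceRecordSets output and flags CNAMEs whose target no longer resolves; the record set and the offline resolver answers are constructed.

```python
"""Flag dangling CNAME records: a CNAME whose target returns NXDOMAIN can be
claimed by someone else, which is the classic subdomain takeover condition.
Added example, not domain-protect code; the resolver is injected so the check
runs offline against constructed data."""
import socket
from typing import Callable, Iterable, Optional

# Constructed sample in the shape of Route53 ListResourceRecordSets output.
SAMPLE_RECORDS = [
    {"Name": "www.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "example.com."}]},
    {"Name": "old-blog.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "blog-7f3a.hosting.example.net."}]},
    {"Name": "api.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
]

# Constructed resolver answers; None models an NXDOMAIN response.
FAKE_DNS = {"example.com.": "203.0.113.1",
            "blog-7f3a.hosting.example.net.": None}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for DNS resolution."""
    return FAKE_DNS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Real resolver for use outside tests: None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(records: Iterable[dict],
                         resolve: Callable[[str], Optional[str]]) -> list:
    """Return one finding per CNAME target that fails to resolve."""
    findings = []
    for rec in records:
        if rec.get("Type") != "CNAME":
            continue  # only CNAME targets are checked in this example
        for rr in rec.get("ResourceRecords", []):
            target = rr["Value"].rstrip(".") + "."  # normalise to FQDN form
            if resolve(target) is None:
                findings.append({"record": rec["Name"], "target": target})
    return findings


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_RECORDS, fake_resolve):
        print(f"VULNERABLE {f['record']} -> {f['target']} (NXDOMAIN)")
```

Swapping `fake_resolve` for `live_resolve` runs the same check against real DNS; a production scanner would additionally recognise provider-specific "unclaimed resource" responses rather than NXDOMAIN alone.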
Manual scans – AWS
Manual scans – CloudFlare
domain-protect by ovotech
Protect against subdomain takeover