Can I Take Over DNS?
_{^{A list of DNS providers and whether their zones are vulnerable to DNS takeover!
Maintained by}}  

Inspired by the popular Can I Take Over XYZ? project by @EdOverflow this project is uniquely oriented towards DNS takeovers. DNS takeovers pose a high threat to companies, warrant high bounties, and are easy to find. We are trying to make this list comprehensive, so please contribute!

Here's a public $500 bounty report for a DNS takeover that I wrote with a thorough explanation to help you understand the issue.

DNS Providers

These companies provide DNS nameserver services to the general public. In this list you will find out whether domains pointing to these nameservers are vulnerable to DNS takeover and where you can learn more about them.

Provider	Status	Fingerprint	Takeover Instructions
000Domains	Vulnerable (w/ purchase)	ns1.000domains.com ns2.000domains.com fwns1.000domains.com fwns2.000domains.com	Issue #19
AWS Route 53	Not Vulnerable	ns-****.awsdns-**.org ns-****.awsdns-**.co.uk ns-***.awsdns-**.com ns-***.awsdns-**.net	Issue #1
Azure (Microsoft)	Edge Case	ns1-**.azure-dns.com ns2-**.azure-dns.net ns3-**.azure-dns.org ns4-**.azure-dns.info	Issue #5
BigCommerce	Not Vulnerable	ns1.bigcommerce.com ns2.bigcommerce.com ns3.bigcommerce.com	Issue #35
Bizland	No New Accounts	ns1.bizland.com ns2.bizland.com clickme.click2site.com clickme2.click2site.com	Issue #3
ClouDNS	Not Vulnerable	*.cloudns.net
Cloudflare	Not Vulnerable	*.ns.cloudflare.com	Issue #10
Digital Ocean	Vulnerable	ns1.digitalocean.com ns2.digitalocean.com ns3.digitalocean.com	Issue #22
DNSMadeEasy	Vulnerable	ns**.dnsmadeeasy.com	Issue #6
DNSimple	Vulnerable	ns1.dnsimple.com ns2.dnsimple.com ns3.dnsimple.com ns4.dnsimple.com	Issue #16
Domain.com	Vulnerable (w/ purchase)	ns1.domain.com ns2.domain.com	Issue #17
DomainPeople	Not Vulnerable	ns1.domainpeople.com ns2.domainpeople.com	Issue #14
Dotster	No New Accounts	ns1.dotster.com ns2.dotster.com ns1.nameresolve.com ns2.nameresolve.com	Issue #18
EasyDNS	Not Vulnerable	dns1.easydns.com dns2.easydns.net dns3.easydns.org dns4.easydns.info	Issue #9
Gandi.net	Not Vulnerable	a.dns.gandi.net b.dns.gandi.net c.dns.gandi.net
Google Cloud	Vulnerable	ns-cloud-**.googledomains.com	Issue #2
Hostinger (old NS)	Not Vulnerable	ns1.hostinger.com ns2.hostinger.com
Hover	Not Vulnerable	ns1.hover.com ns2.hover.com	Issue #21
Hurricane Electric	Vulnerable	ns5.he.net ns4.he.net ns3.he.net ns2.he.net ns1.he.net	Issue #25
Linode	Vulnerable	ns1.linode.com ns2.linode.com	Issue #26
MediaTemple (mt)	Not Vulnerable	ns1.mediatemple.net ns2.mediatemple.net	Issue #23
MyDomain	Vulnerable (w/ purchase)	ns1.mydomain.com ns2.mydomain.com	Issue #4
Name.com	Vulnerable (w/ purchase)	ns1***.name.com ns2***.name.com ns3***.name.com ns4***.name.com	Issue #8
namecheap	Not Vulnerable	*.namecheaphosting.com *.registrar-servers.com
Network Solutions	Not Vulnerable	ns**.worldnic.com	Issue #15
NS1	Registration Closed I can help, comment on the linked issue.	dns1.p**.nsone.net dns2.p**.nsone.net dns3.p**.nsone.net dns4.p**.nsone.net	Issue #7
TierraNet	Vulnerable	ns1.domaindiscover.com ns2.domaindiscover.com	Issue #24
Reg.ru	Vulnerable (sanctions may stop payments)	ns1.reg.ru ns2.reg.ru	Issue #28
UltraDNS	Not Vulnerable	pdns***.ultradns.com udns***.ultradns.com sdns***.ultradns.com	Issue #29
Yahoo Small Business	Vulnerable (w/ purchase)	yns1.yahoo.com yns2.yahoo.com	Issue #20

Private DNS

These are private nameservers operated by various companies. The general public cannot create zones on these nameservers and thus takeovers are not possible. Knowning nameservers that are private and not vulnerable can be helpful to eliminate false positives from your testing.

Owner	Status	Fingerprint
Activision	Not Vulnerable	ns*.activision.com
Adobe	Not Vulnerable	adobe-dns-0*.adobe.com
Apple	Not Vulnerable	a.ns.apple.com b.ns.apple.com c.ns.apple.com d.ns.apple.com
Automattic	Not Vulnerable	ns*.automattic.com
Capital One	Not Vulnerable	ns*.capitalone.com
Disney	Not Vulnerable	ns*.twdcns.com ns*.twdcns.info ns*.twdcns.co.uk
Google	Not Vulnerable	ns*.google.com
Lowe's	Not Vulnerable	authns*.lowes.com
T-Mobile	Not Vulnerable	ns10.tmobileus.com ns10.tmobileus.net

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.

You can read more at: https://0xpatrik.com/subdomain-takeover-ns/

A python implementation of DNS takeovers: https://github.com/pwnesia/dnstake

Contributions

We need more DNS providers added to the database with information about their services.

If you want to help out, please check out the getting started guide here.

Press

"How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS,” which has been documenting exploitability by DNS provider over the past several years."
Brian Krebs

"I honestly think this is a great resource for security researchers and bug bounty hunters."
@0xpatrik

"A new, but incredibly useful resource.. Essentially, a more modern/accurate can-i-take-over list for the STO you likely don't yet know about"
Michael Skelton, Director of Security @ BugCrowd

"Still trying to find your first domain/subdomain takeover vulnerability? Go to indianajson/can-i-take-over-dns for a curated DNS takeover list. "
Intigriti, Bug Bounty Platform

"There's this excellent resource on GitHub... which has a list of nameservers... that you can perform takeovers on, so I think this is an excellent resource"
Shubham Shah, CTO of Assetnote

.