DreamHost #40

Open
neirbowj opened this issue Jan 22, 2025 · 3 comments
Labels
Edge Case These takeovers are possible, but improbable to happen in the wild. Investigation Needed Further investigation is needed to confirm vulnerability

Comments

@neirbowj

Service DreamHost

Status Vulnerable (with purchase)

Nameserver

ns1.dreamhost.com
ns2.dreamhost.com
ns3.dreamhost.com

Explanation

DreamHost offers shared and dedicated web hosting, cloud storage, and registrar services, mainly. Obtaining an account with the ability to add domains requires purchasing service (minimum ~$5 for one month of hosting as of the time of this writing). It is possible to add a domain that is registered elsewhere by ticking a box during the procedure that says, roughly, "Yes, I really own this domain". A corresponding zone is automatically provisioned on the authoritative servers and arbitrary records can be added subsequent to that for supported record types.

I demonstrated this on an existing, long-established account by adding reddit.ru and creating reddit.ru/TXT with the contents "can-i-take-over-dns". The record started becoming visible on the nameservers within a few minutes.

The DreamHost Knowledge Base article about Adding a website and hosting details the procedure.

@neirbowj neirbowj changed the title [Service Name] - [Status] DreamHost - Vulnerable Jan 22, 2025
@indianajson
Owner

Sorry this took so long for me to get back to you on. I did check at the time and didn't see reddit.ru pointing to Dreamhost and in the past I have not had success with takeovers via Dreamhost. Do you have a public bug bounty report or active proof of concept you could share?

@neirbowj
Author

neirbowj commented Mar 2, 2025

$ for ns in ns{1,2,3}; do dig +noall +ans @$ns.dreamhost.com reddit.ru txt; done
reddit.ru.		300	IN	TXT	"can-i-take-over-dns"
reddit.ru.		300	IN	TXT	"can-i-take-over-dns"
reddit.ru.		300	IN	TXT	"can-i-take-over-dns"

Maybe I've failed to grasp something fundamental about this. Isn't the idea that I can create a zone and publish arbitrary records without actually demonstrating that I control the domain? Clearly, that doesn't amount to much in this example because this particular domain isn't delegated to DreamHost's servers.

@indianajson
Owner

indianajson commented Mar 2, 2025

I understand what you were trying to do now. And yes, you did create a DNS zone on Dreamhost that Dreamhost is now delivering, which demonstrates that arbitrary domains can be added to their system (a very important step). However, there is a second part to DNS takeovers as many providers are now implementing safety checks that ensure domains previously delegated to them cannot be re-delegated without verification.

In the case of Dreamhost my experience has been they will stop you from delegating a zone for a domain that was previously delegated to them unless you can verify you own the domain, thus most (if not all) vulnerable domains pointed to Dreamhost cannot actually be attacked.

So, for a service to be Vulnerable for DNS takeovers, we would need to find a domain currently delegated to Dreamhost, but no zone exists with Dreamhost, and be able to add the zone to Dreamhost without verifying ownership of the domain (thus proving vulnerabilities in the wild can be exploited). There are many domains with dangling records pointing toward AWS Route 53 but most are not vulnerable due to the safety check they have implemented, which is why Route 53 is considered edge case.

At the very least, I can assign this Edge Case for now until we can verify some in-the-wild examples.

@indianajson indianajson added Investigation Needed Further investigation is needed to confirm vulnerability Edge Case These takeovers are possible, but improbable to happen in the wild. labels Mar 2, 2025
@indianajson indianajson changed the title DreamHost - Vulnerable DreamHost Mar 2, 2025
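
The two conditions discussed in this thread (the domain is delegated to the provider, and the provider serves no zone for it) can be checked for domains you own. The following is an added example, not code from this issue or from the project: it classifies a domain from the parent's NS set and from the header of `dig +norec @<ns> <domain> SOA` output. The function names, result labels and sample outputs are constructed for illustration, and treating any non-authoritative reply as "no zone" is an assumption about how a provider's servers respond.

```python
import re

# Header fields as printed by `dig +norec @<ns> <domain> SOA`.
HEADER = re.compile(r"status: (\w+),.*?flags: ([a-z ]*);.*?ANSWER: (\d+)", re.S)

def serves_zone(dig_output):
    """True if the server answered authoritatively with an SOA for the domain."""
    m = HEADER.search(dig_output)
    if not m:
        return False  # timeout or unparsable output counts as not serving
    status, flags, answers = m.group(1), m.group(2).split(), int(m.group(3))
    return status == "NOERROR" and "aa" in flags and answers > 0

def norm(name):
    return name.rstrip(".").lower()

def classify(delegated_ns, responses, provider_suffix=".dreamhost.com"):
    """delegated_ns: NS names the parent zone publishes for the domain.
    responses: {provider nameserver: dig output of an SOA query sent to it}."""
    serving = {norm(ns) for ns, out in responses.items() if serves_zone(out)}
    at_provider = [norm(ns) for ns in delegated_ns if norm(ns).endswith(provider_suffix)]
    if not at_provider:
        # The reddit.ru case in this thread: a zone is served, but nothing points at it.
        return "zone-without-delegation" if serving else "unrelated"
    answered = [ns for ns in at_provider if ns in serving]
    if not answered:
        return "dangling"  # delegated to the provider, but no zone is served there
    return "healthy" if len(answered) == len(at_provider) else "partially-lame"

# Constructed sample outputs (not captured from real servers).
AUTHORITATIVE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"""
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
PROVIDER_NS = ["ns1.dreamhost.com", "ns2.dreamhost.com", "ns3.dreamhost.com"]

if __name__ == "__main__":
    all_ok = {ns: AUTHORITATIVE for ns in PROVIDER_NS}
    all_refused = {ns: REFUSED for ns in PROVIDER_NS}
    print(classify([n + "." for n in PROVIDER_NS], all_ok))        # healthy
    print(classify([n + "." for n in PROVIDER_NS], all_refused))   # dangling
    print(classify(["ns1.elsewhere.example."], all_ok))            # zone-without-delegation
```

A "dangling" result on a domain you own means the delegation should be removed or repointed at the registrar, or the zone recreated at the provider.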