AWS Subdomain NS Records are Vulnerable

Using Console

Using CLI

To remediate the vulnerable NS records in AWS Route53 using AWS CLI, follow these steps:

Install and configure the AWS CLI on your local machine if you haven’t already. Ensure that you have appropriate permissions to manage Route53 resources.
Verify the domain ownership in the AWS Route53 console. This step is crucial to ensure that you have the necessary permissions to make changes to the DNS records.
Open the AWS CLI on your local machine and run the following command to list all hosted zones in your AWS account:
```
aws route53 list-hosted-zones
```
Identify the hosted zone that contains the vulnerable NS records you want to remediate. Note down the Id of the hosted zone.
Run the following command to retrieve the existing NS records for the hosted zone:
```
aws route53 list-resource-record-sets --hosted-zone-id <hosted-zone-id>
```
Replace <hosted-zone-id> with the actual Id of the hosted zone obtained in the previous step.
Review the output and identify the NS records that need to be removed or updated. Note down the Name of each vulnerable NS record.

Run the following command to delete each vulnerable NS record:

aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{
  "Changes": [
    {
      "Action": "DELETE",
      "ResourceRecordSet": {
        "Name": "<vulnerable-ns-record-name>",
        "Type": "NS",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "<vulnerable-ns-record-value>"
          }
        ]
      }
    }
  ]
}'

Replace <hosted-zone-id> with the actual Id of the hosted zone, <vulnerable-ns-record-name> with the name of the vulnerable NS record, and <vulnerable-ns-record-value> with the value of the vulnerable NS record. Repeat this command for each vulnerable NS record identified in step 5.

After deleting the vulnerable NS records, you can optionally add or update the NS records with the correct values. Run the following command to add or update an NS record:

aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "<ns-record-name>",
        "Type": "NS",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "<ns-record-value>"
          }
        ]
      }
    }
  ]
}'

Replace <hosted-zone-id> with the actual Id of the hosted zone, <ns-record-name> with the name of the NS record, and <ns-record-value> with the value of the NS record. Repeat this command for each NS record you want to add or update.

Verify the changes by running the command in step 4 again. Ensure that the vulnerable NS records are no longer present, and the correct NS records are added or updated.

By following these steps, you can remediate the vulnerable NS records in AWS Route53 using the AWS CLI.

Using Python

To remediate the vulnerability of vulnerable NS records in AWS Route53 using Python, follow these steps:

Install the required libraries:
- Install the AWS SDK for Python (Boto3) using the command: pip install boto3
Set up AWS credentials:
- Configure AWS CLI using the command: aws configure
- Enter your AWS Access Key ID and Secret Access Key.
- Set the default region name and output format.

Write a Python script to remediate the vulnerability:

import boto3

def remediate_vulnerable_ns_records():
    # Create a Route53 client
    route53_client = boto3.client('route53')

    # List all hosted zones
    response = route53_client.list_hosted_zones()

    # Iterate through each hosted zone
    for hosted_zone in response['HostedZones']:
        hosted_zone_id = hosted_zone['Id']
        hosted_zone_name = hosted_zone['Name']

        # Get the NS records for the hosted zone
        ns_records = route53_client.list_resource_record_sets(
            HostedZoneId=hosted_zone_id,
            StartRecordType='NS',
            MaxItems='1'
        )

        # Check if NS records are vulnerable
        if ns_records['ResourceRecordSets'][0]['Name'] == hosted_zone_name and len(ns_records['ResourceRecordSets']) > 1:
            vulnerable_ns_record_set = ns_records['ResourceRecordSets'][0]

            # Delete the vulnerable NS record set
            route53_client.change_resource_record_sets(
                HostedZoneId=hosted_zone_id,
                ChangeBatch={
                    'Changes': [
                        {
                            'Action': 'DELETE',
                            'ResourceRecordSet': vulnerable_ns_record_set
                        }
                    ]
                }
            )

            print(f"Vulnerable NS record set deleted for hosted zone: {hosted_zone_name}")

# Run the function to remediate the vulnerability
remediate_vulnerable_ns_records()

Save the script to a file, for example, remediate_ns_records.py.
Execute the Python script:
- Open a terminal or command prompt.
- Navigate to the directory where the script is saved.
- Run the command: python remediate_ns_records.py
The script will connect to AWS Route53, identify the vulnerable NS records, and delete them. It will print a message for each hosted zone where the vulnerability is remediated.

Note: Make sure you have appropriate permissions to access and modify Route53 resources in your AWS account.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

AWS Subdomain NS Records are Vulnerable

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation