More Info:

Ensure Subdomain NS Records are not Vulnerable

Risk Level

High

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the vulnerability of AWS Subdomain NS Records in AWS Route53 using the AWS console, follow these steps:
  1. Log in to the AWS Management Console.
  2. Open the Route53 service.
  3. In the navigation pane, select “Hosted zones”.
  4. Choose the hosted zone that contains the vulnerable subdomain NS records.
  5. Select the checkbox next to the vulnerable subdomain NS record(s) that you want to remediate.
  6. Click on the “Delete record set” button at the top of the page.
  7. Confirm the deletion by clicking on the “Delete” button in the pop-up window.
  8. Repeat steps 5-7 for all the vulnerable subdomain NS records.
  9. Once the vulnerable subdomain NS records are deleted, click on the “Create record set” button at the top of the page.
  10. In the “Name” field, enter the name of the subdomain for which you want to create NS records.
  11. Select “NS - Name Server” from the “Type” dropdown menu.
  12. In the “Value” field, enter the name servers (NS records) provided by your DNS hosting provider.
  13. Click on the “Create” button to create the new NS records.
  14. Repeat steps 10-13 for each subdomain that requires NS records.
  15. Once all the necessary NS records are created, verify that the subdomain NS records are no longer vulnerable by performing a vulnerability scan or using a DNS tool.
By following these steps, you will be able to remediate the vulnerability of AWS Subdomain NS Records in AWS Route53 using the AWS console.

To remediate the vulnerable NS records in AWS Route53 using AWS CLI, follow these steps:
  1. Install and configure the AWS CLI on your local machine if you haven’t already. Ensure that you have appropriate permissions to manage Route53 resources.
  2. Verify the domain ownership in the AWS Route53 console. This step is crucial to ensure that you have the necessary permissions to make changes to the DNS records.
  3. Open the AWS CLI on your local machine and run the following command to list all hosted zones in your AWS account: 
    aws route53 list-hosted-zones
    Identify the hosted zone that contains the vulnerable NS records you want to remediate. Note down the Id of the hosted zone.
  4. Run the following command to retrieve the existing NS records for the hosted zone: 
    aws route53 list-resource-record-sets --hosted-zone-id <hosted-zone-id>
    Replace <hosted-zone-id> with the actual Id of the hosted zone obtained in the previous step.
  5. Review the output and identify the NS records that need to be removed or updated. Note down the Name of each vulnerable NS record.
  6. Run the following command to delete each vulnerable NS record: 
    aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{
  "Changes": [
    {
      "Action": "DELETE",
      "ResourceRecordSet": {
        "Name": "<vulnerable-ns-record-name>",
        "Type": "NS",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "<vulnerable-ns-record-value>"
          }
        ]
      }
    }
  ]
}'
    Replace <hosted-zone-id> with the actual Id of the hosted zone, <vulnerable-ns-record-name> with the name of the vulnerable NS record, and <vulnerable-ns-record-value> with the value of the vulnerable NS record. Repeat this command for each vulnerable NS record identified in step 5.
  7. After deleting the vulnerable NS records, you can optionally add or update the NS records with the correct values. Run the following command to add or update an NS record: 
    aws route53 change-resource-record-sets --hosted-zone-id <hosted-zone-id> --change-batch '{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "<ns-record-name>",
        "Type": "NS",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "<ns-record-value>"
          }
        ]
      }
    }
  ]
}'
    Replace <hosted-zone-id> with the actual Id of the hosted zone, <ns-record-name> with the name of the NS record, and <ns-record-value> with the value of the NS record. Repeat this command for each NS record you want to add or update.
  8. Verify the changes by running the command in step 4 again. Ensure that the vulnerable NS records are no longer present, and the correct NS records are added or updated.
By following these steps, you can remediate the vulnerable NS records in AWS Route53 using the AWS CLI.
To remediate the vulnerability of vulnerable NS records in AWS Route53 using Python, follow these steps:
  1. Install the required libraries:
    • Install the AWS SDK for Python (Boto3) using the command: pip install boto3
  2. Set up AWS credentials:
    • Configure AWS CLI using the command: aws configure
    • Enter your AWS Access Key ID and Secret Access Key.
    • Set the default region name and output format.
  3. Write a Python script to remediate the vulnerability: 
    import boto3

def remediate_vulnerable_ns_records():
    # Create a Route53 client
    route53_client = boto3.client('route53')

    # List all hosted zones
    response = route53_client.list_hosted_zones()

    # Iterate through each hosted zone
    for hosted_zone in response['HostedZones']:
        hosted_zone_id = hosted_zone['Id']
        hosted_zone_name = hosted_zone['Name']

        # Get the NS records for the hosted zone
        ns_records = route53_client.list_resource_record_sets(
            HostedZoneId=hosted_zone_id,
            StartRecordType='NS',
            MaxItems='1'
        )

        # Check if NS records are vulnerable
        if ns_records['ResourceRecordSets'][0]['Name'] == hosted_zone_name and len(ns_records['ResourceRecordSets']) > 1:
            vulnerable_ns_record_set = ns_records['ResourceRecordSets'][0]

            # Delete the vulnerable NS record set
            route53_client.change_resource_record_sets(
                HostedZoneId=hosted_zone_id,
                ChangeBatch={
                    'Changes': [
                        {
                            'Action': 'DELETE',
                            'ResourceRecordSet': vulnerable_ns_record_set
                        }
                    ]
                }
            )

            print(f"Vulnerable NS record set deleted for hosted zone: {hosted_zone_name}")

# Run the function to remediate the vulnerability
remediate_vulnerable_ns_records()
  4. Save the script to a file, for example, remediate_ns_records.py.
  5. Execute the Python script:
    • Open a terminal or command prompt.
    • Navigate to the directory where the script is saved.
    • Run the command: python remediate_ns_records.py
    The script will connect to AWS Route53, identify the vulnerable NS records, and delete them. It will print a message for each hosted zone where the vulnerability is remediated.
Note: Make sure you have appropriate permissions to access and modify Route53 resources in your AWS account.