More Info:
Ensure Subdomain NS Records are not Vulnerable
Risk Level: High
Address: Security
Compliance Standards: CBP
Triage and Remediation
Remediation
Using Console
To remediate vulnerable subdomain NS records in AWS Route53 using the AWS console, follow these steps:
1. Log in to the AWS Management Console.
2. Open the Route53 service.
3. In the navigation pane, select “Hosted zones”.
4. Choose the hosted zone that contains the vulnerable subdomain NS records.
5. Select the checkbox next to the vulnerable subdomain NS record(s) that you want to remediate.
6. Click the “Delete record set” button at the top of the page.
7. Confirm the deletion by clicking the “Delete” button in the pop-up window.
8. Repeat steps 5-7 for all the vulnerable subdomain NS records.
9. Once the vulnerable subdomain NS records are deleted, click the “Create record set” button at the top of the page.
10. In the “Name” field, enter the name of the subdomain for which you want to create NS records.
11. Select “NS - Name Server” from the “Type” dropdown menu.
12. In the “Value” field, enter the name servers (NS records) provided by your DNS hosting provider.
13. Click the “Create” button to create the new NS records.
14. Repeat steps 10-13 for each subdomain that requires NS records.
15. Once all the necessary NS records are created, verify that the subdomain NS records are no longer vulnerable by re-running the vulnerability scan or by querying the delegation with a DNS tool.
Using CLI
To remediate the vulnerable NS records in AWS Route53 using the AWS CLI, follow these steps:
1. Install and configure the AWS CLI on your local machine if you haven’t already. Ensure that you have appropriate permissions to manage Route53 resources.
2. Verify the domain ownership in the AWS Route53 console. This step is crucial to ensure that you have the necessary permissions to make changes to the DNS records.
3. Open a terminal and run the AWS CLI command that lists all hosted zones in your AWS account. Identify the hosted zone that contains the vulnerable NS records you want to remediate and note down the Id of that hosted zone.
4. Run the AWS CLI command that retrieves the existing NS records for the hosted zone, replacing <hosted-zone-id> with the actual Id of the hosted zone obtained in the previous step.
5. Review the output and identify the NS records that need to be removed or updated. Note down the Name of each vulnerable NS record.
6. Run the AWS CLI command that deletes a vulnerable NS record, replacing <hosted-zone-id> with the actual Id of the hosted zone, <vulnerable-ns-record-name> with the name of the vulnerable NS record, and <vulnerable-ns-record-value> with the value of the vulnerable NS record. Repeat this command for each vulnerable NS record identified in step 5.
7. After deleting the vulnerable NS records, you can optionally add or update the NS records with the correct values. Run the AWS CLI command that adds or updates an NS record, replacing <hosted-zone-id> with the actual Id of the hosted zone, <ns-record-name> with the name of the NS record, and <ns-record-value> with the value of the NS record. Repeat this command for each NS record you want to add or update.
8. Verify the changes by running the command in step 4 again. Ensure that the vulnerable NS records are no longer present and that the correct NS records have been added or updated.
Using Python
To remediate vulnerable NS records in AWS Route53 using Python, follow these steps:
1. Install the required libraries:
   - Install the AWS SDK for Python (Boto3) using the command:
     pip install boto3
2. Set up AWS credentials:
   - Configure the AWS CLI using the command:
     aws configure
   - Enter your AWS Access Key ID and Secret Access Key.
   - Set the default region name and output format.
3. Write a Python script that performs the remediation.
4. Save the script to a file, for example, remediate_ns_records.py.
5. Execute the Python script:
   - Open a terminal or command prompt.
   - Navigate to the directory where the script is saved.
   - Run the command:
     python remediate_ns_records.py
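The following is an added example of such a script, not the page's own; it assumes boto3 is installed, and the hosted zone id, zone name, record data and the "vulnerable" predicate are constructed placeholders. It separates the Route53 change-batch construction (testable offline) from the API calls, and defaults to a dry run so the batch can be inspected before anything is submitted.

```python
# Constructed sample in the shape of one list_resource_record_sets page.
SAMPLE_RECORDS = [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.com."}]},
    {"Name": "old-app.example.com.", "Type": "NS", "TTL": 300,
     "ResourceRecords": [{"Value": "ns1.decommissioned-dns.example."},
                         {"Value": "ns2.decommissioned-dns.example."}]},
    {"Name": "shop.example.com.", "Type": "A", "TTL": 60, "ResourceRecords": [{"Value": "192.0.2.10"}]},
]

def subdomain_ns_records(records, zone_name):
    """NS sets below the apex, i.e. the subdomain delegations this check covers.
    The apex NS set is the zone's own and is deliberately excluded."""
    apex = zone_name.rstrip(".") + "."
    return [r for r in records if r["Type"] == "NS" and r["Name"] != apex]

def build_change_batch(vulnerable, replacements=None):
    """DELETE must match Name, Type, TTL and every Value exactly, so the set goes
    back untouched; a Name in `replacements` gets an UPSERT with the new name
    servers instead (the "add or update" step)."""
    changes = []
    for rec in vulnerable:
        new_ns = (replacements or {}).get(rec["Name"])
        if new_ns:
            changes.append({"Action": "UPSERT", "ResourceRecordSet": {
                "Name": rec["Name"], "Type": "NS", "TTL": rec["TTL"],
                "ResourceRecords": [{"Value": v} for v in new_ns]}})
        else:
            changes.append({"Action": "DELETE", "ResourceRecordSet": rec})
    return {"Comment": "remediate vulnerable subdomain NS delegations", "Changes": changes}

def remediate(hosted_zone_id, zone_name, is_vulnerable, replacements=None, dry_run=True):
    """Page through the zone, keep delegations the operator's predicate flags, and
    submit unless dry_run. boto3 is imported here so the helpers stay usable offline."""
    import boto3  # installed by the pip step above
    r53 = boto3.client("route53")
    records = []
    for page in r53.get_paginator("list_resource_record_sets").paginate(HostedZoneId=hosted_zone_id):
        records.extend(page["ResourceRecordSets"])
    targets = [r for r in subdomain_ns_records(records, zone_name) if is_vulnerable(r)]
    batch = build_change_batch(targets, replacements)
    if dry_run or not batch["Changes"]:
        return batch  # inspect before applying; nothing was submitted
    return r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)

if __name__ == "__main__":  # offline demo on the constructed sample, no AWS call
    # Stand-in predicate; in practice use the names confirmed during review.
    flagged = [r for r in subdomain_ns_records(SAMPLE_RECORDS, "example.com")
               if "decommissioned" in r["ResourceRecords"][0]["Value"]]
    print(build_change_batch(flagged))
```

To apply against a real zone, call remediate() with the zone id noted in the CLI steps and a predicate built from the record names confirmed during review, first with dry_run=True and then with dry_run=False once the printed batch looks right.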