More Info:

Ensure GCP CName records are not vulnerable.

Risk Level

Critical

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the CName Records vulnerability in GCP DNS using the GCP console, follow these step-by-step instructions:
  1. Log in to the GCP console (https://console.cloud.google.com) using your credentials.
  2. Navigate to the “DNS” page by selecting the appropriate project from the project dropdown menu and clicking on “DNS” under the “Network services” section.
  3. On the “DNS” page, you will see a list of managed zones. Click on the name of the zone where the CName Record vulnerability exists.
  4. In the zone details, you will find a list of DNS records. Locate the CName record that needs to be remediated.
  5. Click on the three vertical dots at the end of the CName record row and select “Edit”.
  6. In the edit record dialog box, you will see the existing configuration of the CName record. Modify the CName record to point to a valid and secure target. It is recommended to use an A record instead of a CName record whenever possible.
  7. After making the necessary changes, click on the “Save” button to save the modified CName record.
  8. Verify that the CName record has been successfully updated and is pointing to the desired target.
  9. Repeat the above steps for any other CName records that need to be remediated.
By following these steps, you will be able to remediate the CName Records vulnerability in GCP DNS using the GCP console.

To remediate the CName Records vulnerability in GCP DNS using GCP CLI, follow these step-by-step instructions:
  1. Install and set up the GCP CLI:
    • Download and install the Cloud SDK from the official Google Cloud website.
    • Open a terminal or command prompt and authenticate with your GCP account using the gcloud auth login command.
    • Set your project ID as the default project using the gcloud config set project [PROJECT_ID] command.
  2. Identify the vulnerable CName Records:
    • Use the following command to list all the DNS managed zones in your project: 
      gcloud dns managed-zones list
    • Identify the managed zone that contains the vulnerable CName Records.
  3. Remove the vulnerable CName Records:
    • Replace [MANAGED_ZONE_NAME] with the name of the vulnerable managed zone in the following command: 
      gcloud dns record-sets transaction start --zone=[MANAGED_ZONE_NAME]
    • Remove the vulnerable CName Records using the following command: 
      gcloud dns record-sets transaction remove --zone=[MANAGED_ZONE_NAME] --name=[CNAME_RECORD_NAME] --type=CNAME --ttl=[TTL]
      Replace [CNAME_RECORD_NAME] with the name of the vulnerable CName record and [TTL] with the desired Time To Live value.
    • Execute the following command to apply the changes and commit the transaction: 
      gcloud dns record-sets transaction execute --zone=[MANAGED_ZONE_NAME]
  4. Verify the changes:
    • Use the following command to verify that the vulnerable CName Records have been removed: 
      gcloud dns record-sets list --zone=[MANAGED_ZONE_NAME]
    • Ensure that the vulnerable CName Records are no longer listed.
By following these steps, you can remediate the CName Records vulnerability in GCP DNS using GCP CLI.
To remediate the CName Records vulnerability in GCP DNS using Python, follow these step-by-step instructions:
  1. Install the required dependencies:
    • Install the google-cloud-dns library by running the following command: 
      pip install google-cloud-dns
    • Make sure you have the Google Cloud SDK installed and authenticated with your GCP account.
  2. Import the necessary modules in your Python script: 
    from google.cloud import dns
  3. Authenticate with your GCP account by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of your service account key file: 
    import os
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "/path/to/service-account-key.json"
  4. Create a DNS client: 
    client = dns.Client()
  5. Retrieve the existing CName records: 
    zone_name = "your-zone-name"
zone = client.zone(zone_name)
existing_records = zone.list_resource_record_sets()
  6. Filter and delete the vulnerable CName records: 
    vulnerable_records = [record for record in existing_records if record.record_type == "CNAME"]
for record in vulnerable_records:
    zone.delete_record_set(record)
  7. Apply the changes to the DNS zone: 
    changes = zone.changes()
for record in vulnerable_records:
    changes.delete_record_set(record)
changes.create()
  8. Confirm the changes: 
    changes = zone.changes()
changes.wait_for_change_to_apply()
By following these steps, you will be able to remediate the CName Records vulnerability in GCP DNS using Python. Make sure to replace your-zone-name with the actual name of your DNS zone and provide the path to your service account key file.