GCP CName Records Vulnerable
More Info:
Ensure GCP CName records are not vulnerable.Risk Level
CriticalAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the CName Records vulnerability in GCP DNS using the GCP console, follow these step-by-step instructions:
- Log in to the GCP console (https://console.cloud.google.com) using your credentials.
- Navigate to the “DNS” page by selecting the appropriate project from the project dropdown menu and clicking on “DNS” under the “Network services” section.
- On the “DNS” page, you will see a list of managed zones. Click on the name of the zone where the CName Record vulnerability exists.
- In the zone details, you will find a list of DNS records. Locate the CName record that needs to be remediated.
- Click on the three vertical dots at the end of the CName record row and select “Edit”.
- In the edit record dialog box, you will see the existing configuration of the CName record. Modify the CName record to point to a valid and secure target. It is recommended to use an A record instead of a CName record whenever possible.
- After making the necessary changes, click on the “Save” button to save the modified CName record.
- Verify that the CName record has been successfully updated and is pointing to the desired target.
- Repeat the above steps for any other CName records that need to be remediated.
Using CLI
Using CLI
To remediate the CName Records vulnerability in GCP DNS using GCP CLI, follow these step-by-step instructions:
-
Install and set up the GCP CLI:
- Download and install the Cloud SDK from the official Google Cloud website.
- Open a terminal or command prompt and authenticate with your GCP account using the
gcloud auth logincommand. - Set your project ID as the default project using the
gcloud config set project [PROJECT_ID]command.
-
Identify the vulnerable CName Records:
- Use the following command to list all the DNS managed zones in your project:
- Identify the managed zone that contains the vulnerable CName Records.
- Use the following command to list all the DNS managed zones in your project:
-
Remove the vulnerable CName Records:
- Replace
[MANAGED_ZONE_NAME]with the name of the vulnerable managed zone in the following command: - Remove the vulnerable CName Records using the following command:
Replace
[CNAME_RECORD_NAME]with the name of the vulnerable CName record and[TTL]with the desired Time To Live value. - Execute the following command to apply the changes and commit the transaction:
- Replace
-
Verify the changes:
- Use the following command to verify that the vulnerable CName Records have been removed:
- Ensure that the vulnerable CName Records are no longer listed.
- Use the following command to verify that the vulnerable CName Records have been removed:
Using Python
Using Python
To remediate the CName Records vulnerability in GCP DNS using Python, follow these step-by-step instructions:
-
Install the required dependencies:
- Install the
google-cloud-dnslibrary by running the following command: - Make sure you have the Google Cloud SDK installed and authenticated with your GCP account.
- Install the
-
Import the necessary modules in your Python script:
-
Authenticate with your GCP account by setting the environment variable
GOOGLE_APPLICATION_CREDENTIALSto the path of your service account key file: -
Create a DNS client:
-
Retrieve the existing CName records:
-
Filter and delete the vulnerable CName records:
-
Apply the changes to the DNS zone:
-
Confirm the changes:
your-zone-name with the actual name of your DNS zone and provide the path to your service account key file.