GCP Subdomain NS Delegations Vulnerable

Using Console

Using CLI

To remediate the GCP Subdomain NS Delegations Vulnerability using GCP CLI, follow these step-by-step instructions:

Install and set up the GCP CLI:
- Download and install the GCP CLI from the official documentation: https://cloud.google.com/sdk/docs/install
- Run gcloud init to authenticate and set up the CLI with your GCP account.
Identify the vulnerable subdomain:
- Identify the subdomain that has NS delegations pointing to external DNS servers. This can be done by reviewing your DNS records or by using a DNS enumeration tool.

Update the NS records:

Open your terminal or command prompt and run the following command to update the NS records for the vulnerable subdomain:

gcloud dns record-sets transaction start --zone=[ZONE_NAME]
gcloud dns record-sets transaction remove --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS [EXTERNAL_DNS_SERVER_1]
gcloud dns record-sets transaction remove --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS [EXTERNAL_DNS_SERVER_2]
gcloud dns record-sets transaction add --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[TTL] [GCP_DNS_SERVER_1]
gcloud dns record-sets transaction add --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[TTL] [GCP_DNS_SERVER_2]
gcloud dns record-sets transaction execute --zone=[ZONE_NAME]

Replace the placeholders in the above commands with the following values:

[ZONE_NAME]: The name of the DNS zone where the subdomain exists.
[SUBDOMAIN_NAME]: The name of the vulnerable subdomain.
[EXTERNAL_DNS_SERVER_1], [EXTERNAL_DNS_SERVER_2]: The external DNS server addresses that need to be removed.
[GCP_DNS_SERVER_1], [GCP_DNS_SERVER_2]: The GCP DNS server addresses that need to be added.
[TTL]: The Time To Live value for the NS records (e.g., 300).

Verify the changes:
- After executing the transaction, wait for a few minutes to allow the changes to propagate.
- Use the following command to verify the NS records for the subdomain:
  gcloud dns record-sets list --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS
  Ensure that only the GCP DNS server addresses are listed.

By following these steps, you can remediate the GCP Subdomain NS Delegations Vulnerability for GCP DNS using the GCP CLI.

Using Python

To remediate the GCP Subdomain NS Delegations Vulnerability, you can follow these step-by-step instructions using Python:

Install the required libraries:
- Install the google-cloud-dns library by running the command pip install google-cloud-dns in your Python environment.
Authenticate with GCP:
- Generate a service account key for your project in GCP.
- Download the JSON key file for the service account.
- Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON key file.
Retrieve the list of managed zones:
- Import the necessary modules in your Python script:
  from google.cloud import dns
- Create a DNS client instance:
  client = dns.Client()
- List all the managed zones in your project:
  zones = client.list_zones()

Identify vulnerable subdomains:

Iterate through the list of managed zones and check for subdomains with NS delegations:

for zone in zones:
    subdomains = zone.list_resource_record_sets()
    for subdomain in subdomains:
        if subdomain.record_type == 'NS':
            # Check if NS records are pointing to external nameservers
            if subdomain.rrdatas != ['ns-cloud-d1.googledomains.com.', 'ns-cloud-d2.googledomains.com.',
                                     'ns-cloud-d3.googledomains.com.', 'ns-cloud-d4.googledomains.com.']:
                print(f"Vulnerable subdomain: {subdomain.name}")

Remediate the vulnerable subdomains:

For each vulnerable subdomain, update the NS records to point to the correct Google Cloud DNS nameservers:

for zone in zones:
    subdomains = zone.list_resource_record_sets()
    for subdomain in subdomains:
        if subdomain.record_type == 'NS' and subdomain.name == 'vulnerable-subdomain.example.com.':
            # Update the NS records to use the correct Google Cloud DNS nameservers
            subdomain.rrdatas = ['ns-cloud-d1.googledomains.com.', 'ns-cloud-d2.googledomains.com.',
                                 'ns-cloud-d3.googledomains.com.', 'ns-cloud-d4.googledomains.com.']
            # Update the changes
            zone.changes().create(additions=[subdomain]).commit()
            print(f"Remediated subdomain: {subdomain.name}")

Run the script:
- Save the Python script and run it using python script_name.py.
- The script will identify and remediate the vulnerable subdomains by updating the NS records to use the correct Google Cloud DNS nameservers.

Note: Ensure that you have the necessary permissions and access to the GCP project and DNS resources to perform these actions.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

GCP Subdomain NS Delegations Vulnerable

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation