More Info:

Ensure that Subdomain NS delegations are not vulnerable.

Risk Level

High

Address

Security

Compliance Standards

SOC2, NISTCSF

Triage and Remediation

Remediation

Using Console

To remediate the GCP Subdomain NS Delegations Vulnerable misconfiguration in GCP DNS using the GCP console, follow these steps:
  1. Open the Google Cloud Console (https://console.cloud.google.com) and log in to your GCP account.
  2. Navigate to the “Cloud DNS” page by clicking on the navigation menu and selecting “Networking” > “Cloud DNS”.
  3. On the Cloud DNS page, you will see a list of your DNS zones. Select the zone that contains the subdomain with the NS delegation vulnerability.
  4. In the zone details, you will see a list of DNS records. Look for the NS (Name Server) records related to the vulnerable subdomain. These records specify the authoritative name servers for the subdomain.
  5. Click on the checkbox next to each NS record related to the vulnerable subdomain to select them.
  6. Once the NS records are selected, click on the “Delete” button at the top of the page to remove them.
  7. A confirmation dialog will appear. Review the selected records and click on the “Delete” button to confirm the deletion.
  8. After deleting the NS records, the subdomain will no longer have any NS delegation. The DNS resolution for the subdomain will now be handled by the parent domain’s name servers.
  9. Verify the changes by performing a DNS lookup for the subdomain using a tool like “dig” or “nslookup”. Ensure that the NS records for the subdomain no longer exist.
By following these steps, you will be able to remediate the GCP Subdomain NS Delegations Vulnerable misconfiguration in GCP DNS using the GCP console.

To remediate the GCP Subdomain NS Delegations Vulnerability using GCP CLI, follow these step-by-step instructions:
  1. Install and set up the GCP CLI:
  2. Identify the vulnerable subdomain:
    • Identify the subdomain that has NS delegations pointing to external DNS servers. This can be done by reviewing your DNS records or by using a DNS enumeration tool.
  3. Update the NS records:
    • Open your terminal or command prompt and run the following command to update the NS records for the vulnerable subdomain:
      gcloud dns record-sets transaction start --zone=[ZONE_NAME]
      gcloud dns record-sets transaction remove --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS [EXTERNAL_DNS_SERVER_1]
      gcloud dns record-sets transaction remove --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS [EXTERNAL_DNS_SERVER_2]
      gcloud dns record-sets transaction add --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[TTL] [GCP_DNS_SERVER_1]
      gcloud dns record-sets transaction add --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[TTL] [GCP_DNS_SERVER_2]
      gcloud dns record-sets transaction execute --zone=[ZONE_NAME]
      
      Replace the placeholders in the above commands with the following values:
      • [ZONE_NAME]: The name of the DNS zone where the subdomain exists.
      • [SUBDOMAIN_NAME]: The name of the vulnerable subdomain.
      • [EXTERNAL_DNS_SERVER_1], [EXTERNAL_DNS_SERVER_2]: The external DNS server addresses that need to be removed.
      • [GCP_DNS_SERVER_1], [GCP_DNS_SERVER_2]: The GCP DNS server addresses that need to be added.
      • [TTL]: The Time To Live value for the NS records (e.g., 300).
  4. Verify the changes:
    • After executing the transaction, wait for a few minutes to allow the changes to propagate.
    • Use the following command to verify the NS records for the subdomain:
      gcloud dns record-sets list --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS
      
      Ensure that only the GCP DNS server addresses are listed.
By following these steps, you can remediate the GCP Subdomain NS Delegations Vulnerability for GCP DNS using the GCP CLI.
To remediate the GCP Subdomain NS Delegations Vulnerability, you can follow these step-by-step instructions using Python:
  1. Install the required libraries:
    • Install the google-cloud-dns library by running the command pip install google-cloud-dns in your Python environment.
  2. Authenticate with GCP:
    • Generate a service account key for your project in GCP.
    • Download the JSON key file for the service account.
    • Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON key file.
  3. Retrieve the list of managed zones:
    • Import the necessary modules in your Python script:
      from google.cloud import dns
      
    • Create a DNS client instance:
      client = dns.Client()
      
    • List all the managed zones in your project:
      zones = client.list_zones()
      
  4. Identify vulnerable subdomains:
    • Iterate through the list of managed zones and check for subdomains with NS delegations:
      for zone in zones:
          subdomains = zone.list_resource_record_sets()
          for subdomain in subdomains:
              if subdomain.record_type == 'NS':
                  # Check if NS records are pointing to external nameservers
                  if subdomain.rrdatas != ['ns-cloud-d1.googledomains.com.', 'ns-cloud-d2.googledomains.com.',
                                           'ns-cloud-d3.googledomains.com.', 'ns-cloud-d4.googledomains.com.']:
                      print(f"Vulnerable subdomain: {subdomain.name}")
      
  5. Remediate the vulnerable subdomains:
    • For each vulnerable subdomain, update the NS records to point to the correct Google Cloud DNS nameservers:
      for zone in zones:
          subdomains = zone.list_resource_record_sets()
          for subdomain in subdomains:
              if subdomain.record_type == 'NS' and subdomain.name == 'vulnerable-subdomain.example.com.':
                  # Update the NS records to use the correct Google Cloud DNS nameservers
                  subdomain.rrdatas = ['ns-cloud-d1.googledomains.com.', 'ns-cloud-d2.googledomains.com.',
                                       'ns-cloud-d3.googledomains.com.', 'ns-cloud-d4.googledomains.com.']
                  # Update the changes
                  zone.changes().create(additions=[subdomain]).commit()
                  print(f"Remediated subdomain: {subdomain.name}")
      
  6. Run the script:
    • Save the Python script and run it using python script_name.py.
    • The script will identify and remediate the vulnerable subdomains by updating the NS records to use the correct Google Cloud DNS nameservers.
Note: Ensure that you have the necessary permissions and access to the GCP project and DNS resources to perform these actions.