GCP Subdomain NS Delegations Vulnerable
More Info:
Ensure that Subdomain NS delegations are not vulnerable.
Risk Level: High
Address: Security
Compliance Standards: SOC2, NISTCSF
Triage and Remediation
Remediation
To remediate the GCP Subdomain NS Delegations Vulnerable misconfiguration in GCP DNS using the GCP console, follow these steps:
- Open the Google Cloud Console (https://console.cloud.google.com) and log in to your GCP account.
- Navigate to the “Cloud DNS” page by clicking on the navigation menu and selecting “Networking” > “Cloud DNS”.
- On the Cloud DNS page, you will see a list of your DNS zones. Select the zone that contains the subdomain with the NS delegation vulnerability.
- In the zone details, you will see a list of DNS records. Look for the NS (Name Server) records related to the vulnerable subdomain. These records specify the authoritative name servers for the subdomain.
- Click on the checkbox next to each NS record related to the vulnerable subdomain to select them.
- Once the NS records are selected, click on the “Delete” button at the top of the page to remove them.
- A confirmation dialog will appear. Review the selected records and click on the “Delete” button to confirm the deletion.
- After deleting the NS records, the subdomain will no longer have any NS delegation. The DNS resolution for the subdomain will now be handled by the parent domain’s name servers.
- Verify the changes by performing a DNS lookup for the subdomain using a tool like “dig” or “nslookup”. Ensure that the NS records for the subdomain no longer exist.
By following these steps, you will be able to remediate the GCP Subdomain NS Delegations Vulnerable misconfiguration in GCP DNS using the GCP console.
To remediate the GCP Subdomain NS Delegations Vulnerability using GCP CLI, follow these step-by-step instructions:
- Install and set up the GCP CLI:
  - Download and install the GCP CLI from the official documentation: https://cloud.google.com/sdk/docs/install
  - Run gcloud init to authenticate and set up the CLI with your GCP account.
- Identify the vulnerable subdomain:
  - Identify the subdomain that has NS delegations pointing to external DNS servers. This can be done by reviewing your DNS records or by using a DNS enumeration tool.
- Update the NS records:
  - Open your terminal or command prompt and run the following commands to update the NS records for the vulnerable subdomain. A record set is removed and added as a whole, so list every name server in a single remove and a single add; the remove must match the existing record set exactly, including its TTL:

        gcloud dns record-sets transaction start --zone=[ZONE_NAME]
        gcloud dns record-sets transaction remove --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[CURRENT_TTL] [EXTERNAL_DNS_SERVER_1] [EXTERNAL_DNS_SERVER_2]
        gcloud dns record-sets transaction add --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS --ttl=[TTL] [GCP_DNS_SERVER_1] [GCP_DNS_SERVER_2]
        gcloud dns record-sets transaction execute --zone=[ZONE_NAME]

  - Replace the placeholders in the above commands with the following values:
    - [ZONE_NAME]: The name of the DNS zone where the subdomain exists.
    - [SUBDOMAIN_NAME]: The name of the vulnerable subdomain.
    - [CURRENT_TTL]: The TTL currently set on the NS record set being removed.
    - [EXTERNAL_DNS_SERVER_1], [EXTERNAL_DNS_SERVER_2]: The external DNS server addresses that need to be removed.
    - [GCP_DNS_SERVER_1], [GCP_DNS_SERVER_2]: The GCP DNS server addresses that need to be added.
    - [TTL]: The Time To Live value for the NS records (e.g., 300).
- Verify the changes:
  - After executing the transaction, wait for a few minutes to allow the changes to propagate.
  - Use the following command to verify the NS records for the subdomain:

        gcloud dns record-sets list --zone=[ZONE_NAME] --name=[SUBDOMAIN_NAME] --type=NS

    Ensure that only the GCP DNS server addresses are listed.
By following these steps, you can remediate the GCP Subdomain NS Delegations Vulnerability for GCP DNS using the GCP CLI.
To remediate the GCP Subdomain NS Delegations Vulnerability, you can follow these step-by-step instructions using Python:
- Install the required libraries:
  - Install the google-cloud-dns library by running the command pip install google-cloud-dns in your Python environment.
- Authenticate with GCP:
  - Generate a service account key for your project in GCP.
  - Download the JSON key file for the service account.
  - Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the JSON key file.
- Retrieve the list of managed zones:
  - Import the necessary modules in your Python script:

        from google.cloud import dns

  - Create a DNS client instance:

        client = dns.Client()

  - List all the managed zones in your project:

        # Materialise the iterator so the zones can be walked in both later steps
        zones = list(client.list_zones())

- Identify vulnerable subdomains:
  - Iterate through the list of managed zones and check for subdomains with NS delegations:

        for zone in zones:
            subdomains = zone.list_resource_record_sets()
            for subdomain in subdomains:
                if subdomain.record_type == 'NS':
                    # Check if NS records are pointing to external nameservers
                    # (compared as sets so the order of the records does not matter)
                    if set(subdomain.rrdatas) != {'ns-cloud-d1.googledomains.com.',
                                                  'ns-cloud-d2.googledomains.com.',
                                                  'ns-cloud-d3.googledomains.com.',
                                                  'ns-cloud-d4.googledomains.com.'}:
                        print(f"Vulnerable subdomain: {subdomain.name}")

- Remediate the vulnerable subdomains:
  - For each vulnerable subdomain, update the NS records to point to the correct Google Cloud DNS nameservers:

        for zone in zones:
            subdomains = zone.list_resource_record_sets()
            for subdomain in subdomains:
                if subdomain.record_type == 'NS' and subdomain.name == 'vulnerable-subdomain.example.com.':
                    # Build the replacement record set with the correct Google Cloud DNS nameservers
                    updated = zone.resource_record_set(
                        subdomain.name, 'NS', subdomain.ttl,
                        ['ns-cloud-d1.googledomains.com.',
                         'ns-cloud-d2.googledomains.com.',
                         'ns-cloud-d3.googledomains.com.',
                         'ns-cloud-d4.googledomains.com.'])
                    # Apply the update as one change: delete the old record set, add the new one
                    changes = zone.changes()
                    changes.delete_record_set(subdomain)
                    changes.add_record_set(updated)
                    changes.create()
                    print(f"Remediated subdomain: {subdomain.name}")

- Run the script:
  - Save the Python script and run it using python script_name.py.
  - The script will identify and remediate the vulnerable subdomains by updating the NS records to use the correct Google Cloud DNS nameservers.
Note: Ensure that you have the necessary permissions and access to the GCP project and DNS resources to perform these actions.
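
An offline version of the "Identify vulnerable subdomains" check, as an added example that is not code from the original page: instead of a fixed name-server list, it compares each delegation in a parent zone against the name servers of the child zone you actually own. The dict layout, the function names and the sample zone data are assumptions constructed for illustration.

```python
def norm(host):
    """Lower-case a DNS name and force exactly one trailing dot."""
    return host.strip().lower().rstrip(".") + "."

def audit_delegations(zones):
    """Return (subdomain, status, unexpected_targets) for each risky NS delegation.
    zones: dicts with dns_name, name_servers, records (hypothetical export layout)."""
    # Name servers assigned to each zone we own, keyed by zone apex.
    owned = {norm(z["dns_name"]): {norm(n) for n in z["name_servers"]} for z in zones}
    findings = []
    for zone in zones:
        apex = norm(zone["dns_name"])
        for rr in zone["records"]:
            name = norm(rr["name"])
            if rr["type"] != "NS" or name == apex:
                continue  # only delegations below the apex are of interest
            targets = {norm(t) for t in rr["rrdatas"]}
            child = owned.get(name)
            if child is None:
                # Delegated to servers for which we hold no zone: dangling candidate.
                findings.append((name, "no-owned-zone", sorted(targets)))
            elif targets != child:
                # We own the child zone, but the parent points somewhere else.
                findings.append((name, "mismatch", sorted(targets - child)))
    return findings

def gcp_ns(shard):
    """Build a constructed four-server set for one name-server shard (sample data)."""
    return [f"ns-cloud-{shard}{i}.googledomains.com." for i in range(1, 5)]

# Constructed sample inventory (not real zones).
SAMPLE_ZONES = [
    {"dns_name": "example.com.", "name_servers": gcp_ns("d"), "records": [
        {"name": "example.com.", "type": "NS", "rrdatas": gcp_ns("d")},
        {"name": "dev.example.com.", "type": "NS", "rrdatas": gcp_ns("a")},
        {"name": "stage.example.com.", "type": "NS", "rrdatas": gcp_ns("b")},
        {"name": "OLD.example.com.", "type": "NS", "rrdatas": ["ns1.provider.invalid."]},
        {"name": "www.example.com.", "type": "A", "rrdatas": ["192.0.2.10"]},
    ]},
    {"dns_name": "dev.example.com.", "name_servers": gcp_ns("a"), "records": []},
    {"dns_name": "stage.example.com.", "name_servers": gcp_ns("c"), "records": []},
]

if __name__ == "__main__":
    for name, status, targets in audit_delegations(SAMPLE_ZONES):
        print(f"{status:14} {name} -> {', '.join(targets)}")
```

A "no-owned-zone" result still needs a manual check, since the delegation may point at a provider you use on purpose.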