A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.
**What is a DNS takeover?**
DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a [request for DNS records](<https://www.diggui.com/#type=A&hostname=github.technology&nameserver=public&public=8.8.8.8&specify=&clientsubnet=&tcp=def&transport=def&mapped=def&nssearch=def&trace=def&recurse=def&edns=def&dnssec=def&subnet=def&cookie=def&all=def&cmd=def&question=def&answer=def&authority=def&additional=def&comments=def&stats=def&multiline=def&short=def&colorize=on> "request for DNS records" ) the server responds with a `SERVFAIL` error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹
**Installation**
**from Binary**
The ez way! You can download a pre-built binary from the [releases page](<https://github.com/pwnesia/dnstake/releases> "releases page" ), just unpack and run!
**from Source**
**NOTE:** [Go 1.16+ compiler](<https://golang.org/doc/install> "Go 1.16+ compiler" ) should be installed & configured!
Very quick & clean!
```
▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest
```
**— or**
Manual building executable from source code:
```
▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin
```
**Usage**
```
$ dnstake -h

  (c) pwnesia.org — v0.0.1

  Usage:
    [stdin] | dnstake [options]
    dnstake -t HOSTNAME [options]

  Options:
    -t, --target <HOST/FILE>   Define single target host/list to check
    -c, --concurrent <i>       Set the concurrency level (default: 25)
    -s, --silent               Suppress errors and/or clean output
    -h, --help                 Display its help

  Examples:
    dnstake -t (sub.)domain.tld
    dnstake -t hosts.txt
    cat hosts.txt | dnstake
    subfinder -silent -d domain.tld | dnstake
```
**Workflow**
**DNSTake** uses the [RetryableDNS client library](<https://github.com/projectdiscovery/retryabledns> "RetryableDNS client library" ) to send DNS queries. It first resolves the target host using Google & Cloudflare DNS as the resolvers, then checks and fingerprints the nameservers of the target host. If one is found, it resolves the target host again using that nameserver's IPs as the resolver; if it gets an unexpected DNS status response (anything other than `NOERROR`/`NXDOMAIN`), the host is vulnerable to being taken over. More or less [like this](<https://0xpatrik.com/content/images/2018/08/ns_automation-2.png> "like this" ) in the form of a diagram.
For the currently supported DNS providers, see [here](<https://github.com/indianajson/can-i-take-over-dns/blob/97104102c8ce911fd978521c703f26e1c547c613/README.md#dns-providers> "here" ).
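The decision step of the workflow above, as an added Go example for auditing your own delegations (not DNSTake's own code). It classifies already-captured response bytes so it runs offline; the function names, the provider suffix `.hosted-dns.example`, the label `ExampleDNS` and the sample header are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

var providers = map[string]string{".hosted-dns.example": "ExampleDNS"} // constructed, hypothetical

// rcodeOf returns the 4-bit RCODE of a raw DNS response, or -1 if it is not one.
func rcodeOf(msg []byte) int {
	if len(msg) < 12 || msg[2]&0x80 == 0 { // header is 12 bytes; QR bit must be set
		return -1
	}
	return int(msg[3] & 0x0F)
}

// fingerprint returns the provider whose suffix matches an NS name, or "".
func fingerprint(nsNames []string) string {
	for _, ns := range nsNames {
		for suffix, name := range providers {
			if strings.HasSuffix(strings.ToLower(strings.TrimSuffix(ns, ".")), suffix) {
				return name
			}
		}
	}
	return ""
}

// Assess flags any status other than NOERROR (0) or NXDOMAIN (3), e.g. SERVFAIL (2).
func Assess(nsNames []string, authResp []byte) string {
	provider := fingerprint(nsNames)
	if provider == "" {
		return "skip: nameservers not fingerprinted"
	}
	rc := rcodeOf(authResp)
	if rc < 0 {
		return "error: not a DNS response"
	}
	if rc == 0 || rc == 3 {
		return "ok"
	}
	return fmt.Sprintf("flag: rcode %d from %s", rc, provider)
}

func main() {
	servfail := []byte{0x12, 0x34, 0x81, 0x02, 0, 1, 0, 0, 0, 0, 0, 0} // constructed header
	fmt.Println(Assess([]string{"NS1.Hosted-DNS.example."}, servfail))
}
```

A flagged host is a candidate for review: either restore the hosted zone at the provider or remove the stale NS delegation from the parent zone.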
**References**
* [1] <https://github.com/indianajson/can-i-take-over-dns#what-is-a-dns-takeover>
* <https://0xpatrik.com/subdomain-takeover-ns/>
**License**
**DNSTake** is distributed under MIT. See `LICENSE`.
**[Download Dnstake](<https://github.com/pwnesia/dnstake> "Download Dnstake" )**
Source: KitPloit, published 2021-09-16: <http://www.kitploit.com/2021/09/dnstake-fast-tool-to-check-missing.html>