Hurricane Electric

[indianajson]

Yes, you can perform DNS takeovers of domains pointing to Hurricane Electric's DNS service.

Service Hurricane Electric

Status Vulnerable

Nameserver

ns5.he.net
ns4.he.net
ns3.he.net
ns2.he.net
ns1.he.net

Explanation

To perform a takeover, simply create a free account on Hurricane Electric and head to the DNS manager. Click "Add a new domain" and enter the vulnerable domain. The zone will be created and the takeover successful.

[emerzon]

Seems to be not possible: "Domain already exists error". Solved, I believe?

[indianajson]

@emerzon - I just tested Hurricane Electric and it is still vulnerable. In your case, if you had run dig example.com @ns1.he.net it would not have returned a REFUSED error because the domain already existed in Hurricane Electric's zone.

[emerzon]

Is it possible that this is a specific account issue rather than a global issue?
I am unable to reproduce. Attempting to add an already hosted domain to a new account fails with "Zone addition failed. The zone <domainname.com> already exists." There is no impact on the domain resolution during the process.

[indianajson]

@emerzon - As I said, I think the domain already exists on Hurricane Electric and your process for determining vulnerability returned a false positive. I can look further into this, but I'd need the domain name, feel free to DM me on Twitter (@indianajson) if you'd like, but Hurricane Electric is still 100% vulnerable.

[emerzon]

Thanks! Please feel free to attempt it with my domain chita.com.br -> It's intended for such usages :)

[indianajson]

@emerzon - According to the dig requests, chita.com.br is pointed to Hurricane Electric's DNS services and returns a status NOERROR, which means it is not vulnerable to takeover... so you can't add it to another Hurricane Electric account, which is expected.

[emerzon]

@indianajson: Thank you for the explanation. So as I assumed, it seems that this is not a service-wide issue, but seems specific to some domains/accounts, correct?
Makes me wonder what would trigger this condition.

[indianajson]

@emerzon - I'm confused as to what you mean, but the way all DNS providers work is that if a domain already exists in the zone (in an account) it cannot be added a second time in a different account. If you're asking what triggers a vulnerable domain, then that is when the domain's authoritative nameservers are Hurricane Electric, but no one added the domain to their Hurricane Electric account.

[emerzon]

Okay, I finally grasped the concept now. For me, it was obvious all along that if a domain points its authoritative nameservers to HE without owning an account there, the zone ownership would be up for grabs by anyone.

I personally don't see this as a vulnerability of the service - but as a mishandling of the domain itself.

My initial understanding was that HE would under some conditions allow a second user to transfer the ownership of another zone to his own account, even when there was already some accounting owning the zone - That would have been terribly ugly, but fortunately only a misunderstanding on my side.

Nevertheless thanks again for clearing this up.