Your DNS, my DNS

In this humble article, we are going to talk about what is known as DNS Takeover, a technique used in Bug Bounty and similar to Subdomain Takeover, which allows us to take possession of a domain’s DNS.


All of the tests below are for educational and informational purposes only, so any malicious use of them is not our responsibility.


The first step will be to identify domains returning SERVFAIL status (in our case we will talk about the fictitious domain), as shown below when using the dig tool:

A SERVFAIL response can indicate either that there is a problem reaching the domain’s DNS server or that it is not configured correctly.

Since we know that there is a problem with the DNS, we are going to check which name servers the domain is delegated to:

In this case, in the whois output, we see that the delegated DNS belongs to Amazon AWS. This feature, together with the previous one, indicates that it is possible to create a DNS zone in an Amazon AWS account and that we will be able to create records in it.
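From the domain owner's side, the same two signals (a SERVFAIL answer plus a delegation that still points at Amazon name servers) can be checked during an audit. The following Python code is an added example, not code from the original article or from the script it mentions; `example.com`, the name server names and the dig/whois text are constructed sample data, and the function names are hypothetical.

```python
import re

# Route 53 name servers are named ns-<n>.awsdns-<n>.<com|net|org|co.uk>
ROUTE53_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)$")

def dig_status(dig_output):
    """Return the response code from dig's ->>HEADER<<- line, or None."""
    m = re.search(r"->>HEADER<<-.*?status:\s*([A-Z]+)", dig_output)
    return m.group(1) if m else None

def delegated_ns(text):
    """Collect name servers from whois 'Name Server:' lines or dig NS records."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        m = (re.match(r"(?i)name server:\s*(\S+)", line)
             or re.match(r"\S+\s+\d+\s+IN\s+NS\s+(\S+)", line))
        if m:
            found.add(m.group(1).lower().rstrip("."))
    return sorted(found)

def audit(domain, dig_output, delegation_text):
    """Flag a domain that fails to resolve while still delegated to Route 53."""
    status = dig_status(dig_output)
    aws = [n for n in delegated_ns(delegation_text) if ROUTE53_NS.match(n)]
    return {"domain": domain, "status": status, "route53_ns": aws,
            "at_risk": status == "SERVFAIL" and bool(aws)}

# Constructed sample data (example.com is a placeholder, not the page's domain).
BROKEN_DIG = """;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
HEALTHY_DIG = BROKEN_DIG.replace("SERVFAIL", "NOERROR")
WHOIS = """Domain Name: EXAMPLE.COM
Name Server: NS-100.AWSDNS-12.COM
Name Server: NS-1500.AWSDNS-50.ORG"""

if __name__ == "__main__":
    for label, dig_out in (("broken", BROKEN_DIG), ("healthy", HEALTHY_DIG)):
        result = audit("example.com", dig_out, WHOIS)
        # at_risk means: recreate the hosted zone or remove the stale NS
        # delegation at the registrar before someone else claims the zone.
        print(label, result)
```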


But identifying the zone in which the DNS zone must be created is a complicated task simply because we do not know it. For this, there is a script at the URL

This script, after passing our Amazon AWS account’s keys and our domain as parameters, will create DNS zones until it finds the correct one, as seen below:

DNS zone created! As the next step, we connect to the Amazon AWS account and access the Route 53 option from the menu:

Once inside, we access the Hosted Zones option:

As we can see, we have a new DNS zone entry (marked in red) for our domain


All that remains is to create a new entry in the DNS. We can create a CNAME record to redirect a subdomain to another website, or create a TXT record with a message to show that the DNS of the domain is ours.


To create a CNAME record, we click the Create a recordset button and enter the following data, as an example:

  • Subdomain’s name:
  • Record type: CNAME
  • Value:

Reusing the dig tool, we observe that the domain’s status changed from SERVFAIL to NOERROR and that the CNAME record shows the entered value:

It is important to know that the redirection will be done if the domain is owned by us. For example, if you set a domain in DigitalOcean as the CNAME value, it won’t redirect.


To create a TXT record, we click the Create a recordset button and enter the following data:

  • Subdomain’s name:
  • Record type: TXT
  • Value: Takeover by darkandroider

Reusing the dig tool, we observe that the TXT record shows the entered message Takeover by darkandroider:

I hope you liked it (thanks to Mr. Takeover).

“Don’t give up, great things take time.”
