Hijacking DNS with GitHub and Cloudflare

A couple of weeks ago, searching for links to one of my projects, I stumbled upon an interesting GitHub profile. It was full of repositories named dc-###########.[domain.com], each with a CNAME file. My domain was present in there, and it was working.

There are currently no restrictions at GitHub on domain ownership, or on who can set up a CNAME for a given domain.

They strongly recommend not using wildcard domains pointing to their servers for this specific purpose.

An attack vector

Using Cloudflare, like any other service, requires careful attention to configuration to avoid security issues.

Cloudflare Support: Why do I have a dc-######### subdomain?

The dc-##### subdomain is added to overcome a conflict created when your SRV or MX record resolves to a domain configured to proxy to Cloudflare.

Therefore, Cloudflare will create a dc-##### DNS record that resolves to the origin IP address. The dc-##### record ensures that traffic for your MX or SRV record isn’t proxied (it directly resolves to your origin IP) while the Cloudflare proxy works for all other traffic.

Exploitation in the wild

Anyone can start looking for domains that point to GitHub Pages at the root level; a simple search on GitHub will suffice. Once you find a domain, e.g. menduz.com, look up its MX or SRV records to test whether there is an exploitable dc- subdomain:

$ dig MX menduz.com

menduz.com.             300     IN      MX      10 mail.protonmail.ch.
menduz.com.             300     IN      MX      20 mailsec.protonmail.ch.
menduz.com.             300     IN      MX      0 dc-01175666cd49.menduz.com.

There we go, this is the interesting part:

menduz.com.             300     IN      MX      0 dc-01175666cd49.menduz.com

$ dig A dc-01175666cd49.menduz.com

dc-01175666cd49.menduz.com. 300 IN      A       192.30.252.153
dc-01175666cd49.menduz.com. 300 IN      A       192.30.252.154

192.30.252.153 and 192.30.252.154 are GitHub Pages IP addresses: this is the origin that Cloudflare was supposed to be proxying, and the dc- record exposes it directly.
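The check above can be automated for a defender's own zones. The following script is an added example, not code from the original post: it parses dig-style MX and SRV answer lines, picks out the Cloudflare-generated dc- targets, resolves their A records and flags any that land in GitHub Pages address space. The sample MX and A answers are constructed from the lines shown in the post; the `resolve_a` callable is an assumption of this example, with a small `dig`-based implementation included for live use.

```python
import ipaddress
import re
import subprocess

# Constructed sample data, reproducing the answer section shown in the post.
SAMPLE_MX = """\
menduz.com.             300     IN      MX      10 mail.protonmail.ch.
menduz.com.             300     IN      MX      20 mailsec.protonmail.ch.
menduz.com.             300     IN      MX      0 dc-01175666cd49.menduz.com.
"""
SAMPLE_A = {
    "dc-01175666cd49.menduz.com": """\
dc-01175666cd49.menduz.com. 300 IN      A       192.30.252.153
dc-01175666cd49.menduz.com. 300 IN      A       192.30.252.154
""",
}

# Address space used by GitHub Pages. The first range contains the two
# addresses shown in the post; the second is GitHub Pages' current anycast range.
GITHUB_PAGES_NETS = [ipaddress.ip_network(n) for n in (
    "192.30.252.0/22",
    "185.199.108.0/22",
)]

# Cloudflare names these records dc-<id>.<zone>; match on that prefix.
DC_HOST = re.compile(r"^dc-\w+\.", re.IGNORECASE)


def parse_record_targets(text):
    """Return target hostnames (trailing dot removed) from dig MX/SRV answer lines.

    MX lines look like:  name TTL IN MX  <pref> <target>
    SRV lines look like: name TTL IN SRV <prio> <weight> <port> <target>
    """
    targets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[3] == "MX":
            targets.append(fields[5].rstrip("."))
        elif len(fields) >= 8 and fields[3] == "SRV":
            targets.append(fields[7].rstrip("."))
    return targets


def parse_a_records(text):
    """Return the IPv4 addresses from dig A answer lines."""
    return [f[4] for f in (line.split() for line in text.splitlines())
            if len(f) >= 5 and f[3] == "A"]


def is_github_pages_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GITHUB_PAGES_NETS)


def find_exposed_dc_records(record_text, resolve_a):
    """Return [(dc-hostname, [github_ips])] for every dc- target that resolves to GitHub Pages.

    resolve_a(hostname) must return dig-style A answer lines for that hostname.
    """
    findings = []
    for host in parse_record_targets(record_text):
        if not DC_HOST.match(host):
            continue
        github_ips = [ip for ip in parse_a_records(resolve_a(host)) if is_github_pages_ip(ip)]
        if github_ips:
            findings.append((host, github_ips))
    return findings


def dig_answer(rtype, name):
    """Live resolver for real zones: runs dig and returns only the answer section."""
    out = subprocess.run(["dig", "+noall", "+answer", rtype, name],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Offline run over the constructed sample; for a real zone use
    # find_exposed_dc_records(dig_answer("MX", zone), lambda h: dig_answer("A", h)).
    for host, ips in find_exposed_dc_records(SAMPLE_MX, lambda h: SAMPLE_A.get(h, "")):
        print(f"{host} resolves to GitHub Pages ({', '.join(ips)}); claim it or remove the record")
```

A finding means the dc- name is served by GitHub Pages without the Cloudflare proxy in front of it, so the zone owner should either register that hostname as a custom domain on their own GitHub Pages site or change the MX/SRV target so Cloudflare no longer needs to generate the record.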

Someone abused this behavior, created a repository, and got access to a subdomain of mine for months. The same technique was used against several other GitHub-hosted domains.

Summary

  1. Origin IPs may be exposed by MX records in Cloudflare.
  2. Even if you do not use a wildcard domain, other people can still claim the Cloudflare-generated dc- subdomains on GitHub Pages.

This technique rarely results in dangerous outcomes, but having third parties publish content under your domain is definitely not good.