Hijacking DNS with GitHub and Cloudflare
A couple of weeks ago, searching for links to one of my projects, I stumbled upon an interesting GitHub profile. It was full of repositories named dc-###########.[domain.com], each with a CNAME file for that name. My domain was present in there, and it was working.
There are currently no restrictions at GitHub on who can set up a CNAME for a given domain: GitHub Pages does not verify that the person creating the repository owns the hostname in the CNAME file. GitHub does strongly recommend against pointing wildcard DNS records at its servers, precisely because anyone could then claim arbitrary subdomains.
An attack vector
Using Cloudflare, like any other service, requires special attention to the configuration to avoid security issues. The relevant behaviour here is documented by Cloudflare itself:
Cloudflare Support: Why do I have a dc-######### subdomain?
The dc-##### subdomain is added to overcome a conflict created when your SRV or MX record resolves to a domain configured to proxy to Cloudflare.
Therefore, Cloudflare will create a dc-##### DNS record that resolves to the origin IP address. The dc-##### record ensures that traffic for your MX or SRV record isn’t proxied (it directly resolves to your origin IP) while the Cloudflare proxy works for all other traffic.
Exploitation in the wild
Anyone can start looking for domains pointing to GitHub at the root level; a simple search on GitHub for repositories containing a CNAME file will suffice. Once you find a domain, e.g. menduz.com, look for MX or SRV records to test whether there is an exploitable subdomain:
$ dig MX menduz.com
menduz.com. 300 IN MX 10 mail.protonmail.ch.
menduz.com. 300 IN MX 20 mailsec.protonmail.ch.
menduz.com. 300 IN MX 0 dc-01175666cd49.menduz.com.
There we go, this is the interesting part:
menduz.com. 300 IN MX 0 dc-01175666cd49.menduz.com
$ dig A dc-01175666cd49.menduz.com
dc-01175666cd49.menduz.com. 300 IN A 192.30.252.153
dc-01175666cd49.menduz.com. 300 IN A 192.30.252.154
192.30.252.153 and 192.30.252.154 are GitHub's IP addresses (the GitHub Pages apex addresses). They are the origin IPs that were supposed to stay hidden behind the Cloudflare proxy, but the dc- record resolves to them directly. Since GitHub does not check who owns dc-01175666cd49.menduz.com, any repository with that hostname in its CNAME file gets served for it.
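The walk-through above, turned into a script: it parses dig-style MX/SRV answers, picks out Cloudflare dc- targets, resolves them and reports any that land on GitHub Pages addresses. This is an added example, not code from the original post. The dig output embedded below is constructed to mirror the answers shown above (plus a negative case under example.net on a TEST-NET address); the dig_lookup helper and the 185.199.x.153 addresses in the GitHub list are assumptions (a local `dig` binary, and GitHub's currently documented Pages IPs) rather than anything taken from the post.

```python
"""Find Cloudflare 'dc-' helper records that resolve to GitHub Pages IPs."""
import ipaddress
import re
import subprocess

# GitHub Pages apex IPs. The two 192.30.252.x addresses appear in the dig
# output above; the 185.199.108-111.153 set is GitHub's currently documented
# range (assumption: keep it in sync with GitHub's own documentation).
GITHUB_PAGES_NETS = [ipaddress.ip_network(n) for n in (
    "192.30.252.153/32", "192.30.252.154/32",
    "185.199.108.153/32", "185.199.109.153/32",
    "185.199.110.153/32", "185.199.111.153/32",
)]

# Cloudflare's helper records look like dc-<hex>.<zone>.
DC_RE = re.compile(r"^dc-[0-9a-f]+\.", re.IGNORECASE)
# One 'dig +noall +answer' line: name ttl class type rdata...
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_dig_answers(text):
    """Turn dig answer lines into (owner, rtype, rdata_fields) tuples."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            out.append((owner, m.group(3).upper(), m.group(4).split()))
    return out


def dc_targets(answers):
    """dc- hostnames named as MX (prio target) or SRV (prio weight port target) targets."""
    hosts = []
    for _owner, rtype, fields in answers:
        if rtype == "MX" and len(fields) == 2:
            target = fields[1]
        elif rtype == "SRV" and len(fields) == 4:
            target = fields[3]
        else:
            continue
        target = target.rstrip(".").lower()
        if DC_RE.match(target) and target not in hosts:
            hosts.append(target)
    return hosts


def is_github_pages_ip(ip):
    """True if the address is one of the GitHub Pages apex IPs listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GITHUB_PAGES_NETS)


def find_exposed_dc_records(domain, lookup, extra_names=()):
    """Map each dc- host reachable from the zone's MX (and any SRV owner names
    passed in extra_names) to the GitHub Pages IPs it resolves to.
    lookup(name, rtype) must return parse_dig_answers()-style tuples."""
    answers = list(lookup(domain, "MX"))
    for name in extra_names:
        answers += lookup(name, "SRV")
    exposed = {}
    for host in dc_targets(answers):
        ips = [f[0] for _o, rt, f in lookup(host, "A") if rt == "A" and f]
        hits = [ip for ip in ips if is_github_pages_ip(ip)]
        if hits:
            exposed[host] = hits
    return exposed


def dig_lookup(name, rtype):
    """Live lookup through the local `dig` binary (assumed to be installed)."""
    proc = subprocess.run(["dig", "+noall", "+answer", rtype, name],
                          capture_output=True, text=True, check=False)
    return parse_dig_answers(proc.stdout)


# Constructed sample answers, mirroring the dig output shown above, plus a
# zone whose dc- record points at a non-GitHub origin (TEST-NET-3 address).
SAMPLE = {
    ("menduz.com", "MX"): (
        "menduz.com. 300 IN MX 10 mail.protonmail.ch.\n"
        "menduz.com. 300 IN MX 20 mailsec.protonmail.ch.\n"
        "menduz.com. 300 IN MX 0 dc-01175666cd49.menduz.com.\n"),
    ("dc-01175666cd49.menduz.com", "A"): (
        "dc-01175666cd49.menduz.com. 300 IN A 192.30.252.153\n"
        "dc-01175666cd49.menduz.com. 300 IN A 192.30.252.154\n"),
    ("example.net", "MX"): "example.net. 300 IN MX 0 dc-0123abcd.example.net.\n",
    ("dc-0123abcd.example.net", "A"): "dc-0123abcd.example.net. 300 IN A 203.0.113.10\n",
}


def sample_lookup(name, rtype):
    """Offline stand-in for dig_lookup, answering from SAMPLE."""
    return parse_dig_answers(SAMPLE.get((name, rtype), ""))


if __name__ == "__main__":
    for zone in ("menduz.com", "example.net"):
        print(zone, find_exposed_dc_records(zone, sample_lookup))
```

Swap `sample_lookup` for `dig_lookup` to run it against a real zone; an empty result means the dc- record (if any) resolves to an origin you control rather than to GitHub Pages, which is the check a Cloudflare user should run on their own domain.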
Someone abused this behavior: they created a repository and had access to a subdomain of mine for months. The same technique was used against several other domains pointing to GitHub.
Summary
- Cloudflare's dc- helper records, created whenever an MX or SRV target is a proxied hostname, expose the origin IP that the proxy was meant to hide.
- Even if you do not use a wildcard domain, anyone can claim the Cloudflare-generated dc- hostname for GitHub Pages, because GitHub does not verify domain ownership.
- Check your own zone: `dig MX yourdomain` (and your SRV records), then resolve any dc- target and make sure it points at infrastructure you control.
This technique rarely results in a dangerous outcome by itself, but a third party publishing content under your domain is definitely not good: a subdomain they control is a ready-made phishing host, and depending on how your cookies are scoped it may receive cookies set for the parent domain.