Owl hiding in a tree symbolizing the concept of Who is living off your domain name

ShadowFindr – Uncover domain shadowing attacks

At the DNS Community Day organized by DNS-OARC at the APRICOT 2024/APNIC 57 conference, we released ShadowFindr, a web tool to detect potential domain shadowing attacks.


Who is living off your domain name?


ShadowFindr is a web tool built for domain name registrants that helps identify potential domain shadowing attacks.

We have written about domain shadowing in the past, and we have also uncovered how threat actors leverage the domain shadowing technique to abuse legitimate domain names under .LK.

Monitoring DNS records or the DNS zone using ShadowFindr

In general, most domain name registrants rely on the registrar’s DNS infrastructure, which, in most cases, is a web-based DNS control panel for adding, deleting, or modifying DNS records.

Most importantly, the registrar’s services do not include an email alerting/notification feature which can inform the registrant if any changes to the DNS zone have occurred.


The other important security feature that most registrars either do not offer or do not enable by default is 2FA. Without 2FA, a threat actor can brute-force a registrant’s login or reuse login details found in data breaches.

Deviations from the parent zone


From a detection perspective, ShadowFindr looks for the following deviations:

  • Subdomain names pointing to a different Autonomous System Number (ASN) than the parent domain name
  • Subdomain names pointing to an IP address geolocated to a different country than the parent domain name
  • Subdomain names pointing at known threat actor network infrastructure
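The three deviation checks above can be sketched as follows. This is an added example, not ShadowFindr's own code: the prefix table, the flagged network list, the zone snapshot and the domain `example.lk` are all constructed, using documentation IP ranges and documentation ASNs.

```python
import ipaddress

# Constructed prefix table (documentation ranges and ASNs): prefix -> (ASN, country)
PREFIXES = {
    "192.0.2.0/24": (64496, "LK"),
    "198.51.100.0/24": (64497, "LK"),
    "203.0.113.0/24": (64500, "RU"),
    "203.0.113.128/25": (64501, "NL"),
}
# Constructed list of networks flagged as known threat actor infrastructure
BAD_NETS = ["203.0.113.128/25"]

def lookup(ip):
    """Longest-prefix match of ip in PREFIXES; returns (asn, country) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, info in PREFIXES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else (None, None)

def find_deviations(parent_ips, subdomains):
    """Return {subdomain: [reasons]} for records that deviate from the parent's hosting."""
    parent_asns = {lookup(ip)[0] for ip in parent_ips}
    parent_ccs = {lookup(ip)[1] for ip in parent_ips}
    bad = [ipaddress.ip_network(n) for n in BAD_NETS]
    findings = {}
    for name, ips in subdomains.items():
        reasons = []
        for ip in ips:
            asn, cc = lookup(ip)
            if asn not in parent_asns:
                reasons.append(f"{ip}: ASN {asn} differs from parent")
            if cc not in parent_ccs:
                reasons.append(f"{ip}: country {cc} differs from parent")
            if any(ipaddress.ip_address(ip) in n for n in bad):
                reasons.append(f"{ip}: known threat actor infrastructure")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed zone snapshot for the placeholder domain example.lk
ZONE = {
    "www.example.lk": ["192.0.2.10"],
    "mail.example.lk": ["198.51.100.25"],   # different ASN, same country
    "login-secure.example.lk": ["203.0.113.200"],
}
RESULT = find_deviations(["192.0.2.10"], ZONE)
```

An ASN-only deviation such as `mail.example.lk` is often a legitimate hosted mail or CDN service, so a registrant would review findings against the services they actually use before treating them as shadowing.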

ShadowFindr Community access

A domain name registrant can register and create a free account at https://shadowfindr.shreshtait.com/register

Adding a single domain per account in ShadowFindr is free. Please don’t hesitate to ask if you need to add additional domain names.

If you encounter a bug or have an idea or suggestion, please get in touch with us at shadowfindr@shreshtait.com. We would love to hear from you!
