At the DNS Community Day organized by DNS-OARC at the APRICOT 2024/APNIC 57 conference, we released ShadowFindr, a web tool to detect potential domain shadowing attacks.
Who is living off your domain name?
ShadowFindr is a web tool built for domain name registrants that helps identify potential domain shadowing attacks.
We have written about domain shadowing in the past and have also uncovered how threat actors leverage the domain shadowing technique to abuse legitimate domain names under .LK.
Monitoring DNS records or the DNS zone using ShadowFindr
Generally speaking, most domain name registrants rely on the registrar's DNS infrastructure, which in most cases is a web-based DNS control panel for adding, deleting, or modifying DNS records.
Most importantly, the registrar's services do not include an email alerting or notification feature that informs the registrant when changes to the DNS zone have occurred.
The other important security feature that most registrars do not offer, or do not enable by default, is 2FA. The lack of 2FA allows a threat actor to brute-force a registrant's login or reuse login details found in data breaches.
Deviations from the parent zone
From a detection perspective, ShadowFindr looks for the following deviations:
- Subdomain names pointing to a different Autonomous System Number (ASN) than the parent domain name
- Subdomain names pointing to an IP address geolocated to a different country than the parent domain name
- Subdomain names pointing at known threat actor network infrastructure
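The three checks above, as an added Python example that is not ShadowFindr's own code: the IP-to-ASN/country table and the "known threat actor" prefix list are constructed stand-ins (RFC 5737 documentation addresses) for the GeoIP and threat-intelligence sources a real tool would query, and the parent/subdomain records are a constructed zone.

```python
import ipaddress

# Constructed lookup table: in practice ASN and country come from an
# IP-to-ASN / GeoIP database. Addresses are from the RFC 5737 documentation ranges.
IP_TO_ASN_CC = {
    "192.0.2.10": ("AS64500", "LK"),    # parent domain's web host
    "192.0.2.25": ("AS64500", "LK"),    # same network as the parent
    "198.51.100.7": ("AS64501", "LK"),  # different ASN, same country
    "203.0.113.44": ("AS64502", "US"),  # different ASN and country
}
# Hypothetical "known threat actor infrastructure" prefixes (constructed, not real intel).
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

def lookup(ip):
    """Return (asn, country) for an IP, or (None, None) when unknown."""
    return IP_TO_ASN_CC.get(ip, (None, None))

def in_bad_networks(ip, networks=BAD_NETWORKS):
    """True when ip falls inside any listed threat-actor prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def find_deviations(parent_ip, subdomain_records, networks=BAD_NETWORKS):
    """Flag subdomain A records whose hosting deviates from the parent domain's.
    subdomain_records: iterable of (fqdn, ip); returns [(fqdn, ip, reasons), ...]."""
    parent_asn, parent_cc = lookup(parent_ip)
    findings = []
    for name, ip in subdomain_records:
        asn, cc = lookup(ip)  # an unknown IP yields (None, None) and is flagged
        reasons = []
        if asn != parent_asn:
            reasons.append(f"ASN {asn} differs from parent {parent_asn}")
        if cc != parent_cc:
            reasons.append(f"country {cc} differs from parent {parent_cc}")
        if in_bad_networks(ip, networks):
            reasons.append("IP is in known threat actor infrastructure")
        if reasons:  # same ASN and country, not on a bad list: no finding
            findings.append((name, ip, reasons))
    return findings

# Constructed zone: the parent resolves to 192.0.2.10; three subdomains.
SAMPLE_ZONE = [
    ("www.example.lk", "192.0.2.25"),            # clean
    ("mail.example.lk", "198.51.100.7"),         # different ASN
    ("login-secure.example.lk", "203.0.113.44"), # different ASN, country, bad prefix
]

if __name__ == "__main__":
    for name, ip, reasons in find_deviations("192.0.2.10", SAMPLE_ZONE):
        print(f"{name} -> {ip}: {'; '.join(reasons)}")
```

Running it reports `mail.example.lk` for the ASN mismatch alone and `login-secure.example.lk` for all three deviations, while `www.example.lk` stays silent.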
ShadowFindr Community access
A domain name registrant can register and create a free account at https://shadowfindr.shreshtait.com/register.
The addition of a single domain per account in ShadowFindr is free. Please don't hesitate to ask if you need to add additional domain names.
If you encounter a bug or have an idea or suggestion, please get in touch with us at shadowfindr@shreshtait.com. We would love to hear from you!