STARS

⭐ STARS ⭐ is a multi-cloud DNS record scanner that aims to help cybersecurity/IT analysts identify dangling CNAME records in their cloud DNS services that could possibly lead to subdomain takeover scenarios.
This is a small tool that uses some of the takeover ideas from can-i-take-over-xyz for defensive purposes in cloud environments. For each CNAME domain registered in a cloud environment, the tool generates takeover factors (factors that could indicate a subdomain takeover scenario) and mitigation factors (factors that possibly mitigate that scenario). The factors identified by this tool should not be taken as definitive proof of a subdomain takeover scenario on a domain, but rather that a domain should be reviewed.
Subdomain takeovers are complex issues that often happen because of a lack of appropriate processes of management/review in DNS zones, which is a common issue in large corporations. This tool can be used to find possible takeover issues in cloud DNS environments which host multiple zones with large record sets.
📚 To learn more about subdomain takeovers:
Checks
Currently the tool performs the following checks:
Takeover Factors
- DNS_NXDOMAIN - The target domain resolves as NXDOMAIN
- WEB_NOTFOUND - The target domain returns a 404
- WEB_FINGERPRINT - The page at the target domain contains patterns related to a decommissioned page (such as "isn't available" or "doesn't exist")
Mitigation Factors
- PRIVATE_ZONE - The zone where the source domain is hosted is private
- AZURE_VERIFICATION_TXT - There is a TXT entry for an Azure verification code at asuid.source_domain
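How the factors above combine for one record, as an added example that is not STARS's own code: the function names, the injected `resolve` and `fetch` callables and the sample lookup data are hypothetical and constructed so the logic runs offline. Skipping the web checks when the target is NXDOMAIN is an assumption of this example.

```python
# Added example, not STARS's own code. All names below are hypothetical.
FINGERPRINTS = ("isn't available", "doesn't exist")  # the two patterns quoted above

def evaluate(record, resolve, fetch):
    """resolve(name, rtype): None on NXDOMAIN, else a (possibly empty) answer list.
    fetch(host): (status_code, body), or None when the host is unreachable."""
    source = record["Name"].rstrip(".").lower()
    target = record["Value"].rstrip(".").lower()
    takeover, mitigation = [], []
    if resolve(target, "A") is None:
        takeover.append("DNS_NXDOMAIN")  # assumption: no web checks without an address
    else:
        page = fetch(target)
        if page is not None:
            status, body = page
            if status == 404:
                takeover.append("WEB_NOTFOUND")
            if any(p in body.lower() for p in FINGERPRINTS):
                takeover.append("WEB_FINGERPRINT")
    if record.get("Private"):
        mitigation.append("PRIVATE_ZONE")
    if resolve("asuid." + source, "TXT"):
        mitigation.append("AZURE_VERIFICATION_TXT")
    return {"takeover": takeover, "mitigation": mitigation}

def needs_review(records, resolve, fetch):
    """Map each CNAME name with at least one takeover factor to all its factors."""
    found = {r["Name"]: evaluate(r, resolve, fetch) for r in records if r["Type"] == "CNAME"}
    return {name: f for name, f in found.items() if f["takeover"]}

# Constructed lookup data standing in for live DNS and HTTP so this runs offline.
DNS = {("gone-app.azurewebsites.net", "A"): None,  # None marks NXDOMAIN
       ("old-site.s3.amazonaws.com", "A"): ["192.0.2.10"],
       ("live-app.azurewebsites.net", "A"): ["192.0.2.20"],
       ("asuid.shop.example.com", "TXT"): ["constructed-verification-id"]}
WEB = {"old-site.s3.amazonaws.com": (404, "This site doesn't exist"),
       "live-app.azurewebsites.net": (200, "<h1>Welcome</h1>")}

def resolve(name, rtype):
    return DNS.get((name, rtype), [])  # names not listed resolve with an empty answer
def cname(name, value, private=False):  # record dict in the format fetch_records yields
    return {"ZoneName": "example.com", "Private": private, "Type": "CNAME",
            "Name": name, "Value": value}
RECORDS = [cname("shop.example.com.", "gone-app.azurewebsites.net."),
           cname("static.example.com", "old-site.s3.amazonaws.com"),
           cname("www.example.com", "live-app.azurewebsites.net")]

if __name__ == "__main__":
    for name, factors in needs_review(RECORDS, resolve, WEB.get).items():
        print(name, factors)
```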
Prerequisites
If scanning Azure, AWS or GCP records, the appropriate CLI from the cloud you intend to scan needs to be installed before running the tool:
- Azure CLI
- AWS CLI
- GCloud CLI
- DigitalOcean - no need for CLI
- CloudFlare - no need for CLI
After that, run the following command to install the Python dependencies before running the tool:
$ pip install -r requirements.txt
Usage
AWS Route53
$ aws configure
(Authenticate with your AWS credentials)
$ python stars.py --aws
PS. The recommended way of authenticating to AWS is using AWS IAM Identity Center to authenticate using aws sso login instead of providing an access key with aws configure, but the legacy way is easier to use and more widespread. You can also use IAM roles directly if you intend to run the tool from AWS services such as an EC2 attached to a role via an instance profile.
Azure DNS
$ az login
(Authenticate with your Azure credentials)
$ python stars.py --azure --subscription <SUBSCRIPTION ID>
Google DNS
$ gcloud init
$ gcloud auth application-default login
(Authenticate with your GCP credentials and select your project)
$ python stars.py --gcp
DigitalOcean DNS
$ export DIGITALOCEAN_ACCESS_TOKEN="<YOUR API TOKEN>"
$ python stars.py --digitalocean
CloudFlare DNS
$ export CLOUDFLARE_API_TOKEN="<YOUR API TOKEN>"
$ python stars.py --cloudflare
File DNS
A CSV file can also be used as input for the scan, if your DNS provider is not yet supported and you have a CSV with your CNAME records. The CSV should have the following columns (without a header line):
ZoneName,IsPrivate,RecordType,RecordName,RecordValue
$ python stars.py --file <FILENAME>
Optional flags
- --all-cnames - Run the checks for all CNAME records in the environment, not just the ones in-scope (those known for subdomain takeover risks).
- --dump-records - Just dump all the records without performing any analysis.
- --no-banners - Don't show banners, just the results.
- --no-colors - Disable colorized output.
- --no-table - Disable building results table (just show results line-by-line).
- --output FILE - Write results to FILE.
- --google-dns - Use Google DoH for NXDOMAIN checks (by default it uses your local DNS resolver).
- --nameservers NS1,NS2 - Use custom nameservers for NXDOMAIN checks.
Example
Extending functionality
The scanners package can be used in a standalone manner by other modules by importing the scanner classes from it (e.g. from scanners.awsdns import AWSDNSScanner), instantiating them and running their fetch_records method. The fetch_records of each scanner class is a generator that yields a dictionary for each DNS record in the specified environment in each iteration. Example:
from scanners.awsdns import AWSDNSScanner

scanner = AWSDNSScanner()
# fetch_records() is a generator: each iteration yields one DNS record as a dict
for record in scanner.fetch_records():
    print(record)

"""
"record" is a dict in the format:
{
    "ZoneName": "DNS name of the zone",
    "Private": True or False indicating whether the zone is private or not,
    "Type": "Type of the record",
    "Name": "Name of the record",
    "Value": "Value of the record",
    ...other environment-specific values...
}
"""
Other checks against individual cloud DNS records (not just CNAME records) can be implemented using these classes, but since this project is aimed at the specific issue of domain takeover it will be left as future work if anyone is interested in developing other use cases.
Contributing
Contributions are welcome by opening an issue or by submitting a pull request. If you find any bugs please let me know - I don't have many test environments to validate every edge case.
Todo
Some ideas of new features to add that weren't included originally but would be nice to have in the future:
- Option to return the details of the record sets in CSV format
- Improve efficiency by providing an option of doing requests / lookups in parallel
- Option to only dump specific record types
- Also dump more advanced attributes of DNS records and zones in the scanners (TTL, weight, priority, provider-specific attributes, etc)
- Implement a local DB with results from previous executions (maybe)
- Check previously-scanned zones for DNS Takeover (maybe)
- Taking screenshots with a headless browser (maybe)
- Verify whether a domain is public knowledge by scraping with passive tools like Sublist3r (maybe)
Domains Scope
If you run the tool without the --all-cnames flag, it will only report results on CNAMEs pointing to domains in the following scope:
| Kind | Domain |
|------|--------|
| Azure Services | *.cloudapp.net<br> *.cloudapp.azure.com<br> *.azurewebsites.net<br> *.blob.core.windows.net<br> *.azure-api.net<br> *.azurehdinsight.net<br> *.azureedge.net<br> *.azurecontainer.io<br> *.database.windows.net<br> *.azuredatalakestore.net<br> *.search.windows.net<br> *.azurecr.io<br> *.redis.cache.windows.net<br> *.azurehdinsight.net<br> *.servicebus.windows.net<br> *.visualstudio.com<br> |
| AWS S3 Buckets | *.s3.amazonaws.com<br> *.s3-website.region.amazonaws.com<br> *.s3.region.amazonaws.com<br> *.s3.dualstack.region.amazonaws.com |
| Wordpress | *.wordpress.com |
| Agile CRM | cname.agilecrm.com |
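A way to pre-filter a CSV in the File DNS column layout against the scope above, as an added example that is not STARS's own code. The function names, the `true`/`false` spelling of IsPrivate, the reading of `region` as a wildcard label and the sample rows are assumptions made here; the pattern list is a subset of the table.

```python
# Added example, not STARS's own code; names are hypothetical.
import csv
import io
from fnmatch import fnmatchcase

COLUMNS = ["ZoneName", "IsPrivate", "RecordType", "RecordName", "RecordValue"]
# Subset of the scope table above. Assumption: "region" in the S3 entries is a
# placeholder for any region label, so it is written here as a wildcard.
SCOPE = ["*.azurewebsites.net", "*.cloudapp.net", "*.blob.core.windows.net",
         "*.s3.amazonaws.com", "*.s3-website.*.amazonaws.com",
         "*.s3.*.amazonaws.com", "*.wordpress.com", "cname.agilecrm.com"]

def load_records(text):
    """Parse the headerless five-column CSV; fail loudly on malformed rows."""
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), 1):
        if not row:
            continue
        if len(row) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} columns, got {len(row)}")
        rec = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        # Assumption: IsPrivate is spelled true/false; the page does not fix the spelling.
        rec["IsPrivate"] = rec["IsPrivate"].lower() == "true"
        records.append(rec)
    return records

def in_scope(value):
    """Whole-name match, so a scope suffix in the middle of a name does not count."""
    host = value.rstrip(".").lower()
    return any(fnmatchcase(host, pattern) for pattern in SCOPE)

def select(records, all_cnames=False):
    """CNAME records to check: in-scope targets only unless all_cnames is set."""
    return [r for r in records if r["RecordType"].upper() == "CNAME"
            and (all_cnames or in_scope(r["RecordValue"]))]

# Constructed sample rows (not real records).
SAMPLE = """\
example.com,false,CNAME,shop.example.com,Shop-Prod.AzureWebsites.net.
example.com,false,CNAME,img.example.com,assets.s3.eu-west-1.amazonaws.com
example.com,false,CNAME,mail.example.com,mail.provider.example
example.com,false,A,www.example.com,192.0.2.5
corp.example,true,CNAME,wiki.corp.example,azurewebsites.net.partner.example
"""

if __name__ == "__main__":
    for rec in select(load_records(SAMPLE)):
        print(rec["RecordName"], "->", rec["RecordValue"])
```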
