id: dns-saas-service-detection info: name: DNS SaaS Service Detection author: noah @thesubtlety,pdteam severity: info description: A CNAME DNS record was discovered reference: - https://ns1.com/resources/cname - https://www.theregister.com/2021/02/24/dns_cname_tracking/ - https://www.ionos.com/digitalguide/hosting/technical-matters/cname-record/ metadata: max-request: 2 tags: dns,service dns: - name: "{{FQDN}}" type: CNAME - name: "{{FQDN}}" type: A extractors: - type: regex group: 1 regex: - 'IN\t(?:A|CNAME)\t([A-Za-z0-9-_.]*([a-zA-Z]+[0-9]+|[0-9.]+[a-zA-Z]+))' matchers-condition: or matchers: - type: word name: ms-office words: - outlook.com - office.com - type: word name: azure words: - "azure-api.net" - "azure.com" - "azure-mobile.net" - "azurecontainer.io" - "azurecr.io" - "azuredatalakestore.net" - "azureedge.net" - "azurefd.net" - "azurehdinsight.net" - "azurewebsites.net" - "azurewebsites.windows.net" - "blob.core.windows.net" - "cloudapp.azure.com" - "cloudapp.net" - "database.windows.net" - "redis.cache.windows.net" - "search.windows.net" - "servicebus.windows.net" - "visualstudio.com" - "-msedge.net" - "trafficmanager.net" - type: word name: zendesk words: - "zendesk.com" - type: word name: announcekit words: - "cname.announcekit.app" - type: word name: wix words: - "wixdns.net" - type: word name: akamai-cdn condition: or words: - akadns.net - akagtm.org - akahost.net - akam.net - akamai.com - akamai.net - akamaiedge-staging.net - akamaiedge.net - akamaientrypoint.net - akamaihd.net - akamaistream.net - akamaitech.net - akamaitechnologies.com - akamaitechnologies.fr - akamaized.net - akaquill.net - akasecure.net - akasripcn.net - edgekey.net - edgesuite.net - type: word name: cloudflare-cdn words: - cloudflare.net - cloudflare-dm-cmpimg.com - cloudflare-ipfs.com - cloudflare-quic.com - cloudflare-terms-of-service-abuse.com - cloudflare.com - cloudflare.net - cloudflare.tv - cloudflareaccess.com - cloudflareclient.com - cloudflareinsights.com - cloudflareok.com - cloudflareportal.com - cloudflareresolve.com - cloudflaressl.com - cloudflarestatus.com - sn-cloudflare.com - type: word name: amazon-cloudfront words: - cloudfront.net - type: word name: salesforce words: - salesforce.com - siteforce.com - force.com - type: word name: amazon-aws words: - amazonaws.com - elasticbeanstalk.com - awsglobalaccelerator.com - type: word name: fastly-cdn words: - fastly.net - type: word name: netlify words: - netlify.app - netlify.com - netlifyglobalcdn.com - type: word name: vercel words: - vercel.app - type: word name: sendgrid words: - sendgrid.net - sendgrid.com - type: word name: qualtrics words: - qualtrics.com - type: word name: heroku words: - herokuapp.com - herokucdn.com - herokudns.com - herokussl.com - herokuspace.com - type: word name: gitlab words: - gitlab.com - gitlab.io - type: word name: perforce-akana words: - akana.com - apiportal.akana.com - type: word name: skilljar words: - skilljarapp.com - type: word name: datagrail words: - datagrail.io - type: word name: platform.sh words: - platform.sh - type: word name: folloze words: - folloze.com - type: word name: pendo-receptive words: - receptive.io - pendo.io - type: word name: discourse words: - bydiscourse.com - discourse-cdn.com - discourse.cloud - discourse.org - hosted-by-discourse.com - type: word name: adobe-marketo words: - marketo.com - marketo.co.uk - mktoweb.com - mktossl.com - mktoweb.com - type: regex name: adobe-marketo - 'mkto-.{5,8}\.com' - type: word name: adobe-marketo words: - marketo.com - type: word name: rock-content words: - postclickmarketing.com - rockcontent.com - rockstage.io - type: word name: rocketlane words: - rocketlane.com - type: word name: webflow words: - proxy-ssl.webflow.com - type: word name: stacker-hq words: - stacker.app - type: word name: hubspot words: - hs-analytics.net - hs-banner.com - hs-scripts.com - hsappstatic.net - hscollectedforms.net - hscoscdn00.net - hscoscdn10.net - hscoscdn20.net - hscoscdn30.net - hscoscdn40.net - hsforms.com - hsforms.net - hubapi.com - hubspot.com - hubspot.es - hubspot.net - hubspotemail.net - hubspotlinks.com - hubspotusercontent-na1.net - sidekickopen90.com - usemessages.com - type: word name: gitbook words: - gitbook.com - gitbook.io - type: word name: google-firebase words: - fcm.googleapis.com - firebase.com - firebase.google.com - firebase.googleapis.com - firebaseapp.com - firebaseappcheck.googleapis.com - firebasedynamiclinks-ipv4.googleapis.com - firebasedynamiclinks-ipv6.googleapis.com - firebasedynamiclinks.googleapis.com - firebaseinappmessaging.googleapis.com - firebaseinstallations.googleapis.com - firebaseio.com - firebaselogging-pa.googleapis.com - firebaselogging.googleapis.com - firebaseperusertopics-pa.googleapis.com - firebaseremoteconfig.googleapis.com - type: word name: zendesk words: - zdassets.com - zdorigin.com - zendesk.com - zopim.com - type: word name: imperva words: - incapdns.net - incapsula.com - type: word name: proofpoint words: - infoprtct.com - metanetworks.com - ppe-hosted.com - pphosted.com - proofpoint.com - type: word name: q4-investor-relations words: - q4inc.com - q4ir.com - q4web.com - type: word name: google-hosted words: - appspot.com - cloudfunctions.net - ghs.googlehosted.com - ghs4.googlehosted.com - ghs46.googlehosted.com - ghs6.googlehosted.com - googlehosted.com - googlehosted.l.googleusercontent.com - run.app - type: word name: wp-engine words: - wpengine.com - type: word name: github words: - github.com - github.io - githubusercontent.com - type: word name: ghost words: - ghost.io - type: word name: digital-ocean words: - ondigitalocean.app - type: word name: typedream words: - ontypedream.com - type: word name: oracle-eloqua-marketing words: - hs.eloqua.com - type: word words: - "IN\tCNAME"