s3dns – DNS‑based discovery of cloud storage buckets
Introduction
s3dns is a lightweight DNS server written in Python designed for infosec professionals. Rather than probing each candidate bucket via HTTP or API, it intercepts DNS lookups and flags domains pointing to cloud storage services like AWS S3, Google Cloud Storage, and Azure Blob Storage. It provides early, low‑noise detection of potentially exposed buckets during recon workflows.
GitHub Repository: https://github.com/olizimmermann/s3dns
Motivation & Use Case
Cloud storage misconfigurations remain a frequent cause of data exposure. Domains and subdomains often reveal the storage bucket behind them through CNAME chains (for example a CDN hostname that is an alias for a bucket endpoint), even when the bucket name is not otherwise known. s3dns uses exactly that: by watching DNS resolution it identifies bucket endpoints without sending HTTP requests to them or brute-forcing names.
How It Works
- DNS Resolver: Run s3dns (default on port 53/UDP) and point your system's or tool's DNS at it.
- Forwarding: It forwards queries to upstream resolvers (like 1.1.1.1), so standard resolution works.
- CNAME Chaining: It inspects and follows CNAME chains recursively.
- Pattern Matching: Hostnames in the chain are matched against known patterns of cloud buckets (e.g., *.s3.amazonaws.com, *.storage.googleapis.com, *.blob.core.windows.net).
- IP Detection: Flags known cloud provider IPs associated with storage services.
- Logging: Logs each detection to console or file, including type (CNAME/IP), full chain, and matched pattern.
Example
If cdn.example.com resolves like this:
cdn.example.com → CNAME → media.s3.amazonaws.com → A → AWS IP
s3dns will output:
[+] Bucket detected: media.s3.amazonaws.com (from cdn.example.com)
The bucket name here is media. s3dns itself never contacts the storage endpoint; it only reads the answer chain returned by the upstream resolver. Keep in mind that whatever client issued the lookup will usually go on to connect to cdn.example.com as it normally would; the passive part is that s3dns adds no traffic of its own toward the bucket.
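The resolver walk and pattern matching described under How It Works, applied to the example above, as an added Python example. This is not s3dns's own code: the zone table standing in for an upstream resolver, the IP addresses, the optional region/website infix allowed on the S3 pattern, and the single storage IP range are all constructed or assumed here for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed stand-in for the answers an upstream resolver would return:
# name -> (record type, value). The IPs are illustrative/documentation values.
FAKE_ZONE = {
    "cdn.example.com": ("CNAME", "media.s3.amazonaws.com"),
    "media.s3.amazonaws.com": ("A", "52.216.10.20"),
    "assets.example.com": ("CNAME", "assets-prod.storage.googleapis.com"),
    "assets-prod.storage.googleapis.com": ("A", "198.51.100.7"),
    "direct.example.com": ("A", "52.217.3.4"),          # no bucket name, storage IP only
    "files.example.com": ("CNAME", "loop.example.com"),
    "loop.example.com": ("CNAME", "files.example.com"),  # CNAME loop
    "www.example.com": ("A", "203.0.113.10"),            # ordinary host, no detection
}

# Hostname patterns for the endpoints named on the page, as regexes. The
# optional region/website infix on the S3 pattern is an assumption made here.
BUCKET_PATTERNS = {
    "AWS S3": re.compile(r"^(?P<bucket>[^.]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"),
    "Google Cloud Storage": re.compile(r"^(?P<bucket>[^.]+)\.storage\.googleapis\.com$"),
    "Azure Blob Storage": re.compile(r"^(?P<bucket>[^.]+)\.blob\.core\.windows\.net$"),
}

# Illustrative storage IP range for the IP-detection path; a real deployment
# would load the provider's published ranges instead.
STORAGE_IP_RANGES = {"AWS S3": [ipaddress.ip_network("52.216.0.0/15")]}


def resolve_chain(name, zone=FAKE_ZONE, max_hops=8):
    """Follow CNAMEs starting at `name`.

    Returns (chain, ip): the ordered list of names visited and the terminal
    A record, or None when the chain dead-ends or loops. max_hops bounds the
    walk so a broken or hostile CNAME loop cannot hang the resolver.
    """
    chain = [name]
    for _ in range(max_hops):
        rr = zone.get(chain[-1])
        if rr is None:
            return chain, None
        rtype, value = rr
        if rtype == "A":
            return chain, value
        if value in chain:  # CNAME loop
            return chain, None
        chain.append(value)
    return chain, None


def classify(name, zone=FAKE_ZONE):
    """Return a detection dict if any hop in the chain is a storage endpoint
    (hostname pattern checked first, then the terminal IP), else None."""
    chain, ip = resolve_chain(name, zone)
    for i, hop in enumerate(chain):
        for provider, pattern in BUCKET_PATTERNS.items():
            m = pattern.match(hop)
            if m:
                return {"query": name, "kind": "CNAME" if i else "NAME", "hit": hop,
                        "provider": provider, "bucket": m.group("bucket"),
                        "chain": chain, "ip": ip}
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        for provider, nets in STORAGE_IP_RANGES.items():
            if any(addr in net for net in nets):
                return {"query": name, "kind": "IP", "hit": ip, "provider": provider,
                        "bucket": None, "chain": chain, "ip": ip}
    return None


def format_log(det, ts=None):
    """Render a detection in the same pipe-separated shape as the page's output example."""
    ts = ts or datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    return f"[+] {ts} | {det['query']} | {det['kind']} | {det['hit']} | Match: {det['provider']}"


if __name__ == "__main__":
    for qname in FAKE_ZONE:
        det = classify(qname)
        if det:
            print(format_log(det))
```

Two details matter when this runs inside a real resolver rather than over a table: the hop limit and loop check in resolve_chain keep an attacker-controlled zone from stalling the server, and the hostname match is tried on every hop so a bucket aliased through several CDN layers is still caught before the IP fallback is needed.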
Advantages
| Method | Pros | Cons |
|--------------------------|-------------------------------------------|-------------------------------------------|
| s3dns | Stealthy, real-time, multi-cloud capable | Requires real DNS traffic |
| Brute-force tools | Can find unreferenced buckets | Noisy, time-intensive, AWS-focused |
| CT Logs / OSINT tools | Zero interaction, passive discovery | May miss private or unindexed buckets |
s3dns complements brute-force and OSINT tools by catching buckets that are revealed through infrastructure (CNAME aliases and storage IP ranges) rather than through name guessing or public indexes.
Supported Cloud Providers
- Amazon S3
- Google Cloud Storage
- Azure Blob Storage
Patterns and IP ranges for each provider are maintained in patterns.json.
Setup & Installation
git clone https://github.com/olizimmermann/s3dns.git
cd s3dns
pip install -r requirements.txt
sudo python3 s3dns.py
The server binds port 53, which is why it is started with sudo (or an equivalent capability). Configure your system's DNS to point to the host running s3dns, and confirm that ordinary lookups still resolve through it before relying on it during an assessment.
Output Example
[+] 2025-07-28 14:00:22 | cdn.example.com | CNAME | media.s3.amazonaws.com | Match: AWS S3
You can pipe this into log files or feed it into further automation scripts.
Real-World Applications
- Reconnaissance: Detect storage buckets from known subdomains without brute-force.
- Pentesting: Use as a drop-in DNS forwarder during assessments.
- Monitoring: Point internal hosts at it to see which names in your own traffic resolve to cloud storage endpoints, for example unexpected third-party buckets.
- Stealthy Enumeration: Sends no requests to the storage provider, so it is less likely to trigger provider-side alerts or rate limits than direct probing; the DNS lookups themselves are still visible to the upstream resolver.
Limitations
- Cannot verify whether a detected bucket is publicly accessible; that still requires a direct check.
- Detection needs a lookup to pass through the resolver; names that are never queried are never seen.
- Provider patterns and IP ranges in patterns.json need manual updates as providers add endpoints or ranges.
Conclusion
s3dns takes a DNS-level approach to cloud bucket reconnaissance: it identifies storage buckets referenced in DNS records without opening HTTP connections to them. Running as a forwarding resolver, it fits into passive reconnaissance workflows and gives early visibility of cloud storage endpoints across AWS, Azure, and GCP environments.
Reference
GitHub: https://github.com/olizimmermann/s3dns
Blog: https://olizimmermann.medium.com/uncovering-hidden-cloud-buckets-with-dns-the-s3dns-approach-caf5bdf37324