{"id":20532628,"url":"https://github.com/cimpress-mcp/red-x","last_synced_at":"2026-03-09T17:44:27.377Z","repository":{"id":40767780,"uuid":"100618656","full_name":"Cimpress-MCP/red-x","owner":"Cimpress-MCP","description":"Check for abandoned/misconfigured delegations in your Route53 hosted zones.","archived":false,"fork":false,"pushed_at":"2023-03-04T02:35:40.000Z","size":1926,"stargazers_count":4,"open_issues_count":12,"forks_count":2,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-08-22T14:54:11.989Z","etag":null,"topics":["aws","dns","lambda","route53"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cimpress-MCP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2017-08-17T15:30:14.000Z","updated_at":"2023-04-14T08:56:49.000Z","dependencies_parsed_at":"2025-04-15T23:01:30.549Z","dependency_job_id":null,"html_url":"https://github.com/Cimpress-MCP/red-x","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/Cimpress-MCP/red-x","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Fred-x","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Fred-x/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Fred-x/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Fred-x/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cimpress-MCP","download_url":"https://codeload.github.com/Cimpress-MCP/red-x/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cimpress-MCP%2Fred-x/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30305259,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T17:35:44.120Z","status":"ssl_error","status_checked_at":"2026-03-09T17:35:43.707Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","dns","lambda","route53"],"created_at":"2024-11-16T00:16:06.874Z","updated_at":"2026-03-09T17:44:27.362Z","avatar_url":"https://github.com/Cimpress-MCP.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"red-x\n=====\n\n\u003eThe Red X is a warning placard affixed to a vacant building structure\nalerting first responders to the existence of structural or interior hazards\nin the building that warrant extreme caution when conducting interior\nfirefighting or rescue operations with entry occurring only for known life\nhazards.\n\nIn this case, Red-X alerts us of abandoned/misconfigured domain delegations\nor records pointing at inactive domains from managed services (cloudfront.net or\nelasticbeanstalk.com)\n\n## Why?\n\nPreventing misconfigured delegations should be pretty self-explanatory - you\nneed your customers to be able to quickly and reliably resolve your domain\nnames from anywhere in the world.\n\nPreventing abandoned delegations is also very important. For one, to prevent\nCloud resource sprawl from draining your coffers and your operations time. But,\nperhaps more importantly, to prevent DNS zone hijacking.\n\n### What's zone hijacking?\n\nDue to the shared infrastructure of Route53 (and other managed AWS services,\nlike CloudFront), it's surprisingly easy to take control of a misconfigured\nor abandoned zone, CNAME, or A ALIAS.\n\nThe particular attack Red-X attempts to prevent is zone hijacking through\nbrute-forcing nameservers. Since Route53 assigns you four nameservers when you\ncreate a hosted zone, an attacker that happens upon an abandoned zone can hijack\nthat zone by brute-force creating a hosted zone for that domain again and again\nuntil they've matched one or more of the nameservers it was delegated to.\n\nYou can find a better explanation [here](https://thehackerblog.com/the-orphaned-internet-taking-over-120k-domains-via-a-dns-vulnerability-in-aws-google-cloud-rackspace-and-digital-ocean/index.html).\n\n### What's record hijacking?\n\nSimilar to zone hijacking, records pointing to domains from managed services like\nelasticbeanstalk.com or cloudfront.net can be abandoned and later used to hijack\nthe domain.\n\n## What it does\n\n* Fetches configuration from EC2 Parameter Store\n* Gets a list of all records in the configured Route53 Hosted Zone\n* Pulls out all delegations (NS records)\n* Iterates over the delegations\n    * Checks each of the nameservers in the delegation.\n    * Ensures each nameserver returns the expected result for NS records.\n    * No response implies the delegation is abandoned.\n    * Mismatched results implies misconfiguration or zone hijacking.\n* Pulls out all A and CNAME records pointing to beanstalk or cloudfront domains\n    * Warns about CNAMEs, since A ALIAS records are more correct\n    * Alerts if the elasticbeanstalk.com or cloudfront.net address doesn't resolve.\n    \nThen, it can notify you in two ways:\n1. GitLab issues.\n    * Open an issue in the configured project for each delegation error.\n    * Close any open issues no longer associated with delegation errors.\n2. SNS notifications.\n    * Send a summary of delegation errors to the configured SNS topic.\n\n## Configuration\n\nConfiguration for this function is controlled by the EC2 Parameter Store.\nSetting up your configuration (and updating it later) is simplified using\nthe [`configure.py`](./configure.py) script at the root of this repo.\n\nRunning `python configure.py` with credentials for your account will let you\ncreate or update your Red-X configuration.\n\n**NOTE**: If you intend to use the GitLab integration, you should only do\nthis _after_ you have deployed the function, as it will attempt to use the KMS\nkey created by CloudFormation to encrypt your API token.\n\n## Setup/CloudFormation\n\nDeploying this function will create the following resources (in addition to\nthe 'usual' Serverless resources):\n\n* A KMS key to encrypt secret configuration info (i.e. GitLab API Token)\n    * Aliased as 'alias/red-x/settings'\n* An SNS topic `Red-X-Reports` for publishing delegation error summaries\n\n## Deployment\n\nThis is a Python3.6 Lambda function, since the DNS library for node isn't great.\nSo you're kind of straddling two worlds, here.\n\n```\n$ npm install\n$ virtualenv env\n$ source ./env/bin/activate\n$ ./node_modules/.bin/sls deploy\n```\n\nThen, optionally, you can run `python configure.py` to set up the parameters in\nthe EC2 Parameter Store.\n\nYou can also invoke the function locally with `./node_modules/.bin/sls invoke local -f check_delegations`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcimpress-mcp%2Fred-x","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcimpress-mcp%2Fred-x","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcimpress-mcp%2Fred-x/lists"}