
occasional false positive "Vulnerable CNAME records in Google Cloud DNS" #76

cleo2525 opened this issue Jul 16, 2024 · 2 comments

@cleo2525

Has anyone run into the issue where domain protect doesn't detect the S3 bucket for a Cloud DNS CNAME record that is pointing to an AWS bucket?

I've had a few records trigger even though the S3 buckets are present and haven't been changed in years. I believe the Python script is using requests.get to look for "NoSuchBucket" to determine if the record is vulnerable.

When I manually test with requests.get, the buckets return with AccessDenied, which is expected. I'm guessing every once in a while AWS randomly returns "NoSuchBucket"?

@paulschwarzenberger
Member

Hi @cleo2525 thanks for raising this issue!
I think it's unlikely that AWS would randomly return NoSuchBucket if the bucket exists.
What are the Google Cloud Function logs for a function execution which results in a false positive?

@cleo2525
Author

Hi @paulschwarzenberger in the Cloud Function logs I see the cnamestorage function testing the CNAME record, then logging it as VULNERABLE, but I don't see any detailed output when the function is testing the record. Are there debugging logs I could turn on?
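The thread above turns on two things: how the scanner decides that a CNAME pointing at S3 is dangling (the "NoSuchBucket" check described in the first post), and what the function logs when it reaches that verdict (the question in the last comment). The example below is added here and is not domain-protect's own code; it assumes the check receives the HTTP status and body of a GET against the CNAME target. It parses the S3 error XML instead of substring-matching, treats AccessDenied and similar codes as proof that the bucket exists, reports transient conditions as inconclusive rather than vulnerable, requires consecutive confirmations before flagging a record, and emits per-attempt log lines at DEBUG/INFO so a false positive can be traced.

```python
"""Classify a response from an S3-backed CNAME target: missing bucket (takeover
risk), bucket present but unreadable, or inconclusive.  Added example, not
domain-protect's code; the S3 response bodies below are constructed samples."""
import logging
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Logger name is assumed; enable with logging.basicConfig(level=logging.DEBUG).
log = logging.getLogger("cnamestorage")

VULNERABLE, OK, INCONCLUSIVE = "VULNERABLE", "OK", "INCONCLUSIVE"

# S3 error codes that prove the bucket exists even though it is not readable.
BUCKET_EXISTS_CODES = {"AccessDenied", "AllAccessDisabled", "PermanentRedirect", "TemporaryRedirect"}
# Throttling / server-side conditions that say nothing about bucket existence.
TRANSIENT_CODES = {"SlowDown", "RequestTimeout", "InternalError", "ServiceUnavailable"}


@dataclass(frozen=True)
class Verdict:
    status: str
    reason: str


def parse_s3_error_code(body: str) -> Optional[str]:
    """Return the <Code> of an S3 <Error> document, or None if the body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "Error":
        return None
    code = root.findtext("Code")
    return code.strip() if code else None


def classify(http_status: int, body: str) -> Verdict:
    """Decide what a single GET against the CNAME target tells us."""
    code = parse_s3_error_code(body)
    log.debug("http_status=%s s3_code=%s body=%r", http_status, code, body[:200])
    if code == "NoSuchBucket":
        return Verdict(VULNERABLE, "S3 reports NoSuchBucket: the CNAME target can be claimed")
    if code in BUCKET_EXISTS_CODES:
        return Verdict(OK, f"bucket exists but is not readable ({code})")
    if 200 <= http_status < 300:
        return Verdict(OK, "bucket served content")
    if code in TRANSIENT_CODES or http_status >= 500:
        return Verdict(INCONCLUSIVE, f"transient condition ({code or http_status})")
    return Verdict(INCONCLUSIVE, f"unrecognised response ({code or http_status})")


def check_cname_target(fetch: Callable[[], Tuple[int, str]],
                       confirmations: int = 2, max_attempts: int = 5) -> Verdict:
    """fetch() performs one GET and returns (status, body).  A record is flagged
    VULNERABLE only after `confirmations` consecutive NoSuchBucket answers; any
    answer proving the bucket exists ends the check as OK; an inconclusive
    answer resets the streak instead of counting as a confirmation."""
    streak = 0
    for attempt in range(1, max_attempts + 1):
        status, body = fetch()
        verdict = classify(status, body)
        log.info("attempt %d/%d -> %s (%s)", attempt, max_attempts, verdict.status, verdict.reason)
        if verdict.status == OK:
            return verdict
        if verdict.status == VULNERABLE:
            streak += 1
            if streak >= confirmations:
                return verdict
        else:
            streak = 0
    return Verdict(INCONCLUSIVE,
                   f"no {confirmations} consecutive NoSuchBucket answers in {max_attempts} attempts")


# Constructed sample bodies in the shape S3 uses for its error responses.
NO_SUCH_BUCKET = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>NoSuchBucket</Code>'
                  '<Message>The specified bucket does not exist</Message>'
                  '<BucketName>example-bucket</BucketName></Error>')
ACCESS_DENIED = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code>'
                 '<Message>Access Denied</Message></Error>')
SLOW_DOWN = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>SlowDown</Code>'
             '<Message>Please reduce your request rate.</Message></Error>')


def scripted_fetch(responses: List[Tuple[int, str]]) -> Callable[[], Tuple[int, str]]:
    """Offline stand-in for requests.get: replays the scripted responses and
    repeats the last one once the list is exhausted."""
    calls = {"n": 0}

    def fetch() -> Tuple[int, str]:
        i = min(calls["n"], len(responses) - 1)
        calls["n"] += 1
        return responses[i]
    return fetch


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(levelname)s %(name)s: %(message)s")
    # One stray NoSuchBucket followed by AccessDenied: the bucket exists, so the record is OK.
    print(check_cname_target(scripted_fetch([(404, NO_SUCH_BUCKET), (403, ACCESS_DENIED)])))
    # Consistent NoSuchBucket: a genuinely dangling record.
    print(check_cname_target(scripted_fetch([(404, NO_SUCH_BUCKET)])))
```

With the scripted fetch replaced by a real `requests.get` against the CNAME target, the INFO lines give exactly the per-attempt detail the last comment asks for, and a single stray answer can no longer produce a VULNERABLE verdict on its own.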
