s3dns is a lightweight DNS server that helps uncover cloud storage buckets (AWS S3, Google Cloud Storage, and Azure Blob) by resolving DNS requests, tracing CNAMEs, and matching known bucket URL patterns.
It's a handy companion for pentesters, bug bounty hunters, and cloud security analysts who want to catch exposed cloud buckets during DNS traffic analysis.
- Added offline AWS IP ranges as a JSON file.
- Added offline Azure Storage IP ranges as a JSON file.
- Added the option to disable the IP range check for either service using `AZURE_IP_RANGES=false` or `AWS_IP_RANGES=false` (default is `true`).
- Moved `regex_patterns` and hardcoded patterns to the `patterns` folder as YAML files. You can add your own patterns.
  - Regex patterns must start with `regex_`.
- Added multiple additional cloud providers:
  - IBM Cloud Object Storage
  - Oracle Object Storage
  - Alibaba OSS
  - Backblaze B2
  - Linode Object Storage
  - Scaleway Object Storage
  - Vultr Object Storage
  - Cloudflare R2
- Added AWS GovCloud support.
- Updated regex patterns.
- Updated output for better visibility (displaying the original domain for CNAMEs, the client IP, and IP range indicators).
- Auto-downloading of IP ranges from AWS; those ranges are now checked too.
- Option to add your own IP ranges (manually adjust the patterns or IP ranges in the class).
- Added regex support for Google Cloud Storage and Azure Blob Storage buckets.
- Runs as a DNS server (port `53/udp`)
- Detects potential cloud storage buckets in DNS requests:
  - AWS S3 (virtual-host and path style)
  - GCP Buckets
  - Azure Blob Containers
- Follows CNAME chains to catch masked cloud bucket links
- Logs bucket indicators to console and file
- Super lightweight and container-friendly
S3DNS listens on UDP port 53 for DNS queries. For every DNS request it:
- Extracts the requested domain
- Forwards the request to a real DNS resolver (e.g., `1.1.1.1`)
- Returns the valid DNS response to the client
In parallel, it:
- Checks for AWS/GCP/Azure bucket patterns
- Checks against known IP ranges for AWS S3 and Azure Blob Storage
- Follows CNAME chains recursively
- Logs bucket-like domains and findings
Use this as your DNS during recon, and it will indicate if any domains you query point to cloud buckets.
You will only need one of the following:
- Python 3.11+
- Docker (optional, but recommended)
Only needed if you want to run it locally with Python:

```shell
git clone https://github.com/olizimmermann/s3dns.git
cd s3dns
```

Using a virtual environment is recommended:

```shell
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
```

Port 53 requires elevated privileges:

```shell
sudo python s3dns.py
```

If the command with `sudo` claims a module is missing, try: `sudo venv/bin/python s3dns.py`
If you build the image yourself, be sure to tag it the same as the Docker Hub version for consistency:

```shell
docker build -t ozimmermann/s3dns:latest .
```
The easiest way to get started with S3DNS is the prebuilt image from Docker Hub:

```shell
docker pull ozimmermann/s3dns:latest
docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

Alternatively, build the image yourself and run it the same way:

```shell
docker build -t ozimmermann/s3dns:latest .
docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

Findings are saved:
- In the terminal, and/or
- In `./bucket_findings/`
When using S3DNS on the same machine where you perform analysis, it may help to set the `--network host` flag (with host networking the container binds directly to the host's port 53, so the `-p` mapping is not used):

```shell
docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  --network host \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

Since port 53 requires elevated privileges, some users (e.g., Mac users) may need `sudo`:

```shell
sudo docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

Set your system or tool's DNS resolver to your S3DNS instance.
While browsing or fuzzing your target, S3DNS analyzes every domain and tells you if it resolves to:
- An AWS S3 bucket
- A GCP bucket
- An Azure Blob container
It even follows CNAMEs, so if a domain points to `cdn.example.com`, which in turn points to a cloud bucket, it will catch that too.
Use it passively while analyzing a site to spot exposed buckets without active probing.
You can tweak behavior via environment variables or by modifying `s3dns.py`:

- `DEBUG`: Enable debug mode (default: `false`)
- `AWS_IP_RANGES`: Enable AWS IP range checks (default: `true`)
- `AZURE_IP_RANGES`: Enable Azure IP range checks (default: `true`)
- `REAL_DNS_SERVER_IP`: Set the real DNS server IP (default: `1.1.1.1`)
- `LOCAL_DNS_SERVER_IP`: Set the local DNS server IP / listening interface (default: `0.0.0.0`)
- `BUCKET_FILE`: Set the bucket file path (default: `buckets.txt`)
Since Microsoft does not explicitly name their Azure Blob Storage IP ranges, S3DNS uses all publicly provided Azure Storage IP addresses. This may lead to false positives. Consider disabling this check if you encounter issues by setting:

```shell
AZURE_IP_RANGES=false
```

Feel free to customize your patterns by adding them to the `patterns` directory. You can create new YAML files with your desired patterns. If you need to modify existing patterns, you can do so directly in the corresponding YAML files.

Be sure to follow the naming conventions used in the existing pattern files. For regex-based patterns, start with `regex_`. All other patterns will be treated as hardmatch/hardcoded patterns.
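To make the detection flow concrete (the per-query pipeline described under how it works, plus the `regex_` / hardmatch naming convention for pattern files just above), here is an added, self-contained Python illustration. It is not s3dns's own code: the pattern set, the IP ranges (RFC 5737 documentation prefixes) and the DNS records are constructed stand-ins, and the function names are assumptions. It shows how a pattern key's prefix decides regex versus literal matching, how a CNAME chain is walked to its final A record (with loop and hop-limit protection), and how the resolved address is checked against provider IP ranges.

```python
import ipaddress
import re

# Constructed stand-in for the YAML pattern files (assumed layout, not the
# project's files): keys starting with "regex_" are regular expressions,
# every other key is a literal substring ("hardmatch") pattern.
PATTERNS = {
    "regex_aws_s3_virtual_host": r"^[a-z0-9.-]+\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$",
    "regex_aws_s3_path_style": r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$",
    "regex_gcs": r"^[a-z0-9.-]+\.storage\.googleapis\.com$",
    "regex_azure_blob": r"^[a-z0-9-]+\.blob\.core\.windows\.net$",
    "gcs_hardmatch": "storage.googleapis.com",
}

# Constructed IP ranges (documentation prefixes) standing in for the offline
# AWS/Azure JSON range files; the real files carry the providers' prefixes.
IP_RANGES = {
    "AWS S3": [ipaddress.ip_network("192.0.2.0/24")],
    "Azure Storage": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed DNS answers: name -> ("CNAME", target) or ("A", address).
# A real deployment obtains these from the upstream resolver (REAL_DNS_SERVER_IP).
FAKE_DNS = {
    "assets.example.com": ("CNAME", "cdn.example.com"),
    "cdn.example.com": ("CNAME", "my-bucket.s3.amazonaws.com"),
    "my-bucket.s3.amazonaws.com": ("A", "192.0.2.10"),
    "files.example.org": ("CNAME", "acct.blob.core.windows.net"),
    "acct.blob.core.windows.net": ("A", "198.51.100.7"),
    "loop-a.example.net": ("CNAME", "loop-b.example.net"),
    "loop-b.example.net": ("CNAME", "loop-a.example.net"),
    "www.example.com": ("A", "203.0.113.5"),
}


def compile_patterns(raw):
    """Apply the naming convention: regex_* keys become compiled regexes,
    all other keys are lower-cased literal substrings."""
    regexes = {k: re.compile(v, re.IGNORECASE) for k, v in raw.items() if k.startswith("regex_")}
    hard = {k: v.lower() for k, v in raw.items() if not k.startswith("regex_")}
    return regexes, hard


def match_patterns(name, regexes, hard):
    """Return the keys of every pattern that fires on one hostname."""
    name = name.lower().rstrip(".")
    hits = [k for k, rx in regexes.items() if rx.search(name)]
    hits += [k for k, needle in hard.items() if needle in name]
    return hits


def follow_cnames(name, lookup, max_hops=10):
    """Walk the CNAME chain from `name`. Returns (chain of names, final A address
    or None). Stops on a CNAME loop, an unknown name, or after max_hops hops."""
    chain, seen = [name], {name}
    for _ in range(max_hops):
        record = lookup.get(chain[-1])
        if record is None:
            return chain, None
        rtype, value = record
        if rtype == "A":
            return chain, value
        if value in seen:  # CNAME loop: a -> b -> a
            return chain, None
        seen.add(value)
        chain.append(value)
    return chain, None


def ip_range_hit(ip, ranges=IP_RANGES):
    """Name the provider whose published range contains `ip`, or None."""
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    for provider, nets in ranges.items():
        if any(addr in net for net in nets):
            return provider
    return None


def analyze(name, lookup=FAKE_DNS, raw_patterns=PATTERNS):
    """Run the full check for one queried domain: pattern-match every hop of the
    CNAME chain and range-check the final address."""
    regexes, hard = compile_patterns(raw_patterns)
    chain, ip = follow_cnames(name, lookup)
    hits = {hop: m for hop in chain if (m := match_patterns(hop, regexes, hard))}
    provider = ip_range_hit(ip)
    return {"chain": chain, "ip": ip, "pattern_hits": hits,
            "ip_range": provider, "bucket": bool(hits) or provider is not None}


if __name__ == "__main__":
    for query in ("assets.example.com", "files.example.org", "loop-a.example.net", "www.example.com"):
        print(query, analyze(query))
```

Note that `assets.example.com` only becomes a finding at the third hop, which is why the chain walk matters, while the loop entry yields no address and no finding rather than hanging the resolver.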
Python:

```shell
su
export DEBUG=TRUE
python s3dns.py
```

Docker:

```shell
docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  -e "DEBUG=TRUE" \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

Setting other environment variables in Docker:

```shell
docker run --rm -p 53:53/udp \
  -v "./bucket_findings/:/app/buckets/" \
  -e "LOCAL_DNS_SERVER_IP=0.0.0.0" \
  -e "REAL_DNS_SERVER_IP=1.1.1.1" \
  --name "s3dns" \
  ozimmermann/s3dns:latest
```

MIT License. Free to use, improve, and share.
Use responsibly. Only scan domains you own or have explicit permission to analyze.
Unauthorized access or probing may be illegal.
