Description: All default Canarytokens use o3n.io (for example 45e51129ec7e.o3n.io). Adding in a Custom Canarytoken Domain further obscures Canarytokens and increases the belief that this link/URL belongs on your network.
Note: You will need:
- Access to log on and make changes to your Canary Console
- Access to create or get records created in your public DNS Zone/Domain
Follow the steps below to change the default Canarytokens domain:
Step 1:
Log in to your Console.
Step 2:
Click on the gear icon and then Global Settings to go to Global Settings page.
Step 3:
Select Canarytokens and enable Custom Canarytokens Domains.
Step 4:
You will be asked to create 2 records in your Zone (let's assume your Console's domain/zone as example.com).
1. First, create the Name server Record:
Note: docs. is used in this example, but you can use anything here.
- docs.example.com NS ns1.docs.example.com
2. Then go ahead and create the Address Record
- ns1.docs.example.com A {{Consoles IP - Which can be found in the Custom Canarytoken Domain Tab}}
3. click Save and you're ready to test your new tokens domain.
Step 5:
You are now ready to test your Custom Canarytoken Domain
Updating or Creating new Canarytokens
Updating or Creating new Canarytokens update the Canarytokens on your Console to use the newly created Custom Domain. If you already have Canarytokens in the field they will still work correctly however they won't have the newly created domain in the URL. You can simply replace them should you wish to use the newly created domain.
FAQ
I can trigger a Canarytoken on an external network but not on my internal network?
The possible cause is that your internal network doesn't have the ability to resolve your Custom Domain (docs.example.com) to get around this you need to add an A record to your internal DNS which points to docs.example.com