How do subdomains get discovered by adversaries?

Michael De Roover isc at nixmagic.com
Thu Dec 22 05:19:46 UTC 2022


Hello,

I have been running BIND 9 on my external and internal networks for a
few years now -- as such I have a basic understanding of the most
common RR types and activities such as zone transfers. However, I have
been seeing something that's been baffling me for quite a while now.
Somehow there are services like c99.nl [1] and Criminal IP [2], which
can enumerate various subdomains on a given target domain. I am
confused as to how they can enumerate this information.

As far as I know, an NS record returns the name servers authoritative
for a domain. Alright, now you've got authoritative information when
querying these domains. No useful information about the zone data they
are responsible for though.

Then there is an A record, which returns an IPv4 address of a server
responsible for a domain. Alright, now you can talk to a server. Maybe
that would be a webserver, and now you may perform an HTTP exchange to
that server (GET /whatever, with a given Host header). You still have
to guess what the Host: header would have to be.

Maybe it would be an MX record. Brilliant, now you could talk to a mail
server. Its EHLO message (sometimes called a "banner" in security
circles) would contain a domain, alright. It would also only be one of
them -- AFAICT only one domain that the organization wants to actually
primarily send from.

Another interesting record would be the CNAME record. As far as I know,
this is used to redirect to another domain from within the DNS, with
its own bespoke entries (bringing us back to A records). Getting from a
CNAME to an A record seems easy enough, but what about getting these
CNAME records in the first place?

This is what I am thinking of so far, but it may well be that I've been
talking crap in all of the above and know nothing about the DNS. That's
fine, and in that case please correct me where necessary. Either way,
I'm very confused about how these services can actually enumerate these
subdomains, and find most -- if not all -- reliably. This seems a bit
concerning to me with regard to unwanted information disclosure, hence
my curiosity. If it is at all possible to mitigate, I would of course
also appreciate discourse on this matter. Thank you!

[1] https://subdomainfinder.c99.nl
[2] https://criminalip.io/domain

Best regards,
Michael
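The post walks through which record types at the apex (NS, MX, A, CNAME) hand an outsider a hostname and which do not. The following script is an added example, not part of the post or of BIND, that makes that distinction concrete from the zone owner's side: it parses a small constructed zone for a hypothetical example.test domain, lists every subdomain the zone data contains, and separates the names an outsider can learn from apex lookups alone (NS and MX targets) from the names that are only visible if the zone contents themselves are exposed, for instance through an unrestricted zone transfer. The zone-file parser is deliberately minimal (one record per line, naive comment stripping) and exists only to support the audit.

```python
from collections import defaultdict

# Constructed sample zone for a hypothetical example.test domain (not from the post).
SAMPLE_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@        IN SOA   ns1.example.test. hostmaster.example.test. (2022122201 7200 900 1209600 3600)
@        IN NS    ns1.example.test.
@        IN NS    ns2.example.test.
@        IN MX    10 mail.example.test.
@        IN A     192.0.2.10
www      IN A     192.0.2.10
mail     IN A     192.0.2.20
ns1      IN A     192.0.2.53
ns2      IN A     192.0.2.54
intranet IN CNAME www.example.test.
vpn      IN A     198.51.100.7
_acme    IN TXT   "constructed-verification-token"
"""


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified name without the trailing dot."""
    zone = origin.rstrip(".")
    if name == "@":
        return zone
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{zone}"


def parse_zone(text, origin=None):
    """Minimal zone-file parser: $ORIGIN, one record per line, optional TTL/class,
    owner-name inheritance for lines starting with whitespace. Comment stripping is
    naive (a ';' inside quoted TXT data would be cut off), which is fine for this audit."""
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives are irrelevant here
            continue
        fields = line.split()
        if line[0].isspace():
            owner = last_owner  # owner name inherited from the previous record
        else:
            owner = fields.pop(0)
            last_owner = owner
        if fields and fields[0].isdigit():  # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        records.append((qualify(owner, origin), rtype, fields))
    return records


def disclosed_names(records, origin):
    """Every subdomain present in the zone data, with the reasons it appears:
    as the owner name of a record, or as the target of an NS/MX/CNAME record."""
    zone = origin.rstrip(".")
    found = defaultdict(set)
    for owner, rtype, rdata in records:
        if owner.endswith("." + zone):
            found[owner].add(f"owner of {rtype}")
        target = None
        if rtype in ("NS", "CNAME") and rdata:
            target = rdata[0]
        elif rtype == "MX" and len(rdata) >= 2:
            target = rdata[1]  # rdata is [preference, exchange]
        if target:
            fqdn = qualify(target, origin)
            if fqdn.endswith("." + zone):
                found[fqdn].add(f"target of {rtype}")
    return dict(found)


def public_hints(records, origin):
    """Subdomains an outsider learns from ordinary lookups at the apex alone:
    the NS and MX targets, exactly the records the post says leak a hostname."""
    zone = origin.rstrip(".")
    hints = set()
    for owner, rtype, rdata in records:
        if owner != zone:
            continue
        if rtype == "NS" and rdata:
            hints.add(qualify(rdata[0], origin))
        elif rtype == "MX" and len(rdata) >= 2:
            hints.add(qualify(rdata[1], origin))
    return hints


def names_only_in_zone(records, origin):
    """Subdomains that apex lookups do not reveal: these exist only in the zone
    data and are exposed if the zone itself is (e.g. via an open AXFR)."""
    return sorted(set(disclosed_names(records, origin)) - public_hints(records, origin))


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for name, why in sorted(disclosed_names(recs, "example.test.").items()):
        print(f"{name:28} {', '.join(sorted(why))}")
    print("learnable from apex NS/MX:", sorted(public_hints(recs, "example.test.")))
    print("only in zone data:        ", names_only_in_zone(recs, "example.test."))
```

Running it against the constructed zone shows the split the post reasons about: ns1, ns2 and mail are exposed by the apex NS and MX records, while www, intranet, vpn and _acme are visible only to someone who can read the zone data itself. Restricting who may request zone transfers (BIND's allow-transfer option) closes that particular channel; it does not hide names that are also reachable through other paths.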
