How do subdomains get discovered by adversaries?

Shaun Cummiskey bind-users at shat.net
Fri Dec 23 02:01:54 UTC 2022


On Thu, 22 Dec 2022 05:19:46 +0000
Michael De Roover <isc at nixmagic.com> wrote:

> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I have
> been seeing something that's been baffling me for quite a while now.
> Somehow there are services like c99.nl [1] and Criminal IP [2], which
> can enumerate various subdomains on a given target domain. I am
> confused as to how they can enumerate this information.

In addition to techniques others have mentioned, here are some
possibilities:

- TLS certificate issuance. When a CA issues a certificate, some data
about the cert and the associated hostname(s) is posted to public
certificate transparency logs. Based on the output of the c99 site, I
have a hunch this is where it gets much of its information.

- Passive DNS logs. A variety of orgs with access to enormous amounts of
network traffic are actively sniffing port 53 DNS traffic and logging
everything they see.

- Dictionary style enumeration. Some attackers (or "researchers") will
attempt to resolve many thousands of commonly-used hostnames in your
zone, recording which ones return RRs. If you have an authoritative BIND
server configured with the rate-limit {} option, these attacks will show
up in the corresponding rate-limit logging channel.

Shaun
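As an added illustration of the last point (this is not part of Shaun's post or of BIND itself), the snippet below reads lines from a BIND rate-limit logging channel and picks out client prefixes whose NXDOMAIN hits cover many distinct names, which is the footprint of dictionary-style enumeration rather than a flood against a single record. It assumes the rate-limit {} option is enabled and the rate-limit category is routed to a file; the sample log lines are constructed to approximate BIND's message shape, so check the regex against your own named log before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of BIND's rate-limit channel output.
# The exact format is an assumption here; verify it against a real named log.
SAMPLE_LOG = """\
23-Dec-2022 01:58:02.114 client @0x7f3a1c0 203.0.113.9#41222 (mail2.example.net): rate limit drop NXDOMAIN response to 203.0.113.0/24 for mail2.example.net IN
23-Dec-2022 01:58:02.120 client @0x7f3a1c0 203.0.113.9#41223 (vpn-old.example.net): rate limit slip NXDOMAIN response to 203.0.113.0/24 for vpn-old.example.net IN
23-Dec-2022 01:58:02.131 client @0x7f3a1c0 203.0.113.9#41224 (dev3.example.net): rate limit drop NXDOMAIN response to 203.0.113.0/24 for dev3.example.net IN
23-Dec-2022 01:58:05.002 client @0x7f3a1d8 198.51.100.77#53211 (www.example.net): rate limit drop all response to 198.51.100.0/24 for www.example.net IN
"""

# Captures the action (drop/slip), the response class (NXDOMAIN, all, error, ...),
# the client prefix the limit was applied to, and the queried name.
RRL_RE = re.compile(
    r"rate limit (?P<action>drop|slip) (?P<kind>\S+) response to "
    r"(?P<prefix>\S+) for (?P<qname>\S+) IN"
)


def parse_rrl(text):
    """Yield (action, kind, client prefix, qname) for each rate-limit log line."""
    for line in text.splitlines():
        m = RRL_RE.search(line)
        if m:
            yield m.group("action"), m.group("kind"), m.group("prefix"), m.group("qname")


def enumeration_suspects(text, min_distinct_names=2):
    """Map each client prefix to the distinct nonexistent names it probed.

    Many different NXDOMAIN names from one prefix points to a wordlist being
    walked through the zone; repeated hits on one name look more like
    amplification or a misconfigured client, so those prefixes are left out.
    """
    names = defaultdict(set)
    for _action, kind, prefix, qname in parse_rrl(text):
        if kind == "NXDOMAIN":
            names[prefix].add(qname.rstrip(".").lower())
    return {p: sorted(n) for p, n in names.items() if len(n) >= min_distinct_names}


if __name__ == "__main__":
    for prefix, probed in enumeration_suspects(SAMPLE_LOG).items():
        print(f"{prefix}: {len(probed)} distinct NXDOMAIN names, e.g. {probed[:3]}")
```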