On Thu, 22 Dec 2022 05:19:46 +0000 Michael De Roover <i...@nixmagic.com> wrote:
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I have
> been seeing something that's been baffling me for quite a while now.
> Somehow there are services like c99.nl [1] and Criminal IP [2], which
> can enumerate various subdomains on a given target domain. I am
> confused as to how they can enumerate this information.

In addition to techniques others have mentioned, here are some possibilities:

- TLS certificate issuance. When a CA issues a certificate, some data about the cert and the associated hostname(s) is posted to public certificate transparency logs. Based on the output of the c99 site, I have a hunch this is where it gets much of its information.

- Passive DNS logs. A variety of orgs with access to enormous amounts of network traffic are actively sniffing port 53 DNS traffic and logging everything they see.

- Dictionary-style enumeration. Some attackers (or "researchers") will attempt to resolve many thousands of commonly-used hostnames in your zone, recording which ones return RRs. If you have an authoritative BIND server configured with the rate-limit {} option, these attacks will show up in the corresponding rate-limit logging channel.

Shaun

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
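An added example (not part of Shaun's message) of the BIND 9 named.conf pieces the last point refers to: a rate-limit {} block in options plus a dedicated logging channel for the rate-limit category, so that bursts of NXDOMAIN answers caused by dictionary-style enumeration land in their own log file. The file path and the numeric thresholds are assumptions to tune for your own zones.

```conf
logging {
    // Dedicated channel so RRL events are not lost among general queries.
    channel rrl_log {
        file "/var/log/named/rrl.log" versions 5 size 10m;  // assumed path
        severity info;
        print-time yes;
        print-category yes;
    };
    // BIND's built-in category for response-rate-limiting events.
    category rate-limit { rrl_log; };
};

options {
    rate-limit {
        // Per-client limits on identical positive answers per second.
        responses-per-second 10;
        // Dictionary-style enumeration produces many NXDOMAINs from one
        // source; a low limit here makes such bursts visible quickly.
        nxdomains-per-second 5;
        errors-per-second 5;
        // Group IPv4 clients by /24 (default) so a small scanner range
        // is accounted for as one source.
        ipv4-prefix-length 24;
        window 5;
        // Observe first: log what would be limited without changing
        // responses. Switch to "no" once thresholds are tuned.
        log-only yes;
    };
};
```

With log-only set, legitimate resolvers are not affected while you read the channel to see which source prefixes and zones are tripping the NXDOMAIN limit; once the thresholds look right for normal traffic, turn log-only off to actually enforce them.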