On Thu, 22 Dec 2022 05:19:46 +0000
Michael De Roover <i...@nixmagic.com> wrote:

> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I have
> been seeing something that's been baffling me for quite a while now.
> Somehow there are services like c99.nl [1] and Criminal IP [2], which
> can enumerate various subdomains on a given target domain. I am
> confused as to how they can enumerate this information.

In addition to techniques others have mentioned, here are some
possibilities:

- TLS certificate issuance. When a CA issues a certificate, some data
about the cert and the associated hostname(s) is posted to public
certificate transparency logs. Based on the output of the c99 site, I
have a hunch this is where it gets much of its information.

- Passive DNS logs. A variety of orgs with access to enormous amounts of
network traffic are actively sniffing port 53 DNS traffic and logging
everything they see.

- Dictionary style enumeration. Some attackers (or "researchers") will
attempt to resolve many thousands of commonly-used hostnames in your
zone, recording which ones return RRs. If you have an authoritative BIND
server configured with the rate-limit {} option, these attacks will show
up in the corresponding rate-limit logging channel.

Shaun
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
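
The rate-limit {} option and rate-limit logging channel named in the last point of the reply, as an added named.conf example that is not part of the original message. The thresholds, log path and exempt address range are illustrative assumptions to tune per server.

```conf
// Authoritative server: response rate limiting (RRL) with a dedicated log.
// Every number, the log path and the ACL range below are constructed examples.

acl "monitoring" { 192.0.2.0/28; };    // hypothetical internal health checkers

options {
    rate-limit {
        // Ceiling for identical positive answers sent to one client network.
        responses-per-second 10;
        // Dictionary-style enumeration mostly produces NXDOMAIN answers,
        // so those get a lower ceiling than ordinary responses.
        nxdomains-per-second 5;
        // Seconds over which the per-second rates are averaged.
        window 15;
        // Clients are grouped by network, not by single address.
        ipv4-prefix-length 24;
        ipv6-prefix-length 56;
        // Every 2nd limited response goes out truncated so that a
        // legitimate resolver can retry over TCP.
        slip 2;
        // Never limit the server's own monitoring hosts.
        exempt-clients { "monitoring"; };
        // Log what would be limited without dropping anything yet;
        // switch to "no" after reviewing the log.
        log-only yes;
    };
};

logging {
    channel rrl_log {
        // The directory must exist and be writable by the named user.
        file "/var/log/named/rate-limit.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    // Route RRL events to their own file, separate from the default log.
    category rate-limit { rrl_log; };
};
```

Running named-checkconf on the file validates the syntax before a reload. A client network that repeatedly appears in this log for NXDOMAIN responses within your zone is a candidate for the dictionary-style enumeration described above.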