Hide Your Subdomains

Created 2024-02-15, Updated 2024-02-22

A few things to take care of when you want to slow others down on their way to discovering your secret subdomains.

First of all, when your subdomain names are short or guessable, it is very easy to enumerate them by scanning for records.

AXFR

AXFR is the DNS zone transfer method. If a name server answers AXFR requests from anyone, the whole zone, including every subdomain record, can be dumped in one query. It should be disabled for unauthorized clients.

AXFR is not available when the zone is hosted on the Cloudflare free plan, and it is disabled by default at most major DNS providers.

Try for yourself, pointing dig at each of your authoritative name servers (listed by dig NS yourdomain.tld; ns1.yourdomain.tld below is a placeholder):

dig AXFR yourdomain.tld @ns1.yourdomain.tld
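To make the difference between a refused and an open transfer concrete, here is an added example (not code from the original post) that classifies the text output of the dig command above. The two sample outputs are constructed for illustration, not captured from a real server; a second SOA record at the end of the answer is what marks a completed transfer.

```python
"""Classify the outcome of `dig AXFR <zone> @<ns>` from its printed output.

Added example for this post; the dig outputs below are constructed samples.
"""
import re

# Constructed sample: a server that allows zone transfer to anyone.
# The zone is bracketed by two SOA records, and every owner name leaks.
OPEN_TRANSFER = """\
; <<>> DiG 9.18.1 <<>> AXFR example.test @ns1.example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024021501 7200 900 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
www.example.test.\t300\tIN\tA\t192.0.2.10
secret-admin.example.test.\t300\tIN\tA\t192.0.2.11
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024021501 7200 900 1209600 3600
;; Query time: 12 msec
"""

# Constructed sample: a server that refuses the transfer (the usual, desired case).
REFUSED_TRANSFER = """\
; <<>> DiG 9.18.1 <<>> AXFR example.test @ns1.example.test
;; global options: +cmd
; Transfer failed.
"""

# One resource record line as dig prints it: owner, TTL, class, type, rdata.
RR_LINE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$")


def parse_axfr(output: str) -> dict:
    """Return whether the transfer completed and which owner names it revealed."""
    names = set()
    soa_count = 0
    for line in output.splitlines():
        if line.startswith(";"):          # dig comments and status lines
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        if m["type"] == "SOA":
            soa_count += 1
        names.add(m["name"].rstrip(".").lower())
    # A complete AXFR answer starts and ends with the zone's SOA record.
    return {"open": soa_count >= 2, "names": sorted(names)}


def exposed_subdomains(output: str, zone: str) -> list:
    """Owner names below the apex that a successful transfer handed out."""
    zone = zone.rstrip(".").lower()
    result = parse_axfr(output)
    if not result["open"]:
        return []
    return [n for n in result["names"] if n != zone and n.endswith("." + zone)]


if __name__ == "__main__":
    print(parse_axfr(OPEN_TRANSFER))
    print(exposed_subdomains(OPEN_TRANSFER, "example.test"))
    print(parse_axfr(REFUSED_TRANSFER))
```

Run it against real dig output by piping `dig AXFR yourdomain.tld @ns` into `parse_axfr`; any name server that reports `open` is one you should fix, since every record in the zone is visible to whoever asks.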

DNSSEC

Enabling DNSSEC could put you at risk of exposing secret subdomains to zone walking: the NSEC records that prove a name does not exist also name the existing records on either side of it.

Cloudflare and some other DNS providers have mitigated this kind of exploit by answering NSEC queries with "black lies", a synthesised NSEC record that covers only the queried name and therefore reveals no neighbouring names.

See another demonstration.

Try for yourself, with some existing subdomains and some non-existing ones, and look at the NSEC record in the authority section:

dig A sub.yourdomain.tld +dnssec
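The following added example (not from the original post) shows how to tell, from a single NSEC record in a dig response, whether your provider leaks neighbouring names or answers with a black lie. The two NSEC lines are constructed samples; in a black-lie answer the owner name is the queried name itself and the "next" name is the queried name with a `\000` label prepended, so nothing outside the query is disclosed.

```python
"""Decide whether an NSEC record in a negative DNSSEC answer leaks other names.

Added example for this post; the record lines below are constructed samples.
"""
import re

# Constructed sample: a conventional NSEC chain answering a query for
# "nonexistent.example.test". It proves the name is absent by naming the
# real records on both sides of it, so "mail" and "www" are revealed.
CLASSIC_NSEC = "mail.example.test.\t3600\tIN\tNSEC\twww.example.test. A RRSIG NSEC"

# Constructed sample: a black-lie answer for the same query. The owner is the
# queried name and the next name is "\000." + queried name, so no real
# neighbour is named. (dig prints the leading label as a literal "\000".)
BLACK_LIE_NSEC = r"nonexistent.example.test. 3600 IN NSEC \000.nonexistent.example.test. RRSIG NSEC"

NSEC_LINE = re.compile(r"^(?P<owner>\S+)\s+\d+\s+IN\s+NSEC\s+(?P<next>\S+)\s+(?P<types>.*)$")


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def classify_nsec(qname: str, rr_line: str) -> dict:
    """Classify one NSEC record returned for a query on qname.

    Returns whether the record is a black lie and which names (other than
    the queried one) a zone walker would learn from it.
    """
    m = NSEC_LINE.match(rr_line)
    if not m:
        raise ValueError("not an NSEC record line: %r" % rr_line)
    owner, nxt, q = _norm(m["owner"]), _norm(m["next"]), _norm(qname)
    black_lie = owner == q and nxt == "\\000." + q
    leaked = [] if black_lie else sorted({n for n in (owner, nxt) if n != q})
    return {"black_lie": black_lie, "leaked_names": leaked}


def zone_is_walkable(qname: str, rr_line: str) -> bool:
    """True if the NSEC answer hands out at least one real name the querier did not ask for."""
    return bool(classify_nsec(qname, rr_line)["leaked_names"])


if __name__ == "__main__":
    q = "nonexistent.example.test"
    print(classify_nsec(q, CLASSIC_NSEC))
    print(classify_nsec(q, BLACK_LIE_NSEC))
```

A practical check is to query a few random non-existent names under your domain with `+dnssec` and run the NSEC line from each answer through `classify_nsec`; if any answer leaks names, the whole zone can be enumerated by following the chain, and you should either switch to a provider that uses black lies (or NSEC3 with opt-out) or avoid DNSSEC for zones that hold secret names.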

SSL/TLS Certs

When you request a TLS certificate for your domain from a CA, the issuance is logged to Certificate Transparency, and the log entry includes the certificate's Subject Alternative Names (SAN) and the NS.

This matters to anyone who is conscious about privacy.

If you add your subdomains to the SAN list, they will appear in the Certificate Transparency logs and become public forever.

  • If you set Cloudflare as the authoritative name server, this can be even more upsetting. Be aware that Cloudflare uses a unique pair of words in the NS names to distinguish one user's domains from those of other Cloudflare users. Since the NS is logged at TLS certificate issuance, it is also possible for others to identify different domains under the same Cloudflare account and associate them with each other.

When you deploy services to a subdomain and want to keep its name hidden while still exposing HTTPS access, it is better to use a wildcard certificate. But then protect that certificate carefully: a wildcard covers all of your subdomains, so if an attacker obtains its private key, the same certificate also covers whatever malicious subdomains they choose to impersonate.
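An added example (not code from the original post) that plans the SAN list for a set of hostnames so that no individual subdomain name is written into a publicly logged certificate. It goes slightly beyond the text in one respect worth knowing: a wildcard covers exactly one label, so `*.example.test` does not match `db.internal.example.test`, and covering a deeper host with `*.internal.example.test` still discloses the `internal` label. The hostnames and apex are constructed samples.

```python
"""Plan wildcard SAN entries that hide subdomain names from CT logs.

Added example for this post; hostnames below are constructed samples.
"""


def wildcard_for(host: str, apex: str) -> str:
    """Wildcard entry that covers host, e.g. 'a.b.apex' -> '*.b.apex'.

    The apex itself cannot be hidden behind a wildcard, so it is rejected.
    """
    host, apex = host.rstrip(".").lower(), apex.rstrip(".").lower()
    if host == apex or not host.endswith("." + apex):
        raise ValueError("%s is not a subdomain of %s" % (host, apex))
    return "*." + host.split(".", 1)[1]


def matches(san_entry: str, host: str) -> bool:
    """Wildcard matching as browsers apply it: '*' covers one leftmost label only."""
    san_entry, host = san_entry.lower(), host.rstrip(".").lower()
    if san_entry.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san_entry[2:]
    return san_entry == host


def plan_sans(hosts: list, apex: str) -> dict:
    """Minimal wildcard SAN list for hosts, plus the parent names it still discloses."""
    sans = sorted({wildcard_for(h, apex) for h in hosts})
    apex = apex.rstrip(".").lower()
    # Every wildcard below the apex publishes its parent label in the CT log.
    disclosed = sorted({s[2:] for s in sans if s[2:] != apex})
    uncovered = [h for h in hosts if not any(matches(s, h) for s in sans)]
    return {"sans": sans, "disclosed_parents": disclosed, "uncovered": uncovered}


if __name__ == "__main__":
    # Constructed sample hostnames we intend to serve over HTTPS.
    wanted = ["www.example.test", "secret-admin.example.test", "db.internal.example.test"]
    print(plan_sans(wanted, "example.test"))
```

Requesting the returned `sans` instead of the hostnames keeps `secret-admin` and `db` out of the logs; `disclosed_parents` lists what a log watcher can still learn, which here is only that an `internal` subtree exists.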