I need help debugging/troubleshooting a DNS/DKIM issue over on ServerFault, but it looks like I need to paste the results of running:

dig my-dns-record.example.com CNAME

...where my-dns-record.example.com is a placeholder for my actual domain (obviously!).

I was told that the output of dig produces only stuff that is already public knowledge + available, but before I do so I wanted to check here with the Security community and make sure I won't be giving anyone the keys to my kingdom!

So I ask: Is it safe for me to post the output of my dig commands?

smeeb
  • Are you querying the public DNS or your internal DNS? – schroeder Feb 16 '18 at 15:15
  • Take a look at the command you posted. Is there anything there that requires authentication or authorisation? Could I, wherever I am in the world, run the same command and get the same data? – schroeder Feb 16 '18 at 15:16
  • Thanks @schroeder (+1 for both): Yes this is a public DNS, and nothing on the command requires auth. Yes I'd expect the same command to yield the same result from anywhere! – smeeb Feb 16 '18 at 15:18
  • Then, by definition, it is public and already 'disclosed'. If you are giving away the keys to the kingdom, then you already have. We cannot tell you if it is "safe", only that if it is not safe, it is already out there. – schroeder Feb 16 '18 at 15:18
  • You can learn more about execution requests like these by looking at the man pages. You can invoke the man(ual) page for dig by typing "man dig". This works for nearly everything and you can use your favorite search engine to verify that this is indeed the function of "man" (or read the man page for dig online while you're at it). – BlueWizard Feb 16 '18 at 20:44

1 Answer

If you are running dig on public DNS, then the output is the same for everyone, and public.

But that does not mean that it is "safe". It is possible that you disclose an unsafe amount of info in the public DNS record. But, since it is public, it is already disclosed, and you are not adding more risk by posting it.

schroeder
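
An added example, not part of the original question or answer: a pre-posting check built on the comment asking whether the query went to public or internal DNS. It flags dig output whose ;; SERVER line or A/AAAA answers carry non-public addresses, which is the case where the output is not simply what anyone else would see. The function names and both sample outputs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: answered by a public resolver, CNAME only.
PUBLIC = """\
;; ANSWER SECTION:
my-dns-record.example.com. 300 IN CNAME target.example.net.

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

# Constructed sample: answered by an internal resolver with an internal A record.
INTERNAL = """\
;; ANSWER SECTION:
my-dns-record.example.com. 300 IN CNAME app.corp.example.com.
app.corp.example.com. 300 IN A 10.0.0.5

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

def non_public(addr):
    """True if addr is a valid IP address that is not globally routable."""
    try:
        return not ipaddress.ip_address(addr).is_global
    except ValueError:
        return False

def review_dig_output(text):
    """Return findings to resolve before pasting dig output in public."""
    findings = []
    # dig reports the resolver it queried as ';; SERVER: <ip>#<port>(<ip>)'.
    m = re.search(r"^;; SERVER:\s+([^#\s]+)#", text, re.M)
    if m and non_public(m.group(1)):
        findings.append(f"answered by non-public resolver {m.group(1)}")
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig's comment/header lines
        fields = line.split()  # name, ttl, class, type, rdata...
        if len(fields) >= 5 and fields[3] in ("A", "AAAA") and non_public(fields[4]):
            findings.append(f"{fields[0]} {fields[3]} record holds non-public address {fields[4]}")
    return findings

if __name__ == "__main__":
    for name, sample in (("PUBLIC", PUBLIC), ("INTERNAL", INTERNAL)):
        print(name, review_dig_output(sample) or "nothing beyond public data")
```

An empty result means the output matches the situation the answer describes: data any resolver on the Internet would return.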