
While experimenting with the gobuster tool and trying to find the subdomain matches of a domain (let's call it testdomain.com), I got some strange results, which I explain below.

The command I used was $ gobuster dns -d testdomain.com -w mywordlist.txt -o subdomain_results.txt, which gave me a list of subdomains (like example1.testdomain.com, example2.testdomain.com, etc.).

The strange thing I noticed is that after trying to ping the list of subdomains (in order to get their IP addresses fairly easily and quickly), there were many subdomains that seemed to resolve to bogus IPs which belonged to the 10.0.0.0/8 network. Also note that there was 100% packet loss for those subdomains.

When I tried to resolve those subdomains with a DNS lookup utility (i.e. dig), without specifying a nameserver for the queries (@server), I got the same resolved address again. Also, searching for those subdomains on the internet gave me nothing, probably because they don't actually exist, I suppose.

My ping output looked like the following:

ping example.testdomain.com
PING example.testdomain.com (10.8.60.103) 56(84) bytes of data.
^C
--- example.testdomain.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4103ms

Also the answer section from dig output is the following:

;; ANSWER SECTION:
example.testdomain.com. 600 IN  A   10.8.60.103

;; Query time: 80 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 23 14:11:56 UTC 2021
;; MSG SIZE  rcvd: 62

Why am I getting those IPs in the resolution of subdomains (that do not exist)? I suspect it all has to do with this, which also has some very good references, but what I cannot understand is how and why the DNS resolution is happening for those IPs.

What is a possible scenario that explains this observed behaviour?

orespan

1 Answer


Why am I getting those IPs in the resolution of subdomains (that do not exist)

These IP addresses do exist. They are addresses in the private address space, which can be used in local networks.

Sometimes the reason for this is a simplified DNS setup where both internal and external hosts in a domain are managed together and thus these internal hostnames with associated internal IP addresses "spill over" to the public internet. Another reason is described in What is the advantage of having a domain name (spotilocal) that resolves to 127.0.0.1?.

Steffen Ullrich
    Some locally-hosted services like Plex also use public DNS records on subdomains to point back to RFC1918 addresses, to reduce complications when dealing with CORS. – Polynomial Sep 23 '21 at 20:55
  • Thanks for the answer. Of course those addresses do exist, but in private space, as you said. I meant that the domains probably don't exist. So based on your answer, does that mean that there is indeed a DNS server with a record of example.testdomain.com <--> 10.8.60.103? Isn't that considered an information "leak" of private records to the public internet? Would it be possible that those records are rogue entries in the DNS server? Thanks also for the RFC comment, so it is a little more complex than I imagined at first. – orespan Sep 25 '21 at 10:26
  • @orespan: There is an authoritative DNS server for this domain, serving such records. Just do a DNS lookup for the NS records for this domain and you can then query this authoritative DNS server yourself. And yes, unless specifically intended to be publicly visible (see the linked answer) it is an information leak. This does not mean that is always a serious leak which provides sensitive internal information, but it might be. For example if the name is for `confluence.example.com` it is very likely a confluence instance and an attacker might try to use this knowledge in some CSRF attack. – Steffen Ullrich Sep 25 '21 at 15:36
  • Did a query in the (primary) authoritative DNS of that domain and indeed that subdomain resolves to that internal IP. So I guess it is indeed information leak (although the severity might depend on other things as you mentioned with the confluence page). Thank you very much for all the answers. – orespan Sep 29 '21 at 11:27
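As an added example (not part of the question or the answer above), the following script does the triage the answer and its comments describe: it parses dig-style answer lines for the enumerated names and flags every record whose public DNS answer points at an RFC 1918, loopback, link-local, CGNAT or IPv6 ULA address. The sample answer lines are constructed; the hostnames under testdomain.com are placeholders, and the "public" addresses in the sample are RFC 5737/3849 documentation addresses standing in for real ones. Explicit network membership is used instead of ipaddress's is_private, because is_private also returns True for documentation and other special-purpose ranges, which would mislabel them as leaked internal hosts.

```python
"""Triage subdomain-enumeration hits that resolve to internal addresses.

Added example, not code from the original post. Input is the text that
`dig +noall +answer` prints for each enumerated name (constructed sample).
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample answers; testdomain.com names are placeholders and the
# non-internal addresses are documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_ANSWERS = """\
example.testdomain.com.      600 IN A     10.8.60.103
www.testdomain.com.          300 IN A     203.0.113.10
confluence.testdomain.com.   600 IN A     192.168.40.12
spoti.testdomain.com.        600 IN A     127.0.0.1
cdn.testdomain.com.          300 IN CNAME edge.example-cdn.net.
edge.example-cdn.net.        60  IN A     198.51.100.7
mail.testdomain.com.         600 IN AAAA  fd00:1234::25
"""

# Ranges that should never be reachable from the public internet, by label.
INTERNAL_RANGES = [
    ("rfc1918", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),
    ("ula", ipaddress.ip_network("fc00::/7")),
]

# One dig answer line: <name>. <ttl> IN <A|AAAA> <address>
ANSWER_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_answers(text: str) -> List[Tuple[str, Address]]:
    """Return (name, address) pairs for A/AAAA records; other types are skipped."""
    out = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            out.append((m.group(1), ipaddress.ip_address(m.group(3))))
    return out


def classify(addr: Address) -> str:
    """Label an address by the internal range it falls in, or 'other'."""
    for label, net in INTERNAL_RANGES:
        # `in` is False across address families, so no version check needed.
        if addr in net:
            return label
    return "other"


def triage(text: str) -> Dict[str, Tuple[str, str]]:
    """Map hostname -> (address, label) for every A/AAAA answer in the text."""
    return {name: (str(addr), classify(addr)) for name, addr in parse_answers(text)}


def leaked_internal_names(text: str) -> List[str]:
    """Names whose public record points at an internal-only address."""
    return sorted(name for name, (_, label) in triage(text).items() if label != "other")


if __name__ == "__main__":
    for name, (addr, label) in triage(SAMPLE_ANSWERS).items():
        print(f"{name:30} {addr:20} {label}")
    print("internal records exposed in public DNS:", leaked_internal_names(SAMPLE_ANSWERS))
```

To confirm a flagged record really is served by the zone owner rather than by something between you and the resolver, do what the comment above suggests: run dig NS testdomain.com to get the authoritative servers, then dig @<one of those servers> example.testdomain.com A and compare the answer with the resolver's.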