I would like to create some LOC DNS records, and I wanted to know if these records can be queried without knowing the subdomain to which they are attached.

For example, it would be fun to have a GeoCache hunt where a clue lists a DNS subdomain with the next coordinate in a LOC record (or something like that). But the game would be easily defeated if someone could simply dig domain.com any and get the LOC records for subdomains.

I know that dig domain.com any does not actually show LOC records for subdomains (geocache1.domain.com, hiddencache.domain.com, etc), but I would like to know if there are other ways that they could be determined (aside from hacking into my CloudFlare account and viewing all records).

Are these records just as hidden as random subdomains?

1 Answer

It may be possible to enumerate all names in a zone if it uses DNSSEC. The reason is that DNSSEC needs signed records showing that a subdomain does not exist. Those records specify a range of domain names that do not exist.

If you are using DNSSEC, anybody could look up a random non-existing name and from the answer get to know the two closest existing names. By repeating this, one could quickly identify all existing subdomains.

This can be mitigated through hashing. But it would still be possible to use pretty much the same approach to collect all the hashes and brute-force them offline.

There are cryptographic tools that could prevent such offline brute force, but they have not been standardized for DNSSEC.

DNSSEC was designed to provide integrity, not confidentiality.

If you are not using DNSSEC, it may still be possible to get a complete list of names in the zone if the server has been configured to allow anybody to request a zone transfer.

Finally, the data is sent in the clear and cached on other DNS servers, so once one person has queried a domain, others may be in a position to sniff those queries off the network or off caching servers.

kasperd
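The two enumeration paths in the answer above (NSEC zone walking, and collecting NSEC3 hashes for an offline dictionary attack) are easy to reproduce locally. The following is an added example, not code from the question, the answer or any DNS software: it builds a constructed toy zone (the names in EXISTING_NAMES are assumptions, not the asker's real records), simulates the NXDOMAIN answers an authoritative server would give, walks the NSEC chain using only those answers, and then shows that NSEC3 hashing only moves the work offline, since the salt and iteration count are published in every NSEC3 record. Real zone-walking tools use the same approach against live name servers.

```python
import hashlib

# Constructed toy zone (assumption; the real zone's contents are unknown).
ZONE = "domain.com"
EXISTING_NAMES = [
    "domain.com",
    "www.domain.com",
    "geocache1.domain.com",
    "hiddencache.domain.com",
    "mail.domain.com",
]


def canonical_key(name):
    """DNSSEC canonical ordering (RFC 4034 s6.1): labels compared right to
    left, case-insensitively. The NSEC chain is the zone sorted by this key."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def nsec_response(query, chain):
    """Simulate an authoritative NXDOMAIN answer: the (owner, next) pair of
    the NSEC record covering `query`, or None if the name exists (NOERROR).
    `chain` must be the zone's names in canonical order."""
    key = canonical_key(query)
    if any(canonical_key(n) == key for n in chain):
        return None
    owner = chain[-1]  # default: the wrap-around record (last name -> apex)
    for name in chain:
        if canonical_key(name) < key:
            owner = name
        else:
            break
    nxt = chain[(chain.index(owner) + 1) % len(chain)]
    return owner, nxt


def walk_nsec_zone(zone, respond):
    """Enumerate every name in `zone` from NXDOMAIN answers alone. Probing
    '\\x00.<name>' (the smallest possible child of <name> in canonical order)
    makes the covering NSEC's 'next' field the very next name in the zone."""
    found = [zone]
    current = zone
    while True:
        resp = respond("\x00." + current)
        if resp is None:
            raise RuntimeError("probe name unexpectedly exists")
        _, nxt = resp
        if canonical_key(nxt) <= canonical_key(zone) or nxt in found:
            return found  # chain wrapped back to the apex: walk complete
        found.append(nxt)
        current = nxt


def wire_format(name):
    """Uncompressed, lowercased wire-format owner name (what NSEC3 hashes)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def base32hex(data):
    """Base32 with the extended-hex alphabet (RFC 4648 s7), no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt=b"", iterations=0):
    """NSEC3 hashed owner name (RFC 5155 s5): SHA-1(name || salt), then
    re-hashed with the salt `iterations` more times, base32hex encoded."""
    digest = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def crack_nsec3_hashes(hashes, zone, wordlist, salt, iterations):
    """Offline dictionary attack on collected NSEC3 owner hashes. Salt and
    iteration count come from the NSEC3 records themselves, so every guess
    is checked without sending a single further query."""
    recovered = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in hashes:
            recovered[h] = candidate
    return recovered


if __name__ == "__main__":
    chain = sorted(EXISTING_NAMES, key=canonical_key)
    print("NSEC walk found:", walk_nsec_zone(ZONE, lambda q: nsec_response(q, chain)))
    salt, iterations = bytes.fromhex("aabbccdd"), 10  # assumed NSEC3 parameters
    hashed = {nsec3_hash(n, salt, iterations) for n in EXISTING_NAMES}
    guesses = ["www", "mail", "ftp", "blog", "geocache1", "hiddencache"]  # constructed wordlist
    print("NSEC3 cracked:", crack_nsec3_hashes(hashed, ZONE, guesses, salt, iterations))
```

The walk recovers all five names from the toy zone, and the dictionary attack recovers every subdomain whose label appears in the wordlist, which is exactly why guessable labels such as geocache1 offer no protection once the zone is NSEC3-signed. For the third path the answer mentions, the check is a plain zone-transfer request against each authoritative server, e.g. dig axfr domain.com @ns1.domain.com; a correctly configured server refuses it.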