I was just reading yesterday about one way this can be done. If you are
using DNSSEC, the server, in order to sign a negative result, will use an
NSEC record type which will contain some similar record to the missing
record since it can't sign an empty record. See below where I dig for
MacBook.mylocal, which doesn't exist on my home domain, and it returns a
couple of NSEC records with appletv-livingroom.mylocal., jj-soundbar.mylocal.,
and macbookpro-20.mylocal. The solution to this is NSEC3, where the host
names are hashed
(https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#nsec3). Not
sure if that answers how others are doing it, but it was something I read
about yesterday that has been exploited in the past to learn details about
a zone.

$ dig macbook.mylocal IN A @192.168.40.42 +dnssec

; <<>> DiG 9.16.33-Debian <<>> macbook.mylocal IN A @192.168.40.42 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 498ba75e90a524ad0100000063a44d72b4b9adb0b61ef5de (good)
;; QUESTION SECTION:
;macbook.mylocal.                IN      A

;; AUTHORITY SECTION:
mylocal.                7200    IN      SOA     ns1.mylocal. hostmaster.mylocal. 64133 43200 900 1814400 7200
mylocal.                7200    IN      RRSIG   SOA 13 1 86399 20230105095806 20221222085806 2295 mylocal. 0AaPYQf2zVZuTshZ/yaVoQfgtQdwp2WigXypDEXp/NVdz6jH8pQKDB8j 3NDB7Xw1lr/o2OeJeK9NjuVIr3dZiA==
mylocal.                7200    IN      RRSIG   NSEC 13 1 7200 20221228002743 20221213235040 2295 mylocal. SLA3LiYg8s80GlEFIgK0thf83k7z927lJJvGGUTF6mBzbrpC2kkDFfvw hx3cwjHU+zMlKoy1MdyDUJajBfn7hg==
mylocal.                7200    IN      NSEC    appletv-livingroom.mylocal. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534
jj-soundbar.mylocal.    7200    IN      RRSIG   NSEC 13 2 7200 20221228203849 20221221200203 2295 mylocal. bczZ0RfYzVaoLoJC6qV8RJHaXJhyxVtkExQ/S1NB0iPQeb26jZghZfMK umFNNcsMlGo4o5eiryxJGeC+yMfReA==
jj-soundbar.mylocal.    7200    IN      NSEC    macbookpro-20.mylocal. A RRSIG NSEC DHCID

;; Query time: 0 msec
;; SERVER: 192.168.40.42#53(192.168.40.42)
;; WHEN: Thu Dec 22 07:28:34 EST 2022
;; MSG SIZE  rcvd: 576


> On Dec 22, 2022, at 12:19 AM, Michael De Roover <isc@nixmagic.com> wrote:
>
> Hello,
>
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I have
> been seeing something that's been baffling me for quite a while now.
> Somehow there are services like c99.nl [1] and Criminal IP [2], which
> can enumerate various subdomains on a given target domain. I am
> confused as to how they can enumerate this information.
>
> As far as I know, an NS record returns the name servers authoritative
> for a domain. Alright, now you've got authoritative information when
> querying these domains. No useful information about the zone data they
> are responsible for though.
>
> Then there is an A record, which returns an IPv4 address of a server
> responsible for a domain. Alright, now you can talk to a server. Maybe
> that would be a webserver, and now you may perform an HTTP exchange to
> that server (GET /whatever, with a given Host header). You still have
> to guess what the Host: header would have to be.
>
> Maybe it would be an MX record. Brilliant, now you could talk to a mail
> server. Its EHLO message (sometimes called a "banner" in security
> circles) would contain a domain, alright. It would also only be one of
> them -- AFAICT only one domain that the organization wants to actually
> primarily send from.
>
> Another interesting record would be the CNAME record. As far as I know,
> this is used to redirect to another domain from within the DNS, with
> its own bespoke entries (bringing us back to A records). Getting from a
> CNAME to an A record seems easy enough, but what about getting these
> CNAME records in the first place?
>
> This is what I am thinking of so far, but it may well be that I've been
> talking crap in all of the above and know nothing about the DNS. That's
> fine, and in that case please correct me where necessary. Either way,
> I'm very confused on how these services can actually enumerate these
> subdomains, and find most -- if not all -- reliably. This seems a bit
> concerning to me with regards to unwanted information disclosure, hence
> my curiosity. If it is at all possible to mitigate, I would of course
> also appreciate discourse on this matter. Thank you!
>
> [1] https://subdomainfinder.c99.nl
> [2] https://criminalip.io/domain
>
> Best regards,
> Michael
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
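The reply above shows the mechanism from the defender's side (one NXDOMAIN leaks two neighbouring host names). The following is an added example, not code from either poster, that shows the enumeration side: an NSEC "zone walk" simulated offline with the Python standard library. The Zone class stands in for the signed authoritative server and answers each query with the NSEC that proves existence or non-existence, using RFC 4034 canonical name order (which is why "macbook" lands between "jj-soundbar" and "macbookpro-20" in the dig output). walk_zone() then recovers every owner name in the zone with one query per name by chasing the "next" pointers from the apex until the chain wraps around. Two of the four chain records (the apex and jj-soundbar ones) are taken from the dig output above; the appletv-livingroom and macbookpro-20 records are assumed so that the chain closes, and the names, TTLs and type bitmaps in them are constructed, not observed. Against a real server the same walk is `dig <name> NSEC +dnssec` per step. Note that NSEC3 does not remove this chain, it only replaces owner names with salted SHA-1 hashes, so a walker collects hashes and has to guess the names offline; it raises the cost rather than eliminating the disclosure.

```python
"""NSEC zone walk, simulated offline with the Python standard library only.

Zone plays the signed authoritative server: for a query name it returns the
NSEC record that proves either existence (the name's own NSEC) or
non-existence (the NSEC whose owner sorts before the name and whose next
name sorts after it).  walk_zone() plays the enumerator and chases "next"
pointers from the apex until the chain wraps back around.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    owner: str        # owner name, absolute (trailing dot)
    next_name: str    # the "next" field of the NSEC RDATA
    types: tuple      # type bitmap as mnemonics, e.g. ("A", "RRSIG", "NSEC")


def parse_nsec(line: str) -> Nsec:
    """Parse one NSEC record in presentation format, as dig prints it:
    '<owner> <ttl> IN NSEC <next> <type> [<type> ...]'."""
    fields = line.split()
    if len(fields) < 5 or fields[2] != "IN" or fields[3] != "NSEC":
        raise ValueError(f"not an NSEC record: {line!r}")
    return Nsec(owner=fields[0], next_name=fields[4], types=tuple(fields[5:]))


def canonical_key(name: str) -> tuple:
    """Sort key giving RFC 4034 section 6.1 canonical order: labels compared
    right to left, case-insensitively, and a name sorts before every name
    beneath it (shorter tuple first)."""
    trimmed = name.rstrip(".").lower()
    labels = trimmed.split(".") if trimmed else []
    return tuple(label.encode() for label in reversed(labels))


class Zone:
    """A signed zone reduced to its NSEC chain."""

    def __init__(self, apex: str, records: list):
        self.apex = apex.lower()
        self.by_owner = {r.owner.lower(): r for r in records}

    def covering_nsec(self, qname: str) -> Nsec:
        """The NSEC a server must return for qname: its own record if the
        name exists, otherwise the record whose (owner, next) interval covers
        it; the last record (next == apex) covers everything after its owner."""
        key = canonical_key(qname)
        if qname.lower() in self.by_owner:
            return self.by_owner[qname.lower()]
        for rec in self.by_owner.values():
            lo, hi = canonical_key(rec.owner), canonical_key(rec.next_name)
            wraps = rec.next_name.lower() == self.apex
            if lo < key and (key < hi or wraps):
                return rec
        raise LookupError(f"no NSEC covers {qname}; chain is incomplete")


def walk_zone(zone: Zone):
    """Enumerate every owner name in the zone.  Each answer leaks the next
    name, so one query per name suffices.  Returns (names, query_count) and
    stops when the chain returns to the apex; a chain that loops elsewhere
    is reported rather than walked forever."""
    names, seen, queries = [], set(), 0
    qname = zone.apex
    while True:
        rec = zone.covering_nsec(qname)
        queries += 1
        if rec.owner.lower() in seen:
            raise RuntimeError("NSEC chain loops without reaching the apex")
        seen.add(rec.owner.lower())
        names.append(rec.owner)
        qname = rec.next_name
        if qname.lower() == zone.apex:
            return names, queries


# Constructed sample chain.  Records 1 and 3 are the two NSECs shown in the
# dig output above; records 2 and 4 are assumed so that the chain closes and
# are not from the original message.
SAMPLE_NSEC_LINES = [
    "mylocal. 7200 IN NSEC appletv-livingroom.mylocal. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY TYPE65534",
    "appletv-livingroom.mylocal. 7200 IN NSEC jj-soundbar.mylocal. A RRSIG NSEC DHCID",
    "jj-soundbar.mylocal. 7200 IN NSEC macbookpro-20.mylocal. A RRSIG NSEC DHCID",
    "macbookpro-20.mylocal. 7200 IN NSEC mylocal. A RRSIG NSEC DHCID",
]


def build_sample_zone() -> Zone:
    return Zone("mylocal.", [parse_nsec(line) for line in SAMPLE_NSEC_LINES])


if __name__ == "__main__":
    zone = build_sample_zone()
    proof = zone.covering_nsec("macbook.mylocal.")  # the NXDOMAIN from the dig above
    print(f"macbook.mylocal. does not exist: {proof.owner} -> {proof.next_name}")
    names, queries = walk_zone(zone)
    print(f"{len(names)} names recovered in {queries} queries: {names}")
```

The non-existence proof the simulation returns for macbook.mylocal. is the same jj-soundbar -> macbookpro-20 record the dig output shows, and the walk recovers all four names in four queries; in a zone of N names the cost is N queries and no guessing at all, which is the difference between this and a wordlist-based subdomain finder.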