Stories with Tag Domain Name System

• Ask HN: How did the internet discover my subdomain?

  permalink

  Posted: 2025-03-06 22:34:54

  Verbose tl;dr

  A user is puzzled by how their subdomain, used for internal documentation and not linked anywhere publicly, was discovered and accessed by an external user. They're concerned about potential security vulnerabilities and are seeking explanations for how this could have happened, considering they haven't shared the subdomain's address. The user is ruling out DNS brute-forcing due to the subdomain's unique and unguessable name. They're particularly perplexed because the subdomain isn't indexed by search engines and hasn't been exposed through any known channels.

  The author of the Hacker News post expresses bewilderment over how their subdomain, specifically something.theirdomain.com, was discovered and subsequently accessed by external users. They articulate that this subdomain hosts an internal application, intentionally not linked from anywhere publicly accessible on their main domain, theirdomain.com. Furthermore, they emphasize that the subdomain is not indexed by any search engines, nor have they shared its address in any public forum or communication. This leads them to question the possible mechanisms by which external parties could have learned of its existence and successfully navigated to it. The author is particularly curious to understand if there are common vulnerabilities or overlooked aspects of web server configurations that might inadvertently expose subdomains meant to remain private. They are seeking insights from the Hacker News community regarding potential explanations for this unexpected discovery, hoping to understand how it occurred and implement measures to prevent similar occurrences in the future. The author implicitly indicates a desire to maintain the privacy of this internal application while acknowledging its current, unintended visibility.

  • Internet
  • subdomain
  • discovery
  • dns
  • Domain Name System
  • networking
  • Security
  • privacy
  • Hacker News
  • Ask HN
  • Web Development
  • website administration

  Summary of Comments ( 188 )
  https://news.ycombinator.com/item?id=43285725

  Verbose tl;dr

  The Hacker News comments discuss various ways a subdomain might be discovered, focusing on the likelihood of accidental discovery rather than malicious intent. Several commenters suggest DNS brute-forcing, where automated tools guess subdomains, is a common occurrence. Others highlight the possibility of the subdomain being included in publicly accessible configurations or code repositories like GitHub, or being discovered through certificate transparency logs. Some commenters suggest checking the server logs for clues, and emphasize that finding a subdomain doesn't necessarily imply anything nefarious is happening. The general consensus leans toward the discovery being unintentional and automated.

  The Hacker News post "Ask HN: How did the internet discover my subdomain?" generated several comments offering various explanations and suggestions to the original poster (OP).

  Several commenters focused on the likelihood of DNS propagation. They explained that even though the OP believed they hadn't publicly exposed their subdomain, the very act of configuring it within their DNS settings likely triggered its propagation across DNS servers. This means the subdomain became visible to parts of the internet, potentially through DNS queries made by various entities, including search engine crawlers, security scanners, or even malicious bots actively scanning for new domains.

  Another popular theory revolved around misconfigured services or exposed APIs. Commenters suggested the possibility of a service running on the subdomain being inadvertently accessible from the public internet, perhaps due to a firewall misconfiguration or overly permissive access rules. They also suggested checking for publicly accessible APIs that might have revealed the subdomain's existence.

  Some comments touched upon the possibility of certificate transparency logs. These logs publicly record SSL/TLS certificates issued for websites, and if the OP had obtained a certificate for their subdomain, it would be logged and thus discoverable.

  A few commenters mentioned the potential role of link rot analysis tools and web crawlers. These tools constantly scan the web for broken links, and if a link to the OP's subdomain existed somewhere, even if obscure or unintended, it could have been discovered this way. Likewise, generic web crawlers might have stumbled upon the subdomain through various means and indexed it.

  Several users offered practical advice to the OP, recommending using tools like dig to trace DNS records and identify potential points of exposure. Others advised checking server logs for any unusual activity that might indicate how the subdomain was discovered.

  A more speculative, but still plausible suggestion, involved the possibility of the subdomain being guessed or brute-forced. While less likely for a complex or randomly generated subdomain name, it is not impossible, particularly if the name is based on common patterns or easily guessable words.

  Finally, some comments highlighted the inherent difficulty of fully controlling information propagation on the internet. Once something is even briefly exposed, it can be difficult to completely erase its trace. They emphasized the importance of proactive security measures and careful configuration to minimize unintended exposure.

• Evolution of Whois Protocol to RDAP (2019)

  permalink

  Posted: 2025-02-10 10:04:46

  Verbose tl;dr

  ICANN's blog post details the transition from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP). RDAP offers several advantages over WHOIS, including standardized data formats, internationalized data, extensibility, and improved data access control through different access levels. This transition is necessary for WHOIS to comply with data privacy regulations like GDPR. ICANN encourages everyone using WHOIS to transition to RDAP and provides resources to aid in this process. The blog post highlights the key differences between the two protocols and reassures users that RDAP offers a more robust and secure method for accessing registration data.

  The Internet Corporation for Assigned Names and Numbers (ICANN) blog post, "Evolution of WHOIS Protocol to RDAP - What You Need to Know," published on October 23, 2019, details the transition from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP) for accessing registration data related to domain names, IP addresses, and Autonomous System Numbers (ASNs). The post emphasizes that this shift represents a significant modernization effort, offering numerous advantages over the aging WHOIS system.

  WHOIS, having served the internet community for many years, suffers from limitations in terms of data format standardization, internationalization support, and extensibility. This has led to inconsistencies in data presentation and accessibility, hindering efficient and reliable data retrieval. RDAP, designed as a successor to address these shortcomings, provides a structured, standardized, and extensible mechanism for accessing registration data. It leverages a RESTful web service, utilizing well-defined data formats like JSON and XML, allowing for more predictable and machine-readable responses. This facilitates automated data processing and integration with other systems, promoting greater efficiency in various applications.

  A key advantage of RDAP is its inherent support for internationalization, accommodating different languages and scripts. This is a crucial improvement over WHOIS, which predominantly relied on ASCII text, often posing challenges for users and systems dealing with non-Latin characters. Furthermore, RDAP offers enhanced data access control mechanisms, enabling registrars and registries to implement specific access policies based on data types and user roles. This granular control enhances data privacy and security, addressing concerns associated with the open nature of WHOIS data.

  The blog post highlights the gradual transition from WHOIS to RDAP, with ICANN encouraging stakeholders to adopt RDAP and progressively phase out reliance on the legacy system. It underscores the benefits of RDAP's structured data format, enabling more efficient querying and analysis, and its support for different data types, allowing for comprehensive access to registration information. The post also emphasizes the improved security and privacy features offered by RDAP through access control mechanisms, allowing for more granular control over data dissemination.

  The post concludes by reiterating ICANN's commitment to facilitating the transition and providing resources to assist stakeholders in adopting RDAP. It encourages users to familiarize themselves with the protocol and its capabilities, recognizing it as the future of registration data access and a critical component of a more secure and efficient internet infrastructure. This transition represents a significant step forward in modernizing the management and access of critical internet resource registration information.

  • ICANN
  • Whois
  • RDAP
  • Domain Name System
  • dns
  • Internet Governance
  • Data Accuracy
  • privacy
  • Security
  • Protocol
  • Transition
  • Registration Data Access Protocol
  • Domain Name Registration
  • 2019

  Summary of Comments ( 3 )
  https://news.ycombinator.com/item?id=42998737

  Verbose tl;dr

  Several Hacker News commenters discuss the shift from WHOIS to RDAP. Some express frustration with the complexity and inconsistency of RDAP implementations, noting varying data formats and access methods across different registries. One commenter points out the lack of a simple, unified tool for RDAP lookups compared to WHOIS. Others highlight RDAP's benefits, such as improved data accuracy, internationalization support, and standardized access controls, suggesting the transition is ultimately positive but messy in practice. The thread also touches upon the privacy implications of both systems and the challenges of balancing data accessibility with protecting personal information. Some users mention specific RDAP clients they find useful, while others express skepticism about the overall value proposition of the new protocol given its added complexity.

  The Hacker News post titled "Evolution of Whois Protocol to RDAP (2019)" has several comments discussing the transition from the legacy Whois protocol to the newer Registration Data Access Protocol (RDAP). Many commenters express frustration and skepticism about the supposed improvements of RDAP.

  One recurring theme is the increased complexity of RDAP compared to Whois. Commenters point out that Whois, despite its flaws, was simple and easy to use, even scriptable. RDAP, with its structured data and reliance on specific query formats, is seen as more difficult to work with, particularly for casual users or those accustomed to the simplicity of Whois. This added complexity is viewed as a barrier to access, potentially hindering security research and transparency efforts.

  Some commenters highlight the issue of rate limiting and access restrictions implemented by various registries. They argue that these limitations, often justified under the guise of privacy or abuse prevention, make it harder to gather information necessary for legitimate purposes like security research or investigating spam. The perception is that RDAP makes it easier for registrars to control and restrict access to registration data.

  There's a sense of disappointment that RDAP hasn't delivered on its promise of improved privacy and security. While acknowledging that RDAP offers better privacy features in theory, commenters observe that many registrars still expose much of the same information, effectively negating the potential benefits. Some even argue that the added complexity of RDAP makes it harder to understand what data is being collected and shared.

  The perceived lack of standardization in RDAP implementations is also a source of frustration. Commenters mention inconsistencies in data formats and query responses across different registries, making it difficult to develop tools that work universally. This lack of interoperability is seen as undermining the potential benefits of a standardized protocol.

  Finally, several comments express cynicism about the motivations behind the transition to RDAP. Some speculate that it's driven more by the desire for greater control over data access and revenue generation rather than genuine improvements in privacy or security. The overall sentiment in the comments section leans towards viewing RDAP as a more complex and less accessible replacement for Whois, failing to deliver on its promised benefits and potentially hindering legitimate uses of registration data.

• Mastercard DNS error went unnoticed for years

  permalink

  Posted: 2025-01-22 15:25:57

  Verbose tl;dr

  A misconfigured DNS record for Mastercard went unnoticed for an estimated two to five years, routing traffic intended for a Mastercard authentication service to a server controlled by a third-party vendor. This misdirected traffic included sensitive authentication data, potentially impacting cardholders globally. While Mastercard claims no evidence of malicious activity or misuse of the data, the incident highlights the risk of silent failures in critical infrastructure and the importance of robust monitoring and validation. The misconfiguration involved an incorrect CNAME record, effectively masking the error and making it difficult to detect through standard monitoring practices. This situation persisted until a concerned individual noticed the discrepancy and alerted Mastercard.

  Brian Krebs, in a post titled "Mastercard DNS error went unnoticed for years" on KrebsOnSecurity, reports on a significant yet surprisingly long-lived DNS misconfiguration affecting Mastercard that persisted undetected for an estimated two to five years. This error, stemming from a typographical mistake in a single digit within a critical DNS record, directed traffic intended for Mastercard's payment gateway to an internal server. This internal server, ill-equipped to handle the massive volume of external requests, silently discarded these transactions without logging or alerting relevant parties.

  The misconfiguration specifically impacted a domain crucial for processing “Click to Pay” transactions, Mastercard's online checkout system designed for seamless and secure online purchases. While the primary Mastercard payment gateway remained unaffected, the erroneous DNS record meant that any merchant utilizing this particular “Click to Pay” domain experienced transaction failures. This resulted in a substantial but unquantified number of failed payments for customers attempting to use the service through affected merchants.

  Remarkably, the error went unnoticed for an extended period due to several compounding factors. Primarily, the silent failure mode of the internal server meant no error messages or notifications were generated. This lack of feedback combined with a potential lack of robust monitoring and alerting systems around “Click to Pay” transactions created a blind spot where the issue could persist undetected. Furthermore, the affected domain appears to have been less commonly used than the primary payment gateway, further reducing the visibility of the problem.

  The issue was ultimately discovered and reported by a security researcher who prefers to remain anonymous. This individual, after encountering repeated payment failures, investigated the DNS records and identified the single-digit typo. Upon notification, Mastercard swiftly rectified the error, restoring functionality to the affected domain. While the financial impact of the failed transactions remains undisclosed, the incident highlights the potential consequences of even minor DNS misconfigurations, especially within critical financial infrastructure, and emphasizes the importance of comprehensive monitoring and alerting mechanisms. The incident also underscores the crucial role security researchers play in identifying and reporting vulnerabilities, even those as seemingly mundane as a typographical error. The silent nature of the failure raises concerns about the potential for similar undetected issues to exist within complex online systems.

  • Mastercard
  • dns
  • Error
  • Security
  • Cybersecurity
  • DNSSEC
  • Domain Name System
  • Outage
  • Vulnerability
  • Internet Infrastructure
  • Financial Services
  • Technology
  • KrebsOnSecurity
  • Brian Krebs

  Summary of Comments ( 171 )
  https://news.ycombinator.com/item?id=42793783

  Verbose tl;dr

  HN commenters discuss the surprising longevity of Mastercard's DNS misconfiguration, with several expressing disbelief that such a basic error could persist undetected for so long, particularly within a major financial institution. Some speculate about the potential causes, including insufficient monitoring, complex internal DNS setups, and the possibility that the affected subdomain wasn't actively used or monitored. Others highlight the importance of robust monitoring and testing, suggesting that Mastercard's internal processes likely had gaps. The possibility of the subdomain being used for internal purposes and therefore less scrutinized is also raised. Some commenters criticize the article's author for lacking technical depth, while others defend the reporting, focusing on the broader issue of oversight within a critical financial infrastructure.

  The Hacker News post titled "Mastercard DNS error went unnoticed for years" has generated several comments discussing the implications of the KrebsOnSecurity article about Mastercard's long-standing DNS misconfiguration.

  Several commenters express surprise and concern over the length of time – reportedly years – that this misconfiguration persisted. Some speculate about the potential reasons for this oversight, including a lack of proper monitoring or alerting systems, complacency, and insufficient testing procedures. One commenter highlights the irony of a financial giant like Mastercard experiencing such a basic infrastructure issue.

  The discussion touches on the potential consequences of this DNS error. While Krebs' article doesn't mention any specific negative impacts, commenters suggest possibilities like performance degradation or even potential security vulnerabilities. One commenter raises the possibility that Mastercard may have relied on other mechanisms for internal communication, minimizing the impact of the faulty external DNS.

  The conversation also delves into the technical aspects of the issue, with commenters discussing the intricacies of DNSSEC, CAA records, and other DNS-related technologies. Some commenters point out the importance of redundant DNS servers and robust monitoring practices to prevent similar issues. One commenter speculates about the specific tools and processes Mastercard likely uses for DNS management.

  A few commenters question the accuracy or completeness of Krebs' reporting, suggesting that there might be more to the story than what's been revealed. Others offer alternative explanations for the observed behavior, positing that the misconfiguration might have been intentional or related to specific testing or staging environments.

  Several comments also highlight the broader implications of this incident for the industry, emphasizing the need for better DNS management practices and increased awareness of potential vulnerabilities. One commenter points to the increasing complexity of modern IT infrastructure and the challenges of maintaining reliable and secure systems.

  Finally, some commenters offer humorous takes on the situation, poking fun at Mastercard's apparent oversight and the potential consequences of such a basic error.