How to prevent reading internal routing table?

[serpent_driver]

Hi there,

Some weeks ago I have ModSecurity enabled and have added Comodo LiteSpeed rule set. This rule set allows to add user agents to block. Since this rule set is running i noticed a lot of blocked UAs like I have defined it, so it works like expected. But the problem is that many blocked UAs acccessed subdomains defined by cPanel like webmail.domain.com, autodiscover.domain.com and much more self created subdomains. Most of these URLs are not public, so how it is possible to read internal routing table from outside and how can it be prevented?

Thank you!
Michael

 

[cPRex]

Hey there! Can you explain to me how those subdomains aren't public? If the subdomain is created and exists in DNS, anyone would be able to attempt a connection to it.

 

[serpent_driver]

Not public means subdomains either they have never been published in search engines or have password protection or don't exist anymore or have no content or have redirection and so on...

You said if they are in DNS they can be connected. That's okay, but if there are subdomains like the URL to cpanel/WHM control panel or other subdomains that are created by cpanel, I am the only one who knows such URLs. To me, it looks like someone can access or can read information like routing table. For example what happend to day. Netcraft Survey Agent tries to connect to all subdomains that exist in the last 3 years, around 50 subdomains within a few hours. That can not be a coincidence.

 

[cPRex]

I don't think that is the case at all, and isn't how those tools work. For example, I get CSF/LFD notifications all the time on my personal server for users trying to access domain.com/cpanel. If you do a web search for a domain name, and add "cpanel" to it, you won't see that directory come up, but it's such a common directory that the automated bots know to test that. I don't think there is any tool that is reading a routing table or other DNS structure, but it's just reading from a common list that is automatically generated.

 

[serpent_driver]

In case of cPanel URL your answer could sound plausible. If it would only be about URL to control panel, there wouldn't be any reason to get in panic, but it is more about control panel URL. It is about all subdomains I ever created, but I will give you another example to demonstrate that there must be any "tool" to get access to DNS information. Some month ago for testing I added some A records to DNS zone, but without creating subdomains. DNS zone only have additional A records, not more. If ModSecurity blocks access to these "faked" URLs, someone must be able to read DNS information if I am the only one who knows it.

You can reproduce it by your own. Create a ModSecurity rule that blocks User Agent "Netcraft Survey Agent" and create an A record for a subdomain that doesn't exist. It could take some times, but if your watch ModSecurity Tools frequently you will find a hit.

Happy New Year

 

[cPRex]

I would also expect DNS information to be public. If you're adding an A record, that's public information as well.

 

[serpent_driver]

If you're adding an A record, that's public information as well.

How can such information be public? Your reply means (for me) if I ask a server to give me all DNS information he publishes those data without to know if the one who asked is allowed to get these informationen. Some information like IP, hostname or nameserver are neccessary, but it is not okay to request the hostname like Netcraft Survey Agent does it and the server gives him ALL DNS information about domains, subdomains, A records and so on, setuped on the server.

Do you think that is okay?

 

[cPRex]

That's how the entire internet works - DNS information is free and public and there is no authentication required to ask another server for their records. I can connect to any system on port 53 and ask for DNS information. If you do not want the access to exist, then it should not be added in the DNS zone.

 

[serpent_driver]

I know how the Internet works! DNS is a elementary part of the Internet, but you seem not to understand what I am talking about. Again, how can it be possible if I request only the hostname per HTTP protokoll and my server publishes all DNS, again ALL DNS information from A to Z, everything?

 

[cPRex]

There are many ways this information can be found. For example, this online tool lets you enter a hostname and it will pull all the DNS records that are available:

UltraDNS Enterprise-grade DNS with 100% Uptime | Neustar

Neustar UltraDNS delivers 100% uptime SLA, DNSSEC support & DDoS protection to thousands of companies across the globe including Fortune 500 companies.

www.ultratools.com

I think you're also underestimating the bots on the internet. It's a trivial task for them to constantly scan DNS information for new data, and then try and access that just to see what's there.

If you think there are additional security flaws happening on your system it would be best to have an admin check that, but this really sounds like normal activity to me from what I'm used to seeing.

 

[serpent_driver]

Hey Hurra, we come together , but this tool at ultratools.com doesn't work. There are better one and I know some of them, but all of such tools publish only basic DNS information that are exclusively needed to get access to a host, but not the content of my complete zone file. And that is the problem i have with all my servers managed with cPanel/WHM.

If you don't have more and better information we should stop the conversation. Thank you for your time and trying to help.

 

[cPRex]

You're very welcome! While that tool may not work in all cases, it was just one example that there are ways to get those details that aren't malicious.

 

[serpent_driver]

To keep this thread alive, because it isn't solved, I add some information for other users that want to protect their DNS. The main topic of this thread is about:

Disabling or Enabling DNS Recursion on Your Bind Server

to prevent exploring all subdomains.

Here are some links:

SecurityTrails | 8 tips to prevent DNS attacks

Follow these tips to keep your company protected against Domain Name System based attacks and information disclosure.

securitytrails.com

https://kb.cloud.im/hc/en-us/articles/360001022147-cPanel-Disabling-or-Enabling-DNS-Recursion-on-Your-Bind-Server

SecurityTrails | Exploring Google DNS zone, record by record

Days ago playing with DNSTrails we discovered some new gems to share with you, this time from Google.com. Let’s explore the list.

securitytrails.com