I can see someone else's domain IPs by adding it to my account

Answer these questions to help the Community help you with Security questions.

What is the domain name?
shout.eu

Describe the issue you are having:
I can see the IPs for shout.eu domain (that I do not own) by adding it to my account
I just want to confirm that this is secure behavior. If not, maybe it should be fixed.

Which IPs are you seeing and for which subdomain?

All of them (I’ll put them below and mask the last 2 bytes)
172.67..
104.21..
35.177..

The first two are Cloudflare IPs and you can see those just by running dig on the domain.

;; ANSWER SECTION:
shout.eu.		297	IN	A	172.67.204.67
shout.eu.		297	IN	A	104.21.74.163

Third one, I can see it’s an AWS server. Probably that’s the only real IP.

There doesn’t seem to be any WAF for that IP.

When adding a zone to an account a scan is done of common domain records using public DNS. The domain you referenced appears to be hosted by Amazon infrastructure or at least some unproxied records point to it, but that data (along with the rest of the scan data) is public.

Got it.
So it’s ok to see this when adding his domain to my account?

Yeah I did a random search for a fake hostname and got their wildcard IP which is expected. The others are of Cloudflare IPs and not the true origin (excluding the CNAME targets which are public).

Is it a nice intel gathering function? Yes, but for hackers there are much better DNS (and other tools) discovery tools to gather data. Nothing in that list is non-public.

You could add my domain (demo.dog) to get similar results. Most DNS hosts (including Cloudflare) prevent you from just asking for a full zone transfer to get all the DNS records that might be in use in a zone, but that’s really security through obscurity for the most part.

Because Cloudflare uses public queries vs checking their own backend for true values of proxied records it’s really no different than trying to add any zone from any DNS provider. Unless you control the registrar and can change the nameservers it’s not a problem (and if you have unauthorized access to their registrar they have much bigger problems).

Understood. Thanks a lot for your patience and the clear answer.
