Can someone explain how the enumeration of subdomains on a hostname works?
I know that zone transfers are one way, but I looked up one of my domains and it includes a private subdomain I've never published anywhere.
I checked and my DNS provider does not allow zone transfers (as far as I can tell) so I'm curious how this information is obtainable.
And I mean through ordinary means, let's ignore the "your account/ISP/Registrar may be compromised" scenarios. Are there everyday scanning tools that allow for this?
"The search relies on data from our crawls of the Alexa Top 1 Million sites, Search Engines, Common Crawl, Certificate Transparency, Max Mind, Team Cymru, Shodan and scans.io."
So probably CT logs.
Also, if you've ever sent a cold-cache query to a recursive resolver that didn't employ QNAME minimization (few do), it was likely harvested by pDNS replication at the TLD nameserver level and shared with a number of commercial and research parties' databases to which DNSDumpster may subscribe.
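The comment above hinges on what a TLD-level passive-DNS sensor actually gets to see during a cold-cache lookup. This added Python example (not part of the thread, and not any resolver's real code) simulates the referral chain from the root for one query name, once the way a classic resolver does it and once with RFC 9156 QNAME minimization, and reports the name revealed to the TLD server at each step. The query name `private-abc123.example.com` is an invented stand-in for the poster's random subdomain.

```python
# Added example: which name each authoritative level sees during a cold-cache
# iterative lookup, with and without QNAME minimization (RFC 9156).
# Simulation only; no DNS traffic is sent.

def split_labels(qname):
    """'a.b.com.' -> ['a', 'b', 'com'] (lowercased, trailing dot tolerated)."""
    name = qname.strip().rstrip(".").lower()
    return name.split(".") if name else []


def resolution_trace(qname, minimize):
    """Simulate the referral chain from the root for one query.

    Returns a list of (zone_asked, qname_sent): the zone whose authoritative
    server the resolver talks to at each step, and the name it reveals to it.
    Without minimization the full owner name is sent to every level; with it,
    each level only learns one more label than it already serves.
    """
    labels = split_labels(qname)
    full = ".".join(labels) + "."
    trace = []
    for depth in range(len(labels)):
        # Zone served at this step: root ".", then the TLD, then the
        # registered domain, and so on down to the name's own zone.
        zone = ".".join(labels[len(labels) - depth:]) + "." if depth else "."
        if minimize:
            sent = ".".join(labels[len(labels) - depth - 1:]) + "."
        else:
            sent = full
        trace.append((zone, sent))
    return trace


def name_seen_by_tld(qname, minimize):
    """The name that reaches the TLD's servers (step 2 of the chain), or None
    if the query has fewer than two labels."""
    trace = resolution_trace(qname, minimize)
    return trace[1][1] if len(trace) > 1 else None


if __name__ == "__main__":
    # Invented query name standing in for an unpublished random subdomain.
    q = "private-abc123.example.com"
    for minimize in (False, True):
        print("QNAME minimization:", "on" if minimize else "off")
        for zone, sent in resolution_trace(q, minimize):
            print(f"  ask {zone:<18} for {sent}")
        print("  TLD sensor observes:", name_seen_by_tld(q, minimize))
```

With minimization off, a passive-DNS collector sitting at the `.com` servers records the full `private-abc123.example.com.` the first time any cold-cache resolver looks it up; with it on, the TLD only ever sees `example.com.`. Real resolvers usually have the root and TLD delegations cached, so in practice the leak happens at whichever level the resolver first has to ask, but the registered domain's own nameservers always receive the full name either way.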
This seems like the most likely candidate then (a resolver that caches and shares requests or CT - which I didn't know about), because the subdomain is a random string of characters so it wouldn't have been brute-forced.
Zone transfers are one way, but you can also use brute force using a common word list. These days you can also use 'OSINT' (open source intelligence), and use things like TLS certificate transparency logs to go looking for obscure DNS names.
I can't speak for DNSDumpster, but a common technique I use to do subdomain enumeration is just brute forcing with a wordlist. By enumerating with a large enough wordlist, you can discover matching subdomains for a target domain.
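To make the brute-force approach from the two answers above concrete, here is an added Python example (mine, not the answerers' tooling) of a wordlist enumerator with the one check that any practitioner needs before trusting its output: wildcard detection, since a zone with `*.example.com` answers every label and would otherwise report the whole wordlist as hits. The resolver is pluggable; the `FAKE_ZONE` and `FAKE_WILDCARD_ZONE` tables are constructed so the demo runs offline, and `live_resolve` shows the swap-in for real lookups. It also includes the search-space arithmetic behind the thread's point that a random label is out of reach for a wordlist.

```python
# Added example: wordlist subdomain brute force with wildcard handling.
# Zone data below is constructed for an offline demo and is not real.
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a zone. The last label plays the part of the
# unpublished random subdomain from the question.
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "dev.example.com": "192.0.2.30",
    "q7x2k9v4m1.example.com": "192.0.2.99",
}
# Constructed zone with a wildcard record: every label under it resolves.
FAKE_WILDCARD_ZONE = {"*.wild.example": "203.0.113.5"}


def fake_resolve(name):
    """Offline resolver over the constructed zones. Returns an IP or None."""
    name = name.lower().rstrip(".")
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return FAKE_WILDCARD_ZONE.get("*." + parent)


def live_resolve(name):
    """Real lookup through the OS stub resolver; pass as resolve= for live use."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve):
    """Query a label nobody could have published. An answer means the zone
    has a wildcard record, and that answer is the value to filter out."""
    probe = secrets.token_hex(8) + "." + domain
    return resolve(probe)


def brute_force(domain, wordlist, resolve=fake_resolve, workers=8):
    """Return {fqdn: ip} for wordlist labels that resolve.

    Hits that merely echo the wildcard answer are dropped. A real host that
    happens to share the wildcard's IP is dropped too; that is the known
    blind spot of IP-based wildcard filtering.
    """
    wildcard_ip = detect_wildcard(domain, resolve)
    candidates = [f"{w.strip().lower()}.{domain}" for w in wordlist if w.strip()]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for fqdn, ip in zip(candidates, pool.map(resolve, candidates)):
            if ip is None or ip == wildcard_ip:
                continue
            found[fqdn] = ip
    return found


def search_space(alphabet_size, length):
    """Labels a brute force would have to try to cover every name of this
    length: alphabet_size ** length. This is why a random label is safe
    from wordlists but not from passive DNS or CT."""
    return alphabet_size ** length


if __name__ == "__main__":
    wordlist = ["www", "mail", "admin", "dev", "staging", "vpn"]
    print(brute_force("example.com", wordlist))      # finds www, mail, dev only
    print(brute_force("wild.example", wordlist))     # {} once wildcard is filtered
    print(f"10-char [a-z0-9] labels: {search_space(36, 10):,}")
```

Against the constructed zone the wordlist recovers `www`, `mail` and `dev` but never `q7x2k9v4m1`, and against the wildcard zone it reports nothing instead of six false positives. Swap `resolve=live_resolve` in for real targets, and expect to need a large wordlist plus permutations (`dev-api`, `api2`) before it becomes useful.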
Yeah, this is a random string of characters so it can't be that. Also, my logs show it getting queried by automated tools within a few weeks of being live, so I suspect it's due to someone else's suggestion that a DNS resolver somewhere is caching and sharing request data for "research" or other reasons.