Assuming you wanted to create a subdomain that points to a private location (perhaps the location of a database, or the IP address of a computer you don't want people to attempt SSH-ing into), so you add a DNS record named something like this:

private-AGhR9xJPF4.example.com

Would this be "hidden" to everyone except those who know the exact URI to the subdomain? Or, is there some way to "list" all registered subdomains of a particular domain?

Andrew B
IQAndreas
  • If you don't want it to be known or discovered why would you create a DNS record for it in the first place? – joeqwerty Mar 03 '14 at 05:32
  • @joeqwerty If the server uses a dynamic IP or if I want to change the target IP later, I want any applications that connect to that server to continue to work without modification. – IQAndreas Mar 03 '14 at 05:34
  • Note that there are plenty of bad guys scanning the entire IP space for computers they can SSH into. If it's reachable from the public internet, you're going to get people banging on the SSH port. – pjc50 Mar 03 '14 at 10:48
  • The real solution to your problem is a firewall and VPN. – josh3736 Mar 03 '14 at 17:23

3 Answers

Is there some kind of "subdomain listing" query for DNS?

There is no query for this specific purpose, but there are a few indirect methods.

  • A non-incremental zone transfer (AXFR). Most server operators lock down zone transfers to specific IP addresses to prevent unaffiliated parties from snooping around.
  • If DNSSEC is enabled, iterative NSEC requests can be used to walk the zone. NSEC3 was implemented to make zone walking more computationally intensive.

There's also a trick that will let someone know if an arbitrary subdomain exists.

        example.com. IN A 198.51.100.1
www.sub.example.com. IN A 198.51.100.2

In the above example, www lies within sub. A query for sub.example.com IN A will not return an ANSWER section, but the result code will be NOERROR instead of NXDOMAIN, betraying the existence of records further down the tree (just not what those records are named).

Should secrecy of DNS records ever be relied upon?

No. The only way to reliably hide data from a client is to ensure that it can never get the data to begin with. Assume that existence of your DNS records will be spread among whoever has access to them, either by word of mouth or by observing the packets.

If you're trying to hide records from a routable DNS client, You're Doing It Wrong™. Make sure the data is only exposed to the environments that need it (i.e. use privately routed domains for private IPs). Even if you have such a division set up, assume that knowledge of the IP addresses will be spread around anyway.

The focus on security should be on what happens when someone gets the IP address, because it's going to happen.


I'm aware that the list of reasons for IP address secrecy being a pipe dream could be expanded on further. IP scanning, social engineering...the list is endless, and I'm mostly focusing on the DNS protocol aspects of this question. At the end of the day, it all falls under the same umbrella: someone is going to get your IP address.

Wesley
Andrew B
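The NOERROR-without-answers signal described in this answer, worked through as an added example (not code from the original answers; Python 3 standard library only, with a constructed zone and hand-packed response messages instead of real traffic): a minimal authoritative lookup against the example zone, the response packed into wire format, and the querier's side reading only RCODE and ANCOUNT from the 12-byte header.

```python
import struct
NOERROR, NXDOMAIN = 0, 3

# Constructed zone from the answer above: www lies under sub, but sub itself has no records.
ZONE = {
    "example.com.": bytes([198, 51, 100, 1]),
    "www.sub.example.com.": bytes([198, 51, 100, 2]),
}

def authoritative_lookup(zone, qname):
    """Mimic an authoritative server's decision for an A query: returns (rcode, rdata)."""
    qname = qname.rstrip(".").lower() + "."
    if qname in zone:
        return NOERROR, zone[qname]          # name exists, answer it
    if any(owner.endswith("." + qname) for owner in zone):
        return NOERROR, None                 # empty non-terminal: NOERROR, empty ANSWER section
    return NXDOMAIN, None                    # nothing at or below this name

def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(qname, rcode, rdata=None):
    """Pack a minimal DNS response (constructed bytes, not captured traffic)."""
    flags = 0x8580 | rcode                   # QR, AA, RD, RA set; RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if rdata else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    if rdata:
        # compression pointer to the question name at offset 12, then TYPE A, CLASS IN, TTL, RDLENGTH
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg

def classify_response(msg):
    """Only the 12-byte header is needed: RCODE plus ANCOUNT separates the three cases."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "nxdomain"             # neither this name nor anything beneath it exists
    if rcode == NOERROR and ancount == 0:
        return "exists-no-data"       # name exists: empty non-terminal or other RR types only
    if rcode == NOERROR:
        return "exists-with-answer"
    return "rcode-%d" % rcode

def probe(zone, qname):
    """Round trip: what a querier learns about qname from the zone's answer."""
    rcode, rdata = authoritative_lookup(zone, qname)
    return classify_response(build_response(qname, rcode, rdata))
```

A NOERROR response with an empty ANSWER section also occurs when the name exists with only other record types (say, AAAA or MX), so from the querier's side "exists-no-data" means only that the name is present in the tree. Either way, the zone confirms the name exists, which is the reason secrecy of names in a publicly served zone cannot be relied upon.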

It depends.

Andrew B's answer is spot on when you register the subdomain in the public DNS zone which also hosts your company's MX records and public website, for instance.

Most companies would have an internal DNS server, not publicly available, where you would register the host names for your internal (secret) hosts.

The recommended method is to register a dedicated domain for internal use, or alternatively create a subdomain in your primary domain for internal use.

But technically you can also use your primary domain by creating an internal view on your domain, where depending on the origin of the DNS client an alternate version of the DNS zone would be visible.

HBruijn

In addition to Andrew's answer:

AXFR requests can be done with one of the following commands:

dig @8.8.8.8 mydomain.com. AXFR
nslookup -query=AXFR mydomain.com 8.8.8.8
host -l mydomain.com

There are also some brute force scripts (like WS-DNS-BFX) using a dictionary to guess other DNS records.

intika