Ask HN: How did the internet discover my subdomain?

287 points by govideo ↗ HN
I have a domain that is not live. As expected, loading the domain returns: Error 1016.

However...I have a subdomain with a not obvious name, like: userfileupload.sampledomain.com

This subdomain IS LIVE but has NOT been publicized/posted anywhere. It's a custom URL for authenticated users to upload media with presigned url to my Cloudflare r2 bucket.

I am using CloudFlare for my DNS.

How did the internet find my subdomain? Some sample user agents are: "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7; en-us) AppleWebKit/534.20.8 (KHTML, like Gecko) Version/5.1 Safari/534.20.8", "Mozilla/5.0 (Linux; Android 9; Redmi Note 5 Pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36",

The bots are GET requests which are failing, as designed, but I'm wondering how the bots even knew the subdomain existed?!

321 comments

[ 4.0 ms ] story [ 278 ms ] thread
If it is on DNS, it is discoverable. Even if it were not, the message you pasted says outright that they scan the entire IP space, so they could be hitting your server's IP without having a clue there is a subdomain serving your stuff from it.
Ahh yeah, my internet network knowledge was never super strong, and now is rusty to boot. Thanks for your note.
Shouldn't the web server only respond to a configred domain, else 404?
Depends if it's configured like that, by default usually no
Question: How does a subdomain get discovered by a member of the public if there are no references to it anywhere online?

The only thing I can think of that would let you do that would be a DNS zone transfer request, but those are almost always disallowed from most origin IPs.

https://en.m.wikipedia.org/wiki/DNS_zone_transfer

Certificate transparency logs.
If you know what to query, sure. You can't just say "give me all subdomains"; it doesn't work that way. The subdomain was discovered via certificate transparency logs.
> If it is on DNS, it is discoverable.

In the context of what OP is asking this is not true. DNS zones aren't enumerable - the only way to reliably get the complete contents of the zone is to have the SOA server approve a zone transfer and send the zone file to you. You can ask if a record in that zone exists but as a random user you can't say "hand over all records in this zone". I'd imagine that tools like Cloudflare that need this kind of functionality perform a dictionary search since they get 90% of records when importing a domain but always seem to miss inconspicuously-named ones.

> Even if it were not, the message you pasted says outright that they scan the entire IP space, so they could be hitting your server's IP without having a clue there is a subdomain serving your stuff from it.

This is likely what's happening. If the bot isn't using SNI or sending a host header then they probably found the server by IP. The fact that there's a heretofore unknown DNS record pointing to it is of no consequence. *EDIT: Or the Cert Transparency log as others have mentioned, though this isn't DNS per se. I learn something new every day :o)

In practice it's not so far fetched: A zone transfer is just another dns query at the protocol level, i suppose you can conceptually view it as sending a file if you consider the dns response a file. Something like "host -t axfr my.domain ns1.my.domain" will show the zone depending on how a domain's name server is configured (eg in bind, allow-transfer directive can be used to make it public, require ip acl to match the query source, etc).
No sensible DNS provider has zone transfers enabled by default. OP mentioned using CloudFlare, and they certainly don't.
> in bind, allow-transfer directive

Configuring BIND as an authoritative server for a corporate domain when I was a wee lad is how I learned DNS. It was and still is bad practice to allow zone transfers without auth. If memory serves I locked it down between servers via key pairs.

> In the context of what OP is asking this is not true. DNS zones aren't enumerable - the only way to reliably get the complete contents of the zone is to have the SOA server approve a zone transfer and send the zone file to you.

This is generally true but also if you watch authoritative-only dns server logs for text strings matching ACL rejections, there's plenty of things out there which are fully automated crawlers attempting to do entire zone transfers.

There are a non zero number of improperly configured authoritative dns servers out there on the internet which will happily give away a zone transfer to anyone who asks for it, at least, apparently enough to be useful that somebody wrote crawlers for it. I would guess it's only a few percent of servers that host zonefiles but given the total size of the public Internet, that's still a lot.

In the context of DNSSEC dns zones are very much enumerable. Cloudflare does amazing tricks to avoid this https://blog.cloudflare.com/black-lies/
Cloudflare themselves gives more information here:

> NSEC3 was a “close but no cigar” solution to the problem. While it’s true that it made zone walking harder, it did not make it impossible. Zone walking with NSEC3 is still possible with a dictionary attack.

So, hardening it against enumerability is a question of inserting non-dictionary names.

Zone transfers are super interesting topic. Thanks for mentioning that.

It's basically the way how to get all DNS records a DNS server has. Interestingly in some countries this is illegal and in some this is considered best practice.

Generally, enabled zone transfers is considered as misconfiguration and should be disabled.

We did research on that few months back and found out that 8% of all global name servers have it enabled.[0]

[0] - https://reconwave.com/blog/post/alarming-prevalence-of-zone-...

That's concerning. I thought everyone knows that zone transfers should be generally disallowed, especially when coming from random hosts.
(comment deleted)
Is it available under HTTPS? Then it's probably in a Certificate Transparency log.
Yes, https via cloudflare's automatic https. Thanks for the info.
Automated agents can tail the certificate log to discover new domains as the certs are issued. But if you want to explore subdomains manually, https://crt.sh/ is a nice tool.
Yeah this is a surprisingly little known fact- all certs being logged means all subdomain names get logged.

Wildcard certs can hide the subdomains, but then your cert works on all subdomains. This could be an issue if the certs get compromised.

Usually there isn’t sensitive information in subdomain names, but i suspect it often accidentally leaks information about infrastructure setups. "vaultwarden.example.com" existing tells you someone is probably running a vaultwarden instance, even if it’s not publicly accessible.

The same kind of info can leak via dns records too, I think?

> The same kind of info can leak via dns records too, I think?

That's correct "passive DNS" is sold by many large public DNS providers. They tell you (for a fee) what questions were asked and answered which meet your chosen criteria. So e.g. maybe you're interested, what questions and answers matched A? something.internal.bigcorp.example in February 2025.

They won't tell you who asked (IP address, etc.) but they're great for discovering that even though it says 404 for you, bigcorp.famous-brand-hr.example is checked regularly by somebody, probably BigCorp employees who aren't on their VPN - suggesting very strongly that although BigCorp told Famous Brand HR not to list them as a client that is in fact the HR system used by BigCorp.

I had coworkers at a previous employer go change settings in CloudFlare trying to troubleshoot instead of reaching out to me. They changed the option that caused CF proxy to issue a cert for every subdomain instead of using the wildcard. They didn't understand why I was pissed that they had now written every subdomain we had in use to the public record in addition to doing it without an approved change request.
If you're using infra in a way [cloudflare -> your VM] I'd recommend setting firewall on the VM in a way that it can be accessed only from Cloudflare.

This way, you will force everyone to go through Cloudflare and utilize all those fancy bot blocking features they have.

DNS query type AXFR allows for subdomain querying. There are security restrictions around who can do it on what DNS servers. Given the number of places online one can run a subdomain query, I suspect it's mostly a matter of paying the right fees to the right DNS provider.
I'm having the same issue.

https://securitytrails.com/ also had my "secret" staging subdomain.

I made a catch-all certificate, so the subdomain didn't show up in CT logs.

It's still a secret to me how my subdomain ended up in their database.

They could be purchasing DNS query logs from ISPs.
maybe your server responded to a plain ip addressed request with the real name...
Host header is a request header, not a response one, isn't it?
He said he used a wildcard cert though. So what part of the response would contain the subdomain in that case?
Serious question: Do you really think that Cloudflare is trying to keep these kinds of thing private? If so, I'd suggest that's not a reasonable expectation.
Related question (not rhetorical). If you do DNS for subdomains yourself (and just use Cloudflare to point dns.example.com at your box) will the subdomain queries leak and show up in aggregate datasets? What I'm asking is if query recursion is always handled locally or if any of the reasonably common software stacks resolve it remotely.
As well as assuming Cloudflare sells DNS lists, it's probably safe to assume the operators of public resolvers like 8.8.8.8, 9.9.9.9 and 1.1.1.1 (that is Google, Quad9 and Cloudflare again) are looking at their logs and either selling them or using them internally.
If you just use Cloudflare as a registrar, then they can't see what resolution happens on your servers.

If you delegate a subdomain through Cloudflare to your own DNS servers, from what I remember from the animal book, the recursive server should ask Cloudflare for the address of the machine to which the delegation has been made (yours), and while any further resolutions would be answered by your machine, Cloudflare would at very least know of every query to that subdomain.

If you delegate a subdomain and have subdomains under that subdomain, then Cloudflare would only see resolutions to that subdomain and not to the sub-subdomains.

In other words, for most things, they'd have full insight.

Certificate Transparency logs, or they don't actually know the domain name: just port-scanning[1] then making requests to open web ports.

[1] Turns out you can port-scan the entire internet in under 5 minutes: https://github.com/robertdavidgraham/masscan

Port scanning usually can't discover subdomains. Most servers don't expose the of the domains they server content for. In case of HTTP they usually only serve the subdomain content if the Host: request-header includes it.
Most servers just listen on :80 and respond to all requests. Almost nobody checks the host header intentionally, it's just a happy mistake if they use a reverse proxy.

You can often decloak servers behind Cloudflare because of this.

But OP's post already answered their question: someone scanned ipv4 space. And what they mean is that a server they point to via DNS is receiving requests, but DNS is a red herring.

This really depends on the setup. Most web servers host multiple virtual hosts. IP addresses are expensive.

If you're deploying a service behind a reverse proxy, it either must be only accessible from the reverse proxy via an internal network, or check the IP address of the reverse proxy. It absolutely must not trust X-Forwarded-For: headers from random IPs.

I just don't see how any of this matters. OP's server is reachable via ipv4 and someone sent an http request to it. Their post even says that this is the case.
I'm guessing they meant it discovered a virtual host behind a subdomain.
I could be wrong, but the Palo Alto scanner says it's using global ipv4 space, so not using DNS at all. So actually the subdomain has not been discovered at all.
This is exactly what’s happening based on the log snippet posted. Has nothing to do with subdomains, has everything to do with it being on the internet.
How deep in the domain hierarchy you are doesn't matter from a network layer: a bare tld (yes this exists), a normal domain, a subdomain, a sub-subdomain, etc can all be assigned different IPs and go different places. You can issue a GET against / for any IP you want (like we see in the logs OP posted). The only time this would actually matter is if a host at an address is serving content for multiple hostnames and depends on the Host header to figure out which one to serve -- but even those will almost always have a default.
You can discover IP adresses, sure. Just enumerate them. But this doesn't give you the domain, as long as there is no reverse dns record.

I'm quite sure OP meant a virtual host only reachable with the correct Host: header.

And in the case of HTTPS they need to insist on SNI (and TLSv3 requires it).
Last few times I tried to do this my ISP cut off my internet every time. Assholes. It comes back, but they're still assholes for it.
This.

I have a DNS client that feeds into my passive DNS database by reading CT logs and then trying to resolve them.

LPT, this is an object lesson in the weakness of security through obscurity
I mean you could argue that this is more of a multi-factor authentication lesson.

Just knowing 1 "secret"— a subdomain in this case —shouldn't get you somewhere you shouldn't.

In general you should always assume that any password has been (or could be) compromised. So in this case, more factors should be involved such as IP restricting for access, an additional login page, certificate validation, something...

Security by obscurity can be a great additional measure for an already secure system. It can reduce attack surface, make it less likely to get attacked in the first place. In some cases (like this one) it can also be much easier to break than expected.
Interesting! Just checked them out.

"MerkleMap gathers its information by continuously monitoring and live tailing Certificate Transparency (CT) logs, which are operated by organizations like Google, Cloudflare, and Let's Encrypt. "

I made this, thank you!
Did you ever email the URL to somebody? We had the same issue years ago where google seemed to be crawling/indexing new subdomains it finds in emails.
Nope, never emailed or posted to anyone. Just me (it's my solo project at the moment).
I'm surprised nobody mentioned subfinder yet: https://github.com/projectdiscovery/subfinder

Subfinder uses different public and private sources to discover subdomains. Certificate Transparency logs are a great source, but it also has some other options.

(comment deleted)
Does the IP address for that subdomain have a DNS PTR record set? If it does, someone can discover the subdomain by querying the PTR record for the IP.
If it does, I did not set it up; it would have been automatically done by CloudFlare when I told it to use my custom subdomain for the upload urls.
(comment deleted)
If a HTTPS service should be hard to discover, an easy way is to hide it behind a subdirectory. Something like https://subdomain.domain.example/hard_to_find_secret_string.

Another option are wildcard certificates.

This obviously can't be the only protection. But if an attacker doesn't know about a service, or misses it during discovery, they can't attack it.

As others have said, likely cert transparency logs. Use a wildcard cert to avoid this. They are free using LetsEncrypt and possibly a couple other ACME providers. I have loads of wildcard certs. Bots will try guessing names but like you I do not use easily guessable names and the bots never find them. I log all DNS answers. I assume cloudflare supports strict-SNI but no idea if they have their own automation around wildcard certs. Sometimes I renew wildcard certs I am not even using just to give the bots something to do.
I have been just relying on CloudFlare's automatic https. But I will look into my own certs, though will likely just use CloudFlare's. I don't mind the internet knowing the subdomain I posted about; was curious how the bots found it!
There is a chance that your subdomain is the first/default virtual host in your web server setup (or the subdomain's access log is the default log file) so any requests to the server's IP address get logged to this virtual host. That means they didn't access your subdomain, they accessed via your server IP address but got logged in your subdomain's access log.
And this is the correct answer, thank you.

Transparency logs are fine except if you have a wildcard cert (or no https, obviously).

IP scans are just this: scans for live ports. If you do not provide a host header in your call you get whatever the default response was set up. This can be a default site, a 404 or anything else.

This site will find any subdomain, for any domain, so long as it previously had a certificate (ssl/tls)

https://crt.sh/

This is incorrect (or at least only technically correct). This is only true for subdomains with public, trusted CA signed certificates since certificate transparency has existed and only for subdomains with a specific, non wildcard certificate.
Thanks for mentioning. I checked it out, and am learning lots of new stuff (ie, realize how much I do not know).
Doesn’t find any of my semi secret subdomains.
Some CAs (Amazon) allow not publishing to the Certificate Transparency Log. But if you do this, browsers will block the connection by default. Chromium browsers have a policy option to skip this check for selected URLs. See: CertificateTransparencyEnforcementDisabledForURLs.

Some may find this more desirable than wildcard certificates and their drawbacks.

To avoid subdomain discovery, I usually acquire certificate domain level and add a wildcard SAN.
Will you send me an invite to tildes?
Firefox is currently rolling out the same thing. They will treat any non-publicly-logged certificate as insecure.

I’m surprised amazon offers the option to not log certificates. The whole idea is that every issued cert should get logged. That way, fraudulently-issued certs are either well documented in public logs- or at least not trusted by the browser.

It doesn't seem like the choice has any impact on that. It just protects user privacy if that's what they want to prioritize.

Depending on the issuer logging all certs would never work. You can't rely on the untrusted entity to out themselves for you.

The security comes from the browser querying the log and warning you if the entry is missing. In that sense declining to log a cert is similar to self signing one. The browser will warn and users will need to accept. As long as the vast majority of sites don't do that then we maintain a sort of herd immunity because the warnings are unexpected by the end user.

I should have included in my post, this technique only makes sense in the context of private or internal endpoints.
Someone might used open-source tool like sublist3r
yea was gonna mention this as well lol
(comment deleted)
Not sure why everyone is going on about certificate transparency logs when the answer is right there in the user agent. The company is scanning the ipv4 space and came upon your IP and port.
(comment deleted)
Okay. But how did they get the proper host header?
There are a couple easy possibilities depending on server config.

1. Not using SNI, and all https requests just respond with the same cert. (Example, go to https://209.216.230.207/ and you'll get a certificate error. Go to the cert details and you'll see the common name is news.ycombinator.com).

2. http upgrades to https with a redirect to the hostname, not IP address. (Example, go to http://209.216.230.207/ and you get a 301 redirect to https://news.ycombinator.com)

I don't think op said that they had the correct host header?
Could be a number of ways for example a default TLS cert, or a default vhost redirect.

I actually had a job once a few years ago where I was asked to hide a web service from crawlers and so I did some of these things to ensure no info leaked about the real vhost.

Who says they did?
It's rather hilarious that nobody mentioned this in 7 hours. What am I missing?

~5 billion scans in a few hours is nothing for a company with decent resources. OP: in case you didn't follow, they're literally trying every possible IPv4 address and seeing if something exists on standard ports at that address.

I believe it would be harder to find out your domain that way if you were using SNI and only forwarded/served requests that used the correct host. But if you aren't using SNI, your server is probably just responding to any TLS connect request with your subdomain's cert, which will reveal your hostname.

> What am I missing?

That it was in fact mentioned many hours earlier, in more than one top level comment.

I was referring more to the fact that the user agent explicitly contained the answer, rather than suggestions that it was IP scanning. But you're right I do see one comment that mentions that. And many more likely assumed the OP already figured that part out.
The user agent contains a partial answer. IP scanning doesn't give you the actual subdomain, so the question is slightly wrong or there are missing pieces.
Judging by the logs (user agents really) right now in the submission, it's hard to tell if the requests were actually for the domain (since the request headers aren't included) or just for the IP.
Yes, that's the question being wrong option I listed.
> What am I missing?

It's very common for people to read only up to the point they feel they can comment, then skip immediately to the comment. So, basically, noone read it.

Funny, that'd be so unthinkable for me to do! But you're probably right.
Just the default hostname. It won't reveal all of them or any of the IP addresses of that box. secret-freedom-fighter.ice-cream-shop.example.com could have the same IP as example.com and you'd only know example.com
If you've got one cert with a subject alt name for each host, they'd see them all. If you use SNI and they have different certificates, the domains might still be in Certificate Transparency logs. If a wildcard cert is used, that could help to conceal the exact subdomain.
That perfectly fits midwit meme. Lots of people are smart enough to know transparency logs - but not smart enough to read OP post and understand the details.
The details aren't there, so it's "assume" rather than "understand".

The only proper response to OP's question is to ask for clarification: is the subdomain pointing to a separate IP? Are the logs vhost-specific or not?

If you don't get the answers, all you can do is to assume, and both assumptions may end up being right or wrong (with varying probability, perhaps).

Also it's Palo Alto. They're not some kiddie scripters. https://en.m.wikipedia.org/wiki/Palo_Alto_Networks
Am I google when I come with the useragent 'google here, no evil'?
Looking at how they earned their 100s of CVEs, script kiddie almost looks like a compliment
Finding IP does not mean finding the domain. When doing HTTP request to IP you specify the domain you want to connect to. For example you can configure your /etc/hosts to have xxxnakedhamsters.google.com pointing to 8.8.8.8 and make the http request, which will cause Google getting the domain request (i.e. header Host: xxxnakedhamsters.google.com) and it will refuse it or try to redirect to http. Of course it's only related to HTTP because HTTPS will require certificate. That's why they're speaking about certificates.
First thing I’d do for an IP that answers is a reverse lookup, so I expect that’s at least in the list of things they’d try.
Depending on the web server's configuration, you very much _can_ find the domain which is configured on an IP address, by attempting to connect to that IP address via HTTPS and seeing what certificate gets served. Here's an example:

https://138.68.161.203/

> Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for 138.68.161.203. The certificate is only valid for the following names: exhaust.lewiscollard.com, www.exhaust.lewiscollard.com

I don't think that does you any good for Cloudflare, though. They will definitely be using SNI.
That doesn't really matter, though. While OP is using Cloudflare, the actual server behind it is still a publicly-accessible IP address that an IPv4 space scanner can easily stumble upon.
I misunderstood, I thought the subdomain was an R2 bucket. If it's just normal Cloudflare proxying to some backend this is probably the most likely answer.

That said, while I think it's not the case here, using Cloudflare doesn't mean the underlying host is accessible, as even on the free tier you can use Cloudflare Tunnels, which I often do.

they only state they are using cloudflare for DNS, they didn't say if they were proxying the connection
Also a valid point. I guess without more details all we can really do is speculate about the exact setup. That said, I do now agree that the most likely answer is "the underlying host was accessible and caught by an IPv4 scanner" since well, that's pretty much what it says anyway.
(comment deleted)
But there's no evidence in the OP's post that they have, in fact, discovered the domain. The only thing posted is that there is a GET request to a listening web server.

The OP and all the people talking about certificates are making the same assumption. Namely that the scanning company discovered the DNS name for the server and tried to connect. When, if fact, they simply iterate through IP address blocks and make get requests to any listening web servers they find.

OP states that the domain was discovered
No they didn't. They said "How did the internet find my subdomain?" They're assuming the internet found their subdomain. They don't provide any evidence that happened, just that they found their IP address.
(comment deleted)
I really doubt CloudFlare gives them an IPv4 and they can see all the logs for said IPv4
> When doing HTTP request to IP you specify the domain you want to connect to

No, you make HTTP requests to an IP, not a domain. You convert the domain name to an IP in an earlier step (via a DNS query). You can connect to servers using their raw IPs and open ports all day if you like, which is what's happening here. Yes servers will (likely) reject the requests by looking at the host header, but they will still receive the request.

(comment deleted)