Are DNS records private information?
Solution 1:
Is there some kind of "subdomain listing" query for DNS?
There is no query for this specific purpose, but there are a few indirect methods.
- A non-incremental zone transfer (AXFR). Most server operators lock down zone transfers to specific IP addresses to prevent unaffiliated parties from snooping around.
- If DNSSEC is enabled, iterative NSEC requests can be used to walk the zone. NSEC3 was implemented to make zone walking more computationally intensive.
There's also a trick that will let someone know if an arbitrary subdomain exists.
example.com. IN A 198.51.100.1
www.sub.example.com. IN A 198.51.100.2
In the above example, www lies within sub. A query for sub.example.com IN A will not return an ANSWER section, but the result code will be NOERROR instead of NXDOMAIN, betraying the existence of records further down the tree (just not what those records are named).
Should secrecy of DNS records ever be relied upon?
No. The only way to reliably hide data from a client is to ensure that it can never get the data to begin with. Assume that existence of your DNS records will be spread among whoever has access to them, either by word of mouth or by observing the packets.
If you're trying to hide records from a routable DNS client, You're Doing It Wrong™. Make sure the data is only exposed to the environments that need it. (i.e. use privately routed domains for private IPs) Even if you have such a division set up, assume that knowledge of the IP addresses will be spread around anyway.
The focus on security should be on what happens when someone gets the IP address, because it's going to happen.
I'm aware that the list of reasons for IP address secrecy being a pipe dream could be expanded on further. IP scanning, social engineering...the list is endless, and I'm mostly focusing on the DNS protocol aspects of this question. At the end of the day, it all falls under the same umbrella: someone is going to get your IP address.
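The two probing mechanisms this answer describes, modelled as an added example (not code from the original answer): a tiny in-memory authoritative server for one zone that (1) returns NOERROR with an empty ANSWER section for the empty non-terminal sub.example.com but NXDOMAIN for a name with nothing at or below it, and (2) exposes the NSEC chain of a signed zone so it can be walked from the apex until it wraps. The two A records are the ones from the answer; the apex NS, ns1 and mail records, the candidate labels, and the function names are assumptions made for illustration. NSEC3 hashing is not modelled, and no packets are sent.

```python
# Added example: a minimal model of an authoritative server for one zone,
# built to show why an A query for sub.example.com yields NOERROR/NODATA
# while an absent name yields NXDOMAIN, and how NSEC "next owner" pointers
# enumerate a signed zone. Everything here is constructed sample data.

ZONE_APEX = "example.com."

# Constructed sample zone: owner name -> {rrtype: [rdata, ...]}.
# The two A records come from the answer; the other names are assumptions.
RECORDS = {
    "example.com.":         {"A": ["198.51.100.1"], "NS": ["ns1.example.com."]},
    "ns1.example.com.":     {"A": ["198.51.100.53"]},
    "mail.example.com.":    {"A": ["198.51.100.25"]},
    "www.sub.example.com.": {"A": ["198.51.100.2"]},
}


def norm(name):
    """Lowercase and make absolute (trailing dot), as servers compare names case-insensitively."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def labels(name):
    """Labels of an absolute name, lowercased, root label dropped."""
    return [l.lower() for l in name.rstrip(".").split(".")]


def is_ancestor(candidate, name):
    """True if candidate is a proper ancestor of name (sub.example.com of www.sub.example.com)."""
    c, n = labels(candidate), labels(name)
    return len(c) < len(n) and n[-len(c):] == c


def lookup(qname, qtype):
    """Answer a query the way an authoritative server does: (rcode, answers).

    NOERROR with no answers covers both NODATA (name has records, not of this
    type) and the empty non-terminal (no records at all, but names exist below
    it). Only a name with nothing at or beneath it is NXDOMAIN.
    """
    qname = norm(qname)
    rrsets = RECORDS.get(qname)
    if rrsets is not None:
        return "NOERROR", list(rrsets.get(qtype, []))
    if any(is_ancestor(qname, owner) for owner in RECORDS):
        return "NOERROR", []          # empty non-terminal: something lives further down
    return "NXDOMAIN", []


def probe(candidate_labels, qtype="A"):
    """Dictionary-style probing driven by the rcode alone: NOERROR without an
    answer means the name exists in some form and its children are worth probing."""
    verdicts = {}
    for label in candidate_labels:
        rcode, answers = lookup(f"{label}.{ZONE_APEX}", qtype)
        if answers:
            verdicts[label] = "has " + qtype
        elif rcode == "NOERROR":
            verdicts[label] = "exists, probe deeper"
        else:
            verdicts[label] = "NXDOMAIN"
    return verdicts


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 s6.1): labels compared right to left,
    a name sorting before any name it is a prefix of (tuple comparison gives exactly that)."""
    return tuple(reversed(labels(name)))


def nsec_chain():
    """NSEC chain: each owner with authoritative data points to the next owner in
    canonical order, the last wrapping to the apex. Empty non-terminals get no NSEC."""
    owners = sorted(RECORDS, key=canonical_key)
    return {owner: owners[(i + 1) % len(owners)] for i, owner in enumerate(owners)}


def nsec_covering(qname):
    """The NSEC a server returns to deny qname: (owner, next) for the owner that
    immediately precedes qname in canonical order. If next lies below qname,
    the denial itself reveals that qname is an empty non-terminal."""
    chain = nsec_chain()
    key = canonical_key(norm(qname))
    owners = sorted(chain, key=canonical_key)
    prev = owners[-1]                 # wrap-around if qname sorts after every owner
    for owner in owners:
        if canonical_key(owner) > key:
            break
        prev = owner
    return prev, chain[prev]


def walk_zone():
    """Enumerate every NSEC owner by following next-owner pointers from the apex until
    the chain wraps. Against a live zone this is one NSEC query per step."""
    chain, names, cur = nsec_chain(), [], ZONE_APEX
    while True:
        names.append(cur)
        cur = chain[cur]
        if cur == ZONE_APEX:
            return names


if __name__ == "__main__":
    for q in ("www.sub.example.com", "sub.example.com", "nope.example.com"):
        print(f"{q:<22} IN A -> {lookup(q, 'A')}")
    print("probe:", probe(["www", "mail", "sub", "vpn"]))
    print("NSEC denying sub.example.com:", nsec_covering("sub.example.com"))
    print("zone walk:", walk_zone())
```

The probe step is the "trick" from the answer turned into a loop: a label that comes back NOERROR with no answer is worth descending into, and a real attacker would feed it a wordlist at each level. The NSEC walk is why the answer calls NSEC3 an obstacle rather than a fix: it replaces the plain next-owner pointer with a hash, so the chain still exists but each step costs a dictionary attack instead of a string copy.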
Solution 2:
It depends.
Andrew B's answer is spot on when you register the subdomain in the public DNS zone which also hosts your company's MX records and public website, for instance.
Most companies would have an internal DNS server, not publicly available, where you would register the host names for your internal (secret) hosts.
The recommended method is to register a dedicated domain for internal use, or alternatively create a subdomain in your primary domain for internal use.
But technically you can also use your primary domain by creating an internal view on your domain, where depending on the origin of the DNS client an alternate version of the DNS zone would be visible.
Solution 3:
In addition to Andrew's answer, AXFR requests can be done with one of the following commands:
# Zone transfers must be aimed at a server authoritative for the zone;
# a recursive resolver such as 8.8.8.8 will refuse the AXFR.
dig @8.8.8.8 mydomain.com. AXFR
nslookup -query=AXFR mydomain.com 8.8.8.8
host -l mydomain.com 8.8.8.8
There are also some brute-force scripts (like WS-DNS-BFX) that use a dictionary to guess other DNS records.