Is it possible to properly hide DNS records?

Hello everyone, I come looking for the right solution, if such a thing is even really possible. For example, let's say I provide some service to customers (which are companies), my service name is "whatever" and I have some servers/environments in 3 different locations. Each customer needs to be directed to the right environment by a subdomain they have: imagine I have Abibas as an EU-based customer and Nyke as a US-based customer. Because of that, I want the subdomain abibas.portal.whatever.com to point to my EU environment, since they are EU based, and nyke.portal.whatever.com to point to my US environment, since they are US based, and so on. Imagine I have many, many more customers like that, each with a subdomain under my domain, unique to them, used to direct them to the relevant environment. (It should be mentioned that there can be workers in the US who work for Abibas and will need to connect to the EU server, since the company is based there, and vice versa; that's why I need the subdomain to point to the relevant environment.)

My greatest concern in this whole situation is that I don't want my customers' names to be exposed in any way through the DNS records, to any "dig" requests or anything of that sort. So my big question is: is there a way to hide records to avoid exposing the customers' names? (Notice the main concern is not preventing any hacking or whatever, but at the very base, to not disclose which customers are using my service, to hide the names.) Is there a way to only expose, for example, a wildcard at most and not anything under *.portal.whatever.com?

If you have any idea, please let me know what it would require and, if possible, also how to do it 🙏 💙 I hope it is understandable enough and makes sense. Thanks a lot for checking this out! 💙
8 Replies
bun • 2y ago
You could do 100% *.portal.whatever.com and tbh, that's what I would do as well.
Chaika • 2y ago
Everything in DNS is public, or should be treated as such. Doing a wildcard like suggested may help deter scanning etc. because "everything would exist", but if you were using them as CNAME targets they'd be exposed publicly, and if customers or users ever accessed them directly, a lot of resolvers keep logs, even if anonymized. Plus DNS itself isn't encrypted.

If your goal was something like that, you would probably want something like na-portal.example.com and eu-portal.example.com, and deal with picking the right "realm" for the user based off the email address, or maybe having the company in the path like /adidas/login. It'd still be possible to leak, but that would be more on them.

Note that Cloudflare's free Universal certificate is wildcard only for the first level as well; if you wanted anything deeper like x.portal.example.com, you'd need Advanced Certificate Manager (ACM, $10 USD/mo).
bun • 2y ago
Couldn't you use custom hostnames? Since that would also hide stuff, since it proxies through Cloudflare? Or am I thinking incorrectly 🗿 If they are using their own domain, that is ^^
Chaika • 2y ago
If Adidas was on Cloudflare, CNAMEing (proxied) to his portal?
bun • 2y ago
Unless I'm mistaken, I don't think Adidas would need to be using Cloudflare, since OP could be using custom hostnames and proxy through CF.
Chaika • 2y ago
If Adidas has a CNAME on their own zone like <hiscompany>.adidas.com CNAME'd to hiscompany.com, it would make it a bit obvious. It might still kind of fit what he was going for, if his customers were fine with creating those CNAMEs.
Tobias • 2y ago
This might not necessarily be exactly what you want, but an idea would be to offer companies to bring their own domain instead of using your own domain. A simple CNAME and domain verification using TXT records would work, and that way you could give the portal itself some random subdomain that's not recognisable, and the company can handle a human-readable hostname. In your case, instead of having abibas.eu-portal.com you could have a CNAME from my-app.abibas.com to 2309120398123.eu-portal.com. (This would also allow the company to just not expose it publicly; if they have an intranet, chances are they host their own nameserver, so it's not publicly visible at all and practically impossible to spot from the outside.)
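The two suggestions above (realm selection from the login e-mail domain, and bring-your-own-domain with an unrecognisable portal hostname plus TXT verification) can be sketched in a few dozen lines. The following is an added example written for this page, not code from any participant or from Cloudflare. All hostnames, tenant names, the `_portal-verify` TXT label, the secret key and the DNS answers are constructed for the example; deriving the opaque label with an HMAC over the tenant id (rather than a purely random string) is this example's own choice, so the provider can recompute it without a lookup table while an outsider still cannot map labels back to customer names.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed for this example: realm hostnames and a tenant table as the
# provider would hold it in its own database. None of these names are real.
REALM_HOSTS: Dict[str, str] = {
    "eu": "eu-portal.example.com",
    "us": "na-portal.example.com",
}
TENANTS: Dict[str, dict] = {
    "abibas": {"realm": "eu", "email_domains": {"abibas.example"}},
    "nyke": {"realm": "us", "email_domains": {"nyke.example"}},
}
# Constructed provider secret; in production this lives in a KMS/secret store.
LABEL_KEY = b"constructed-example-key-do-not-use"


def tenant_label(tenant_id: str, key: bytes = LABEL_KEY) -> str:
    """Opaque DNS label for a tenant: HMAC-SHA256(key, tenant_id), truncated.

    Deterministic, so the provider can recompute it, but without the key an
    outsider cannot map labels back to customer names or enumerate them.
    """
    digest = hmac.new(key, tenant_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:20]


def tenant_hostname(tenant_id: str, key: bytes = LABEL_KEY) -> str:
    """The CNAME target handed to the customer, e.g. <label>.eu-portal.example.com."""
    realm = TENANTS[tenant_id]["realm"]
    return f"{tenant_label(tenant_id, key)}.{REALM_HOSTS[realm]}"


def realm_for_email(email: str) -> Optional[str]:
    """Pick the realm from the login e-mail's domain instead of a per-customer subdomain."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    for tenant in TENANTS.values():
        if domain in tenant["email_domains"]:
            return tenant["realm"]
    return None


def new_verification_token() -> str:
    """Per-onboarding random token the customer publishes in a TXT record."""
    return secrets.token_urlsafe(24)


# A resolver is anything returning rdata strings for (name, rrtype); a real one
# would wrap a DNS library, here constructed answers are injected instead.
Resolver = Callable[[str, str], Iterable[str]]


def verify_custom_domain(custom_host: str, tenant_id: str, expected_token: str,
                         resolve: Resolver, key: bytes = LABEL_KEY) -> bool:
    """Accept the customer's hostname only if it CNAMEs to this tenant's opaque
    portal name and a TXT record proves control of the customer's zone."""
    expected_target = tenant_hostname(tenant_id, key).lower()
    cname_targets = {t.rstrip(".").lower() for t in resolve(custom_host, "CNAME")}
    if expected_target not in cname_targets:
        return False
    # The TXT lives under its own label: a name that owns a CNAME may hold no
    # other records, so the token cannot sit on custom_host itself.
    for txt in resolve(f"_portal-verify.{custom_host}", "TXT"):
        if hmac.compare_digest(txt.strip('"'), expected_token):
            return True
    return False


def make_fake_resolver(records: Dict[Tuple[str, str], Iterable[str]]) -> Resolver:
    """Offline stand-in for DNS, keyed by (lowercased name, rrtype)."""
    def resolve(name: str, rrtype: str) -> Iterable[str]:
        return records.get((name.rstrip(".").lower(), rrtype), [])
    return resolve


# Constructed onboarding: customer "abibas" brings my-app.abibas.example.
DEMO_TOKEN = "constructed-token-8c3f"
DEMO_RECORDS = {
    ("my-app.abibas.example", "CNAME"): [tenant_hostname("abibas") + "."],
    ("_portal-verify.my-app.abibas.example", "TXT"): [f'"{DEMO_TOKEN}"'],
}


def demo() -> dict:
    resolve = make_fake_resolver(DEMO_RECORDS)
    return {
        "target": tenant_hostname("abibas"),
        "realm_by_email": realm_for_email("alice@abibas.example"),
        "verified": verify_custom_domain("my-app.abibas.example", "abibas", DEMO_TOKEN, resolve),
        "wrong_token": verify_custom_domain("my-app.abibas.example", "abibas", "not-it", resolve),
        "wrong_tenant": verify_custom_domain("my-app.abibas.example", "nyke", DEMO_TOKEN, resolve),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The provider's own zone then only ever publishes `<hex-label>.eu-portal.example.com` style names, which say nothing about who the tenant is; what remains visible is the CNAME in the customer's zone, which is the customer's decision to publish, as noted in the replies above. The verification step matters because a customer who can point a CNAME at a tenant hostname has not thereby proven they own the zone; the TXT token ties the hostname to the onboarding of that specific tenant.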
leontworkacc_20161 (OP) • 2y ago
Thank you guys for your time and help! I will look through your suggested solutions and try to test to see what would work best. I greatly appreciate all your help 💙 May come back with more questions later 😛