How discoverable are IPv6 addresses and AAAA names by potential attackers? Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) Come Celebrate our 10 Year Anniversary!IPv6 replacement for scanning IP rangeDNS, subdomain, and IPv6 — possible to add subdomain.example.com NS record to an IPv6 host?Does Windows try to look for IPv6 AAAA records even when it does not have a routable IPv6 address?Win2k8R2 Obtaining DHCPv6 address, but has static configurationWindows 7 laptop with two active network connections will not perform DNS AAAA lookup under certain conditionsSome workstations/servers on the domain respond with IPv6 instead of IPv4 addresses, even though IPv6 is disabled across the boardHow to disable AAAA lookups?How can I identify a rogue IPv6 DHCP server on my LAN?Windows network computers not visible over pure IPv6 (When IPv4 stack disabled or no IPv4 address assigned)How to assign an IPv4 domain name to an IPv6 server behind NAT (local network)?multiple ipv6 routers on the same physical network, how to get it working?
Sorting numerically
How to draw this diagram using TikZ package?
What is the correct way to use the pinch test for dehydration?
Does accepting a pardon have any bearing on trying that person for the same crime in a sovereign jurisdiction?
"Seemed to had" is it correct?
Is it true that "carbohydrates are of no use for the basal metabolic need"?
Antler Helmet: Can it work?
How much radiation do nuclear physics experiments expose researchers to nowadays?
When to stop saving and start investing?
How can I fade player when goes inside or outside of the area?
Storing hydrofluoric acid before the invention of plastics
Can a non-EU citizen traveling with me come with me through the EU passport line?
What are the pros and cons of Aerospike nosecones?
Why is "Consequences inflicted." not a sentence?
Using et al. for a last / senior author rather than for a first author
Are my PIs rude or am I just being too sensitive?
Best practices for giving outside developer SSH access?
Should I discuss the type of campaign with my players?
How to assign captions for two tables in LaTeX?
How to deal with a team lead who never gives me credit?
How do I keep my slimes from escaping their pens?
Does surprise arrest existing movement?
Is high blood pressure ever a symptom attributable solely to dehydration?
If a contract sometimes uses the wrong name, is it still valid?
How discoverable are IPv6 addresses and AAAA names by potential attackers?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!IPv6 replacement for scanning IP rangeDNS, subdomain, and IPv6 — possible to add subdomain.example.com NS record to an IPv6 host?Does Windows try to look for IPv6 AAAA records even when it does not have a routable IPv6 address?Win2k8R2 Obtaining DHCPv6 address, but has static configurationWindows 7 laptop with two active network connections will not perform DNS AAAA lookup under certain conditionsSome workstations/servers on the domain respond with IPv6 instead of IPv4 addresses, even though IPv6 is disabled across the boardHow to disable AAAA lookups?How can I identify a rogue IPv6 DHCP server on my LAN?Windows network computers not visible over pure IPv6 (When IPv4 stack disabled or no IPv4 address assigned)How to assign an IPv4 domain name to an IPv6 server behind NAT (local network)?multiple ipv6 routers on the same physical network, how to get it working?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
It is fairly standard to receive a significant number of minor hacking attempts each day trying common username / passwords for services like SSH and SMTP. I've always assumed these attempts are using the "small" address space of IPv4 to guess IP addresses. I notice that I get zero hacking attempts on IPv6 despite my domain having AAAA Name records mirroring every A Name record and all IPv4 services are also open to IPv6.
Assuming a public DNS (AWS route 53) with an obscure subdomain pointing to a reasonably randomised 64 suffix; Are IPv6 addresses and / subdomains remotely discoverable without trying every address in a 64 bit prefix or every subdomain in a very long list of common names?
I am of course aware that crawling the web looking for listed (sub)domain names is simple enough. I'm also aware that machines on the same subnet can use NDP. I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
domain-name-system ipv6 autodiscovery discovery
asked 14 hours ago
Philip CoulingPhilip Couling
969922
add a comment |
It is fairly standard to receive a significant number of minor hacking attempts each day trying common username / passwords for services like SSH and SMTP. I've always assumed these attempts are using the "small" address space of IPv4 to guess IP addresses. I notice that I get zero hacking attempts on IPv6 despite my domain having AAAA Name records mirroring every A Name record and all IPv4 services are also open to IPv6.
Assuming a public DNS (AWS route 53) with an obscure subdomain pointing to a reasonably randomised 64 suffix; Are IPv6 addresses and / subdomains remotely discoverable without trying every address in a 64 bit prefix or every subdomain in a very long list of common names?
I am of course aware that crawling the web looking for listed (sub)domain names is simple enough. I'm also aware that machines on the same subnet can use NDP. I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
domain-name-system ipv6 autodiscovery discovery
asked 14 hours ago
Philip CoulingPhilip Couling
969922
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago
add a comment |
It is fairly standard to receive a significant number of minor hacking attempts each day trying common username / passwords for services like SSH and SMTP. I've always assumed these attempts are using the "small" address space of IPv4 to guess IP addresses. I notice that I get zero hacking attempts on IPv6 despite my domain having AAAA Name records mirroring every A Name record and all IPv4 services are also open to IPv6.
Assuming a public DNS (AWS route 53) with an obscure subdomain pointing to a reasonably randomised 64 suffix; Are IPv6 addresses and / subdomains remotely discoverable without trying every address in a 64 bit prefix or every subdomain in a very long list of common names?
I am of course aware that crawling the web looking for listed (sub)domain names is simple enough. I'm also aware that machines on the same subnet can use NDP. I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
domain-name-system ipv6 autodiscovery discovery
asked 14 hours ago
Philip CoulingPhilip Couling
969922
It is fairly standard to receive a significant number of minor hacking attempts each day trying common username / passwords for services like SSH and SMTP. I've always assumed these attempts are using the "small" address space of IPv4 to guess IP addresses. I notice that I get zero hacking attempts on IPv6 despite my domain having AAAA Name records mirroring every A Name record and all IPv4 services are also open to IPv6.
Assuming a public DNS (AWS route 53) with an obscure subdomain pointing to a reasonably randomised 64 suffix; Are IPv6 addresses and / subdomains remotely discoverable without trying every address in a 64 bit prefix or every subdomain in a very long list of common names?
I am of course aware that crawling the web looking for listed (sub)domain names is simple enough. I'm also aware that machines on the same subnet can use NDP. I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
domain-name-system ipv6 autodiscovery discovery
domain-name-system ipv6 autodiscovery discovery
asked 14 hours ago
Philip CoulingPhilip Couling
969922
asked 14 hours ago
Philip CoulingPhilip Couling
969922
asked 14 hours ago
Philip CoulingPhilip Couling
969922
asked 14 hours ago
Philip CoulingPhilip Couling
969922
asked 14 hours ago
Philip CoulingPhilip Couling
969922
969922
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago
add a comment |
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago
add a comment |
2 Answers
2
active
oldest
votes
Malicious bots don't guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.
With IPv6, this is not really possible any longer, as you've surmised. The address space is so much larger that it's not even possible to brute-force scan a single /64 subnet within a human lifetime.
Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.
Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won't do until there is a significant abandonment of IPv4, which probably won't happen in the next five years.
I expect that blind guessing probably won't be productive for malicious bots, when they finally do move to IPv6, so they'll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.
For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That's just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.
And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it's far less than 2^64. Random bots won't bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
add a comment |
Regarding AAAA records:
DNS is traditionally unencrypted. While there is a family of standards (DNSSEC) for signing DNS, the encryption of DNS records has had a far more haphazard deployment process, and so it is generally safest to assume that any MitM can read all of your DNS queries unless you have gone out of your way to configure encrypted DNS explicitly on the client side. You would know if you had done so because it's quite an ordeal.
(Also, your web browser is probably sending unencrypted SNI in the TLS handshake, after it has resolved the domain. It is not obvious how you would go about plugging this hole, since a VPN or Tor can still be MitM'd between the exit node or VPN termination point and the remote server.)
However, MitM attacks may or may not be a problem, depending on your threat model. More important is the simple fact that DNS names are intended to be public information. Lots of people (search engines, DNS registrars, etc.) collect and publicize DNS names for entirely benign reasons. DNS resolvers typically apply rate limits, but these limits are usually quite generous, because they're meant to stop DoS attacks, not subdomain enumeration. Creating an HTTPS certificate often involves publishing the domain name for all to see, depending on the CA (Let's Encrypt does it, and so do many others). In practice, it is quite impossible to keep a domain or subdomain a secret, because just about everyone assumes they are public and makes no effort to hide them.
So, to answer this question:
I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
Technically, no, it doesn't. But that does not matter because an enormous amount of higher-layer technology just assumes your DNS records are public, so public they will inevitably be.
answered 8 hours ago
KevinKevin
1418
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963115%2fhow-discoverable-are-ipv6-addresses-and-aaaa-names-by-potential-attackers%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Malicious bots don't guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.
With IPv6, this is not really possible any longer, as you've surmised. The address space is so much larger that it's not even possible to brute-force scan a single /64 subnet within a human lifetime.
Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.
Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won't do until there is a significant abandonment of IPv4, which probably won't happen in the next five years.
I expect that blind guessing probably won't be productive for malicious bots, when they finally do move to IPv6, so they'll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.
For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That's just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.
And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it's far less than 2^64. Random bots won't bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
add a comment |
Malicious bots don't guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.
With IPv6, this is not really possible any longer, as you've surmised. The address space is so much larger that it's not even possible to brute-force scan a single /64 subnet within a human lifetime.
Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.
Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won't do until there is a significant abandonment of IPv4, which probably won't happen in the next five years.
I expect that blind guessing probably won't be productive for malicious bots, when they finally do move to IPv6, so they'll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.
For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That's just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.
And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it's far less than 2^64. Random bots won't bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
add a comment |
Malicious bots don't guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.
With IPv6, this is not really possible any longer, as you've surmised. The address space is so much larger that it's not even possible to brute-force scan a single /64 subnet within a human lifetime.
Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.
Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won't do until there is a significant abandonment of IPv4, which probably won't happen in the next five years.
I expect that blind guessing probably won't be productive for malicious bots, when they finally do move to IPv6, so they'll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.
For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That's just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.
And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it's far less than 2^64. Random bots won't bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
Malicious bots don't guess IPv4 addresses anymore. They simply try them all. On modern systems this can take as little as a few hours.
With IPv6, this is not really possible any longer, as you've surmised. The address space is so much larger that it's not even possible to brute-force scan a single /64 subnet within a human lifetime.
Bots will have to get more creative if they are to continue blind scanning on IPv6 as on IPv4, and malicious bot operators will have to get accustomed to waiting far longer between finding any machines, let alone vulnerable ones.
Fortunately for the bad guys and unfortunately for everyone else, IPv6 adoption has gone much more slowly than it really should have. IPv6 is 23 years old but has only seen significant adoption in the last five years or so. But everyone is keeping their IPv4 networks active, and extremely few hosts are IPv6-only, so malicious bot operators have had little incentive to make the switch. They probably won't do until there is a significant abandonment of IPv4, which probably won't happen in the next five years.
I expect that blind guessing probably won't be productive for malicious bots, when they finally do move to IPv6, so they'll have to move to other means, like brute-forcing DNS names, or targeted brute-forcing of small subsets of each subnet.
For instance, a common DHCPv6 server configuration gives out addresses in ::100 through ::1ff by default. That's just 256 addresses to try, out of a whole /64. Reconfiguring the DHCPv6 server to pick addresses from a much larger range mitigates this problem.
And using modified EUI-64 addresses for SLAAC reduces the search space to 2^24 multiplied by the number of assigned OUIs. While this is over 100 billion addresses, it's far less than 2^64. Random bots won't bother to search this space, but state-level malicious actors will, for targeted attacks, especially if they can make educated guesses as to which NICs might be in use, to reduce the search space further. Using RFC 7217 stable privacy addresses for SLAAC is easy (at least on modern operating systems that support it) and mitigates this risk.
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
answered 9 hours ago
Michael Hampton♦Michael Hampton
175k27320649
175k27320649
add a comment |
add a comment |
Regarding AAAA records:
DNS is traditionally unencrypted. While there is a family of standards (DNSSEC) for signing DNS, the encryption of DNS records has had a far more haphazard deployment process, and so it is generally safest to assume that any MitM can read all of your DNS queries unless you have gone out of your way to configure encrypted DNS explicitly on the client side. You would know if you had done so because it's quite an ordeal.
(Also, your web browser is probably sending unencrypted SNI in the TLS handshake, after it has resolved the domain. It is not obvious how you would go about plugging this hole, since a VPN or Tor can still be MitM'd between the exit node or VPN termination point and the remote server.)
However, MitM attacks may or may not be a problem, depending on your threat model. More important is the simple fact that DNS names are intended to be public information. Lots of people (search engines, DNS registrars, etc.) collect and publicize DNS names for entirely benign reasons. DNS resolvers typically apply rate limits, but these limits are usually quite generous, because they're meant to stop DoS attacks, not subdomain enumeration. Creating an HTTPS certificate often involves publishing the domain name for all to see, depending on the CA (Let's Encrypt does it, and so do many others). In practice, it is quite impossible to keep a domain or subdomain a secret, because just about everyone assumes they are public and makes no effort to hide them.
So, to answer this question:
I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
Technically, no, it doesn't. But that does not matter because an enormous amount of higher-layer technology just assumes your DNS records are public, so public they will inevitably be.
answered 8 hours ago
KevinKevin
1418
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
add a comment |
Regarding AAAA records:
DNS is traditionally unencrypted. While there is a family of standards (DNSSEC) for signing DNS, the encryption of DNS records has had a far more haphazard deployment process, and so it is generally safest to assume that any MitM can read all of your DNS queries unless you have gone out of your way to configure encrypted DNS explicitly on the client side. You would know if you had done so because it's quite an ordeal.
(Also, your web browser is probably sending unencrypted SNI in the TLS handshake, after it has resolved the domain. It is not obvious how you would go about plugging this hole, since a VPN or Tor can still be MitM'd between the exit node or VPN termination point and the remote server.)
However, MitM attacks may or may not be a problem, depending on your threat model. More important is the simple fact that DNS names are intended to be public information. Lots of people (search engines, DNS registrars, etc.) collect and publicize DNS names for entirely benign reasons. DNS resolvers typically apply rate limits, but these limits are usually quite generous, because they're meant to stop DoS attacks, not subdomain enumeration. Creating an HTTPS certificate often involves publishing the domain name for all to see, depending on the CA (Let's Encrypt does it, and so do many others). In practice, it is quite impossible to keep a domain or subdomain a secret, because just about everyone assumes they are public and makes no effort to hide them.
So, to answer this question:
I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
Technically, no, it doesn't. But that does not matter because an enormous amount of higher-layer technology just assumes your DNS records are public, so public they will inevitably be.
answered 8 hours ago
KevinKevin
1418
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
add a comment |
Regarding AAAA records:
DNS is traditionally unencrypted. While there is a family of standards (DNSSEC) for signing DNS, the encryption of DNS records has had a far more haphazard deployment process, and so it is generally safest to assume that any MitM can read all of your DNS queries unless you have gone out of your way to configure encrypted DNS explicitly on the client side. You would know if you had done so because it's quite an ordeal.
(Also, your web browser is probably sending unencrypted SNI in the TLS handshake, after it has resolved the domain. It is not obvious how you would go about plugging this hole, since a VPN or Tor can still be MitM'd between the exit node or VPN termination point and the remote server.)
However, MitM attacks may or may not be a problem, depending on your threat model. More important is the simple fact that DNS names are intended to be public information. Lots of people (search engines, DNS registrars, etc.) collect and publicize DNS names for entirely benign reasons. DNS resolvers typically apply rate limits, but these limits are usually quite generous, because they're meant to stop DoS attacks, not subdomain enumeration. Creating an HTTPS certificate often involves publishing the domain name for all to see, depending on the CA (Let's Encrypt does it, and so do many others). In practice, it is quite impossible to keep a domain or subdomain a secret, because just about everyone assumes they are public and makes no effort to hide them.
So, to answer this question:
I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
Technically, no, it doesn't. But that does not matter because an enormous amount of higher-layer technology just assumes your DNS records are public, so public they will inevitably be.
answered 8 hours ago
KevinKevin
1418
Regarding AAAA records:
DNS is traditionally unencrypted. While there is a family of standards (DNSSEC) for signing DNS, the encryption of DNS records has had a far more haphazard deployment process, and so it is generally safest to assume that any MitM can read all of your DNS queries unless you have gone out of your way to configure encrypted DNS explicitly on the client side. You would know if you had done so because it's quite an ordeal.
(Also, your web browser is probably sending unencrypted SNI in the TLS handshake, after it has resolved the domain. It is not obvious how you would go about plugging this hole, since a VPN or Tor can still be MitM'd between the exit node or VPN termination point and the remote server.)
However, MitM attacks may or may not be a problem, depending on your threat model. More important is the simple fact that DNS names are intended to be public information. Lots of people (search engines, DNS registrars, etc.) collect and publicize DNS names for entirely benign reasons. DNS resolvers typically apply rate limits, but these limits are usually quite generous, because they're meant to stop DoS attacks, not subdomain enumeration. Creating an HTTPS certificate often involves publishing the domain name for all to see, depending on the CA (Let's Encrypt does it, and so do many others). In practice, it is quite impossible to keep a domain or subdomain a secret, because just about everyone assumes they are public and makes no effort to hide them.
So, to answer this question:
I'm more interested in whether DNS or the underlying protocols of IPv6 allow discovery / listing unknown domains and addresses by remote.
Technically, no, it doesn't. But that does not matter because an enormous amount of higher-layer technology just assumes your DNS records are public, so public they will inevitably be.
answered 8 hours ago
KevinKevin
1418
answered 8 hours ago
KevinKevin
1418
answered 8 hours ago
KevinKevin
1418
answered 8 hours ago
KevinKevin
1418
1418
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
add a comment |
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
Encrypted SNI is under development. Give it a year or two.
– Michael Hampton♦
6 mins ago
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963115%2fhow-discoverable-are-ipv6-addresses-and-aaaa-names-by-potential-attackers%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Related: IPv6 replacement for scanning IP range
– Michael Hampton♦
11 hours ago