Protecting bugbounters from domain wildcards

A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names. A wildcard DNS record is specified by using a * as the leftmost label (part) of a domain name, e.g. *.example.com. The exact rules for when a wild card will match are specified in RFC 1034, but the rules are neither intuitive nor clearly specified. This has resulted in incompatible implementations and unexpected results when they are used. – Wikipedia.

Note: no interaction is required from existing users, but we still recommend that you read the post if you are one.

Time is valuable, and for bugbounters domain wildcards are synonymous with wasting it: every non-existent subdomain resolves to an IP address and therefore looks like a valid host. If you run scanners, fuzzers, etc. against these subdomains, the results will be identical for all of them, since they all point to the same host, the same files and folders, the same configuration, etc. Each of those subdomains costs you time, computing resources, money and attention for nothing.

One domain that uses a wildcard is slack.com: if you ping itisanonexistentsubdomain.slack.com it returns an IP address, and the same happens with any other subdomain, as you can see below.

ping-ing NX domains

The measure taken.

Both the public and private versions of Findomain are capable of detecting wildcards in a normal enumeration (no monitoring). However, this methodology was not applied in any version when the monitoring process ran. Today we have released a new version of Findomain for our service that avoids sending alerts for subdomains that resolve to one of the wildcard IPs. First, randomly generated subdomains that do not exist are resolved; if any of them gets a response, the set of IPs they return is saved as the wildcard IPs. Then, when validating each newly found subdomain, its IPs are checked against that set, and the subdomain is discarded if it only resolves to wildcard IPs.

Findomain Wildcards Detection

As we can see, only subdomains that resolve to IP addresses other than the wildcard ones are taken into account, and they are the only ones for which alerts are sent.
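To make the two steps concrete, here is an added example in Rust, the language Findomain is written in. It is not Findomain's own code: the `Resolver` trait, the `FakeResolver` zone table and the example.com records are assumptions constructed so that it runs offline; a real run would plug in an actual DNS resolver behind the same trait. It probes random names under the domain, records every address they resolve to as a wildcard address, and then keeps only the discovered subdomains that resolve to at least one non-wildcard address.

```rust
use std::collections::{HashMap, HashSet};
use std::net::IpAddr;

/// Anything that maps a hostname to the addresses it resolves to. Findomain's
/// real code uses a DNS resolver; the trait lets this example run offline.
pub trait Resolver {
    fn resolve(&self, name: &str) -> Vec<IpAddr>;
}

/// Constructed zone data standing in for live DNS (an assumption of this example).
/// Names present in `records` resolve to their own addresses; any other name
/// under the zone resolves to `wildcard`, exactly like a `*.example.com` record.
pub struct FakeResolver {
    pub records: HashMap<String, Vec<IpAddr>>,
    pub wildcard: Option<Vec<IpAddr>>,
}

impl Resolver for FakeResolver {
    fn resolve(&self, name: &str) -> Vec<IpAddr> {
        match self.records.get(name) {
            Some(ips) => ips.clone(),
            None => self.wildcard.clone().unwrap_or_default(),
        }
    }
}

/// Deterministic pseudo-random 16-character label (xorshift mixing, no external
/// crate) so the probe names are practically guaranteed not to exist in the zone.
fn random_label(seed: u64) -> String {
    let alphabet = b"abcdefghijklmnopqrstuvwxyz0123456789";
    let mut x = seed
        .wrapping_mul(0x9E37_79B9_7F4A_7C15)
        .wrapping_add(0xD1B5_4A32_D192_ED03);
    (0..16)
        .map(|_| {
            x ^= x << 13;
            x ^= x >> 7;
            x ^= x << 17;
            alphabet[(x % alphabet.len() as u64) as usize] as char
        })
        .collect()
}

/// Step 1: resolve `probes` random names that should not exist under `domain`.
/// Every address any of them returns is recorded as a wildcard address.
pub fn detect_wildcard_ips<R: Resolver>(resolver: &R, domain: &str, probes: u64) -> HashSet<IpAddr> {
    let mut wildcard_ips = HashSet::new();
    for i in 0..probes {
        let name = format!("{}.{}", random_label(i), domain);
        wildcard_ips.extend(resolver.resolve(&name));
    }
    wildcard_ips
}

/// Step 2: keep a discovered subdomain only if it resolves and at least one of
/// its addresses is not a wildcard address. These are the hosts worth alerting on.
pub fn filter_wildcards<R: Resolver>(resolver: &R, candidates: &[&str], wildcard_ips: &HashSet<IpAddr>) -> Vec<String> {
    candidates
        .iter()
        .filter(|name| {
            let ips = resolver.resolve(name);
            !ips.is_empty() && ips.iter().any(|ip| !wildcard_ips.contains(ip))
        })
        .map(|name| name.to_string())
        .collect()
}

/// Constructed sample zone: three real records plus a wildcard pointing at 203.0.113.50.
pub fn sample_zone() -> FakeResolver {
    let ip = |s: &str| s.parse::<IpAddr>().expect("valid literal");
    let mut records = HashMap::new();
    records.insert("www.example.com".to_string(), vec![ip("203.0.113.10")]);
    records.insert("api.example.com".to_string(), vec![ip("203.0.113.20"), ip("203.0.113.50")]);
    // a real host that happens to share the wildcard address: it will be filtered too
    records.insert("status.example.com".to_string(), vec![ip("203.0.113.50")]);
    FakeResolver { records, wildcard: Some(vec![ip("203.0.113.50")]) }
}

fn main() {
    let zone = sample_zone();
    let wildcard_ips = detect_wildcard_ips(&zone, "example.com", 8);
    println!("wildcard IPs: {:?}", wildcard_ips);
    let found = ["www.example.com", "api.example.com", "status.example.com", "doesnotexist.example.com"];
    for host in filter_wildcards(&zone, &found, &wildcard_ips) {
        println!("alert: {}", host);
    }
}
```

Two points a practitioner should keep in mind with IP-based filtering: a genuine host that shares the wildcard address (status.example.com in the constructed zone, for instance everything behind one load balancer) is dropped as well, which is the trade-off for not alerting on thousands of phantom names; and several probes should be sent rather than one, because some wildcard setups answer with more than one address in rotation and a single probe would only capture part of the set.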

Email example.

Check our monitoring service and pricing here.

Regards,
Findomain Team