On 5/6/22 5:58 PM, Amir Herzberg wrote:
Hi NANOGers,
Questions:
- Do you find zone enumeration a real concern?
I have found that some people who are concerned about such things will have LetsEncrypt certs for many of the same hosts they were worried about - which of course makes the DNS zone enumeration issue moot - any CA-signed certs are already public these days. Doesn't make the issue completely moot, but the reality is if you're exposing something to the internet, there's plenty of ways for it to leak out, so best not to make it public to begin with.

Tangentially related today is the news that all your "private channel" names are actually completely public on Discord[1], which was also true for Slack for many years, with their security folks claiming it's totally no problem that anyone can see you have a channel named secret-jv-announcing-next-month-with-company-X.

Matt

[1] https://twitter.com/joshfraser/status/1524093111349166080