BonkTheAnnoyedHow are people discovering random subdomains on my server?
A@[email protected] are you generating certificates for each of the random subdomains?
I don’t think so? I have a letsencrypt wildcard cert, and reference that in the relevant .conf
@[email protected] mmm wait your logs show the new domains being targeted specifically?
Yep. They show up in the other_hosts…log
Novi SadLetsencrypt certs are (by necessity?) publicly indexed, tools like subfinder can find them
Even with a wildcard cert?
Bobby TurkalinoFitting that someone from an instance on a random subdomain commented on this lol
@[email protected] have you checked on https://crt.sh/ ?
As expected, it doesn’t show up. I had a couple of other subdomains configured before I switched to wildcard, but nothing matches the random one
ambitiousslabI believe that some DNS servers are configured to allow zone transfers without any kind of authentication. While properly configured servers will whitelist the IPs of secondaries they trust, for those that don’t, hackers can simply request a zone transfer and get all subdomains at once.
I don’t have any subdomains registered with DNS.
I attempted dig axfr example.com @ns1.example.com returned zone transfer DENIED
Yeah, this is interesting, I’ll dig more into this direction.
But the randomly generated subdomain has never seen a DNS registrar.
I do have *.mydomain.com registered though…hmmm
Mostly from AWS or the like, with occasional Chinese and Russian origins.
The scans look like requests to various WordPress endpoints, JavaScript files associated with known vulnerabilities etc
Morphit Have you sent the URL across any messaging services? Lots of them look up links you share to see if it’s malware (and maybe also to shovel into their AI). Even email services do this.
Nope, but that’s a good suggestion. I set this one up brand new for the experiment.
Are you sure they’re hitting the hostname and not just the IP directly?
Shows up by name in the apache other_hosts…log, so yes
Going to IP directly could redirect to your first domain. This would trigger another request to your domain and could result in your logs.
Fair FairyI need to make sure to 444 drop connection immediately if wrong domain. Redirect to https should be configured after - I suspect ur config redirects
if you use Let’s Encrypt (ACME protocol) AFAIK you can find all domains registered in a directory that even has a search, no matter if it’s wildcard or not.
It was something like this crt.sh but can’t find the site exactly anymore
Holy shit, this has every cert I’ve ever generated or renewed since 2015.
vf2000Certificate Transparency makes public all issued certificates in the form of a distributed ledger, giving website owners and auditors the ability to detect and expose inappropriately issued certificates.
ShimitarThis.
That’s why temping obscurity for security is not a good idea. Doesn’t take much to be “safe”, at least reasonably safe. But that not much its good practice to be done :)
No. Not this.
Op is doing hidden subdomain pattern. Wildcard dns and wildcard ssl.
This way subdomain acts as a password and application essentially inaccessible for bot crawls.
Works very well
Holy shit… I thought it was DNS resolver selling these data
Do post again if you figure it out!
Will do!
IheartcheeseWe’re always watching.
You say you have a wildcad cart but just to make sure: I don’t suppose you’ve used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.
The random name is not in the public log. Someone else suggested that earlier. I checked CRT.sh and while my primary domain is there, the random one isn’t.
My next suspicion from what you’ve shared so far would be something out of the http server loop.
Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with opt-out analytics? Any locally connected AI agents having access to it?
if there’s no dns entry do you mean you are getting scans to your ip with these random subdomain headers? so someone would need both pieces of information? curious
Yes, exactly. Super weird, shouldn’t happen. I wonder if I have a compromised box somewhere…
Did you yourself make a request to it or just set it up and not check it? My horrifying guess it that if you use SNI in a request every server in the middle could read the subdomain and some system in the internet routing is untrustworthy.
Previous experiments, yes, I sent a request. The random one, no.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority DNS Domain Name Service/System IP Internet Protocol SSL Secure Sockets Layer, for transparent encryption[Thread #990 for this comm, first seen 11th Jan 2026, 01:25] [FAQ] [Full list] [Contact] [Source code]
Good bot
Kudos to the bot.
I mean, it could be… I’ll try it with a 128 char base 52 name and see what happens
Have you also tried making a subdomain and not making any requests to it yourself? So no browser access or other DNS resolution requests for the new subdomain. That should rule out some of the other possible causes suggested in the other comments.
You need better logging. Try doing a packet capture with tcpdump then decrypt the HTTPS traffic. Because what you've described so far, especially before the edit makes no sense.
If you don't have a DNS record pointing the subdomain to the IP address of the server, it shouldn't be possible to resolve the IP for random Internet users. If this VHOST only exists in your Apache config file and nowhere else, it is private.
SavvyWolfIf you do a port scan on your box, what services are running? Maybe something like email or diagnostics is exposed to the internet and announcing subdomains?
It’s literally just a VM hosting Apache and nothing else.
At the end of the day this is obscurity, not security; however obscurity is a good secondary defense because it buys time.
I too would be interested to learn how this leaked
it’s not even obscurity; it’s logged publicly.
How is it being logged publicly? Like OP said there is no specific subdomain registered in the DNS records (instead using a wildcard). Same for the SSL cert. Only things I can think of is the browser leaking the subdomains (through google or Microsoft) or the DNS queries themselves being logged and leaked. (Possibly by the ISP inspecting the traffic or logging and leaking on their own DNS servers?). I would hardly call either of those public.
It’s not. Wildcard DNS and wildcard cert. Domain is not logged publicly.
People that keep saying logged publicly simply don’t understand setup and technilogy
Isnt security mostly achieved by heavy obscurity?
A password secures because other people dont know what it is, it is obscured.
In cryptography, there’s a difference between “secrets” (like passwords and encryption keys), and hiding / obscuring something (like steganography or changing your web server to run on a different port)