CNAME records in place of A records

Matthias Luft nanog at c7f.de
Fri Nov 6 16:57:27 UTC 2020 

While the change from A to CNAME itself is probably not based on 
security considerations, a CNAME pointing to a CDN or similar can result 
in future security issues, i.e. you want to closely monitor your 
externally pointing CNAMEs when you get rid of external services: 
https://www.hackerone.com/blog/Guide-Subdomain-Takeovers

On 06.11.20 05:34, Dovid Bender wrote:
> Interesting. We got a few requests at the same time which is what made 
> we wonder. I wanted to make sure that there wasn't something I was missing.
> 
> 
> On Fri, Nov 6, 2020 at 5:25 AM Ray Orsini <ray at oit.co 
> <mailto:ray at oit.co>> wrote:
> 
>     It's not a security thing. We do this with the the resellers who
>     white label our VOIP. CNAMEs allow us to be flexible with our own
>     hosts and infrastructure without having all of our resellers change
>     DNS records.
>     OIT Website <https://www.oit.co/>	
>     Ray Orsini​
>     Chief Executive Officer
>     OIT, LLC
> 
>     	*305.967.6756 x1009* <tel:305.967.6756%20x1009>	 | 		*305.571.6272*
> 
>     	*ray at oit.co* <mailto:ray at oit.co>	 | 	https://www.oit.co
>     <https://www.oit.co/>	* www.oit.co* <https://www.oit.co/>
> 
>     	oit.co/ray <http://oit.co/ray>
> 
>     Facebook <https://go.oit.co/facebook>
> 
>     	
>     LinkedIn <https://go.oit.co/linkedin>
> 
>     	
>     Twitter <https://go.oit.co/twitter>
> 
>     	
>     YouTube <https://go.oit.co/youtube>
> 
>     *How are we doing? We'd love to hear your feedback.
>     https://go.oit.co/review*
>     <https://zoom.us/webinar/register/2015851001337/WN_otbRE8XZSVOitAPS_qZ9Zg>
> 
>     ------------------------------------------------------------------------
>     *From:* NANOG <nanog-bounces+ray=oit.co at nanog.org
>     <mailto:oit.co at nanog.org>> on behalf of Dovid Bender
>     <dovid at telecurve.com <mailto:dovid at telecurve.com>>
>     *Sent:* Friday, November 6, 2020 5:07:26 AM
>     *To:* NANOG <nanog at nanog.org <mailto:nanog at nanog.org>>
>     *Subject:* CNAME records in place of A records
>     Hi,
> 
>     Sorry if this is a bit OT. Recently several different vendors (in
>     completely different fields) where they white label for us asked us
>     to remove A records that we have going to them and replace them with
>     CNAME records. Is there anything *going around* in the security
>     aranea  that has caused this?
>

More information about the NANOG mailing list