CNAME records in place of A records
Matthias Luft
nanog at c7f.de
Fri Nov 6 16:57:27 UTC 2020
While the change from A to CNAME itself is probably not based on
security considerations, a CNAME pointing to a CDN or similar can result
in future security issues, i.e. you want to closely monitor your
externally pointing CNAMEs when you get rid of external services:
https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
On 06.11.20 05:34, Dovid Bender wrote:
> Interesting. We got a few requests at the same time which is what made
> we wonder. I wanted to make sure that there wasn't something I was missing.
>
>
> On Fri, Nov 6, 2020 at 5:25 AM Ray Orsini <ray at oit.co
> <mailto:ray at oit.co>> wrote:
>
> It's not a security thing. We do this with the the resellers who
> white label our VOIP. CNAMEs allow us to be flexible with our own
> hosts and infrastructure without having all of our resellers change
> DNS records.
> OIT Website <https://www.oit.co/>
> Ray Orsini
> Chief Executive Officer
> OIT, LLC
>
> *305.967.6756 x1009* <tel:305.967.6756%20x1009> | *305.571.6272*
>
> *ray at oit.co* <mailto:ray at oit.co> | https://www.oit.co
> <https://www.oit.co/> * www.oit.co* <https://www.oit.co/>
>
> oit.co/ray <http://oit.co/ray>
>
> Facebook <https://go.oit.co/facebook>
>
>
> LinkedIn <https://go.oit.co/linkedin>
>
>
> Twitter <https://go.oit.co/twitter>
>
>
> YouTube <https://go.oit.co/youtube>
>
> *How are we doing? We'd love to hear your feedback.
> https://go.oit.co/review*
> <https://zoom.us/webinar/register/2015851001337/WN_otbRE8XZSVOitAPS_qZ9Zg>
>
> ------------------------------------------------------------------------
> *From:* NANOG <nanog-bounces+ray=oit.co at nanog.org
> <mailto:oit.co at nanog.org>> on behalf of Dovid Bender
> <dovid at telecurve.com <mailto:dovid at telecurve.com>>
> *Sent:* Friday, November 6, 2020 5:07:26 AM
> *To:* NANOG <nanog at nanog.org <mailto:nanog at nanog.org>>
> *Subject:* CNAME records in place of A records
> Hi,
>
> Sorry if this is a bit OT. Recently several different vendors (in
> completely different fields) where they white label for us asked us
> to remove A records that we have going to them and replace them with
> CNAME records. Is there anything *going around* in the security
> aranea that has caused this?
>
More information about the NANOG
mailing list