CNAME records in place of A records

Alain Hebert ahebert at pubnix.net
Fri Nov 6 17:45:25 UTC 2020


     Hi,

     1. I know y'all know it, but too often I come across customers 
using CDN Dashboard without 2FA.

     In my experience this has been the most abused security vector in 
the cases I saw.


     2. Matthias' point is extremely valid.

     I would add: Externally monitoring the signature of the non-static 
objects (html, javascript) returned by the CDN.

     While you can easily recover from image defacing, having your 
customers getting their private information (creds, identity, CC) stolen 
is another ball game.

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 11/6/20 11:57 AM, Matthias Luft via NANOG wrote:
> While the change from A to CNAME itself is probably not based on 
> security considerations, a CNAME pointing to a CDN or similar can 
> result in future security issues, i.e. you want to closely monitor 
> your externally pointing CNAMEs when you get rid of external services: 
> https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
>
> On 06.11.20 05:34, Dovid Bender wrote:
>> Interesting. We got a few requests at the same time which is what 
>> made me wonder. I wanted to make sure that there wasn't something I 
>> was missing.
>>
>>
>> On Fri, Nov 6, 2020 at 5:25 AM Ray Orsini <ray at oit.co> wrote:
>>
>>     It's not a security thing. We do this with the resellers who
>>     white label our VOIP. CNAMEs allow us to be flexible with our own
>>     hosts and infrastructure without having all of our resellers change
>>     DNS records.
>>     Ray Orsini
>>     Chief Executive Officer
>>     OIT, LLC
>> ------------------------------------------------------------------------
>>     *From:* NANOG <nanog-bounces+ray=oit.co at nanog.org> on behalf of
>>     Dovid Bender <dovid at telecurve.com>
>>     *Sent:* Friday, November 6, 2020 5:07:26 AM
>>     *To:* NANOG <nanog at nanog.org>
>>     *Subject:* CNAME records in place of A records
>>     Hi,
>>
>>     Sorry if this is a bit OT. Recently several different vendors (in
>>     completely different fields) where they white label for us asked us
>>     to remove A records that we have going to them and replace them with
>>     CNAME records. Is there anything *going around* in the security
>>     arena that has caused this?
>>
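
Added example (not part of the original thread and not code from any of the posters): one way to do the CNAME monitoring Matthias describes, by checking every externally pointing CNAME in a zone export against an inventory of providers still in use. The zone data, provider names and function names are all constructed assumptions.

```python
import socket

# All names and data below are constructed for illustration.
OWNED_ZONES = ("example.com",)  # zones we operate ourselves
ZONE_RECORDS = [  # (owner, type, target), e.g. parsed from a zone export
    ("www.example.com", "CNAME", "example-cust.cdn-provider.example"),
    ("voip.example.com", "CNAME", "reseller7.voip-vendor.example"),
    ("promo.example.com", "CNAME", "old-campaign.saas-vendor.example"),
    ("mail.example.com", "A", "192.0.2.10"),
    ("intranet.example.com", "CNAME", "lb1.example.com"),
]
# External providers still under contract (from the vendor inventory)
ACTIVE_SERVICES = {"cdn-provider.example", "voip-vendor.example"}

def in_zone(name, zone):
    # Label-aware suffix match so "evilexample.com" is not inside "example.com"
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def system_resolves(name):
    # Default check through the system resolver; replaceable for offline runs
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, owned, active, resolves=system_resolves):
    """Return (owner, target, reasons) for external CNAMEs needing review."""
    findings = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME" or any(in_zone(target, z) for z in owned):
            continue  # only CNAMEs that leave our own zones matter here
        reasons = []
        # Inventory check comes first: a target can still resolve after the
        # service behind it has been cancelled.
        if not any(in_zone(target, s) for s in active):
            reasons.append("target not in active service inventory")
        if not resolves(target):
            reasons.append("target does not resolve")
        if reasons:
            findings.append((owner, target, reasons))
    return findings

if __name__ == "__main__":
    for owner, target, why in audit_cnames(ZONE_RECORDS, OWNED_ZONES, ACTIVE_SERVICES):
        print(f"REVIEW {owner} -> {target}: {'; '.join(why)}")
```

Run on a schedule and whenever an external service is cancelled; any finding means the record should be removed or repointed before the target name can be claimed by someone else.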
