I believe that some DNS servers are configured to allow zone transfers without any kind of authentication. While properly configured servers will whitelist the IPs of secondaries they trust, for those that don't, hackers can simply request a zone transfer and get all subdomains at once.
You need better logging. Try doing a packet capture with tcpdump, then decrypt the HTTPS traffic. Because what you've described so far, especially before the edit, makes no sense.
If you don't have a DNS record pointing the subdomain to the IP address of the server, it shouldn't be possible to resolve the IP for random Internet users. If this VHOST only exists in your Apache config file and nowhere else, it is private.
Scans from where? Is it exposed to the internet? What does the scan traffic look like?
@BonkTheAnnoyed@lemmy.blahaj.zone are you generating certificates for each of the random subdomains?
Fitting that someone from an instance on a random subdomain commented on this lol
@BonkTheAnnoyed@lemmy.blahaj.zone have you checked on https://crt.sh/ ?
As expected, it doesn't show up. I had a couple of other subdomains configured before I switched to wildcard, but nothing matches the random one
I don't think so? I have a letsencrypt wildcard cert, and reference that in the relevant .conf
@BonkTheAnnoyed@lemmy.blahaj.zone mmm wait your logs show the new domains being targeted specifically?
Yep. They show up in the other_hosts...log
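In the spirit of the "better logging" advice earlier in the thread, here is a small detection helper, added as an example and not code from anyone posting here: it parses Apache's Debian-style other_vhosts_access.log and reports hits on vhost names you never published. The log lines and the example.org names are constructed.

```python
import re

# Debian/Ubuntu write other_vhosts_access.log in the "vhost_combined" LogFormat:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# %v is the ServerName of the vhost that served the request; use %{Host}i in a
# custom LogFormat if you want the raw Host header the client sent instead.
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic) mirroring the thread's scenario:
# a never-published random subdomain vhost receiving hits from the Internet.
SAMPLE_LOG = """\
x7q9kt2m.example.org:443 203.0.113.5 - - [10/Mar/2024:01:02:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
x7q9kt2m.example.org:443 203.0.113.5 - - [10/Mar/2024:01:02:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
www.example.org:443 198.51.100.7 - - [10/Mar/2024:01:05:00 +0000] "GET /blog HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
x7q9kt2m.example.org:443 198.51.100.9 - - [10/Mar/2024:02:00:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
this is not a log line
"""


def parse_line(line):
    """Return the named fields of one vhost_combined line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unexpected_vhost_report(log_text, published_vhosts):
    """Summarise traffic to vhosts not in published_vhosts.

    Returns {vhost: {"hits": int, "ips": set, "first_seen": str, "paths": set}}.
    """
    report = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["vhost"] in published_vhosts:
            continue  # skip unparsable lines and names you expect to be public
        entry = report.setdefault(
            rec["vhost"], {"hits": 0, "ips": set(), "first_seen": rec["ts"], "paths": set()}
        )
        parts = rec["req"].split()  # "GET /path HTTP/1.1" -> keep the path only
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        entry["paths"].add(parts[1] if len(parts) > 1 else rec["req"])
    return report


if __name__ == "__main__":
    for vhost, info in unexpected_vhost_report(SAMPLE_LOG, {"www.example.org"}).items():
        print(f"{vhost}: {info['hits']} hits from {sorted(info['ips'])}, first {info['first_seen']}")
```

Feed it your real log and the set of names you actually published; anything else in the output is a name that leaked somewhere, and the first_seen timestamp tells you how long after creation it was found.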
Following this thread!
Stupid question, but are you somehow publicly exposing your vhost config (or a bak file of it)? Or do you see logs of someone bruteforcing the subdomain?
Have you sent the URL across any messaging services? Lots of them look up links you share to see if it's malware (and maybe also to shovel into their AI). Even email services do this.
Nope, but that's a good suggestion. I set this one up brand new for the experiment.
If you do a port scan on your box, what services are running? Maybe something like email or diagnostics is exposed to the internet and announcing subdomains?
It's literally just a VM hosting Apache and nothing else.
Inb4 some lucky dude just ran sublist3r or wfuzz on your subdomain and got a hit
I mean, it could be... I'll try it with a 128 char base 52 name and see what happens
Did you generate a DNS A record for the subdomain?
Nope
If there's no DNS entry, do you mean you are getting scans to your IP with these random subdomain headers? So someone would need both pieces of information? Curious.
Yes, exactly. Super weird, shouldn't happen. I wonder if I have a compromised box somewhere...