Hi all I'm currently designing a new DNS delegation structure for my company. This is to allow many development teams to have a small portion of DNS to administer inside Route53.
Due to the way private hosted zones work, and in order to achieve a good hybrid solution, I'm proposing we utilise the following information in the naming of subdomains:
AWS region - euwe1 / euwe2 / usea1 etc
Environment type - dev / tst / prd etc
Service - service1 / service2 / service3 (these will be in the form of a business unique id)
Environment number - env01 / env02
This should allow for a nice deterministic DNS hierarchy of subdomains, but security are also cautious of the simplicity of DNS reconnaissance: basically, being able to determine the structure quickly allows the identification of production systems etc., and then easier lateral movement. Whilst I understand the risk if a box is compromised, this has always been a balance of usability vs obfuscation. My feeling is that with a lean to items like service discovery this will remain a challenge. Security would prefer to have a complete obfuscation of environment and service etc. to create just a unique ID string. I can understand that for external DNS, but think we'll lose a lot of human readability if we go that route, which somewhat defeats the point of DNS as a sensible human-understandable construct.
Let me know your thoughts on the subject. I'll read some additional ethical hacking papers around the subject in the meantime.
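As an added example (not part of the original post, and not anything the poster's company has built), the following Python shows the naming scheme described above implemented as a small, validated builder/parser, the zone apex a development team would be delegated, and one possible form of the "unique ID string" alternative security are asking for. The label ordering, the base domain `corp.internal`, the service-id format and the HMAC-based opaque label are all assumptions made for illustration; the region, environment-type and environment-number vocabularies are the ones from the post.

```python
import hashlib
import hmac
import re

# Controlled vocabularies for each label. Values are taken from the post;
# the service-id pattern is an assumption.
REGIONS = {"euwe1", "euwe2", "usea1"}
ENV_TYPES = {"dev", "tst", "prd"}
ENV_NUMBER_RE = re.compile(r"^env\d{2}$")
SERVICE_RE = re.compile(r"^[a-z0-9]{1,20}$")

# Constructed placeholder for the private hosted zone apex; not a real zone.
BASE_DOMAIN = "corp.internal"


def _validate(region, env_type, service, env_number):
    """Reject anything outside the agreed vocabularies so a typo cannot
    silently create a record (or a delegation) outside the intended hierarchy."""
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}")
    if env_type not in ENV_TYPES:
        raise ValueError(f"unknown environment type {env_type!r}")
    if not SERVICE_RE.match(service):
        raise ValueError(f"invalid service id {service!r}")
    if not ENV_NUMBER_RE.match(env_number):
        raise ValueError(f"invalid environment number {env_number!r}")


def delegated_zone(region, env_type, service, base=BASE_DOMAIN):
    """Zone apex handed to a development team (assumed layout):
    <service>.<env_type>.<region>.<base>
    The team administers environment numbers beneath it; region and
    environment type stay under central control."""
    _validate(region, env_type, service, "env00")
    return ".".join([service, env_type, region, base])


def build_hostname(region, env_type, service, env_number, base=BASE_DOMAIN):
    """Readable, deterministic name (assumed layout):
    <env_number>.<service>.<env_type>.<region>.<base>"""
    _validate(region, env_type, service, env_number)
    return ".".join([env_number, service, env_type, region, base])


def parse_hostname(fqdn, base=BASE_DOMAIN):
    """Inverse of build_hostname: recover the components, re-validating them.
    This is exactly the property the post's security team is wary of: anyone
    who can read the name can read the environment and service."""
    suffix = "." + base
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn!r} is not under {base!r}")
    labels = fqdn[: -len(suffix)].split(".")
    if len(labels) != 4:
        raise ValueError(f"expected 4 labels under {base!r}, got {len(labels)}")
    env_number, service, env_type, region = labels
    _validate(region, env_type, service, env_number)
    return {
        "region": region,
        "env_type": env_type,
        "service": service,
        "env_number": env_number,
    }


def opaque_hostname(region, env_type, service, env_number, key, base=BASE_DOMAIN):
    """One way to realise the 'unique ID string' alternative (an assumption,
    not a standard): a keyed hash of the validated readable name. The label is
    still deterministic for anyone holding the key, so it can be regenerated
    by tooling, but the environment and service are not recoverable from the
    label alone. The cost is the loss of human readability the post describes."""
    readable = build_hostname(region, env_type, service, env_number, base)
    digest = hmac.new(key, readable.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{digest}.{base}"


if __name__ == "__main__":
    name = build_hostname("euwe1", "prd", "svc42", "env01")
    print(name)                      # readable form
    print(parse_hostname(name))      # structure is trivially recoverable
    print(delegated_zone("euwe1", "prd", "svc42"))
    print(opaque_hostname("euwe1", "prd", "svc42", "env01", b"constructed-demo-key"))
```

The pair `build_hostname`/`parse_hostname` makes the trade-off concrete: the same determinism that lets a team script its own records also lets anyone who reaches the resolver enumerate which names are `prd`. `opaque_hostname` keeps that determinism behind a key, which is the usual price of the obfuscated scheme: readability has to come back from an out-of-band lookup rather than from the name itself.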