upvote

points

by NitpickLawyer18 hours ago |
comments
upvoteby jraph18 hours ago|
next
[-]
That hypothesis seems less likely and more complicated than the sentry one.

Scanning wildcards for well-known subdomains seems both quite specific and rather costly for unclear benefits.

reply
upvoteby flexagoon12 hours ago|
parent|
[-]
Bots regularly try to bruteforce domain paths to find things like /wp-admin, bruteforcing subdomains isn't any more complicated
reply
upvoteby jraph12 hours ago|
parent|
[-]
> Bots regularly try to bruteforce domain paths to find things like /wp-admin

Sure, when WordPress powers 45% of all websites, your odds to reach something by hitting /wp-admin are high.

The space of all the possible unknown subdomains is way bigger than a few well known paths you can attack.

reply
upvoteby rawling17 hours ago|
prev|
next
[-]
I feel like the author would have noticed and said so if she was getting logs for more than just the one host.
reply
upvoteby A1kmm17 hours ago|
prev|
next
[-]
But she mentioned: 1) it isn't in DNS only /etc/hosts and 2) they are making a connection to it. So they'd need to get the IP address to connect to from somewhere as well.
reply
upvoteby jeroenhd16 hours ago|
parent|
next
[-]
From the article:

> You're able to see this because you set up a wildcard DNS entry for the whole ".nothing-special.whatever.example.com" space pointing at a machine you control just in case something leaks. And, well, something did* leak.

They don't need the IP address itself, it sounds like they're not even connecting to the same host.

reply
upvoteby bardsore16 hours ago|
parent|
prev|
[-]
Unless she hosts her own cert authority or is using a self-signed cert, the wildcard cert she mentions is visible to the public on sites such as https://crt.sh/.
reply
upvoteby heipei14 hours ago|
parent|
[-]
Yes, the wildcard cert, but not the actual hostname under that wildcard.
reply
upvoteby imtringued15 hours ago|
prev|
[-]
Because sentry.io is a commercial application monitoring tool which has zero incentive to any kind of application monitoring on non-paying customers. That's just costs without benefits.

You now have to argue that a random third party is using and therefore paying sentry.io to do monitoring of random subdomains for the dubious benefit of knowing that the domain exists even though they are paying for something that is way more expensive.

It's far more likely that the NAS vendor integrated sentry.io into the web interface and sentry.io is simply trying to communicate with monitoring endpoints that are part of said integration.

From the perspective of the NAS vendor, the benefits of analytics are obvious. Since there is no central NAS server where all the logs are gathered, they would have to ask users to send the error logs manually which is unreliable. Instead of waiting for users to report errors, the NAS vendor decided to be proactive and send error logs to a central service.

reply