I've received an alert from our Security Operations Center about some vulnerabilities on the hosting server for one of our subdomains. The issue is that we don't even use this subdomain anymore, and the server has been taken offline. The alert mentions an external IP address that we don't recognize, and it belongs to an ISP we're not affiliated with. Although we have a DNS record for this subdomain, it points to our internal IP address, not this external one. Interestingly, the alert also indicates that another company has a different subdomain sharing the same IP.
When I perform a lookup for our subdomain, it resolves to our internal IP. However, when I execute a reverse lookup on this external IP, it points back to our subdomain. I found that this record is associated with Cloudflare, not our DNS hosting service. I apologize if I'm being unclear—I'm still new to DNS management and trying to make sense of everything.
2 Answers
Have you checked what an external DNS lookup shows for the IP linked to your subdomain? Tools like MX Toolbox can help you analyze the records. You might uncover more details about this external IP and its connection to your subdomain.
How are you querying these DNS records? Make sure you're using public DNS servers like Google or OpenDNS. If your query returns an internal IP, that could be a sign of misconfiguration. An ISP might have a record that incorrectly associates your domain with their IP. If that's the case, you need to contact the organization in charge of that IP block to remove the misleading record.
I'm using online tools like MX Toolbox and IPInfo.io, but I keep getting the same confusing results! It looks like the external IP belongs to Optus, but they won’t provide any information unless I have a business account with them.

The external subdomain lookup shows the IP we're concerned about, and the reverse IP lookup for that same address resolves back to our subdomain. I've used several DNS tools, but I still can't find clear answers.
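Added example, not part of the thread: a small Python audit that compares what different resolvers return for a hostname against the names a reverse lookup reports for an IP, which is the cross-check the answers above are asking for. The hostnames, addresses, resolver labels and finding names are constructed for illustration; in practice the two dictionaries would be filled from lookups against your internal resolver and public resolvers.

```python
import ipaddress

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# matches the documentation ranges used in the constructed sample below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def norm(name):
    # DNS names compare case-insensitively, with or without the trailing dot.
    return name.rstrip(".").lower()

def audit(host, forward, ptr):
    """forward: {resolver label: [A records returned for host]}
    ptr: {ip: [names a reverse lookup reports for that ip]}
    Returns a sorted list of (finding, detail) tuples."""
    host = norm(host)
    findings = set()
    # Resolvers disagreeing means internal and external views differ.
    if len({frozenset(ips) for ips in forward.values()}) > 1:
        findings.add(("split-view", host))
    all_forward = set().union(*forward.values())
    for ip in all_forward:
        if is_internal(ip):
            findings.add(("internal-address-answer", ip))
    for ip, names in ptr.items():
        if host in {norm(n) for n in names}:
            # confirmed: some zone still publishes an A record to this IP.
            # unconfirmed: only the reverse side (set by the IP block
            # holder) references the name.
            kind = "ptr-confirmed" if ip in all_forward else "ptr-unconfirmed"
            findings.add((kind, ip))
    return sorted(findings)

# Constructed observations: documentation-range IP and example domains.
SAMPLE_FORWARD = {
    "corporate-resolver": ["10.20.30.40"],
    "public-resolver-a": ["203.0.113.10"],
    "public-resolver-b": ["203.0.113.10"],
}
SAMPLE_PTR = {"203.0.113.10": ["old.example.com.", "shop.example.net."]}

if __name__ == "__main__":
    for finding in audit("old.example.com", SAMPLE_FORWARD, SAMPLE_PTR):
        print(finding)
```

A `ptr-confirmed` result means the next step is finding which authoritative nameservers publish the external A record; a `ptr-unconfirmed` result means the cleanup request goes to whoever holds the IP block.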