Automated DNS (Cloudflare): *.domain.com added manually but subdomains visible. Normal?
-
I thought that if we used the programmable DNS, subdomains will be hidden from the certificate transparency log thing that is mentioned in the docs. I have Cloudflare API set up and it's been working fine.
Today, I added an A record of *.domain.com and deleted all the A records of the sub.domain.com. Then, in the CR dashboard, I went to each app > location > save. I checked CF and all subdomains are back.
Is this normal? If so, are the subdomains actually hidden? How can I check?
-
@humptydumpty DNS and Certificate Transparency are separate things.
CT (via https://crt.sh/) is a public record of the certificates issued. When you search this for your domain, you will only see *.domain.com there. You won't see subdomains of individual apps.

DNS entries are always individual. DNS has no API to query the subdomain list. You can only ask for a specific subdomain. So, even when we create individual entries in the DNS, for an outsider, there is no way to get the full entry list. You can only ask specifically for blog.domain.com and so on.
-
@girish Thanks for the clarification. I did a DNS lookup and it's exactly as you said. However, I remember doing a search in the not-so-recent past that showed what domains were on my server IP (I forgot how I did that). I thought I could hide those. Thanks again.
-
@humptydumpty yes, correct. The log is forever. One thing is that Let's Encrypt itself only started supporting wildcard certs in around 2016 or so. This meant that all LE domains before that are public in the log.
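To answer the "how can I check?" question above in a repeatable way, here is an added example (not from this thread or from Cloudron/Cloudflare) that takes the JSON a crt.sh query returns (https://crt.sh/?q=%25.domain.com&output=json, saved to a file or fetched separately) and lists which hostnames the CT log spells out, as opposed to the ones hidden behind *.domain.com. The certificate entries below are constructed sample data in crt.sh's field layout; the script also treats a deeper wildcard such as *.staging.domain.com as revealing staging.domain.com, which goes slightly beyond the thread's case.

```python
import json

# Constructed sample of a crt.sh JSON response. Field names follow crt.sh's output
# (the "name_value" field holds the newline-separated names on a certificate);
# the values are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    # An old per-host certificate: the hostname stays in the log forever.
    {"id": 1, "common_name": "blog.domain.com",
     "name_value": "blog.domain.com", "not_before": "2017-03-01T00:00:00"},
    # A wildcard certificate: reveals nothing about which subdomains exist.
    {"id": 2, "common_name": "*.domain.com",
     "name_value": "*.domain.com\ndomain.com", "not_before": "2024-01-01T00:00:00"},
    # A wildcard one level deeper still exposes the "staging" label.
    {"id": 3, "common_name": "*.staging.domain.com",
     "name_value": "*.staging.domain.com", "not_before": "2024-02-01T00:00:00"},
])


def names_in_ct_log(crtsh_json: str) -> set:
    """Every distinct hostname that appears on any logged certificate."""
    names = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name:
                names.add(name)
    return names


def exposed_subdomains(crtsh_json: str, domain: str) -> list:
    """Hostnames under `domain` that CT spells out, i.e. not hidden by a wildcard."""
    domain = domain.lower()
    exposed = set()
    for name in names_in_ct_log(crtsh_json):
        # "*.sub.domain.com" still tells an outsider that sub.domain.com exists.
        host = name[2:] if name.startswith("*.") else name
        if host != domain and host.endswith("." + domain):
            exposed.add(host)
    return sorted(exposed)


if __name__ == "__main__":
    print("names logged :", sorted(names_in_ct_log(SAMPLE_CRTSH_JSON)))
    print("exposed hosts:", exposed_subdomains(SAMPLE_CRTSH_JSON, "domain.com"))
```

Run it against the real crt.sh output for your domain; an empty "exposed hosts" list means only the wildcard is visible, while any old per-host Let's Encrypt certificates will show up and cannot be removed from the log.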