Recently I've been seeing more clients using DNS load balancing (GSLB) to load-balance traditional web, API and other services - it's an easy way to load balance between datacenters for instance. What I've noticed lately, especially with servers that use cloud "as a service" offerings, is that:
If there isn't a TLS front-end (and we're seeing less of this over time), that means that certificates are now maintained per-server, which means that one or more can easily expire "under the radar".

So, how do we work through this problem of "my DNS target is now multiple different hosts, each with their own IP", and add to that, now dozens or hundreds of other hosts (from other organizations) now reside on those same IP addresses?

nmap -Pn -sT -v -p80,443,8443,9443 somehost.somedomain.com

PORT STATE SERVICE
Read data files from: C:\Program Files (x86)\Nmap

This is of course less than optimal. The workaround is to use the "--resolve-all" switch, so that each IP is scanned (as the DNS name provided). Because of how web servers work, if you just scan the IP address you are quite often not scanning the service you think you are. In many cases, for instance, you might be "looking" at the Apache or IIS default server rather than your customer's web server.

nmap -Pn -sT -v -p80,443,8443,9443 --resolve-all somehost.somedomain.com

PORT STATE SERVICE
Nmap scan report for somehost.somedomain.com (13.12.11.10)
PORT STATE SERVICE
Nmap scan report for somehost.somedomain.com (1.2.3.4)
PORT STATE SERVICE
Using this same switch with nmap scripts can also be useful, especially the "SSL-" family of nmap scripts. ssl-cert and ssl-enum-ciphers in particular should always give you the same results for each cluster member. "Should" being the operative word!

Have you found some missed configs or "housekeeping opportunities" when scanning load balanced clusters? If your NDA permits, please share any war stories using our comment form!
Rob VandenBrink, ISC Handler, May 25th 2022
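A per-member certificate check in the spirit of the ssl-cert comparison described above, as an added example that is not part of the original diary: it resolves every address behind the name, connects to each IP with the DNS name as SNI, and flags failed verification, near expiry and members serving different certificates. The function names, the 30-day threshold and the sample addresses are assumptions made for illustration.

```python
import hashlib, socket, ssl, time

def resolve_all(host, port=443):
    """All A/AAAA addresses behind the name (what nmap --resolve-all scans)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def fetch_cert(ip, host, port=443, timeout=5):
    """Connect to one IP, sending the DNS name as SNI so the right vhost answers.
    Returns (sha256_fingerprint, not_after_epoch, error)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                return fp, not_after, None
    except ssl.SSLCertVerificationError as exc:
        return None, None, exc.verify_message   # e.g. "certificate has expired"
    except OSError as exc:                       # refused, timeout, other TLS errors
        return None, None, str(exc)

def audit(members, now, warn_days=30):
    """members: {ip: (fingerprint, not_after_epoch, error)} -> list of findings."""
    findings = []
    for ip, (fp, not_after, error) in sorted(members.items()):
        if error:
            findings.append(f"{ip}: handshake failed: {error}")
        elif not_after - now < warn_days * 86400:
            days = int((not_after - now) // 86400)
            findings.append(f"{ip}: certificate expires in {days} days")
    fingerprints = {m[0] for m in members.values() if m[0]}
    if len(fingerprints) > 1:   # cluster members should all present the same cert
        findings.append(f"cluster serves {len(fingerprints)} different certificates")
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # live check of a name you operate
        host, now = sys.argv[1], time.time()
        results = {ip: fetch_cert(ip, host) for ip in resolve_all(host)}
    else:                       # constructed sample data, runs offline
        now = 1_700_000_000
        results = {"192.0.2.10": ("aa" * 32, now + 200 * 86400, None),
                   "192.0.2.11": ("bb" * 32, now + 10 * 86400, None)}
    for line in audit(results, now) or ["all members consistent"]:
        print(line)
```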
Thank you for a great writeup.
Anonymous, Jun 4th 2022