How can a web site be accessed without A, AAAA or CNAME records?

user202141 asked:

Someone who was helping me setup an Apache server on a VPS said that I can set up my DNS in such a way that you can’t resolve the IP by pinging the hostname because apparently the ping tool only queries for A/AAAA/CNAME records.

He said his method of doing this was to create an obfuscated port, say 2673 or some such, and create an SRV record which links to this. And the only way to get the IP of the server is by digging through raw DNS data. He showed me an example of one of his sites, and sure enough, I was unable to ping for IP, and when using nmap intense scan, I was unable to get any meaningful results on portscan or what the server was, but yet I could visit it in Firefox.

Anyone know how he did this? And how I might be able to replicate this for my domain names? And finally, if this is the way to do it, how exactly it works (technical point of view)?

My answer:

Yes, this is theoretically possible. There have been multiple proposals on how to locate HTTP sites with SRV records, the most well known of which is RFC 2782. Indeed, many other services already use SRV records in similar ways.

An example SRV record that might locate an HTTP service for running on port 2673 might look like: IN      SRV     0 5 2673

This, of course, must have a corresponding record to locate the real webserver:  IN      A

The problem is that none of these proposals have gotten any real traction, and to the best of my knowledge, most browsers don’t even implement this. Until today, the last I’d heard was that no web browser implemented it. Even Mozilla’s own bug tracker shows it as unimplemented in Firefox, so I’m not really sure what your friend demonstrated.

So you have two negatives with this approach:

First, most people won’t be able to view your web site if you don’t have address records and only rely on the SRV record proposal.

Second, it won’t really protect you from any but the most idiotic of morons, as it’s quite trivial to query the DNS and locate your server’s actual IP address, and using only a SRV record makes it only slightly less trivial; you have to do two lookups instead of one. Big hairy deal.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.