28 Nov 2022 06:49 AM - last edited on 30 Nov 2022 05:36 AM by AgataWlodarczyk
The client is telling me that server IP associated with the domain name that is generated after Dynatrace managed installation, is visible on the internet.
So he is looking up xxx.dynatrace-managed.com and resolving the IP of the server on which the cluster node is installed (he said). Is this possible?
In my experience, that kind of data is never exposed and you cannot look up the fqdn assigned to a Dynatrace managed installation.
I need some Community help here 🙂
Solved! Go to Solution.
Yes, that is true. We're generating real domains 🙂 that are resolvable by NS servers. The IP addresses should be private IPs that are not reachable through the internet. That's how things work 😉 If the customer doesn't like it - I suggest to opt-out letting us know to remove the domain.
Thank you for your experties,
the problem is that if I search the managed fqdn over the internet, let's say here for example:
The private IP of the virtual machine get exposed and the client say this can be a security issue.
So this is an expected behavior, is it reasonable to evaluate this as a security risk?
Yes, it's visible.
But it cannot be associated with the customer as those names are randomly generated and assigned. Also if that is accessible or not depends if the cluster node itself is exposed to the internet (typically not).
Sure you can opt-out from the DNS and certificate management. This introduces additional challenges for you as you must manage it by yourself.
I have also analyzed this in the past from a security perspective for a client. And while it is resolvable in the Internet, private IPs are not even publicly routable, so no one on the Internet can get to the server.
You could also approximate this from the Let's Encrypt certificate, but there is no information there that is useful. While you can get the entire list of certificates issued to Dynatrace Managed servers, you can't get almost anything from there. There is no geo or other type of information you can get there also.
If you did not use a private IP, there could be some more digging done, but given what you have said, your client should have nothing to fear.
Oook, thanks everybody for helping me: the picture is very clear now 🙂 I'll kudo each one of you and you have a breakfast offered by me if you happen to spend some days in Rome 😄
I love Rome and not been there for some years! I'll remember this one 🤣