18F / pulse

How the federal .gov domain space is doing at best practices and policies.

Removal of old (no longer used) subdomains #744

Closed mikesto closed 6 years ago

mikesto commented 6 years ago

pulse.cio.gov/https includes a number of subdomains for our agency which are no longer active resulting in the overall compliance results being inaccurate. It appears as though these inactive "discoverable services" may be the result of previous/expired certificates discovered from censys.io. How can these subdomains which are no longer active be removed so that the results at pulse.cio.gov/https are accurate?

konklone commented 6 years ago

@mikesto Pulse only shows subdomains which actively responded to HTTP over the public internet at the time of the scan. Right now, that's as of November 25th. Expired certificates wouldn't be sufficient.

If you can provide an example or two, I'm happy to check them -- but you can also check them yourself by running curl --head whatever.example.gov and seeing if anything is returned. Even if all that's returned is an HTTP error code, or it fails on an untrusted certificate, that would still be in scope and active. Only subdomains which do not communicate at all over HTTP on port 80/443 on the public internet are excluded from the policy and from Pulse.

mikesto commented 6 years ago

Thank you for your prompt reply. Below are a few example subdomains which are listed on pulse.cio.gov/https but no longer active (and curl results in “Couldn’t resolve host…”):

oldvpn.fhfaoig.gov
origin.fhfaoig.gov
telework.fhfaoig.gov

konklone commented 6 years ago

@mikesto Are you running cURL on your agency's network? It's possible that your DNS inside your agency is giving you different results from the outside world. On my home network, as well as from a separate Amazon EC2 E/W vantage point, these domains resolve and speak HTTP:

$ curl --head http://oldvpn.fhfaoig.gov
HTTP/1.1 403 Forbidden: Access is denied.
Content-Length: 1233
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Thu, 07 Dec 2017 05:02:08 GMT

$ curl --head http://origin.fhfaoig.gov
HTTP/1.1 403 Forbidden: Access is denied.
Content-Length: 1233
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Thu, 07 Dec 2017 05:02:15 GMT

$ curl --head http://telework.fhfaoig.gov
HTTP/1.1 403 Forbidden: Access is denied.
Content-Length: 1233
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Thu, 07 Dec 2017 05:02:23 GMT

mikesto commented 6 years ago

Thank you. Yes, although none of the subdomains are active, it appears as though this is a DNS issue where these old subdomains are still being resolved externally to the same IP. We have initiated efforts to clean this up.
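To reproduce the check konklone describes (curl --head against both ports, where any HTTP answer or even an untrusted certificate keeps a host in scope) and the inside-versus-outside DNS difference mikesto found, here is an added Python example; it is not part of this issue or of Pulse's own scanner. It assumes curl is installed, resolves names with whatever resolver the machine it runs on uses, and the NO_CONTACT and TLS_BUT_ANSWERED sets are my own reading of curl's documented exit codes.

```python
"""Is a subdomain 'active' in Pulse's sense? It must answer HTTP on 80 or 443 with any
status, even behind an untrusted cert. Added example, not Pulse's scanner; needs curl."""
import socket
import subprocess

# curl exit codes (documented in curl's man page) meaning no HTTP conversation happened.
NO_CONTACT = {6: "could not resolve host", 7: "could not connect", 28: "timed out"}
# Codes meaning the host answered on the port but TLS failed: still in scope per the thread.
TLS_BUT_ANSWERED = {35: "TLS handshake error", 60: "untrusted certificate"}

def classify_curl(exit_code: int, status_line: str = "") -> str:
    """Map one curl --head attempt to Pulse's notion of scope."""
    if exit_code == 0 and status_line.startswith("HTTP/"):
        return "active"  # any HTTP status counts, a 403 included
    if exit_code in TLS_BUT_ANSWERED:
        return "active"  # spoke on 443, just with a certificate curl would not trust
    if exit_code in NO_CONTACT:
        return "inactive"
    return "unknown"  # other failures need a human look

def curl_head(url: str, timeout: int = 10) -> tuple:
    """Run curl --head as in the comments above; return (exit code, first status line)."""
    proc = subprocess.run(
        ["curl", "--head", "--silent", "--show-error", "--max-time", str(timeout), url],
        capture_output=True, text=True)
    first = proc.stdout.splitlines()[0] if proc.stdout else ""
    return proc.returncode, first

def resolves_here(host: str) -> bool:
    """Resolve with this machine's resolver; run it from inside and outside the agency."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def in_scope(host: str) -> dict:
    """Try both ports the policy covers; 'active' on either keeps the host on Pulse."""
    results = {"resolves": resolves_here(host)}
    for scheme in ("http", "https"):
        code, line = curl_head(f"{scheme}://{host}")
        results[scheme] = classify_curl(code, line)
    results["verdict"] = "active" if "active" in (results["http"], results["https"]) else "inactive"
    return results

# Constructed sample modelled on the thread: no resolution inside the agency (exit 6), a 403 from outside.
SAMPLE_ATTEMPTS = {"inside": (6, ""), "outside": (0, "HTTP/1.1 403 Forbidden: Access is denied.")}

def classify_sample() -> dict:
    return {where: classify_curl(*attempt) for where, attempt in SAMPLE_ATTEMPTS.items()}
```

Run in_scope("name.example.gov") from an outside vantage point such as a cloud host as well as from the agency network; a host that is "inactive" inside but "active" outside is the split-DNS case this thread ended on.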