Should a non-public RDS instance have a publicly resolvable DNS name?

1

So, I spun up an RDS PostgreSQL database instance, and chose the 'Not Public' option. The instance was created with DNS name: pg-rds-db-instance-1.caqxluy95kpl.us-east-1.rds.amazonaws.com

Since this is not a public instance, I would expect that the DNS name is not publicly resolvable. However this is not the case. I can do a DNS lookup using multiple public websites such as MXTOOLBOX or https://toolbox.googleapps.com/apps/dig/#A/, and the DNS name resolves to an IP in my private subnet (172.16.4.87). This seems odd to me.

Is this expected behavior?

AspiE
Asked 2 years ago, 1710 views
1 answer
2

Yes, this is the expected behavior. Or at least this is how most AWS resources handle resolving their names.

It seems like a security risk because a hacker seems to be able to find out information about the internal workings of your infrastructure, but that is not necessarily the case.

You have to realize that the returned IP address is from private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). These IP address ranges will not resolve to anything when used on the internet. Pinging or tunneling to them does not work.

So the only thing exposed is something of your internal infrastructure. But you have to realize that an abuser has to know the name of the resource before he can find out the internal IP address. So the only thing you have to do is keep the name a secret as you would do with other sensitive information.

JaccoPK
Answered 2 years ago
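A practical check that follows from the answer above: for an instance created as 'Not Public', the endpoint should resolve only into the RFC 1918 ranges the answer lists, and anything else is worth investigating. This is an added example, not code from the post or from AWS; the first endpoint and address come from the question, the second endpoint and its 203.0.113.10 address are constructed, and `resolve_endpoint` is provided for a live lookup but is not called by the offline audit.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

# The RFC 1918 ranges named in the answer; a non-public instance's endpoint
# is expected to resolve only into these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed resolver output standing in for live DNS so the check runs offline.
# The first entry is the endpoint and address from the question; the second is a
# hypothetical endpoint that (wrongly, for a 'Not Public' instance) resolves to a
# routable address taken from the documentation range 203.0.113.0/24.
CONSTRUCTED_LOOKUPS: Dict[str, List[str]] = {
    "pg-rds-db-instance-1.caqxluy95kpl.us-east-1.rds.amazonaws.com": ["172.16.4.87"],
    "hypothetical-db.EXAMPLEID.us-east-1.rds.amazonaws.com": ["203.0.113.10"],
}

def resolve_endpoint(hostname: str, port: int = 5432) -> List[str]:
    """Resolve an endpoint's IPv4 A records with the system resolver (live lookup)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify_addresses(addrs: Iterable[str]) -> Dict[str, str]:
    """Label each address 'private' if it falls in an RFC 1918 range, else 'public'."""
    result = {}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        result[a] = "private" if any(ip in net for net in RFC1918) else "public"
    return result

def check_not_public(hostname: str, addrs: Iterable[str]) -> List[str]:
    """Findings for an endpoint that should be non-public; an empty list means
    every resolved address is private, the state the answer describes."""
    findings = []
    for addr, kind in classify_addresses(addrs).items():
        if kind == "public":
            findings.append(f"{hostname} resolves to routable address {addr}: "
                            "verify PubliclyAccessible is false and the security group is restricted")
    return findings

def audit(lookups: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run the check over a map of endpoint -> resolved addresses."""
    return {host: check_not_public(host, addrs) for host, addrs in lookups.items()}

if __name__ == "__main__":
    for host, findings in audit(CONSTRUCTED_LOOKUPS).items():
        print(host, "OK" if not findings else findings)
```

For a live audit, replace the constructed map with `{host: resolve_endpoint(host) for host in your_endpoints}`.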
