I’ve been using Cloudflare tunnels in my homelab. I’m wondering how well they resist subdomain discovery/enumeration by bots/malicious actors. I’m aware that security through obscurity isn’t a real strategy, but I am curious about this from a purely academic standpoint. Aside from brute force guessing, are there any other strategies that could be used to find the subdomains of services tunneled through cloudflare?
You must log in or # to comment.
I use wildcard certs. I don’t know if this completely fixes the issue, though.