At work we have a wildcard certificate for most services we host on our own infrastructure. Most public websites have been detected, and some internal ones which have probably been referenced in public GitHub issues and so on.
They've done simple reverse DNS lookups on our public IP range and indexed all those hostnames.
Certificate transparency logs have found names used for externally hosted websites.
There are some pretty old hostnames which haven't been used for 5 years or more, and were probably found with reverse DNS at the time.
They've done simple reverse DNS lookups on our public IP range and indexed all those hostnames.
Certificate transparency logs have found names used for externally hosted websites.
There are some pretty old hostnames which haven't been used for 5 years or more, and were probably found with reverse DNS at the time.