If you do a GET / request against the IP (typically http too) does it yield a redirect to your proper FQDN? It shouldn't return anything and should remain stealthy, as you likely don't want to expose anything directly on IP connections and rely solely on your vhosts.
I can't say I know the answer but a few ideas:
- did you access it with a browser? Maybe it snitches on you or some extension does?
- did you try to resolve it with a public DNS server at any point (are you sure nothing forwarded the request to one)?
You could try it again: create the domain in the config and then do absolutely nothing. Don't try to confirm it works in any way. If you don't see the same behaviour, you can do one of the above and then the other and see when it kicks in. If it gets picked up without you doing anything... then pass!
I run my webservers behind a pfSense firewall with SSL offloading (using a wildcard cert) with a static IP and use HAProxy to have subdomains go to individual servers. Even though I've seen my fair share of scans, I only ever expose port 443 and keep things updated.
Recently though someone on here mentioned routing everything over Tailscale via a VPS. I didn't want to pay for a VPS and frankly can't even find one that is reasonably priced in the US (bandwidth limits mainly), so I threw Tailscale onto my pfSense, set up split DNS on Tailscale's admin panel with my domain name, and then reconfigured HAProxy to listen on my Tailscale interface. Even got IPv6 working (huge pain due to a bug, it seems). Oh, and set up pfBlocker.
My current plan is I'm going to run my webservers behind Tailscale and keep my game servers public, and probably segment those servers to a different VLAN/subnet/DMZ/whatever. And maybe just have a www/blog landing page that is read-only on 443 and have its config/admin panel accessible via my Tailscale only.
Anyway, back on topic. I run my game servers and I don't advertise them out anywhere (wildcard cert) and do whitelist only, yet I still see my Minecraft servers get hit constantly on port 25565.
So not much you can do except minimize exposure as much as possible.
Inb4 some lucky dude just ran sublist3r or wfuzz on your subdomain and got a hit
I mean, it could be... I'll try it with a 128 char base 52 name and see what happens
Have you also tried making a subdomain and not making any requests to it yourself? So no browser access or other DNS resolution requests for the new subdomain. That should rule out some of the other possible causes suggested in the other comments.
Dang, it could be the upstream DNS server passing along client queries. Maybe the ISP?
In that case not even curl would be safe unless you could ensure all queries only resolve on your gear. Either use a host file entry or local DNS server.
Have you sent the URL across any messaging services? Lots of them look up links you share to see if it's malware (and maybe also to shovel into their AI). Even email services do this.
If you do a port scan on your box, what services are running? Maybe something like email or diagnostics is exposed to the internet and announcing subdomains?
It's literally just a VM hosting Apache and nothing else.
Following this thread!
Stupid question, but are you somehow publicly exposing your vhost config (or a bak file of it)? Or do you see logs of someone bruteforcing the subdomain?
Did you generate a DNS A record for the subdomain?
Nope
If there's no DNS entry, do you mean you are getting scans to your IP with these random subdomain headers? So someone would need both pieces of information? Curious.
Yes, exactly. Super weird, shouldn't happen. I wonder if I have a compromised box somewhere...
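Added example (not from any commenter in this thread): a small log audit that separates requests arriving with an unpublished subdomain in the Host header, or with a bare IP or no Host at all, from requests for the vhosts you actually configured. It assumes Apache is logging the client's Host header with a custom LogFormat (the stock "combined" format does not record it); the log lines, hostnames and addresses are constructed placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Assumed Apache LogFormat (an assumption, not from the thread); %{Host}i records
# the Host header the client sent, which the default "combined" format omits:
#   LogFormat "%{Host}i %h %t \"%r\" %>s %b" hostlog
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines: names and addresses are documentation placeholders.
SAMPLE_LOG = """\
blog.example.net 203.0.113.7 [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5123
- 198.51.100.23 [10/Oct/2024:13:56:01 +0000] "GET / HTTP/1.0" 404 196
192.0.2.10 198.51.100.23 [10/Oct/2024:13:56:02 +0000] "GET / HTTP/1.1" 404 196
x7q9ka.example.net 198.51.100.44 [10/Oct/2024:13:57:12 +0000] "GET / HTTP/1.1" 404 196
x7q9ka.example.net 198.51.100.44 [10/Oct/2024:13:57:13 +0000] "GET /robots.txt HTTP/1.1" 404 196
blog.example.net:443 203.0.113.8 [10/Oct/2024:13:58:00 +0000] "GET /feed HTTP/1.1" 200 2210
"""

def normalize_host(raw):
    """Lowercase and strip any :port suffix; '-' means the client sent no Host header."""
    host = raw.lower()
    if host.startswith("["):  # bracketed IPv6 literal such as [2001:db8::1]:443
        return host[1:host.index("]")] if "]" in host else host
    return host.rsplit(":", 1)[0] if ":" in host else host

def classify_host(host, configured):
    """'configured', 'missing' (no Host header), 'bare-ip' or 'unknown'."""
    if host == "-":
        return "missing"
    try:
        ip_address(host)
        return "bare-ip"
    except ValueError:
        return "configured" if host in configured else "unknown"

def audit_hosts(log_text, configured):
    """Count requests per (category, host); 'unknown' and 'bare-ip' rows are the
    probes that never came through a DNS name you published."""
    configured = {h.lower() for h in configured}
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            host = normalize_host(m["host"])
            counts[(classify_host(host, configured), host)] += 1
    return counts
```

Run `audit_hosts(open("/var/log/apache2/hostlog").read(), ["blog.example.net"])` against your own log and vhost list; a recurring 'unknown' name that you never put in DNS is the evidence the thread is asking about, and the client address column tells you where the guesses come from.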