DOMAIN Discovery and LetsEncrypt

19 views

Using Kubernetes, nginx, Linode load balancer, v2 protocol and it works great. DNS entry includes a *.example.com entry pointing to the load balancer so I can create any subdomain/microsite just by creating the ingress. Cert-manager finally works too.

I notice though, if I create a random ingress, e.g. jhjhtdf76753.example.com, my ingress logs are quiet... Once I generate the LetsEncrypt cert, the hackers arrive in force, kiddie scripts and all.

How do the hackers know about this subdomain?

What is it about the DNS system or LetsEncrypt that alerts them to the existence of this new site? It can't simply be traffic, since when using the site without a cert, the site appears to be "unknown" to hackers. It can't be random subdomain attempts, as the attacks would occur irrespective of the LetsEncrypt cert? What's going on?

MORE INFO

From the letsencrypt website: "We need to be able to demonstrate to the public, including those who rely on the trustworthiness of our certificates, that our services perform as expected. As a result, we may be unable to delete information, including IP addresses. This information may be made public in a number of ways, including via public API, public repositories, and/or public discussions."

I also see they are behind Cloudflare.

My guess is the "public API" is the tool being queried. If you don't know a subdomain exists and there is no backlink to alert a bot of its existence, why would letsencrypt publish this data at all? My gut tells me to follow the money...


There are 0 answers