So I have a domain that I have been using solely for homelab and VPS services (domain.example).

I have my A and AAAA records for my VPS proxying through Cloudflare (proxy.domain.example) and a DNS A record pointing towards my homelab for my home WireGuard (wg.domain.example), with no other records pointing home or anywhere. I have a couple of services at home with certificates, for example (proxmox.domain.example, nas.domain.example, router.domain.example), that are using Cloudflare's API token, but they do not have records listed at Cloudflare.

Now my issue is I specifically set up a Cloudflare WAF to block every continent/country except my own, and this is now showing in the events that a crawler is attempting to access router.domain.example, nas.domain.example, homeassistant.domain.example. Do I have any reason to be concerned, and also how would this web crawler only be searching for my home lab domains? None of these services are public facing.

  • foggy@lemmy.world
    6 months ago

    This is my thought as well.

    Those services are running on some ports and someone was able to see that there are services running on those ports. Now they (or more likely, their script) are trying to find out what those services/versions are to see if there are exploits.

    So to OP's question, should they be worried? No. This is par for the course today. But it is a great example of why you need to be vigilant in updating your services and platforms, use strong passwords, MFA, etc.

    Here’s a good piece of guidance for any and all who are managing a domain/network.

    The lower on the pyramid of pain you can make it a pain in the ass for a would-be intruder, the sooner they’ll give up. In OP’s example, they are moving from ‘Domain names’ to ‘network/host artifacts’. If they fail to get enough info to keep digging down, they’ll likely stay there and persist for a while and then give up if they don’t find a crack.
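
One way to triage the WAF events described in the original post, as an added example that is not part of the thread: it groups events by requested hostname, marks hostnames that have no DNS record in the zone, and lists any host where a request was not blocked. The event field names (`host`, `client_ip`, `country`, `action`) and the sample events are constructed for illustration and are not a real export schema.

```python
import json
from collections import defaultdict

# Hostnames that have a DNS record in the zone, per the post.
PUBLISHED = {"proxy.domain.example", "wg.domain.example"}

# Constructed sample events; the field names are hypothetical, not a real export schema.
SAMPLE_EVENTS = """[
 {"host": "router.domain.example", "client_ip": "203.0.113.10", "country": "NL", "action": "block"},
 {"host": "nas.domain.example", "client_ip": "203.0.113.10", "country": "NL", "action": "block"},
 {"host": "homeassistant.domain.example", "client_ip": "203.0.113.10", "country": "NL", "action": "block"},
 {"host": "Router.domain.example.", "client_ip": "198.51.100.7", "country": "SG", "action": "block"},
 {"host": "proxy.domain.example", "client_ip": "192.0.2.44", "country": "SG", "action": "managed_challenge"}
]"""

def load_sample():
    """Parse the constructed sample events."""
    return json.loads(SAMPLE_EVENTS)

def triage(events, published=PUBLISHED):
    """Group events by requested host and count sources and non-blocked requests."""
    report = defaultdict(lambda: {"hits": 0, "sources": set(), "not_blocked": 0})
    for ev in events:
        host = ev["host"].lower().rstrip(".")  # normalise case and trailing dot
        entry = report[host]
        entry["published"] = host in published
        entry["hits"] += 1
        entry["sources"].add((ev["client_ip"], ev["country"]))
        if ev["action"] != "block":
            entry["not_blocked"] += 1
    return dict(report)

def unpublished_hosts(report):
    """Hosts that were requested although the zone has no record for them."""
    return sorted(h for h, e in report.items() if not e["published"])

def needs_attention(report):
    """Hosts where at least one request was not blocked outright."""
    return sorted(h for h, e in report.items() if e["not_blocked"])

if __name__ == "__main__":
    rep = triage(load_sample())
    for host in sorted(rep):
        e = rep[host]
        tag = "record" if e["published"] else "NO RECORD"
        print(f"{host:32} {tag:9} hits={e['hits']} sources={len(e['sources'])} not_blocked={e['not_blocked']}")
```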