I have a Meteor App that I'm whitelisting to just a specific IP.
So something like
handleRoute(req,res) => {
if (req.HEADERS[x-forwarder-for]) === WHITELISTED_IP) {
next(res,req)
} else {
res.writeHead(404);
res.end();
}
}
This works and you get a 404 page.
However, this can lead an attacker to know that the site at least exists. I'd like to obfuscate that further if possible.
Like, if you go to some obscure site that doesn't exist you'll probably see some splash page from your ISP. I'm guessing this is something the ISP put in place when DNS lookup fails.
I'm wondering if it's possible to still show that somehow. This would be using standard Node HTTP Request req,res API. Thanks!
No, that's not possible. Once the control flow reaches your Node application, an attacker will know that it exists. They will be able to tell the difference between a page that is rendered by the browser on failure to look up a domain name in DNS, and a page you return to them. Besides, they won't be using browsers to investigate targets, so they will see quite a bit more than what a user in a browser would.
I think your best bet would be to copy & paste one of those annoying domain parking pages that web hosts put on a domain when it was purchased but isn't yet hosting a page yet. Ideally you would use the parking page of the domain registrar you used to acquire your domain because it will be the most believable. And of course, try to replicate the entire message (including headers), not just the HTTP body. Unlike the idea of serving a fake "can't resolve domain" page, this one should be entirely possible.