I’ve been using Cloudflare tunnels in my homelab. I’m wondering how well they resist subdomain discovery/enumeration by bots/malicious actors. I’m aware that security through obscurity isn’t a real strategy, but I am curious about this from a purely academic standpoint. Aside from brute force guessing, are there any other strategies that could be used to find the subdomains of services tunneled through cloudflare?
crt.sh ?