January 31, 2026

Have You Seen My Domain Controller?

The post describes what Cisco’s SOC observed at Cisco Live Melbourne 2025: many Windows laptops on the conference Wi-Fi were automatically trying to find their corporate Active Directory (AD) domain controllers by sending DNS SRV lookups (for example, Kerberos and LDAP service records). Cisco captured and analyzed the traffic and saw roughly 3,800 distinct AD-related query names; most failed, but around 300 returned successful DNS responses—suggesting that some organizations’ domain controllers (or related services) were reachable from the public internet. In a few cases, those lookups were followed by cleartext LDAP BIND attempts, which can expose authentication material over untrusted networks.

The author highlights why this matters: any public or semi-public Wi-Fi operator can learn details about your organization from these queries alone (an OSINT leak), and a malicious hotspot could trick misconfigured endpoints into disclosing credentials (the post references tools like Responder). It also calls out a broader hygiene issue: if your domain controllers are internet-accessible, you need to be confident they are hardened appropriately. The recommended “reliable” mitigation is a properly configured VPN, ideally a full-tunnel setup with “Start Before Login” enabled so that DNS and other traffic is protected as early as possible, combined with strong Windows hardening (for example, SMB signing, LDAP over TLS, and LDAP channel binding).
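The traffic analysis the two paragraphs above describe (spotting the automatic DC-locator SRV lookups, counting distinct names, and separating the ones that actually resolved, which is exactly what a Wi-Fi operator or a defender reviewing resolver logs can see) is easy to reproduce over your own DNS logs. The following is an added example and not code from the Cisco post; the five-column log format and every sample line, client address and domain name in it are constructed for illustration, so a real resolver or pcap export will need its own line parser.

```python
"""Find Active Directory DC-locator (SRV) lookups in DNS query logs and
report which AD domains resolved from the network the logs were taken on.

Added example, not from the original post. The log format and the sample
lines below are constructed; adapt LINE_RE to your resolver's export.
"""
import re
from collections import defaultdict

# Service labels of the SRV records a domain-joined Windows host queries to
# locate domain controllers, global catalogs and the password-change service.
AD_SRV_SERVICES = ("_ldap", "_kerberos", "_kpasswd", "_gc")

# Constructed log format: "<timestamp> <client-ip> <qname> <qtype> <rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)

# Constructed sample log: two fictitious organisations' laptops on the same
# Wi-Fi, one whose AD locator records resolve publicly and one whose do not.
SAMPLE_LOG = """\
2025-11-12T09:01:02Z 10.20.1.17 _ldap._tcp.dc._msdcs.corp.example-a.test SRV NOERROR
2025-11-12T09:01:02Z 10.20.1.17 _kerberos._tcp.dc._msdcs.corp.example-a.test SRV NOERROR
2025-11-12T09:01:05Z 10.20.1.44 _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad.example-b.test SRV NXDOMAIN
2025-11-12T09:01:05Z 10.20.1.44 _kpasswd._tcp.ad.example-b.test SRV NXDOMAIN
2025-11-12T09:01:09Z 10.20.1.44 _kerberos._udp.ad.example-b.test SRV NXDOMAIN
2025-11-12T09:01:11Z 10.20.1.90 www.example-c.test A NOERROR
2025-11-12T09:01:15Z 10.20.1.17 _gc._tcp.corp.example-a.test SRV NOERROR
"""


def is_ad_locator_query(qname: str, qtype: str) -> bool:
    """True for the SRV lookups the Windows DC locator sends automatically."""
    if qtype.upper() != "SRV":
        return False
    return qname.split(".")[0].lower() in AD_SRV_SERVICES


def ad_domain(qname: str) -> str:
    """Strip the service/protocol/site/_msdcs labels and return the AD domain.

    Every locator record places its structural labels (_tcp, _udp, _sites,
    _msdcs) in front of the domain name, so the domain is whatever follows
    the last underscore-prefixed label. Names without such labels are
    returned unchanged.
    """
    labels = qname.rstrip(".").split(".")
    marker_positions = [i for i, label in enumerate(labels) if label.startswith("_")]
    if not marker_positions:
        return qname.lower()
    return ".".join(labels[max(marker_positions) + 1:]).lower()


def summarize(log_text: str) -> dict:
    """Count distinct AD locator names, how many resolved, and per-domain stats."""
    names = {}  # lowercase qname -> True if any response for it was NOERROR
    domains = defaultdict(lambda: {"queries": 0, "resolved": 0, "clients": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # tolerate malformed lines instead of aborting the run
        qname, qtype, rcode = match["qname"], match["qtype"], match["rcode"]
        if not is_ad_locator_query(qname, qtype):
            continue
        resolved = rcode.upper() == "NOERROR"
        key = qname.lower()
        names[key] = names.get(key, False) or resolved
        stats = domains[ad_domain(qname)]
        stats["queries"] += 1
        stats["resolved"] += int(resolved)
        stats["clients"].add(match["client"])
    return {
        "distinct_names": len(names),
        "resolved_names": sum(names.values()),
        "domains": dict(domains),
    }


def publicly_resolvable_domains(summary: dict) -> list:
    """AD domains whose locator records answered on this network: the ones
    whose owners should confirm their DCs and LDAP endpoints are not exposed."""
    return sorted(d for d, s in summary["domains"].items() if s["resolved"] > 0)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"distinct AD locator names: {result['distinct_names']}")
    print(f"names that resolved:      {result['resolved_names']}")
    for domain, stats in sorted(result["domains"].items()):
        print(f"  {domain}: {stats['queries']} queries, {stats['resolved']} resolved, "
              f"{len(stats['clients'])} client(s)")
    print("domains to check for internet-exposed DCs:", publicly_resolvable_domains(result))
```

Run against the constructed sample this reports six distinct locator names, three of which resolved, and singles out `corp.example-a.test` as the domain whose owner should check what is answering those records from the internet. On real data, the `clients` sets are the second half of the OSINT picture: each one ties a device on the guest network to a named organisation without any traffic beyond the lookups themselves.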

Source: https://blogs.cisco.com/security/windows-ad-dns-public-vpn
