Home

one Traffic manager and multiple DNS mapping (pls need clarification on how security is ensured)

%3CLINGO-SUB%20id%3D%22lingo-sub-638975%22%20slang%3D%22en-US%22%3Eone%20Traffic%20manager%20and%20multiple%20DNS%20mapping%20(pls%20need%20clarification%20on%20how%20security%20is%20ensured)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-638975%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Team%2C%3C%2FP%3E%3CP%3EI%20feel%20really%20strange%20on%20how%20Azure%20Traffic%20Manager%20allowing%20traffic%20from%20multiple%20Custom%20domains%20with%20just%20adding%20a%20CNAME%20record%20of%20traffic%20manager%20to%20them%20without%20enforcing%20any%20validation%20of%20DNS%20from%20Azure%20end.%3C%2FP%3E%3CP%3EMay%20be%20I%20am%20wrong%2C%20but%20let%20me%20explain%20in%20detail%3A%3C%2FP%3E%3CP%3EHere's%20my%20setup%3A%3C%2FP%3E%3CP%3ETraffic%20Manager%3C%2FP%3E%3CP%3E%5C_____%20App%20Gateway(East)%20%26amp%3B%20App%20Gateway(West)%3C%2FP%3E%3CP%3E%5C_WebApp%20(East)%20%26amp%3B%20%5C_WebApp(West)%3C%2FP%3E%3CP%3EA%20HA%20setup%20with%20applications%20in%20East%20%26amp%3B%20West.%3C%2FP%3E%3CP%3EI've%20bought%20Domain%20from%20GoDaddy%20%26amp%3B%20I%20added%20CNAME%20record%20pointing%20to%20Traffic%20manager%20(pqr-tm.trafficmanager.net).%20I%20did%20no%20additional%20steps%20for%20Domain%20validation%20from%20Azure.%3C%2FP%3E%3CP%3EAfter%20the%20DNS%20propogation%20happend%2C%20the%20other%20day%20when%20I%20tired%20my%20Custom%20Domain%20(lets%20say%20pqr.com)%2C%20it%20routed%20to%20my%20WebApp%20as%20expected%20as%20per%20CNAME%20record.%3C%2FP%3E%3CP%3ENow%2C%20when%20I%20typed%20%3CA%20href%3D%22http%3A%2F%2Fwww.prq.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.prq.com%3C%2FA%3E%20in%20%3CA%20href%3D%22https%3A%2F%2Fdigwebinterface.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdigwebinterface.com%3C%2FA%3E%3CBR%20%2F%3EI%20could%20see%2C%20it%20resolved%20first%20to%20%22traffic%20manager%22%20(it%20clearly%20displaying%20my%20traffic%20manager%20name)%2C%20then%20to%20Application%20Gateway%20DNS%20and%20then%20to%20Application%20Gateway%20Public%20IP.%3C%2FP%3E%3CP%3EThen%20my%20friend%20said%2C%20I'll%20do%20a%20trick%2C%20I'll%20get%20into%20your%20site%20without%20my%20notice.%3C%2FP%3E%3CP%3EHere's%20what%20he%20did%3A%3C%2FP%3E%3CP%3Ehe%20has%20Domain%20in%20Yahoo.%20lets%20say%20-%20xyz.com%3C%2FP%3E%3CP%3Ehe%20opened%20his%20Yahoo%20account%2C%20went%20to%20DNS%20settings%2C%20and%20in%20Forward%20URL%20option%2C%20he%20kept%20my%20traffic%20manager%20DNS%20name%20which%20is%20clearly%20appearing%20in%20%3CA%20href%3D%22https%3A%2F%2Fdigwebinterface.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdigwebinterface.com%3C%2FA%3E%20by%20just%20typing%20my%20website%20%3CA%20href%3D%22http%3A%2F%2Fwww.prq.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.prq.com%3C%2FA%3E%20in%20it.%3C%2FP%3E%3CP%3ETo%20my%20surprise%2C%20with%20in%20a%20minute%2C%3C%2FP%3E%3CP%3Ewhen%20he%20type%20xyz.com%20in%20browser%2C%20my%20WebApp%20started%20rending%20page.%3C%2FP%3E%3CP%3ESo%2C%20I%20thought%20where%20is%20security%3F%3C%2FP%3E%3CP%3EHere's%20my%20point%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdigwebinterface.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdigwebinterface.com%3C%2FA%3E%20--%20is%20publicly%20available%3C%2FP%3E%3CP%3Eby%20typing%20the%20site%20name%2C%20any%20one%20can%20get%20Traffic%20manager%20URL%20(if%20the%20setup%20includes%20it)%3C%2FP%3E%3CP%3Ethen%2C%20just%20by%20keeping%20CNAME%20in%20their%20forward%20URL%2C%20if%20they%20are%20able%20to%20map%20my%20site....where%20is%20the%20security%3F%3C%2FP%3E%3CP%3Eor%3C%2FP%3E%3CP%3EAm%20I%20missed%20any%20step%20in%20Traffic%20manager%20which%20binds%20My%20Domain%20to%20it%20and%20If%20any%20others%20tries%20to%20point%20their%20domain%20to%20my%20traffic%20manager%2C%20it%20rejects%3F%3C%2FP%3E%3CP%3EPls%20help!!%3C%2FP%3E%3CP%3EI've%20a%20strong%20feeling%20that%2C%20there%20will%20be%20tightening%20point%2C%20which%20I%20am%20not%20aware%20of.%3C%2FP%3E%3CP%3EPls%20guide%20Guru's%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3CP%3EThanks%2C%3C%2FP%3E%3CP%3EKiran%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-638975%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EDNS%20Mapping%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETraffic%20Manager%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-639143%22%20slang%3D%22en-US%22%3ERe%3A%20one%20Traffic%20manager%20and%20multiple%20DNS%20mapping%20(pls%20need%20clarification%20on%20how%20security%20is%20ensured%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-639143%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F347667%22%20target%3D%22_blank%22%3E%40kirankumar_azurecloud925%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20first%20thought%20in%20reading%20your%20scenario%20is%3A%20don%E2%80%99t%20count%20on%20DNS%20for%20security.%26nbsp%3B%20Here%20is%20my%20point%3B%20DNS%20is%20just%20a%20public%20record%20of%20pointers.%26nbsp%3B%20Anyone%20could%20just%20as%20easily%20get%20to%20the%20site%20with%20the%20trafficmanager.net%20URL%20or%2C%20if%20a%20web%20server%20was%20hosted%20directly%20behind%20a%20public%20IP%20(like%20we%20did%20in%20the%20olden%20days)%2C%20anyone%20could%20create%20an%20A%20record%20to%20point%20a%20domain%20to%20the%20IP.%26nbsp%3B%20DNS%20is%20an%20old%20protocol%20that%20was%20not%20built%20with%20security%20in%20mind.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20need%20to%20ensure%20that%20only%20users%20intending%20to%20get%20to%20%3CA%20href%3D%22http%3A%2F%2Fwww.prq.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ewww.prq.com%3C%2FA%3E%20get%20to%20your%20site%2C%20the%20best%20bet%20would%20be%20to%20add%20a%20certificate%20to%20trafficmanager%20for%20your%20custom%20hostname%20and%20enforce%20SSL.%26nbsp%3B%20That%20way%2C%20if%20anyone%20tries%20to%20spoof%20the%20host%20(xyz.com)%20the%20user%20will%20get%20a%20certificate%20error.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20need%20authentication%2C%20check%20out%20Azure%20AD%20App%20Proxy%20or%20Azure%20AD%20Application%20Gateway.%26nbsp%3B%20You%20can%20put%20the%20site%20behind%20these%20products%20and%20force%20Azure%20AD%20authentication%20before%20the%20user%20accesses%20the%20web%20site.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-642743%22%20slang%3D%22en-US%22%3ERe%3A%20one%20Traffic%20manager%20and%20multiple%20DNS%20mapping%20(pls%20need%20clarification%20on%20how%20security%20is%20ensured%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-642743%22%20slang%3D%22en-US%22%3E%3CP%3E%40%3CSPAN%3ETravis%20Roberts%26nbsp%3B%20Thanks%20for%20your%20inputs....but%20I%20couldn't%20find%20any%20option%20in%20Traffic%20Manager%20to%20SSL%20bind%20and%20restrict%20the%20traffic%20there%20itself.%20Am%20I%20missing%20anything%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20see%20we%20have%20SSL%20binding%20option%20only%20at%20-%20Application%20Gateway%20(HTTPS%20Listener)%20and%20WebApp.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIn%20my%20case%2C%20I%20did%20SSL%20bind%20at%20AGW%20HTTPS%20listener%20by%20uploading%20PFX.%20We%20thought%20we%20will%20go%20with%20SSL%20off-loading%20at%20AGW%2C%20so%20I%20thought%20of%20not%20adding%20SSL%20again%20at%20WebApp.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20that's%20the%20right%20setup%20where%20there%20is%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETM%20for%20routing%20requests%20in%20HA%20setup%20%26gt%3B%26nbsp%3B%3C%2FP%3E%3CP%3E(followed%20by)%20App%20Gateway%20with%20WAF%20enabled%20(to%20apply%20security)%20%26amp%3B%20SSL%20off%20Load%3C%2FP%3E%3CP%3E(followed%20by)%20Azure%20WebApp%20to%20serve%20the%20request.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20sure%2C%20at%20least%20why%20AGW%20is%20not%20blocking%20the%20connections%20as%20we%20did%20SSL%20bind%20at%20HTTPS%20listener.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPls%20help!!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-643445%22%20slang%3D%22en-US%22%3ERe%3A%20one%20Traffic%20manager%20and%20multiple%20DNS%20mapping%20(pls%20need%20clarification%20on%20how%20security%20is%20ensured%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-643445%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F347667%22%20target%3D%22_blank%22%3E%40kirankumar_azurecloud925%3C%2FA%3EThat%20sounds%20correct.%26nbsp%3B%20The%20Cert%20is%20added%20to%20the%20proxy%20offload%20device%20or%20to%20the%20endpoints.%3C%2FP%3E%3CP%3EGood%20luck%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
kirankumar_azurecloud925
New Contributor

Hi Team,

I feel really strange on how Azure Traffic Manager allowing traffic from multiple Custom domains with just adding a CNAME record of traffic manager to them without enforcing any validation of DNS from Azure end.

May be I am wrong, but let me explain in detail:

Here's my setup:

Traffic Manager

\_____ App Gateway(East) & App Gateway(West)

\_WebApp (East) & \_WebApp(West)

A HA setup with applications in East & West.

I've bought Domain from GoDaddy & I added CNAME record pointing to Traffic manager (pqr-tm.trafficmanager.net). I did no additional steps for Domain validation from Azure.

After the DNS propogation happend, the other day when I tired my Custom Domain (lets say pqr.com), it routed to my WebApp as expected as per CNAME record.

Now, when I typed www.prq.com in https://digwebinterface.com
I could see, it resolved first to "traffic manager" (it clearly displaying my traffic manager name), then to Application Gateway DNS and then to Application Gateway Public IP.

Then my friend said, I'll do a trick, I'll get into your site without my notice.

Here's what he did:

he has Domain in Yahoo. lets say - xyz.com

he opened his Yahoo account, went to DNS settings, and in Forward URL option, he kept my traffic manager DNS name which is clearly appearing in https://digwebinterface.com by just typing my website www.prq.com in it.

To my surprise, with in a minute,

when he type xyz.com in browser, my WebApp started rending page.

So, I thought where is security?

Here's my point:

https://digwebinterface.com -- is publicly available

by typing the site name, any one can get Traffic manager URL (if the setup includes it)

then, just by keeping CNAME in their forward URL, if they are able to map my site....where is the security?

or

Am I missed any step in Traffic manager which binds My Domain to it and If any others tries to point their domain to my traffic manager, it rejects?

Pls help!!

I've a strong feeling that, there will be tightening point, which I am not aware of.

Pls guide Guru's :)

Thanks,

Kiran

3 Replies

@kirankumar_azurecloud925 

My first thought in reading your scenario is: don’t count on DNS for security.  Here is my point; DNS is just a public record of pointers.  Anyone could just as easily get to the site with the trafficmanager.net URL or, if a web server was hosted directly behind a public IP (like we did in the olden days), anyone could create an A record to point a domain to the IP.  DNS is an old protocol that was not built with security in mind. 

 

If you need to ensure that only users intending to get to www.prq.com get to your site, the best bet would be to add a certificate to trafficmanager for your custom hostname and enforce SSL.  That way, if anyone tries to spoof the host (xyz.com) the user will get a certificate error.

 

If you need authentication, check out Azure AD App Proxy or Azure AD Application Gateway.  You can put the site behind these products and force Azure AD authentication before the user accesses the web site.

@Travis Roberts  Thanks for your inputs....but I couldn't find any option in Traffic Manager to SSL bind and restrict the traffic there itself. Am I missing anything?

 

I see we have SSL binding option only at - Application Gateway (HTTPS Listener) and WebApp.

In my case, I did SSL bind at AGW HTTPS listener by uploading PFX. We thought we will go with SSL off-loading at AGW, so I thought of not adding SSL again at WebApp.

 

Hope that's the right setup where there is

 

TM for routing requests in HA setup > 

(followed by) App Gateway with WAF enabled (to apply security) & SSL off Load

(followed by) Azure WebApp to serve the request.

 

Not sure, at least why AGW is not blocking the connections as we did SSL bind at HTTPS listener.

 

Pls help!!

@kirankumar_azurecloud925That sounds correct.  The Cert is added to the proxy offload device or to the endpoints.

Good luck