The reuse of DNS names is a common requirement for cloud customers, as applications and services may need to be upgraded or migrated while still having the ability to deploy using the same DNS name as a pointer. The danger of this practice is that it can leave you vulnerable to a security threat known as a subdomain takeover. This can happen when a DNS name record does not point to a provisioned Azure resource, which means any domain associated with the DNS entry is now considered “dangling”. A malicious actor could take control of the dangling domain by creating a new resource with the same DNS name that points to different resources as shown below:
In the past, Azure has recommended multiple ways to remediate this type of threat by using products like Microsoft Defender for App service or Azure DNS alias records, along with practicing “good DNS hygiene”. Today, we are excited to announce a new capability for Azure public IP address that can prevent this type of subdomain takeover while still allowing for re-use of DNS names. We have introduced a new parameter called Domain Name Label Scope will have an additional, hashed string in between the domainnamelabel and location fields.
The value of the Domain Name Label Scope can be set to four different values:
Value |
Behavior |
TenantReuse |
Object with the same name in the same tenant will receive the same Domain Label |
SubscriptionReuse |
Object with the same name in the same subscription will receive the same Domain Label |
ResourceGroupReuse |
Object with the same name in the same Resource Group will receive the same Domain Label |
NoReuse |
Object with the same name will receive a new Domain Label for each new instance |
Let’s say you have a single Azure subscription and want to create a website for your Contoso Coffee business while preventing others from reusing your DNS name records. You would:
If you delete and redeploy a public IP address using the same template as before, the domain name label will remain the same. However, if another customer deploys a public IP address using this same template under a different subscription, the provided domain name label will change (e.g. contoso.c9ghbqhhbxevhzg9.westus.cloudapp.Azure.com), even if the public IP resource with the domain name above was removed. This would prevent any other subscription from being able to takeover the subdomain.
The feature to secure your domain name label records using Domain Name Label Scope is available in all regions. For more information on Azure DNS or Azure Public IP Services, you can review the documentation below.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.