Improve DNS security by using Domain Name Label Scope
Published Mar 27 2024 09:00 AM 2,652 Views
Microsoft

The reuse of DNS names is a common requirement for cloud customers, as applications and services may need to be upgraded or migrated while still having the ability to deploy using the same DNS name as a pointer. The danger of this practice is that it can leave you vulnerable to a security threat known as a subdomain takeover. This can happen when a DNS name record does not point to a provisioned Azure resource, which means any domain associated with the DNS entry is now considered “dangling”. A malicious actor could take control of the dangling domain by creating a new resource with the same DNS name that points to different resources as shown below:

brianlehr_0-1711047640891.png

In the past, Azure has recommended multiple ways to remediate this type of threat by using products like Microsoft Defender for App service or Azure DNS alias records, along with practicing “good DNS hygiene”. Today, we are excited to announce a new capability for Azure public IP address that can prevent this type of subdomain takeover while still allowing for re-use of DNS names. We have introduced a new parameter called Domain Name Label Scope will have an additional, hashed string in between the domainnamelabel and location fields. 

The value of the Domain Name Label Scope can be set to four different values:

Value

Behavior

TenantReuse

Object with the same name in the same tenant will receive the same Domain Label

SubscriptionReuse

Object with the same name in the same subscription will receive the same Domain Label

ResourceGroupReuse

Object with the same name in the same Resource Group will receive the same Domain Label

NoReuse

Object with the same name will receive a new Domain Label for each new instance

 

Let’s say you have a single Azure subscription and want to create a website for your Contoso Coffee business while preventing others from reusing your DNS name records. You would:

  • Select SubscriptionReuse as the option when deploying a public IP address with DNS, generating a domain name label of contoso.fjdng2acavhkevd8.westus.cloudapp.Azure.com
  • Create a DNS zone for your domain name in Azure DNS for contoso.com and then assign a CNAME (canonical name) record in your DNS zone with the subdomain contosocofee.contoso.com that points to your domain name
  • Delegate your domain name to the Azure DNS name servers at your domain name registrar
    Note the second and third steps could be done at any DNS provider, inclusive of Azure DNS.

If you delete and redeploy a public IP address using the same template as before, the domain name label will remain the same.  However, if another customer deploys a public IP address using this same template under a different subscription, the provided domain name label will change (e.g. contoso.c9ghbqhhbxevhzg9.westus.cloudapp.Azure.com), even if the public IP resource with the domain name above was removed.  This would prevent any other subscription from being able to takeover the subdomain.

brianlehr_3-1711046105169.png

The feature to secure your domain name label records using Domain Name Label Scope is available in all regions. For more information on Azure DNS or Azure Public IP Services, you can review the documentation below.

Azure DNS

Azure Public IP addresses - Domain Name Label Scope

Co-Authors
Version history
Last update:
‎Mar 27 2024 09:52 AM
Updated by: