SOLVED

Azure DNS zone security


Hi there,

 

I have been considering using Azure DNS.

I created a test tenant to try it out and configured an unused domain on it (say example.com).

It worked fine and I decided to start using it for my production/live domains.

I created a new 'production' tenant, a DNS zone on that tenant and added domain example.com

I realised that I was not asked to prove ownership of the domain (like you are asked when configuring a domain on O365).

So I have 2 tenants with DNS zones with the same domain!

However, the name servers on the 2nd tenant were different.

So, when I changed it at my domain registrar, I was able to get the records managed on the new tenant.

But that got me worried.

Anyone can create a tenant on Azure and create a DNS zone for domain example.com

Can anyone advise if there is a way to prevent this?

 

Update:
When I created the resource group on my production tenant, I selected a different region and I was thinking that this may be why the name servers are different.

So I deleted everything on my production tenant.

I created a new resource group and selected the same region as on the test tenant.

When I created a zone for example.com, the name servers were different from those on the test tenant.

So it does seem that there is some verification/control being done.

I would be grateful if someone can confirm this.

2 Replies
best response confirmed by nadsurf93 (New Contributor)
Solution

@nadsurf93, when you provision a DNS Zone in Azure, you are simply using a PaaS service that will allow you to delegate DNS resolution for a domain you own. An Azure DNS Zone by itself is useless until you configure your domain registrar to use Azure DNS name servers for your domain. That's why you don't have to prove ownership to Azure - you can only configure your registrar settings to use Azure name servers if you own the domain, of course.

 

For each DNS Zone, Azure will provide you with 4 name server addresses. If you have multiple Azure DNS Zones with the same name, then their name servers must be different, because this will be the glue between Azure DNS and your registrar configuration.

 

More details on Azure DNS delegation here.
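The delegation relationship described in this reply can be checked mechanically. The following is an added example, not part of the original reply or of any Microsoft tooling: it compares the NS set published at the registrar with the name servers assigned to each same-named zone and reports which zone actually answers for the domain. The zone labels, the name server values and the function names are constructed for illustration.

```python
# Added example: which same-named Azure DNS zone does the registrar delegate to?
# All labels and name server values below are constructed sample data.

def normalize(ns):
    """Lower-case a name server host name and drop the trailing root dot."""
    return ns.strip().lower().rstrip(".")

def classify_zones(delegated_ns, zones):
    """Compare the registrar's NS set with each zone's assigned NS set.

    delegated_ns: NS host names published for the domain at the registrar.
    zones: label -> name servers Azure assigned to that zone.
    Returns {label: "delegated" | "partial" | "not delegated"}.
    """
    delegated = {normalize(ns) for ns in delegated_ns}
    result = {}
    for label, assigned_ns in zones.items():
        assigned = {normalize(ns) for ns in assigned_ns}
        if delegated == assigned:
            result[label] = "delegated"      # this zone serves the domain
        elif delegated & assigned:
            result[label] = "partial"        # registrar and zone disagree
        else:
            result[label] = "not delegated"  # zone exists but is never queried
    return result

def unowned_delegations(delegated_ns, zones):
    """Delegated name servers that belong to none of the listed zones."""
    known = {normalize(ns) for assigned in zones.values() for ns in assigned}
    return sorted({normalize(ns) for ns in delegated_ns} - known)

# Constructed sample: two zones named example.com in different tenants.
ZONES = {
    "test-tenant": ["ns1-01.azure-dns.com.", "ns2-01.azure-dns.net.",
                    "ns3-01.azure-dns.org.", "ns4-01.azure-dns.info."],
    "prod-tenant": ["ns1-07.azure-dns.com.", "ns2-07.azure-dns.net.",
                    "ns3-07.azure-dns.org.", "ns4-07.azure-dns.info."],
}
# Constructed sample: what the registrar currently publishes for example.com.
DELEGATED = ["NS1-07.azure-dns.com", "ns2-07.azure-dns.net",
             "ns3-07.azure-dns.org", "ns4-07.azure-dns.info"]

if __name__ == "__main__":
    for label, state in classify_zones(DELEGATED, ZONES).items():
        print(f"{label}: {state}")
    print("delegated but not in any listed zone:",
          unowned_delegations(DELEGATED, ZONES))
```

A non-empty result from `unowned_delegations` means the registrar points at name servers that none of the zones you listed were assigned, which is the case worth investigating.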

Dear hspinto,
I suspected that it was the case (since when I created the zone on the new tenant it gave me a different set of name records).
And I was able to change the name servers on my registrar account so that it would point to the "new" name servers.
I just wanted to lay this worry to rest (DNS is critical after all).
In any case, many thanks for having provided this information.