Azure / Azure-Network-Security

Resources for improving Customer Experience with Azure Network Security
MIT License

Incorrectly flagging root of domain as dangling #21

Open Ross-NeoNexus opened 3 years ago

Ross-NeoNexus commented 3 years ago

Describe the bug
This tool reports the root (or apex) of the domain as "dangling" when in fact it has been mapped. This appears to be due to the tool ONLY recognising & querying CNAME DNS records. However, the root (or apex) of a domain can NOT have a CNAME associated with it. (A CNAME record is not allowed to coexist with any other data. If a CNAME for the apex is created, DNS resolution will break for the domain. See RFC 1912 section 2.4.)

To achieve an Azure mapping for the apex behaviour, an ANAME record must be created in the DNS. This ANAME record can be mapped to the Azure resource, or more usually, mapped to the CNAME that is in turn mapped to an Azure resource.

For example, we may wish to map both the "www.contoso.com" subdomain and the root domain, "contoso.com", to a CDN resource. To accomplish this, we can create a CNAME record for "www.contoso.com" that maps to the CDN endpoint "contosowebsite.azureedge.net". However, to map "contoso.com" to the same endpoint, we can NOT create a CNAME. To map the apex record "contoso.com" we create an ANAME record in the DNS that points to "www.contoso.com" or to "contosowebsite.azureedge.net". This now has the effect that DNS lookups for both "www.contoso.com" and "contoso.com" resolve to "contosowebsite.azureedge.net". Thus "contoso.com" is NOT a dangling domain!!

Reproduce
Steps to reproduce the behavior:

  1. Create a CDN custom domain of "contoso.com" to an endpoint
  2. Verify the domain by using the CDNVERIFY method (we can't use auto verification as we can't create a CNAME)
  3. Create an ANAME record in the DNS pointing "contoso.com" to the resource endpoint
  4. Browse to the endpoint using "contoso.com" and note that it is correctly mapped.
  5. Run Get-DanglingDnsRecords.ps1
  6. Note that "contoso.com" is INCORRECTLY flagged as a dangling domain!!

Expected behaviour
The apex (root) of a domain should be checked properly to see if it is in fact dangling, i.e. check to see if an ANAME exists that is mapped to a valid Azure resource (either explicitly or via mapping to a CNAME that in turn is correctly mapped). The apex of a domain should NOT be reported as dangling if it in fact resolves to a valid Azure resource.

Screenshots N/A

Environment- if applicable N/A

Desktop (please complete the following information if applicable): N/A

Logs- if applicable N/A

Additional context N/A
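The apex check the report asks for, written out as an added Python example; this is not code from Azure-Network-Security or from Get-DanglingDnsRecords.ps1. Because an ANAME/alias is flattened by the DNS provider into the A/AAAA records of its target, an apex cannot be classified by looking for a CNAME: instead the apex's A/AAAA answers are compared with the A/AAAA answers of the Azure endpoint the custom domain is bound to. All names other than contoso.com / www.contoso.com / contosowebsite.azureedge.net (fabrikam.com, fabrikamweb.azureedge.net, adatum.com), the addresses (TEST-NET and documentation prefixes), and the function names are constructed for this example.

```python
"""Apex-aware dangling check (added example, not the project's own code).

An apex cannot carry a CNAME (RFC 1912 section 2.4), so a scan that only
looks for CNAMEs always reports the apex as unmapped. An ANAME/alias at
the apex is flattened by the provider into the A/AAAA records of its
target, so the apex is judged by comparing its A/AAAA answers with the
Azure endpoint's own A/AAAA answers, both asked of the same resolver.
"""
import socket
from typing import Callable, Dict, List, Set, Tuple

Resolver = Callable[[str, str], List[str]]

# Constructed answers for the worked example. Names, and the TEST-NET /
# documentation-prefix addresses, are made up; nothing here is live data.
CONSTRUCTED_ANSWERS: Dict[Tuple[str, str], List[str]] = {
    ("www.contoso.com", "CNAME"): ["contosowebsite.azureedge.net"],
    ("contosowebsite.azureedge.net", "A"): ["192.0.2.10", "192.0.2.11"],
    ("contosowebsite.azureedge.net", "AAAA"): ["2001:db8::10"],
    # Apex with an ANAME to the endpoint: the provider answers with the
    # endpoint's addresses and no CNAME is visible from outside.
    ("contoso.com", "A"): ["192.0.2.10", "192.0.2.11"],
    ("contoso.com", "AAAA"): ["2001:db8::10"],
    # fabrikam.com: apex whose alias target (fabrikamweb.azureedge.net) was
    # deleted, so neither name is in the table and both answer empty.
    # Apex that points at a non-Azure host.
    ("adatum.com", "A"): ["198.51.100.7"],
}


def table_resolver(name: str, rtype: str) -> List[str]:
    """Answer from the constructed table; unknown names resolve to nothing."""
    return CONSTRUCTED_ANSWERS.get((name.lower().rstrip("."), rtype.upper()), [])


def stdlib_resolver(name: str, rtype: str) -> List[str]:
    """Live A/AAAA lookups with the standard library only.

    getaddrinfo follows CNAMEs and cannot return them, so with this resolver
    the CNAME pre-check in classify_apex never fires; use a real DNS client
    (e.g. dnspython) when CNAME visibility matters.
    """
    family = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}.get(rtype.upper())
    if family is None:
        return []
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, family)})
    except socket.gaierror:
        return []


def addresses(name: str, resolve: Resolver) -> Set[str]:
    """Union of A and AAAA answers for a name."""
    return set(resolve(name, "A")) | set(resolve(name, "AAAA"))


def classify_apex(apex: str, endpoint: str, resolve: Resolver = table_resolver) -> str:
    """Classify an apex custom domain bound to the given Azure endpoint.

    mapped         apex answers with (a subset of) the endpoint's addresses
    dangling       neither the apex nor the endpoint resolves: the alias
                   target is gone, so the endpoint name is a takeover candidate
    unmapped       apex resolves, but not to this endpoint
    cname-at-apex  a CNAME was found, which is invalid at an apex; check the
                   name through the normal CNAME path instead
    """
    if resolve(apex, "CNAME"):
        return "cname-at-apex"
    apex_addrs = addresses(apex, resolve)
    endpoint_addrs = addresses(endpoint, resolve)
    if apex_addrs and apex_addrs <= endpoint_addrs:
        return "mapped"
    if not apex_addrs and not endpoint_addrs:
        return "dangling"
    return "unmapped"


def scan(bindings: Dict[str, str], resolve: Resolver = table_resolver) -> Dict[str, str]:
    """bindings: custom domain -> Azure endpoint it is bound to (as the CDN
    profile reports it). Returns domain -> classification."""
    return {domain: classify_apex(domain, endpoint, resolve)
            for domain, endpoint in bindings.items()}


if __name__ == "__main__":
    verdicts = scan({
        "contoso.com": "contosowebsite.azureedge.net",   # mapped via ANAME
        "fabrikam.com": "fabrikamweb.azureedge.net",     # alias target deleted
        "adatum.com": "contosowebsite.azureedge.net",    # points elsewhere
    })
    for domain, verdict in verdicts.items():
        print(f"{domain:<14} {verdict}")
```

Two caveats a practitioner should keep in mind before wiring this into a scan: CDN endpoints are anycast, so the flattened apex answer is whatever the provider's resolver saw; ask for the apex and the endpoint through the same resolver, and treat an address mismatch as "unmapped, verify manually" rather than as proof of a bad record. And the "dangling" verdict only says the alias target no longer resolves; whether the endpoint name can actually be re-registered by someone else is a separate check against the Azure resource provider.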

tobystic commented 3 years ago

@Arun-Mudiraj has this been fixed in subsequent updates?

Arun-Mudiraj commented 3 years ago

not yet @tobystic

2021H1030039G commented 2 years ago

Can I contribute to the project?

tobystic commented 1 year ago

@2021H1030039G Contributions are welcome under the contribution guidelines