MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

If Azure App Service's custom domain verification will prevent domain taking over #58340

Closed qiufasheng closed 4 years ago

qiufasheng commented 4 years ago

I don't understand very well the statement in italic in the doc. If the original owner releases the resource and a hacker takes it over, if the CNAME is still in DNS, then the hacker will receive all the users' traffic, and be able to control contents. The verification is only used to verify ownership of the custom domain when the application was initially set up, and it won't prevent adversaries from taking advantage of dangling DNS. Did I miss something?

Use Azure App Service's custom domain verification

When creating DNS entries for Azure App Service, create an asuid.{subdomain} TXT record with the Domain Verification ID. When such a TXT record exists, no other Azure Subscription can validate the Custom Domain, that is, take it over. These records don't prevent someone from creating the Azure App Service with the same name that's in your CNAME entry. Without the ability to prove ownership of the domain name, threat actors can't receive traffic or control the content.


KrishnaG-MSFT commented 4 years ago

@qiufasheng Thanks for your comment! We will review and provide an update as appropriate.

shashishailaj commented 4 years ago

@qiufasheng The details in the document pertain to two different things. And what you have mentioned is completely correct that the hacker could redirect your users to their dummy site if they can use the same App Service resource name as mentioned in your DNS CNAME record. This is the reason the records in public DNS for any organization must be vetted from time to time. This responsibility lies with the organization to have a process in place which keeps a check on any mishaps of dangling DNS records.

"These records don't prevent someone from creating the Azure App Service with the same name that's in your CNAME entry." Because this is something which cannot be controlled by the old owner of the app service. Once you have deleted your app service instance, you must remove the CNAME redirection to avoid any threat actors creating an app service instance of the same name and continuing to use your CNAME routing setup within your DNS. The line in italics, "Without the ability to prove ownership of the domain name, threat actors can't receive traffic or control the content", talks about the ownership of the domain name and how subdomain takeover cannot be done if an asuid.{subdomain} TXT record with the Domain Verification ID was created while setting up DNS for the app service.

I agree that the two lines talk about two different problems. The section on how to mitigate the threat defines the strategies that can be used in order to avoid any hacking due to DNS dangling issues. Hope this clarifies your query. We will now close this issue. Should you have any further query, feel free to tag the author of the document @memildin or me in your reply and we will be happy to help.

Thank you.
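The periodic vetting of public DNS records described in the reply above, as an added example that is not part of the original thread or of the Azure documentation: it walks a zone export, flags App Service CNAMEs whose target no longer resolves, and flags those with no matching asuid.{subdomain} TXT record. The zone data, the contoso.example names, the function names and the LIVE_TARGETS stand-in are constructed, and the check assumes that a released app name under azurewebsites.net stops resolving.

```python
import socket

APP_SERVICE_SUFFIX = ".azurewebsites.net"  # default App Service hostname suffix

# Constructed zone export (name, type, value); not real records.
ZONE = [
    ("www.contoso.example", "CNAME", "contoso-web.azurewebsites.net"),
    ("asuid.www.contoso.example", "TXT", "PLACEHOLDER-VERIFICATION-ID"),
    ("shop.contoso.example", "CNAME", "contoso-shop.azurewebsites.net"),
    ("old.contoso.example", "CNAME", "contoso-old.azurewebsites.net."),
    ("asuid.old.contoso.example", "TXT", "PLACEHOLDER-VERIFICATION-ID"),
    ("mail.contoso.example", "CNAME", "mail.partner.example"),
]
# Constructed stand-in for live DNS so the example runs offline.
LIVE_TARGETS = {"contoso-web.azurewebsites.net", "contoso-shop.azurewebsites.net"}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def resolves(host):
    """Live check for real use: True if the name currently resolves."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False

def audit(zone, target_is_live):
    """Return (name, target, issues) for each App Service CNAME needing review."""
    txt_names = {norm(n) for n, t, _ in zone if t.upper() == "TXT"}
    findings = []
    for name, rtype, value in zone:
        target = norm(value)
        if rtype.upper() != "CNAME" or not target.endswith(APP_SERVICE_SUFFIX):
            continue
        issues = []
        if not target_is_live(target):
            issues.append("dangling")      # CNAME outlived the app: remove it
        if "asuid." + norm(name) not in txt_names:
            issues.append("no-asuid-txt")  # verification TXT record missing
        if issues:
            findings.append((norm(name), target, issues))
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE, lambda t: t in LIVE_TARGETS):
        print(finding)
```

Against a real zone, pass `resolves` as the second argument instead of the constructed lookup.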

qiufasheng commented 4 years ago

Hi, Shashi, @memildin Thanks for the reply with explanation! Then I feel the below sentence should be deleted or updated, to avoid confusing readers.

Without the ability to prove ownership of the domain name, threat actors can't receive traffic or control the content

Thanks! Fasheng