MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

More info on verifying domains #67036

Closed jonwbstr closed 3 years ago

jonwbstr commented 3 years ago

Hello,

When verifying domain ownership using a CNAME record, if I'm reading this correctly, adding the "asuid" TXT record prevents Subdomain takeover in the event that the webapp is deleted and the CNAME and TXT records are not deleted.

Question 1: We have a lot of webapps that were created using either just the CNAME for verification, or a CNAME and a TXT record without "asuid" in the hostname (the old way).

Are those domains still protected, or should we add asuid records? https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain#get-a-domain-verification-id.

Question 2: When verifying domain ownership when using an A record, should we delete or keep asuid record after the domain is verified? I was thinking the answer is you can delete the asuid validation record once the domain is validated, but now I'm not sure.

This is the where I was expecting to find that answer: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain#create-the-a-record

Current records. Are these acceptable?

| host | type | value |
|---|---|---|
| site | CNAME | mywebapp.azurewebsites.net |
| site | TXT | <VerificationID> |

| host | type | value |
|---|---|---|
| @ | A | <IP address> |
| @ | TXT | mywebapp..azurewebsites.net |

Recommended records?

| host | type | value |
|---|---|---|
| site | CNAME | mywebapp.azurewebsites.net |
| asuid.site | TXT | mywebapp..azurewebsites.net |

| host | type | value |
|---|---|---|
| @ | A | <IP address> |
| asuid | TXT | mywebapp..azurewebsites.net |


jonwbstr commented 3 years ago

My understanding is that once the domain is verified the record is not needed and there is no risk of an existing app having the domain become unverified because the record was deleted. HOWEVER, deleting the verification record and using a CNAME carries the risk of a subdomain takeover and is not recommended but only a risk if the webapp is deleted and someone reuses that name in their own subscription.

SnehaAgrawal-MSFT commented 3 years ago

@jonwbstr Thanks for the feedback! We are taking a look into this and will get back to you soon.

AjayKumar-MSFT commented 3 years ago

@jonwbstr,

  1. For custom domains you previously configured without this verification ID, it is recommended that you protect them from the same risk (dangling DNS entries and help to avoid subdomain takeovers), yes add the verification ID (asuid) to your DNS record.

CNAME records are especially vulnerable to this threat. When an Azure resource is deprovisioned (/deleted), immediately all the associated CNAME record(s) should be removed from your DNS zone. When the records are not deleted it poses a potential risk.

  2. As mentioned in this document - App Services uses TXT record only at configuration time to verify that you own the custom domain. You can delete this TXT record after your custom domain is validated and configured in App Service. Note: If you want to verify the domain name, but not route production traffic to the web app, you only need to specify the TXT record for the verification step. Verification does not require an A or CNAME record in addition to the TXT record.

For A and CNAME record mapping values, kindly check out the example in the document section.

For detailed information on this, please see 'Prevent dangling DNS entries and avoid subdomain takeover'.
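As an added example (not code from the issue or the Azure docs), the following Python audit pulls together the two answers above and the record layouts in the original question: it walks a zone export, flags App Service CNAMEs whose target app no longer exists (dangling entries to delete), and flags live CNAMEs that lack an `asuid.<host>` TXT record or whose record does not carry the app's verification ID. The `Record` type, the hostnames, the verification IDs and the `live_apps` inventory are all constructed for the example; assembling that inventory from `az webapp list` and each app's Custom Domains page is an assumption, as is one verification ID per app.

```python
"""Audit a DNS zone for App Service custom-domain hygiene.

Added example for this thread, not code from the issue or the Azure docs.
It encodes the two answers given above:
  * a CNAME to <app>.azurewebsites.net should be accompanied by an
    asuid.<host> TXT record carrying the app's verification ID (an old
    TXT record at the host itself does not count), and
  * a CNAME whose target app no longer exists is a dangling entry that
    should be deleted.
A-record hosts are not flagged, since the thread says the TXT record may
be removed once an A-record mapping is verified.
All record data and verification IDs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

APP_SERVICE_SUFFIX = ".azurewebsites.net"


@dataclass(frozen=True)
class Record:
    host: str    # relative name as written in the zone; "@" is the apex
    rtype: str   # "A", "CNAME" or "TXT"
    value: str


def asuid_host(host: str) -> str:
    """Name of the verification TXT record that protects `host`."""
    return "asuid" if host == "@" else f"asuid.{host}"


def audit_zone(records: Iterable[Record], live_apps: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every App Service CNAME in the zone.

    live_apps maps each App Service hostname that still exists in your
    subscription to its custom-domain verification ID (assumption: built
    from `az webapp list` plus each app's Custom Domains page, one ID per app).
    Findings: "dangling-cname", "missing-asuid-txt", "asuid-value-mismatch".
    """
    records = list(records)
    txt_values: Dict[str, set] = {}
    for r in records:
        if r.rtype.upper() == "TXT":
            txt_values.setdefault(r.host.lower(), set()).add(r.value.strip('"'))

    findings = []
    for r in records:
        if r.rtype.upper() != "CNAME":
            continue
        target = r.value.rstrip(".").lower()
        if not target.endswith(APP_SERVICE_SUFFIX):
            continue  # not an App Service target; out of scope here
        if target not in live_apps:
            # The app is gone but the CNAME remains: remove it now.
            findings.append((r.host, "dangling-cname"))
            continue
        values = txt_values.get(asuid_host(r.host).lower(), set())
        if not values:
            # An old-style TXT at the host itself is not the asuid record.
            findings.append((r.host, "missing-asuid-txt"))
        elif live_apps[target] not in values:
            findings.append((r.host, "asuid-value-mismatch"))
    return findings


# Constructed zone export and inventory (hypothetical names and IDs).
SAMPLE_RECORDS = [
    Record("site", "CNAME", "mywebapp.azurewebsites.net"),
    Record("asuid.site", "TXT", "ABC123"),                 # protected
    Record("shop", "CNAME", "oldshop.azurewebsites.net"),  # app was deleted
    Record("shop", "TXT", "ABC123"),                       # old way, no asuid label
    Record("blog", "CNAME", "myblog.azurewebsites.net"),   # live, but no asuid TXT
    Record("docs", "CNAME", "mydocs.azurewebsites.net"),
    Record("asuid.docs", "TXT", "STALE999"),               # ID does not match
    Record("@", "A", "203.0.113.10"),                      # A record: not flagged
]
LIVE_APPS = {
    "mywebapp.azurewebsites.net": "ABC123",
    "myblog.azurewebsites.net": "DEF456",
    "mydocs.azurewebsites.net": "GHI789",
}


def audit_sample() -> Dict[str, str]:
    """Run the audit over the constructed data, keyed by host for easy checks."""
    return dict(audit_zone(SAMPLE_RECORDS, LIVE_APPS))


if __name__ == "__main__":
    for host, finding in sorted(audit_sample().items()):
        print(f"{host:12} {finding}")
```

Run against the constructed data, `site` passes, `shop` is reported as dangling, `blog` as missing its asuid record, and `docs` as carrying a stale verification ID; the apex A record is left alone, matching the thread's conclusion that the TXT record is only needed at verification time for A-record mappings.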

jonwbstr commented 3 years ago

Yes I reviewed the examples prior to submitting my question.

Thank you for confirming, summarizing below for future reference.

Question: Are domains using old non asuid txt records still protected, or should we add asuid records? Answer: not protected, add asuid records.

Question: When verifying domain ownership using an A record, should we delete or keep asuid record after the domain is verified? Answer: safe to delete the txt record after verification for A records.

On Sat, Dec 5, 2020, 6:30 AM AjayKumar-MSFT notifications@github.com wrote:

@jonwbstr https://github.com/jonwbstr,

  1. For custom domains you previously configured without this verification ID, it is recommended that you protect them from the same risk (dangling DNS entries and help to avoid subdomain takeovers), yes add the verification ID (asuid) to your DNS record.

CNAME records are especially vulnerable to this threat. When an Azure resource is deprovisioned (/deleted), immediately all the associated CNAME record(s) should be removed from your DNS zone. When the records are not deleted it poses a potential risk.

  2. As mentioned in this document - https://docs.microsoft.com/azure/dns/dns-web-sites-custom-domain App Services uses TXT record only at configuration time to verify that you own the custom domain. You can delete this TXT record after your custom domain is validated and configured in App Service. Note: If you want to verify the domain name, but not route production traffic to the web app, you only need to specify the TXT record for the verification step. Verification does not require an A or CNAME record in addition to the TXT record.

For A and CNAME record mapping values, kindly check out the example in the document https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-custom-domain#enable-the-cname-record-mapping-in-the-app section.

For detailed information on this, please see 'Prevent dangling DNS entries and avoid subdomain takeover' https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover.


AjayKumar-MSFT commented 3 years ago

Yes, that is correct, thanks for summarizing it and appreciate you taking time to share your feedback for Azure doc improvements.