MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International
10.3k stars 21.48k forks source link

More info on verifying domains #67036

Closed jonwbstr closed 3 years ago

jonwbstr commented 3 years ago

Hello,

When verifying domain ownership uusing a CNAME record, if I'm reading this correctly, adding the "asuid" TXT record prevents Subdomain takeover in the event that the webapp is deleted and the CNAME and TXT records are not deleted.

Question 1: We have a lot of webapps that were created using either just the CNAME for verification, or a CNAME and a TXT record without "asuid" in the hostname (the old way).

Are those domains still protected, or should we add asuid records? https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain#get-a-domain-verification-id.

Question 2: When verifying domain ownership when using an A record, should we delete or keep asuid record after the domain is verified? I was thinking the answer is you can delete the asuid validation record once the domain is validated, but now I'm not sure.

This is the where I was expecting to find that answer: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain#create-the-a-record

Current records. are these acceptable?

host type value
site CNAME mywebapp.azurewebsites.net
site TXT <VerificationID>
host type value
@ A <IP address>
@ TXT mywebapp..azurewebsites.net

 

Recommended records? host type value
site CNAME mywebapp.azurewebsites.net
asuid.site TXT mywebapp..azurewebsites.net
host type value
@ A <IP address>
asuid TXT mywebapp..azurewebsites.net

Document Details

Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

jonwbstr commented 3 years ago

My understanding is that once the domain is verified the record is not needed and there is no risk of an existing app having the domain become unverified because the record was deleted. HOWEVER, deleting the verification record and using a CNAME carries the risk of a subdomain takeover and is not recommended but only a risk if the webapp is deleted and someone reuses that name in their own subscription.

SnehaAgrawal-MSFT commented 3 years ago

@jonwbstr Thanks for the feedback! We are taking a look into this and will get back to you soon.

AjayKumar-MSFT commented 3 years ago

@jonwbstr,

  1. For custom domains you previously configured without this verification ID, it is recommended that you protect them from the same risk (dangling DNS entries and help to avoid subdomain takeovers), yes add the verification ID (asuid) to your DNS record.

CNAME records are especially vulnerable to this threat. When an Azure resource is deprovisioned (/deleted), immediately all the associated CNAME record(s) should be removed from your DNS zone. When the records are not deleted it possess a potential risk.

  1. As mentioned in this document - App Services uses TXT record only at configuration time to verify that you own the custom domain. You can delete this TXT record after your custom domain is validated and configured in App Service. Note-If you want to verify the domain name, but not route production traffic to the web app, you only need to specify the TXT record for the verification step. Verification does not require an A or CNAME record in addition to the TXT record.

For A and CNAME record mapping values, kindly checkout the example in the document section.

For a detailed information on this, please see 'Prevent dangling DNS entries and avoid subdomain takeover'.

jonwbstr commented 3 years ago

Yes I reviewed the examples prior to submitting my question.

Thank you for confirming, summarizing below for future reference.

Question: Are domains using old non asuid txt records still protected, or should we add asuid records? Answer: not protected, add asuid records.

Question: When verifying domain ownership using an A record, should we delete or keep asuid record after the domain is verified? Answer: safe to delete the txt record after verification for A records.

On Sat, Dec 5, 2020, 6:30 AM AjayKumar-MSFT notifications@github.com wrote:

@jonwbstr https://github.com/jonwbstr,

  1. For custom domains you previously configured without this verification ID, it is recommended that you protect them from the same risk (dangling DNS entries and help to avoid subdomain takeovers), yes add the verification ID (asuid) to your DNS record.

CNAME records are especially vulnerable to this threat. When an Azure resource is deprovisioned (/deleted), immediately all the associated CNAME record(s) should be removed from your DNS zone. When the records are not deleted it possess a potential risk.

  1. As mentioned in this document - https://docs.microsoft.com/azure/dns/dns-web-sites-custom-domain App Services uses TXT record only at configuration time to verify that you own the custom domain. You can delete this TXT record after your custom domain is validated and configured in App Service. Note-If you want to verify the domain name, but not route production traffic to the web app, you only need to specify the TXT record for the verification step. Verification does not require an A or CNAME record in addition to the TXT record.

For A and CNAME record mapping values, kindly checkout the example in the document

https://docs.microsoft.com/azure/app-service/app-service-web-tutorial-custom-domain#enable-the-cname-record-mapping-in-the-app section.

For a detailed information on this, please see 'Prevent dangling DNS entries and avoid subdomain takeover https://docs.microsoft.com/azure/security/fundamentals/subdomain-takeover '.

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/MicrosoftDocs/azure-docs/issues/67036#issuecomment-739238676, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADXTPAFFOVUHEZDQWCXEMLTSTIKTZANCNFSM4ULA64SQ .

AjayKumar-MSFT commented 3 years ago

Yes, that is correct, thanks for summarizing it and appreciate you taking time to share your feedback for Azure doc improvements.