Dangling DNS! What it is and how to protect against the attacks!

Dangling DNS! What it is and how to protect against the attacks!

In this video I explore a potential big issue for your organization, Dangling DNS and what you can do to protect and mitigate.

00:00 Introduction and custom DNS use
10:55 Dangling DNS problem
15:18 What we can do
16:26 App Service protections
18:12 Azure DNS alias set protection
19:48 Process to search and find dangling DNS
22:24 Summary

Microsoft Dangling DNS Doc – https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
Scanning tool – https://github.com/Azure/Azure-Network-Security/tree/master/Cross%20Product/DNS%20-%20Find%20Dangling%20DNS%20Records

21 Comments

  1. Jeff Moss on October 30, 2021 at 10:12 am

    Timely. Had issues with this area this week. An App Service on VNET behind an App Gateway you can’t put the CNAME into the Public DNS without interrupting the connectivity through the App Gateway – can’t point at both at same time. We temporarily added the CNAME, accepting the temporary connectivity interruption, before the Custom Domain was validated and then we removed the CNAME and replaced the original pointer to the App Gateway – the check is only done once so this approach works albeit with small outage. MS Support gave us a better way of just using the asuid TXT record adding to the public DNS Zone without the CNAME – that way it validated (via the TXT) and the CNAME isn’t required at all so the original pointing to the App Gateway can remain in place throughout and no loss of connectivity…tried that on another App Service later and that worked fine and obviously no outage required.



  2. satya smart on October 30, 2021 at 10:13 am

    Hiii John
    I’m amazed by seeing this content in your channel. I’m looking for AZ-104 administrator do I have any play list for that ? Or its combined one ?
    Great work. Thanks in advance 😊



  3. Geroff Milan on October 30, 2021 at 10:14 am

    The security here is: inadequate CA processes.

    It should *not* be possible to validate a domain using the method outlined initially.

    The DV method of creating either a TXT record or a CNAME is approved by the CA/Browser Forum, but the CNAME (if used) must either be temporary, or not point to something unrelated to the solution.
    Doing so creates this issue.



  4. Ken RQ on October 30, 2021 at 10:15 am

    Intersting topic, John, thank you. One thing though, I am not sure that having the DNS TXT record as optional is a good idea, maybe it can be made compulsory so that you are better proving that you (the requestor) have the capability to get implemented a DNS TXT record in your domain’s DNS rather than just relying on the fact that the CNAME entry exists. Anyway, am looking forward to your next interesting topic.



  5. Mark Marquez on October 30, 2021 at 10:16 am

    I thought your arm tattoo was a sombrero, hahahahahaha.

    As always, thank you for the great content.



  6. Gary on October 30, 2021 at 10:18 am

    Thanks John. Never knew about this security risk. It cannot come at better time as I am going through all domains and their DNS entries. I will try run this tool and hope to see nothing dangling. Only question I had is how easy would it be for someone to find such dangling entry for misuse? Thanks



  7. Barry Bahrami on October 30, 2021 at 10:20 am

    Is this a hypothetical or has this attack actually happened to someone?



  8. Bronson Magnan on October 30, 2021 at 10:26 am

    A+ content John.



  9. Pradeep Nair on October 30, 2021 at 10:28 am

    Thanks for creating the awareness.



  10. C on October 30, 2021 at 10:32 am

    Thanks for the content – really helpful. Would you consider covering MCAS in an upcoming video?



  11. Anu Kaw on October 30, 2021 at 10:33 am

    Great, thanks for another awesome video. You make everything sound so simple. Have you done any video on Azure Lighthouse? I did a quick search but couldn’t find one :-)..



  12. Olle Hellman on October 30, 2021 at 10:36 am

    Great description of the problem!



  13. Antonio Campos on October 30, 2021 at 10:38 am

    I didn’t know this could happen. Thank you!!!



  14. Thangavel Mudaliar on October 30, 2021 at 10:43 am

    Very useful. I think Microsoft should set warning before deletion of such resources which can cause dangling DNS or enforce policy which would force the admins to delete the DNS entries before the resources are deleted



  15. Tony on October 30, 2021 at 10:43 am

    Awesome video as always John, the cert was an eye opener as i didnt know you could provision these through Azure for web services!



  16. goonerw27 on October 30, 2021 at 10:49 am

    Just note. The domain verification is only unique in the Azure Subscription. Each app service will have the same ID.



  17. Adrian Long on October 30, 2021 at 10:49 am

    Thanks John, great info as always from you



  18. pizang1 on October 30, 2021 at 10:56 am

    Ha, I first heard "bad barber" and then looked at your hairstyle 🙂 I was just discussing that with during security audit of our digital services in Azure. Once again great explanation and very funny pictures! Thanks for sharing knowledge and making me lough 🙂



  19. Scott Osborne on October 30, 2021 at 10:58 am

    Great stuff as always. Thanks John



  20. Noor Mohammad on October 30, 2021 at 10:59 am

    Thank you!
    As always it was informative 🙂



  21. Robann Mateja on October 30, 2021 at 11:03 am

    Great video; thanks for the heads up on this and the links to the scanning tool and doc.