This article is contributed. See the original author and article here.

The reuse of DNS names is a common requirement for cloud customers, as applications and services may need to be upgraded or migrated while still having the ability to deploy using the same DNS name as a pointer. The danger of this practice is that it can leave you vulnerable to a security threat known as a subdomain takeover. This can happen when a DNS name record does not point to a provisioned Azure resource, which means any domain associated with the DNS entry is now considered “dangling”. A malicious actor could take control of the dangling domain by creating a new resource with the same DNS name that points to different resources as shown below:


brianlehr_0-1711047640891.png


In the past, Azure has recommended multiple ways to remediate this type of threat by using products like Microsoft Defender for App service or Azure DNS alias records, along with practicing “good DNS hygiene”. Today, we are excited to announce a new capability for Azure public IP address that can prevent this type of subdomain takeover while still allowing for re-use of DNS names. We have introduced a new parameter called Domain Name Label Scope will have an additional, hashed string in between the domainnamelabel and location fields. 


The value of the Domain Name Label Scope can be set to four different values:


























Value



Behavior



TenantReuse



Object with the same name in the same tenant will receive the same Domain Label



SubscriptionReuse



Object with the same name in the same subscription will receive the same Domain Label



ResourceGroupReuse



Object with the same name in the same Resource Group will receive the same Domain Label



NoReuse



Object with the same name will receive a new Domain Label for each new instance



 


Let’s say you have a single Azure subscription and want to create a website for your Contoso Coffee business while preventing others from reusing your DNS name records. You would:



  • Select SubscriptionReuse as the option when deploying a public IP address with DNS, generating a domain name label of contoso.fjdng2acavhkevd8.westus.cloudapp.Azure.com

  • Create a DNS zone for your domain name in Azure DNS for contoso.com and then assign a CNAME (canonical name) record in your DNS zone with the subdomain contosocofee.contoso.com that points to your domain name

  • Delegate your domain name to the Azure DNS name servers at your domain name registrar
    Note the second and third steps could be done at any DNS provider, inclusive of Azure DNS.


If you delete and redeploy a public IP address using the same template as before, the domain name label will remain the same.  However, if another customer deploys a public IP address using this same template under a different subscription, the provided domain name label will change (e.g. contoso.c9ghbqhhbxevhzg9.westus.cloudapp.Azure.com), even if the public IP resource with the domain name above was removed.  This would prevent any other subscription from being able to takeover the subdomain.


brianlehr_3-1711046105169.png


The feature to secure your domain name label records using Domain Name Label Scope is available in all regions. For more information on Azure DNS or Azure Public IP Services, you can review the documentation below.


Azure DNS documentation | Microsoft Learn


Azure Virtual Network IP Services Documentation | Microsoft Learn

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.