Dangling Dns on Azure

Dangling DNS in Azure environments occurs when DNS records point to Azure resources that have been deleted, decommissioned, or never existed. This creates a security vulnerability where attackers can claim these abandoned resources and intercept traffic meant for legitimate services.

In Azure, dangling DNS manifests through several specific patterns:

App Service Domain Takeover: When an Azure App Service is deleted but its DNS CNAME record remains, attackers can create a new App Service with the same name and receive all traffic intended for the original service. The App Service naming convention requires globally unique names, making it possible to claim abandoned domains.

Storage Account Endpoint Hijacking: Azure Storage accounts use predictable URLs like https://<accountname>.blob.core.windows.net. If a storage account is deleted but DNS records still point to it, an attacker can recreate the account and intercept blob storage traffic.

Azure Functions Hostname Reuse: Similar to App Service, Azure Functions have unique hostnames. Deleted functions with lingering DNS records can be claimed by creating new functions with matching names.

API Management Custom Domains: When custom domains are configured in Azure API Management and the underlying service is deleted, DNS records may persist. Attackers can create new API Management instances and configure matching custom domains.

The Azure-specific attack flow typically follows this pattern:

1. Discover dangling DNS records via subdomain enumeration or DNS history tools
2. Identify Azure service type from the DNS record format
3. Create matching Azure resource with the same name
4. Wait for DNS propagation or TTL expiration
5. Intercept traffic, credentials, or sensitive data

Azure's global namespace for certain services makes this particularly dangerous. For example, if api.example.com pointed to a deleted Azure App Service, an attacker can create a new App Service named api-example-com (Azure replaces dots with hyphens) and claim the domain.

Detecting dangling DNS in Azure requires understanding Azure's specific service naming conventions and endpoint structures. Here's how to identify these vulnerabilities:

DNS Record Analysis: Examine your DNS records for CNAMEs pointing to Azure-specific domains:

*.azurewebsites.net          // App Service
*.blob.core.windows.net      // Blob Storage
*.azurewebsites.net          // Functions
*.azure-api.net              // API Management
*.servicebus.windows.net     // Service Bus
*.table.core.windows.net     // Table Storage

Azure CLI Detection Script: Use this Azure CLI script to check for dangling DNS:

#!/bin/bash
# Check for dangling DNS records pointing to Azure services

AZURE_DOMAINS=(
    "azurewebsites.net"
    "blob.core.windows.net"
    "azure-api.net"
    "servicebus.windows.net"
    "table.core.windows.net"
)

for domain in "${AZURE_DOMAINS[@]}"; do
    echo "Checking for dangling records pointing to $domain..."
    # This would integrate with your DNS provider's API
    # Example: dig +short CNAME records for the domain
    # Check if corresponding Azure resources exist
    echo "Implement DNS provider API calls here"
done

middleBrick Azure API Security Scanning: middleBrick's Azure-specific scanning identifies dangling DNS vulnerabilities by:

• Analyzing DNS records for Azure-specific endpoint patterns
• Checking if referenced Azure resources exist
• Testing for unauthenticated access to claimed resources
• Identifying misconfigured CORS policies that could enable exploitation

Azure Resource Graph Queries: Use Azure Resource Graph to inventory your resources:

# Query Azure Resource Graph for all App Services
Resources
| where type == "microsoft.web/sites"
| project name, location, resourceGroup, tags

Azure Security Center Integration: Azure Security Center includes recommendations for exposed DNS records and can alert on suspicious resource creation patterns that might indicate dangling DNS exploitation attempts.

Remediating dangling DNS in Azure environments requires both immediate fixes and preventive measures using Azure's native capabilities.

Immediate Remediation Steps:

# Remove dangling DNS records
# This varies by DNS provider, but typically involves:
# 1. Identify the DNS provider (Azure DNS, GoDaddy, Route53, etc.)
# 2. Remove CNAME or A records pointing to deleted Azure resources
# 3. Update any load balancer or traffic manager configurations

Azure DNS Best Practices: When using Azure DNS, implement these patterns:

# Azure Resource Manager template for DNS with cleanup
{
  "type": "Microsoft.Network/dnsZones/CNAME",
  "apiVersion": "2018-05-01",
  "name": "example.com/api",
  "properties": {
    "TTL": 3600,
    "CNAMERecord": {
      "cname": "api-example.azurewebsites.net"
    }
  }
}

Automated Cleanup with Azure Functions: Deploy an Azure Function to monitor and clean up dangling references:

# Azure Function to check for dangling DNS records
import os
import dns.resolver
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.mgmt.web import WebSiteManagementClient

def main(req: func.HttpRequest) -> func.HttpResponse:
    credential = DefaultAzureCredential()
    subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]
    web_client = WebSiteManagementClient(credential, subscription_id)
    
    # Check if App Service exists for a given DNS record
    app_service_name = "api-example-com"  # From DNS record
    resource_group = "example-rg"
    
    try:
        app = web_client.web_apps.get(resource_group, app_service_name)
        return func.HttpResponse(f"App Service exists: {app.name}")
    except Exception as e:
        # App Service doesn't exist - potential dangling DNS
        return func.HttpResponse(f"Potential dangling DNS: {app_service_name}")

Azure Policy for Prevention: Implement Azure Policy to prevent dangling DNS scenarios:

# Azure Policy to prevent deletion of resources with active DNS records
def policy_definition():
    return {
        "if": {
            "field": "type",
            "equals": "Microsoft.Web/sites"
        },
        "then": {
            "effect": "audit",
            "details": {
                "condition": {
                    "anyOf": [
                        {
                            "field": "Microsoft.Network/dnszones/CNAME",
                            "exists": "true"
                        }
                    ]
                }
            }
        }
    }

Azure DevOps Pipeline Integration: Add dangling DNS checks to your deployment pipeline:

# Azure DevOps YAML pipeline with security scanning
steps:
- task: middleBrick@1
  inputs:
    scanUrl: '$(API_ENDPOINT)'
    failOnSeverity: 'high'
    outputFormat: 'json'
- script: |
    # Custom script to check for dangling Azure DNS records
    echo "Running Azure DNS validation..."
    # Implementation using Azure CLI or SDK

Monitoring and Alerting: Configure Azure Monitor alerts for suspicious resource creation patterns that might indicate dangling DNS exploitation attempts.