DNS/SubdomainTakeover/Azure/英文 (English text): describe it here.
It is easier to follow than the odd Japanese translation.
1. Prevent dangling DNS entries and avoid subdomain takeover
This article describes the common security threat of subdomain takeover and the steps you can take to mitigate against it.
1.1. What is a subdomain takeover?
Subdomain takeovers are a common, high-severity threat for organizations that regularly create, and delete many resources. A subdomain takeover can occur when you have a DNS record that points to a deprovisioned Azure resource. Such DNS records are also known as "dangling DNS" entries. CNAME records are especially vulnerable to this threat.
deprovisioned: released / torn down; provision: to set up facilities in advance (cf. provide)
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.
A common scenario for a subdomain takeover:
1.1.1. CREATION:
You provision an Azure resource with a fully qualified domain name (FQDN) of app-contogreat-dev-001.azurewebsites.net.
You assign a CNAME record in your DNS zone with the subdomain greatapp.contoso.com that routes traffic to your Azure resource.
1.1.2. DEPROVISIONING:
The Azure resource is deprovisioned or deleted after it is no longer needed.
At this point, _the CNAME record greatapp.contoso.com should be removed_ from your DNS zone. If the CNAME record isn't removed, it's advertised as an active domain but doesn't route traffic to an active Azure resource. This is the definition of a “dangling” DNS record.
The dangling subdomain, greatapp.contoso.com, is now vulnerable and can be taken over by being assigned to another Azure subscription’s resource.
1.1.3. TAKEOVER:
Using commonly available methods and tools, a threat actor discovers the dangling subdomain.
The threat actor provisions an Azure resource with the same FQDN as the resource you previously controlled (in this example, app-contogreat-dev-001.azurewebsites.net).
Traffic being sent to the subdomain greatapp.contoso.com is now routed to the malicious actor’s resource where they control the content.
1.2. The risks of subdomain takeover
When a DNS record points to a resource that isn't available, the record itself should have been removed from your DNS zone. If it hasn't been deleted, it's a “dangling DNS” record and creates the possibility for subdomain takeover.
Dangling DNS entries make it possible for threat actors to take control of the associated DNS name to host a malicious website or service. Malicious pages and services on an organization's subdomain might result in:
- Loss of control over the content of the subdomain - Negative press about your organization's inability to secure its content, as well as the brand damage and loss of trust.
- Cookie harvesting from unsuspecting visitors - It's common for web apps to expose session cookies to subdomains (*.contoso.com), consequently any subdomain can access them. Threat actors can use subdomain takeover to build an authentic looking page, trick unsuspecting users to visit it, and harvest their cookies (even secure cookies). A common misconception is that using SSL certificates protects your site, and your users' cookies, from a takeover. However, a threat actor can use the hijacked subdomain to apply for and receive a valid SSL certificate. Valid SSL certificates grant them access to secure cookies and can further increase the perceived legitimacy of the malicious site.
- Phishing campaigns - Authentic-looking subdomains might be used in phishing campaigns. This is true for malicious sites and for MX records that would allow the threat actor to receive emails addressed to a legitimate subdomain of a known-safe brand.
- Further risks - Malicious sites might be used to escalate into other classic attacks such as XSS, CSRF, CORS bypass, and more.
1.3. Identify dangling DNS entries
To identify DNS entries within your organization that might be dangling, use Microsoft's GitHub-hosted PowerShell tool "Get-DanglingDnsRecords".
This tool helps Azure customers list all domains with a CNAME associated to an existing Azure resource that was created on their subscriptions or tenants.
If your CNAMEs are in other DNS services and point to Azure resources, provide the CNAMEs in an input file to the tool.
The tool supports the Azure resources listed in the following table. The tool extracts, or takes as inputs, all the tenant's CNAMEs.
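As an added example (not Microsoft's Get-DanglingDnsRecords tool and not part of the original article), the following Python script performs the simplest version of the check described above: it takes CNAME records from your zone, keeps those whose target is an Azure-hosted FQDN, and flags targets that no longer resolve, which is exactly the "dangling" state from the CREATION/DEPROVISIONING scenario. The list of Azure suffixes, the sample records and the `fake_live` resolver are assumptions constructed for the example; the page itself only names azurewebsites.net.

```python
import socket
from typing import Callable, Iterable, List, Tuple

# Azure service suffixes under which hostnames are user-chosen and can be
# re-registered by any subscription. ASSUMPTION: the article only names
# azurewebsites.net; the others are added here for illustration.
AZURE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".blob.core.windows.net",
    ".trafficmanager.net",
    ".azureedge.net",
)

def resolves(fqdn: str) -> bool:
    """True if fqdn has an A/AAAA answer; NXDOMAIN or no data -> False."""
    try:
        socket.getaddrinfo(fqdn, None)
        return True
    except socket.gaierror:
        return False

def find_dangling_cnames(records: Iterable[Tuple[str, str]],
                         is_live: Callable[[str], bool] = resolves) -> List[Tuple[str, str]]:
    """records: (owner name, CNAME target) pairs from your DNS zone.
    Returns the pairs whose target points into Azure and does not resolve,
    i.e. CNAMEs that should have been removed at deprovisioning time."""
    findings = []
    for name, target in records:
        target = target.rstrip(".").lower()
        if not target.endswith(AZURE_SUFFIXES):
            continue            # not an Azure-hosted name, out of scope here
        if not is_live(target):
            findings.append((name, target))
    return findings

# Constructed zone excerpt for the example (not real records).
SAMPLE_RECORDS = [
    ("greatapp.contoso.com", "app-contogreat-dev-001.azurewebsites.net."),
    ("www.contoso.com", "contoso-prod.azurewebsites.net."),
    ("mail.contoso.com", "mail.example-provider.test."),
]

def fake_live(fqdn: str) -> bool:
    """Stub resolver (assumption): only the prod app still exists."""
    return fqdn == "contoso-prod.azurewebsites.net"

if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_RECORDS, fake_live):
        print(f"DANGLING: {name} -> {target}")
```

Run against a real zone with the default `resolves` resolver. A target that does resolve but belongs to a resource outside your tenant is the stronger signal (the name may already have been re-registered), and detecting that case needs the subscription inventory that Get-DanglingDnsRecords cross-references; this script only covers the unresolvable case.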