Describe DNS/SubdomainTakeover/Azure/英文 here.

This is easier to understand than the odd Japanese translation.

https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/security/fundamentals/subdomain-takeover.md

1. Prevent dangling DNS entries and avoid subdomain takeover

This article describes the common security threat of subdomain takeover and the steps you can take to mitigate it.

1.1. What is a subdomain takeover?

Subdomain takeovers are a common, high-severity threat for organizations that regularly create and delete many resources. A subdomain takeover can occur when you have a DNS record that points to a deprovisioned Azure resource. Such DNS records are also known as "dangling DNS" entries. CNAME records are especially vulnerable to this threat.

deprovisioned: released, removed; provision: to prepare equipment in advance ( > provide)

Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.

A common scenario for a subdomain takeover:

1.1.1. CREATION:

You provision an Azure resource with a fully qualified domain name (FQDN) of app-contogreat-dev-001.azurewebsites.net.

You assign a CNAME record in your DNS zone with the subdomain greatapp.contoso.com that routes traffic to your Azure resource.

1.1.2. DEPROVISIONING:

The Azure resource is deprovisioned or deleted after it is no longer needed.

At this point, _the CNAME record greatapp.contoso.com should be removed_ from your DNS zone. If the CNAME record isn't removed, it's advertised as an active domain but doesn't route traffic to an active Azure resource. This is the definition of a “dangling” DNS record.

The dangling subdomain, greatapp.contoso.com, is now vulnerable and can be taken over by being assigned to another Azure subscription’s resource.

1.1.3. TAKEOVER:

Using commonly available methods and tools, a threat actor discovers the dangling subdomain.

The threat actor provisions an Azure resource with the same FQDN as the resource you previously controlled. In this example, app-contogreat-dev-001.azurewebsites.net.

Traffic being sent to the subdomain greatapp.contoso.com is now routed to the malicious actor’s resource where they control the content.

1.2. The risks of subdomain takeover

When a DNS record points to a resource that isn't available, the record itself should have been removed from your DNS zone. If it hasn't been deleted, it's a “dangling DNS” record and creates the possibility for subdomain takeover.

Dangling DNS entries make it possible for threat actors to take control of the associated DNS name to host a malicious website or service. Malicious pages and services on an organization's subdomain might result in:

1.3. Identify dangling DNS entries

To identify DNS entries within your organization that might be dangling, use Microsoft's GitHub-hosted PowerShell tools "Get-DanglingDnsRecords".

This tool helps Azure customers list all domains with a CNAME associated to an existing Azure resource that was created on their subscriptions or tenants.

If your CNAMEs are in other DNS services and point to Azure resources, provide the CNAMEs in an input file to the tool.

The tool supports the Azure resources listed in the following table. The tool extracts, or takes as inputs, all the tenant's CNAMEs.
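The dangling-CNAME condition from the scenario above can also be checked against an exported zone of your own. The following is an added example, not Microsoft's Get-DanglingDnsRecords tool and not code from the original article. The zone lines, the suffix list, and the names `parse_cnames`, `system_resolves` and `find_dangling` are assumptions made for illustration.

```python
import socket

# Illustrative Azure-hosted suffixes (assumption; not the tool's supported list).
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com",
                  ".trafficmanager.net", ".azureedge.net")

# Constructed sample zone export: "name TTL IN TYPE target".
SAMPLE_ZONE = """\
greatapp.contoso.com.  3600 IN CNAME app-contogreat-dev-001.azurewebsites.net.
shop.contoso.com.      3600 IN CNAME app-contoshop-prod-001.azurewebsites.net.
www.contoso.com.       3600 IN CNAME contoso.example.net.
; comment line
mail.contoso.com.      3600 IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Yield (name, target) per CNAME line, lower-cased, trailing dot removed."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()

def system_resolves(hostname):
    """True if the system resolver returns any address for hostname.
    A failed lookup marks a candidate for review, not proof of a dangling record."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone_text, resolves=system_resolves):
    """Return (name, target) for CNAMEs whose Azure target no longer resolves."""
    dangling = []
    for name, target in parse_cnames(zone_text):
        if not target.endswith(AZURE_SUFFIXES):
            continue  # only Azure-hosted targets are in scope here
        if not resolves(target):
            dangling.append((name, target))
    return dangling

if __name__ == "__main__":
    # Constructed resolver state: only the still-provisioned app resolves.
    live = {"app-contoshop-prod-001.azurewebsites.net"}
    for name, target in find_dangling(SAMPLE_ZONE, resolves=lambda h: h in live):
        print(f"DANGLING: {name} -> {target} (remove the CNAME from the zone)")
```

Run without the `resolves` argument to use the system resolver against your own zone export. A target that still resolves can belong to another subscription, so this check only finds records whose target is currently unclaimed.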

MoinQ: DNS/脅威/SubdomainTakeover/Azure/英文 (last edited 2022-10-23 00:50:07 by ToshinoriMaeno)