Talk: Running Azure DNS Securely

On 22-Oct-2019 I spoke at Boston Azure about network security and focused on some of the edges of using Azure DNS, and included some DNS subdomain hijacking awareness.

The command

dig CNAME +short

will check public DNS records for a CNAME, returning whatever it is mapped to, if anything.


In the above screenshot:

  1. nothing returned from dig – this is before any DNS entry was created for the demo subdomain
  2. a cascade of CNAMES are returned from dig – this is after a DNS entry was created for the demo subdomain – and it pointed at an Azure Web App — the cascade here includes my subdomain => an subdomain ( => a second subdomain (waws-prod-dm1-139.sip….) => a domain => and finally an IP address
  3. a single CNAME is returned from dig – this is after the Azure Web App was deleted (), but the DNS subdomain entry ( was left intact – creating a dangling subdomain at risk of being hijacked — anyone who registered (and it was open for anyone) would automatically have already wired up to it.
  4. a cascade of CNAMES are returned from dig – but different than the first – this is after was registered again, by a hacker, and was hijacked


Some other notes from the session:

Subdomain takeover examples:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.