Ha, I first heard "bad barber" and then looked at your hairstyle :) I was just discussing that during a security audit of our digital services in Azure. Once again a great explanation and very funny pictures! Thanks for sharing knowledge and making me laugh :)
@NTFAQGuy
3 years ago
Lol
@tony6626
3 years ago
Awesome video as always, John. The cert was an eye opener, as I didn't know you could provision these through Azure for web services!
@NTFAQGuy
3 years ago
Glad to help!
@geroffmilan3328
3 years ago
The security here is: inadequate CA processes. It should *not* be possible to validate a domain using the method outlined initially. The DV method of creating either a TXT record or a CNAME is approved by the CA/Browser Forum, but the CNAME (if used) must either be temporary, or not point to something unrelated to the solution. Doing so creates this issue.
@robannmateja5000
3 years ago
Great video; thanks for the heads up on this and the links to the scanning tool and doc.
@OlleHellman
3 years ago
Great description of the problem!
@cma9br
3 years ago
I didn't know this could happen. Thank you!!!
@adrianlong7334
3 years ago
Thanks John, great info as always from you
@NTFAQGuy
3 years ago
My pleasure!
@mickeyernie1120
3 years ago
Great stuff as always. Thanks John
@NTFAQGuy
3 years ago
Glad you enjoyed it
@kenrq63
3 years ago
Interesting topic, John, thank you. One thing though: I am not sure that having the DNS TXT record as optional is a good idea. Maybe it can be made compulsory, so that you are better proving that you (the requestor) have the capability to get a DNS TXT record implemented in your domain's DNS, rather than just relying on the fact that the CNAME entry exists. Anyway, I am looking forward to your next interesting topic.
@NTFAQGuy
3 years ago
Adding the TXT protects you: if someone else took the name you vacated, the UID would not match, so App Service would know it's wrong and not serve it. But yes, it would be nice. Always that balance, but as a company, definitely add it!
@JeffMossOramoss
3 years ago
Timely. Had issues with this area this week. With an App Service on a VNET behind an App Gateway, you can't put the CNAME into the public DNS without interrupting the connectivity through the App Gateway; you can't point at both at the same time. We temporarily added the CNAME, accepting the temporary connectivity interruption, until the custom domain was validated, and then we removed the CNAME and restored the original pointer to the App Gateway. The check is only done once, so this approach works, albeit with a small outage. MS Support gave us a better way: just add the asuid TXT record to the public DNS zone without the CNAME. That way it validated (via the TXT), the CNAME isn't required at all, so the original record pointing to the App Gateway can remain in place throughout with no loss of connectivity. Tried that on another App Service later and it worked fine, and obviously no outage required.
@NTFAQGuy
3 years ago
Right, you can validate using the same TXT record I showed as the protection mechanism.
@JeffMossOramoss
3 years ago
@NTFAQGuy Yes, the CNAME is not required at all, just the TXT, it seems.
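An offline check for the CNAME/asuid TXT relationship discussed in the exchange above, as an added example that is not part of the comments or the video. It assumes a DNS zone export as (name, type, value) tuples plus an inventory of the App Service hostnames and Custom Domain Verification IDs the tenant still owns; all records and IDs below are constructed.

```python
"""Offline audit of a DNS zone export for dangling Azure App Service CNAMEs.

Added example, not code from the video or its comments. Assumes the zone is a list
of (name, type, value) tuples, OWNED_APPS inventories the *.azurewebsites.net
hostnames still deployed in your tenant, and OWNED_IDS holds the Custom Domain
Verification IDs expected in asuid.<name> TXT records. Sample data is constructed.
"""
APP_SERVICE_SUFFIX = ".azurewebsites.net"

OWNED_APPS = {"shop-prod.azurewebsites.net", "api-prod.azurewebsites.net",
              "legacy-site.azurewebsites.net"}
OWNED_IDS = {"VERIFY-ID-EXAMPLE-1111"}

ZONE = [  # constructed zone export: (record name, type, value)
    ("shop.example.com", "CNAME", "shop-prod.azurewebsites.net"),
    ("asuid.shop.example.com", "TXT", "VERIFY-ID-EXAMPLE-1111"),
    ("api.example.com", "CNAME", "api-prod.azurewebsites.net"),  # no asuid TXT
    ("old-promo.example.com", "CNAME", "promo2021.azurewebsites.net"),  # app deleted
    ("legacy.example.com", "CNAME", "legacy-site.azurewebsites.net"),
    ("asuid.legacy.example.com", "TXT", "VERIFY-ID-STALE-9999"),
    ("www.example.com", "CNAME", "appgw-frontend.example.net"),  # behind App Gateway
    ("asuid.www.example.com", "TXT", "VERIFY-ID-EXAMPLE-1111"),  # TXT-only validation
]


def audit_zone(zone, owned_apps, owned_ids):
    """Return {record name: finding} for CNAMEs a defender should act on."""
    txt = {n.lower(): v for n, t, v in zone if t == "TXT"}
    findings = {}
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        name, target = name.lower(), target.lower().rstrip(".")
        is_app_service = target.endswith(APP_SERVICE_SUFFIX)
        asuid = txt.get(f"asuid.{name}")
        if is_app_service and target not in owned_apps:
            # Points at an App Service hostname nobody in the tenant holds any more.
            findings[name] = "dangling_cname"
        elif is_app_service and asuid is None:
            # No verification TXT: nothing stops a new owner binding this domain.
            findings[name] = "missing_asuid_txt"
        elif asuid is not None and asuid not in owned_ids:
            # TXT exists but carries an ID that is not yours: stale or foreign.
            findings[name] = "asuid_mismatch"
    return findings

if __name__ == "__main__":
    for name, issue in sorted(audit_zone(ZONE, OWNED_APPS, OWNED_IDS).items()):
        print(f"{issue:18} {name}")
```

The www record shows the TXT-only path from the thread: a CNAME to the App Gateway with a matching asuid TXT produces no finding.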
@NoorMohammad-be1jq
3 years ago
Thank you! As always it was informative :)
@NTFAQGuy
3 years ago
Very welcome
@paddyland74
3 years ago
Thanks for creating the awareness.
@NTFAQGuy
3 years ago
My pleasure
@bronsonmagnan9055
3 years ago
A+ content John.
@NTFAQGuy
3 years ago
Thank you!
@TheTerminator317
3 years ago
Thanks John. Never knew about this security risk. It couldn't come at a better time, as I am going through all domains and their DNS entries. I will try running this tool and hope to see nothing dangling. The only question I had is how easy it would be for someone to find such a dangling entry for misuse? Thanks
@NTFAQGuy
3 years ago
There are tools out there people use to find them, so with those it is easy. I'm not going to name the tools, obviously :-)
@TheTerminator317
3 years ago
@NTFAQGuy Thanks John
@satyasmart9280
3 years ago
Hi John, I'm amazed by seeing this content on your channel. I'm looking for AZ-104 Administrator; do you have any playlist for that? Or is it a combined one? Great work. Thanks in advance 😊
@NTFAQGuy
3 years ago
My Azure Master Class would be the closest thing.
@barrybahrami
3 years ago
Is this a hypothetical or has this attack actually happened to someone?
@NTFAQGuy
3 years ago
Happened to lots of people. Attackers are actively scanning companies for dangling DNS.
Comments: 34