More Info:
Ensure Azure Subdomain NS Records are not vulnerableRisk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the Azure Subdomain NS Records vulnerability in the Azure Network using the Azure console, follow these steps:
- Log in to the Azure portal (portal.azure.com) using your Azure account credentials.
- Navigate to the Azure DNS service by searching for “DNS” in the search bar at the top of the portal and selecting “DNS zones” from the results.
- In the DNS zones blade, select the DNS zone that contains the vulnerable subdomain NS records.
- Once you’ve selected the DNS zone, you will see a list of DNS records associated with it. Look for the NS records related to the vulnerable subdomain.
- Select the vulnerable NS record to open the record details.
- In the record details, click on the “Edit” button to modify the NS record.
- Replace the existing vulnerable NS record with the correct NS record provided by your DNS provider or the authoritative DNS server for the subdomain.
- Save the changes by clicking on the “Save” button.
- Repeat steps 5 to 8 for all the vulnerable NS records associated with the subdomain.
- Once you have updated all the NS records, monitor the DNS propagation to ensure the changes are reflected across the DNS infrastructure. This may take some time depending on the TTL (Time to Live) settings of the DNS records.
- After the DNS changes have propagated, verify the subdomain NS records using DNS lookup tools or commands to ensure they are pointing to the correct authoritative DNS servers.
Using CLI
Using CLI
To remediate the Azure Subdomain NS Records vulnerability using Azure CLI, follow these step-by-step instructions:
-
Install and configure Azure CLI: If you haven’t already, install Azure CLI on your local machine and sign in to your Azure account using the command
az login
. - Identify the affected subdomain: Determine the subdomain that has the vulnerable NS records.
-
Retrieve the current NS records: Use the following command to retrieve the current NS records for the subdomain:
Replace
<zone_name>
with the name of the DNS zone containing the subdomain and<resource_group_name>
with the name of the resource group where the DNS zone is located. -
Update the NS records: Remove the vulnerable NS records and add the correct ones using the following command:
Replace
<record_set_name>
with the name of the record set containing the NS records,<zone_name>
with the name of the DNS zone,<resource_group_name>
with the resource group name, and<new_ns_records>
with the correct NS records. Note: Ensure that you remove the vulnerable NS records and add the correct ones in the--remove
and--add
parameters, respectively. -
Verify the changes: Use the following command to verify that the NS records have been updated:
Ensure that the output reflects the updated NS records.
Using Python
Using Python
To remediate the Azure subdomain NS records vulnerability using Python, you can follow these steps:
-
Install the required Python packages:
-
Import the necessary modules in your Python script:
-
Authenticate with Azure using the DefaultAzureCredential:
-
Retrieve the list of DNS zones in your Azure subscription:
-
Iterate through each DNS zone and check for subdomains with vulnerable NS records:
- Save the Python script and execute it. Ensure that you have the necessary permissions to modify DNS records in your Azure subscription.
subscription_id
with your Azure subscription ID in the authentication step.Note: This script assumes that you have already authenticated with Azure and have the necessary permissions to modify DNS records.