Is there a DNS hijacking risk with Azure Private DNS and on-prem conditional forwarding?

Asked By TechSavvyNinja42 On

I'm looking for insights on my setup where I have an on-prem Active Directory DNS hosting the `int.zn` domain and an Azure Private DNS zone that has `something.int.zn`. The on-prem DNS uses a conditional forwarder for the `something.int.zn` namespace, and queries are resolved through a VPN to the Azure Private DNS Resolver, effectively trusting Azure DNS as the authoritative source for that subdomain. My concern is that if an attacker were to gain write access to the Azure Private DNS zone due to any vulnerabilities like RBAC compromises or stolen admin credentials, they could potentially alter critical records such as `api.something.int.zn` and `db.something.int.zn`. This could lead to internal DNS hijacking or service redirection, and I want to know if this risk is real in hybrid environments or if it's a mostly theoretical concern given security measures like TLS and authentication. Additionally, how should security be treated for Azure Private DNS zones in setups like mine? Also curious about the implications if someone had SPN access with only Contributor permissions on the `something.int.zn` zone.

4 Answers

Answered By LayeredSecurityPro On

I actually think the risk you're describing is quite real and often underestimated in hybrid setups. We faced a similar situation where a service principal was granted DNS Zone Contributor access, and it went unnoticed for months. We took precautions by giving dedicated SP access only to the specific zone, plus we set up alerts to monitor changes in the DNS records. Since you're using Pulumi, I recommend managing RBAC assignments in code rather than the portal to ensure better oversight.

TechSavvyNinja42 -

Thanks for the detailed insights! I plan to handle it through Pulumi, and it's already defined in code with Ansible, so that should help.
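One way to implement the record-change alerting this answer describes, as an added example that is not part of the original thread: a small Python check run over constructed Azure Activity Log entries that flags any successful Private DNS record write or delete made by an identity other than the zone's dedicated service principal. The operation names, event field layout, identity names and resource ids are assumptions for illustration, not taken from the thread or from a real tenant.

```python
import json
from typing import Dict, List, Set, Tuple

# Activity Log operations that change Private DNS records (names assumed;
# confirm against the Microsoft.Network provider operations in your tenant).
RECORD_OPS = {
    f"Microsoft.Network/privateDnsZones/{t}/{a}"
    for t in ("A", "AAAA", "CNAME", "TXT", "SRV")
    for a in ("write", "delete")
}

# Constructed policy: the only identity expected to write records in each zone
# (the zone-scoped service principal from the answer). Zones missing from this
# map are treated as having no allowed writers, so every change is flagged.
ALLOWED_WRITERS: Dict[str, Set[str]] = {"something.int.zn": {"sp-dns-something-int-zn"}}

# Constructed sample events in the shape of Activity Log entries; not real data.
ZONES = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-dns/providers/Microsoft.Network/privateDnsZones/")
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"operationName": "Microsoft.Network/privateDnsZones/A/write", "status": "Succeeded",
     "caller": "sp-dns-something-int-zn", "resourceId": ZONES + "something.int.zn/A/api"},
    {"operationName": "Microsoft.Network/privateDnsZones/A/write", "status": "Succeeded",
     "caller": "someone@example.com", "resourceId": ZONES + "something.int.zn/A/db"},
    {"operationName": "Microsoft.Network/privateDnsZones/read", "status": "Succeeded",
     "caller": "someone@example.com", "resourceId": ZONES + "something.int.zn"},
    {"operationName": "Microsoft.Network/privateDnsZones/CNAME/write", "status": "Failed",
     "caller": "ci-runner", "resourceId": ZONES + "something.int.zn/CNAME/web"},
]]

def zone_and_record(resource_id: str) -> Tuple[str, str]:
    """Split a Private DNS resource id into (zone, 'type/name')."""
    parts = resource_id.split("/privateDnsZones/", 1)[1].split("/")
    return parts[0], ("/".join(parts[1:3]) if len(parts) >= 3 else "")

def unexpected_record_changes(raw_events: List[str]) -> List[dict]:
    """Return successful record writes/deletes whose caller is not allow-listed."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        # Reads and failed attempts are ignored here; failures are worth a
        # separate, lower-severity alert.
        if ev.get("operationName") not in RECORD_OPS or ev.get("status") != "Succeeded":
            continue
        zone, record = zone_and_record(ev["resourceId"])
        if ev.get("caller") not in ALLOWED_WRITERS.get(zone, set()):
            findings.append({"zone": zone, "record": record,
                             "caller": ev.get("caller"), "op": ev["operationName"]})
    return findings
```

Feeding this the diagnostic-settings export of the zone's resource group gives a change feed you can page on; the same allow-list is what the Pulumi-managed role assignment should contain.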

Answered By CloudyWithAChance3 On

If someone manages to compromise your Azure environment, you likely have bigger issues to worry about than just the DNS. Essentially, if your security is breached, it's a pretty serious problem across the board.

Answered By RiskyBusiness101 On

Your question boils down to whether being compromised leads to more risks, and the answer is definitely yes. If there’s a breach, your security is already in jeopardy, including DNS.

Answered By DNSGuardHound On

Gaining admin credentials in Azure poses a higher risk than just DNS redirects. This situation is similar to on-prem breaches: if an attacker gains domain admin rights, you're in a tough spot. It's vital to implement security measures like MFA for Azure admin users to mitigate this risk.
