[dns-operations] More detail on the EA/Origin "subdomain hijack"?

Daniel Stirnimann daniel.stirnimann at switch.ch
Thu Jun 27 15:44:42 UTC 2019

I like what AWS is doing. Each time you create a "resource" with a hostname it adds its random token to the hostname. The downside is of course, users don't get short/nice domain names. I'm not sure if short hostnames are in demand. If so, then cloud providers should not default to short hostnames. Most enterprise customers will create an alias (CNAME) from their main domain anyway.

In Azure if you create your website with a domain name site.mybrowser.p.azurewebsites.net but want it to work with mybrowser.microsoft.com as well, then you currently need to go through a validation step. I guess this is some kind of live checking if a CNAME from mybrowser.microsoft.com to site.mybrowser.p.azurewebsites.net exists and if it does, it adds the additional name-based virtual host to your website. It looks like this validation step could be extended with some kind of domain ownership check. Clearly, an Azure account unrelated to Microsoft should not be allowed to add mybrowser.microsoft.com.

For the attack vector of delegation hijacking or reuse of previously used IP addresses, some domain ownership to cloud account check needs to exist as well.


From: Dave Lawrence [tale at dd.org]
Sent: Thursday, 27 June 2019 16:01
To: Daniel Stirnimann
Cc: dns-operations at dns-oarc.net
Subject: Re: [dns-operations] More detail on the EA/Origin "subdomain hijack"?

Daniel Stirnimann writes:
> I did a little research on this in 2017 [1]. I have not seen any
> cloud provider trying to prevent this kind of attack.

What defense, other than education and admonitions to their customers,
do you envision cloud providers should be employing for this?
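A sketch of the two checks discussed above, the live CNAME-existence step plus a domain ownership token in the spirit of AWS's per-resource random token, together with the zone-owner-side check for CNAMEs whose provider target no longer exists. This is an added example, not code from the thread, Azure or AWS; the zone data, the `_cloud-verify` label, the `cloud-verify=` token format and the provider suffix are all constructed for the example.

```python
"""Custom-domain binding should be accepted only when (1) the CNAME really
points at this account's random-token resource hostname and (2) a TXT record
under the name carries an ownership token tied to the account.  The resolver
is a dict lookup so the example runs offline on a constructed zone."""
from dataclasses import dataclass

# Constructed zone snapshot: name -> {rrtype: [rdata, ...]}.  All names,
# tokens and the provider suffix are made up for the example.
ZONE = {
    "mybrowser.example.com.": {"CNAME": ["site-k7q2x9.p.cloud.example.net."]},
    "_cloud-verify.mybrowser.example.com.": {"TXT": ["cloud-verify=acct-3f9a"]},
    "stale.example.com.": {"CNAME": ["oldapp.p.cloud.example.net."]},
    "site-k7q2x9.p.cloud.example.net.": {"A": ["192.0.2.10"]},
}

def lookup(name, rrtype, zone=ZONE):
    """Return the rdata list for name/rrtype, or [] (stands in for a DNS query)."""
    return zone.get(name.lower().rstrip(".") + ".", {}).get(rrtype, [])

@dataclass
class Verdict:
    ok: bool
    reason: str

def validate_custom_domain(custom, resource_host, account_id, zone=ZONE):
    """Provider side: may account_id bind custom name to resource_host?"""
    cnames = lookup(custom, "CNAME", zone)
    if not cnames:
        return Verdict(False, "no CNAME at custom name")
    if cnames[0].lower() != resource_host.lower().rstrip(".") + ".":
        return Verdict(False, "CNAME does not point at this account's resource")
    # Ownership token: the hypothetical _cloud-verify TXT must name this account.
    txts = lookup("_cloud-verify." + custom, "TXT", zone)
    if f"cloud-verify={account_id}" not in txts:
        return Verdict(False, "ownership token missing or for another account")
    return Verdict(True, "CNAME and ownership token both match")

def dangling_cnames(zone=ZONE, provider_suffix=".p.cloud.example.net."):
    """Zone-owner side: CNAMEs into the provider whose target no longer resolves."""
    out = []
    for name, rrsets in zone.items():
        for target in rrsets.get("CNAME", []):
            if target.lower().endswith(provider_suffix) and not lookup(target, "A", zone):
                out.append((name, target))
    return out
```

The ownership check is the piece the post says is missing today: without it, matching the CNAME alone proves only that someone controls the resource hostname, not that they control the custom domain.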
