Azure / Azure-Network-Security

Resources for improving Customer Experience with Azure Network Security


For Azure Front Door services, the script marks root domains incorrectly as dangled

murraymcpherson opened this issue · comments

Describe the bug
Azurefd.net root domains are incorrectly marked as dangled

I have pasted a snippet of the Get-DanglingDnsRecords.ps1 below where it is supposed to be checking Azure Front Door based subdomains and root domains. First it looks at subdomains by matching against the "." prefix and increments the $count variable when it finds them. If it does, it adds to matching resources; if not, it adds to missing resources.

If the Azure Front Door domain is a root domain, or in other words does not have a "." prefix, $count is not incremented and it goes straight to the missing resources. It will not successfully perform a check to see if the domain exists in the Azure resource hash.

Reproduce
In this hypothetical scenario we have an Azure front door service on test.azurefd.net, with subdomain subdomain.test.azurefd.net.

If you had a CSV CNameDNSMap.csv with the following contents such as:

CName Fqdn
first.test.com test.azurefd.net
second.test.com subdomain.test.azurefd.net

Then executed:
.\Get-DanglingDnsRecords.ps1 -InputFileDnsRecords .\CNameDNSMap.csv

The result would be first.test.com will be detected as dangling, second.test.com will not. The expected result is both are not detected as dangling.

Solution
This could be fixed (for example) by removing the "." prefix match so it will check both subdomain and root domains:
$count = (($AzResourcesHash.GetEnumerator() | Where { $item.FQDN -match $_.key }) | Measure-Object).Count

<--- original code snippet --->

        #Azurefd can have subdomains also which we cannot mark as dangled
        If ($item.FQDN) {
            $key = $item.Fqdn.trim(" ").tolower()

            #Azurefd can have subdomains also which we cannot mark as dangled
            if($item.FQDN -match "azurefd.net")
            {
               $count = (($AzResourcesHash.GetEnumerator() | Where { $item.FQDN -match  "."+$_.key}) | Measure-Object).Count
               if($count -gt 0)
               {
                 [void]$AzCNameMatchingResources.add($item)
               }
               else
               {
                  [void]$AzCNameMissingResources.add($Item)
               }

            }
            else 

<--- original code snippet --->
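The following PowerShell is an added example, not code from the repository's Get-DanglingDnsRecords.ps1. It reproduces the root-domain miss with the two CSV rows from the report and places the original predicate beside a corrected one. $AzResourcesHash is a constructed stand-in for the script's hashtable of Azure resource FQDNs, and its keys are assumed to be lower-case FQDNs; the corrected predicate goes one step beyond the one-line fix proposed above by anchoring the pattern and escaping the key, so that "." is not treated as a regex wildcard and unrelated names that merely contain the key (for example a different Front Door whose name ends in the same string) are not counted as matches.

```powershell
# Added example (not the repository's script): reproduces the root-domain miss
# described in the issue and shows a corrected, anchored check.
# $AzResourcesHash is a constructed stand-in for the script's hashtable of Azure
# resource FQDNs; keys are assumed to be lower-case FQDNs.
$AzResourcesHash = @{
    'test.azurefd.net' = 'FrontDoor:test'   # constructed sample resource
}

# Constructed rows mirroring the issue's CNameDNSMap.csv (CName, Fqdn columns).
$DnsRecords = @(
    [pscustomobject]@{ CName = 'first.test.com';  Fqdn = 'test.azurefd.net' }
    [pscustomobject]@{ CName = 'second.test.com'; Fqdn = 'subdomain.test.azurefd.net' }
    [pscustomobject]@{ CName = 'third.test.com';  Fqdn = 'nottest.azurefd.net' }  # constructed: should stay MISSING
)

# Original predicate from the snippet: requires a character before the key, so a
# CNAME that points at the Front Door root domain itself never matches.
function Test-OriginalMatch {
    param([string]$Fqdn, [hashtable]$Resources)
    $count = (($Resources.GetEnumerator() | Where-Object { $Fqdn -match ('.' + $_.Key) }) | Measure-Object).Count
    return $count -gt 0
}

# Corrected predicate: the FQDN matches when it equals the resource FQDN exactly or
# is a subdomain of it. Anchoring and [regex]::Escape keep "." literal and stop
# names such as "nottest.azurefd.net" from matching the "test.azurefd.net" key.
function Test-CorrectedMatch {
    param([string]$Fqdn, [hashtable]$Resources)
    $normalized = $Fqdn.Trim().ToLower()
    $count = (($Resources.GetEnumerator() | Where-Object {
        $pattern = '^(.+\.)?' + [regex]::Escape($_.Key.ToLower()) + '$'
        $normalized -match $pattern
    }) | Measure-Object).Count
    return $count -gt 0
}

foreach ($record in $DnsRecords) {
    $original  = if (Test-OriginalMatch  -Fqdn $record.Fqdn -Resources $AzResourcesHash) { 'match' } else { 'MISSING' }
    $corrected = if (Test-CorrectedMatch -Fqdn $record.Fqdn -Resources $AzResourcesHash) { 'match' } else { 'MISSING' }
    "{0,-16} -> {1,-28} original: {2,-8} corrected: {3}" -f $record.CName, $record.Fqdn, $original, $corrected
}
```

Running it prints one line per CNAME: first.test.com is MISSING under the original predicate and a match under the corrected one, second.test.com matches under both, and the constructed nottest.azurefd.net row stays MISSING under the corrected predicate because the anchored pattern does not accept a partial name. When the hash keys are not plain lower-case FQDNs, the normalisation in Test-CorrectedMatch needs to be adjusted to whatever form the script actually stores.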

I am running into a similar issue, especially for Front Doors: we are using CNAMEs that are different from the resource names / frontend domain names. The script is marking all the CNAMEs as dangling domains. Is it something I am doing wrong?

Ex:
CNAME- ServiceTest
FrontDoorResourceName fd-ServiceTestUI-gbl-dev.azurefd.net
FrontDoor Domain ServiceTest.dnszone.com

FQDN issue fixed in Frontdoor and psd1 files #35