Why do you need the awverify CNAME record for Azure?

Solution 1:

If you have control of a DNS lookup for a computer, or are able to inject a host record, then you could spoof an A record for that machine and point it to an Azure website (there's actually nothing to stop you doing that for a VM though).

By making you create a CNAME record, and independently verifying it (via their internal / public DNS system), it means that you do have control over the domain, and you're not spoofing somebody else's domain.

Solution 2:

In order to prove control of the domain, you need to put some information in a DNS record on the domain, which will identify your Azure account.

Such information can be embedded in the domain name which a CNAME points to. The part of the domain which was omitted from your post I would expect to identify your particular Azure account.

You don't actually need to keep that name secret. After all, it is going to be publicly visible once you put it in a DNS record.

The reason they couldn't do the same with an A record is that there is not sufficient entropy in an A record to achieve the same security.

That doesn't mean the CNAME is the only method they could have used. Other methods which could have worked include:

  • A TXT record
  • An AAAA record
  • Multiple A records

Personally I consider a TXT record on a subdomain randomly generated by the verifier to be the best method, since it is the least intrusive. But that appears not to be supported in your case.

Solution 3:

Let me try to answer your question by providing two cases. In both cases, you will still need to verify that you are the owner, it is just a security step.

1) www.example.com is not being visited and not in production

2) www.example.com is currently in production and is heavily being used

1) If your domain is now being set up or is not in production/being accessed, you can create a CNAME record that points to yoursite.azurewebsites.net. No awverify.myhost.azurewebsites.net needed.

2) If your domain is in heavy use and being accessed currently, and you wish to test to see if Azure sees the changes in your DNS records, you can create a sub-domain named 'awverify' as in awverify.example.com and point it to a created sub-domain awverify.myhost.azurewebsites.net. This will not affect your current users accessing your website going to www.example.com. Once Azure verifies that it sees the change in the CNAME, you can then notify users of maintenance and change the A record. If you just change the A record, the site may be seen as offline for up to 8 hours.

So to answer your question simply, you don't need to use awverify. Just changing the CNAME can work as well. Also, just changing the A record will redirect all traffic from yourdomain.com to yoursite.azurewebsites.net.

Hope this helps.
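The check Solutions 2 and 3 describe, reproduced as an added example (not code from any of the answers, and not Azure's own verifier): the verifier looks up a CNAME under the customer's domain and accepts it only if the target is the account-specific hostname. It runs against a constructed in-memory zone rather than live DNS; the hostnames (`myhost.azurewebsites.net`, `example.com` and friends), the zone contents and the function names are assumptions made for the illustration. Both proofs from Solution 3 are accepted: the non-disruptive `awverify` CNAME, or a direct CNAME from a hostname that is not yet in production.

```python
"""Offline model of CNAME-based domain-ownership verification.

Added example, not taken from the answers above or from Azure itself.
The zone below is constructed; hostnames are placeholders.
"""

# Constructed sample zone: canonical name -> (record type, value).
SAMPLE_ZONE = {
    # Production site on an A record, with a separate awverify CNAME (Solution 3, case 2)
    "www.example.com.": ("A", "203.0.113.10"),
    "awverify.example.com.": ("CNAME", "awverify.myhost.azurewebsites.net."),
    # Site not yet in production: direct CNAME to the Azure host (Solution 3, case 1)
    "www.example.org.": ("CNAME", "myhost.azurewebsites.net."),
    # awverify record that points at a different account's host: must be rejected
    "awverify.example.net.": ("CNAME", "awverify.someone-else.azurewebsites.net."),
}


def canonical(name: str) -> str:
    """Normalise a DNS name: lower-case, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def lookup(zone: dict, name: str, rtype: str):
    """Return the value of the record of type `rtype` at `name`, or None."""
    rec = zone.get(canonical(name))
    if rec is not None and rec[0] == rtype:
        return rec[1]
    return None


def verify_domain_control(zone: dict, hostname: str, site_host: str, awverify_name: str = None):
    """Decide whether `hostname` may be bound to `site_host`.

    Returns (ok, reason). Two proofs are accepted, in this order:
      1. `awverify_name` (default: awverify.<hostname>) is a CNAME whose
         target is awverify.<site_host>  -> control proven without touching
         the live hostname.
      2. `hostname` itself is a CNAME to `site_host`.
    Anything else, including a CNAME to another account's host or a bare
    A record, is rejected: an IP address alone carries no account identity.
    """
    if awverify_name is None:
        awverify_name = "awverify." + hostname
    expected_awverify = canonical("awverify." + site_host)

    target = lookup(zone, awverify_name, "CNAME")
    if target is not None:
        if canonical(target) == expected_awverify:
            return True, "awverify CNAME matches"
        return False, "awverify CNAME points elsewhere"

    target = lookup(zone, hostname, "CNAME")
    if target is not None:
        if canonical(target) == canonical(site_host):
            return True, "direct CNAME matches"
        return False, "direct CNAME points elsewhere"

    return False, "no CNAME found"


if __name__ == "__main__":
    site = "myhost.azurewebsites.net"
    print(verify_domain_control(SAMPLE_ZONE, "www.example.com", site, "awverify.example.com"))
    print(verify_domain_control(SAMPLE_ZONE, "www.example.org", site))
    print(verify_domain_control(SAMPLE_ZONE, "www.example.net", site, "awverify.example.net"))
    print(verify_domain_control(SAMPLE_ZONE, "www.example.com", site))
```

The last call shows why an A record is not enough on its own: `www.example.com` resolves fine, but nothing in `203.0.113.10` ties the name to a particular account, so the function refuses it until a CNAME carrying the account-specific hostname appears.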