App Service custom domain mapping - can we delete TXT record from DNS after successful validation?

Boris Kudryavtsev 1 Reputation point
2022-01-10T00:52:25.78+00:00

Hi,

In order to map a custom domain name to an Azure Web App we need to validate the domain by adding A and TXT records.
https://learn.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain

Question - can the TXT record be deleted from the DNS server after successful domain name validation?

Thank you.

Cheers,
Boris


3 answers

Sort by: Most helpful
  1. MughundhanRaveendran-MSFT 12,421 Reputation points
    2022-01-10T09:39:14.54+00:00

    @Anonymous,

    Thanks for reaching out to Q&A.

    Yes. The TXT records can be deleted after the domain verification. However, we highly recommend not deleting the TXT records, as it can lead to domain hijacks due to dangling domains.

    Prevent dangling DNS entries and avoid subdomain takeover - https://learn.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

    I hope this helps!

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

    2 people found this answer helpful.

  2. Jessica Chindemi 5 Reputation points
    2024-01-12T04:53:41.0233333+00:00

    I always advise folks to remove domain verification records as soon as the domain is successfully verified. Keeping them in your public record makes it easier for threat actors to discover information about your environment and the tools, systems, and services you're using. This gives them a head start on figuring out what exploits you're most likely to be vulnerable to. Any record used only for the initial domain verification has nothing to do with dangling DNS records or subdomain hijacks and doesn't have any impact on preventing them. Dangling DNS refers to CNAME entries that point a subdomain to a 3rd-party FQDN; then you stop using that subdomain and discontinue the 3rd-party service, but don't remove the CNAME record from your DNS zone records. Now it's "dangling" because it's in the public record but doesn't go anywhere. Subdomain hijacking refers to someone else finding your dangling DNS CNAME, starting their own service with that 3rd party using the same FQDN you did, and now they can impersonate you on your own domain to phish or infect anyone who goes to that site. None of that has anything to do with a TXT record that was used for 5 seconds to check and see if you really did have access to edit the DNS records of the domain you were trying to configure with any given service.

    1 person found this answer helpful.
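The distinction drawn in this answer, as an added example that is not code from the thread, from Microsoft, or from any of the posters: a small Python audit that parses a constructed BIND-style zone and sorts records into two buckets, verification-only TXT records (App Service names these `asuid.<hostname>`) and CNAME records whose targets are no longer in an inventory of resources you still control, which is the "dangling" condition described above. The zone contents, the hostnames and the `OWNED_TARGETS` inventory are constructed sample data; only the `asuid.` naming is the real App Service convention.

```python
"""Audit a DNS zone for verification-only TXT records and dangling CNAMEs.

Added example for this thread; not code from the thread or from Microsoft.
The zone text and the OWNED_TARGETS inventory below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed BIND-style zone for a fictional contoso.com (sample data only).
ZONE = """\
; constructed sample zone
www          3600 IN CNAME contoso-prod.azurewebsites.net.
asuid.www    3600 IN TXT   "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
shop         3600 IN CNAME old-shop.azurewebsites.net.
asuid.shop   3600 IN TXT   "FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
blog         3600 IN CNAME contoso.github.io.
_dmarc       3600 IN TXT   "v=DMARC1; p=reject"
"""

# Constructed inventory of hostnames the organisation still operates. In practice
# this comes from the cloud providers' resource lists, never from DNS itself:
# DNS only tells you what you point at, not whether you still own it.
OWNED_TARGETS = {"contoso-prod.azurewebsites.net", "contoso.github.io"}

# name  TTL  IN  TYPE  RDATA   (only CNAME and TXT matter for this audit)
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.+)$")


@dataclass
class Finding:
    name: str
    rtype: str
    rdata: str
    verdict: str


def parse_zone(text: str) -> list[tuple[str, str, str]]:
    """Return (name, type, rdata) tuples; normalise CNAME targets, unquote TXT."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if not match:
            continue
        name, rtype, rdata = match.groups()
        if rtype == "CNAME":
            rdata = rdata.rstrip(".").lower()   # drop trailing dot, case-fold
        else:
            rdata = rdata.strip().strip('"')
        records.append((name, rtype, rdata))
    return records


def audit(records, owned):
    """Classify records: verification TXTs vs. CNAMEs with no owned target."""
    findings = []
    for name, rtype, rdata in records:
        if rtype == "TXT" and name.startswith("asuid."):
            findings.append(Finding(name, rtype, rdata,
                                    "verification-only TXT (App Service asuid record)"))
        elif rtype == "CNAME":
            verdict = ("ok" if rdata in owned
                       else "DANGLING: target not in owned inventory")
            findings.append(Finding(name, rtype, rdata, verdict))
    return findings


def dangling_names(findings):
    """Hostnames whose CNAME target is no longer something you control."""
    return [f.name for f in findings if f.verdict.startswith("DANGLING")]


if __name__ == "__main__":
    for f in audit(parse_zone(ZONE), OWNED_TARGETS):
        print(f"{f.name:12} {f.rtype:6} {f.rdata:45} {f.verdict}")
```

Running it against the sample zone flags `shop` as the dangling CNAME (its target is absent from the inventory) and lists `asuid.www` and `asuid.shop` as verification-only TXT records, leaving `_dmarc` untouched. The two buckets are reported separately on purpose: the thread gives different advice on whether to keep the `asuid` records, and the audit lets each be reviewed against your own policy, while the dangling-CNAME list is what to act on regardless.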

  3. Alan Kinane 16,786 Reputation points MVP
    2022-01-10T09:27:01.603+00:00

    Yes, this is only required for validation purposes, so it can be safely deleted once the domain has been verified. If you ever need to remove and add the domain again, you will have to create the TXT record again.
