question

BrockHarris-3367 avatar image
0 Votes"
BrockHarris-3367 asked ajkuma-MSFT edited

App Service Container running open DNS resolver service by default

We recently had a vulnerability assessment done against our Azure App Service Container and it showed a DNS service listening on UDP/53. It appears to be Unbound, a DNS resolver. This is listed as a Medium vulnerability as it provides for potential cache poisoning or be used for DoS bounce attacks.

I could not find anything on this in any documentation or any other discussions about it. It appears in all of our different App Service Containers.

Can anyone please provide any insight on this service and if it's needed or if it's possible to disable it?

We have a Basic multi-tenant plan for our App Services so I think we may need to upgrade to provide additional features to block access to the service but I wanted to reach out before making that assumption.

azure-webapps
· 5
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Could you please give a bit more details?
- Do you use custom Docker container?
- What is the tool you are making an assessment?
- Please specify the name and code of the vulnerability?

I run netstat -na command in Linux WebApp and see only the above services

194780-image.png


0 Votes 0 ·
image.png (24.2 KiB)
  • Do you use custom Docker container?
    Yes.

  • What is the tool you are making an assessment?
    Nessus, verified with Nmap.

  • Please specify the name and code of the vulnerability?
    Vulnerability Information
    CPE: cpe:/a:isc:bind
    Exploit Available: false
    Exploit Ease: No known exploits are available
    Vulnerability Pub Date: August 1, 1997
    Reference Information
    CERT-CC: CA-1997-22
    BID: 136, 678
    CVE: CVE-1999-0024

Given your line of questioning and for some reason writing things out always seems to help troubleshoot, coupled with the fact that I can't find anything in the documentation or find others writing about it...seems like the DNS service is likely from the custom container and not anything in front of it as I had thought. It uses the node:14 docker image as a base.

I will explore that route further.

0 Votes 0 ·

Ok, tested custom container. DNS is not running there. The only service that runs there is nginx on port 80.

I guess that makes sense as we would need to be purposely exposing UDP/53 to the container host for it to be externally accessible...and we aren't, we only expose 80.

It seems like the Azure front end HTTPS "helper/unwrapper/reverse proxy" is running the expose UDP/53 DNS resolver, in front of the container.

0 Votes 0 ·

Hi, You may have did misconfuguration of it thats why it showing DNS server to unbound. As I am not techy so while confuguring it for apk reservoir I did minor mistake when the developer of my team checked the issue so he resolved it with just two steps. So kindly check all the nodes again it will be fixed.


0 Votes 0 ·

If anyone using App Service - Web App for Containers (as opposed to Web App - Windows or Web App - Linux) would be willing to please check to see if UDP port 53 is running a DNS resolver in front of your service, I would be most appreciative. It appears to be part of Azure's HTTPS reverse proxy or front end or helper or whatever they are calling it. Thank you!

0 Votes 0 ·

0 Answers