Why do you need the awverify CNAME record for Azure?


Solution 1

If you have control of a DNS lookup for a computer, or are able to inject a host record, then you could spoof an A record for that machine and point it to an Azure website (there's actually nothing to stop you doing that for a VM though).

By making you create a CNAME record, and independently verifying it (via their internal / public DNS system), it means that you do have control over the domain, and you're not spoofing somebody else's domain.

Solution 2

Let me try to answer your question by providing two cases. In both cases, you will still need to verify that you are the owner, it is just a security step.

1) www.example.com is not being visited and not in production

2) www.example.com is currently in production and is heavily being used

1) If your domain is now being set up or is not in production/being accessed, you can create a CNAME record that points to yoursite.azurewebsites.net. No awverify.myhost.azurewebsites.net needed.

2) If your domain is in heavy use and being accessed currently, and you wish to test to see if Azure sees the changes in your DNS records, you can create a sub-domain named 'awverify' as in awverify.example.com and point it to a created sub-domain awverify.myhost.azurewebsites.net. This will not affect your current users accessing your website going to www.example.com. Once Azure verifies that it sees the change in the CNAME, you can then notify users of maintenance and change the A record. If you just change the A record, the site may be seen as offline for up to 8 hours.

So to answer your question simply, you don't need to use awverify. Just changing the CNAME can work as well. Also, just changing the A record will redirect all traffic from yourdomain.com to yoursite.azurewebsites.net.

Hope this helps.

Solution 3

In order to prove control of the domain, you need to put some information in a DNS record on the domain, which will identify your Azure account.

Such information can be embedded in the domain name which a CNAME points to. I would expect the part of the domain which was omitted from your post to identify your particular Azure account.

You don't actually need to keep that name secret. After all, it is going to be publicly visible once you put it in a DNS record.

The reason they couldn't do the same with an A record is that there is not sufficient entropy in an A record to achieve the same security.

That doesn't mean the CNAME is the only method they could have used. Other methods which could have worked include:

  • A TXT record
  • An AAAA record
  • Multiple A records

Personally I consider a TXT record on a subdomain randomly generated by the verifier to be the best method, since it is the least intrusive. But that appears not to be supported in your case.
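To make the ownership proof described in Solutions 2 and 3 concrete, here is an added example (not code from any of the answers above, and not Azure's own verifier): it checks both the awverify CNAME proof and the plain CNAME proof against constructed zone data through an injected resolver, and shows why an A record pointing at a shared IP cannot single out one account. The site name "myhost", the domains and the IP are all made-up assumptions.

```python
# Added example (not code from the answers above): a verifier for the awverify
# CNAME ownership proof, with an injected resolver so it runs offline against
# constructed records. Names, IPs and the "myhost" site are all made up.
from typing import Callable, Dict, Optional

# Constructed sample zone data. example.com has published the awverify CNAME
# while its production www host still points at the old server (Solution 2,
# case 2); other.com simply CNAMEs straight to the Azure site name.
SAMPLE_ZONE: Dict[str, Dict[str, str]] = {
    "awverify.example.com.": {"CNAME": "awverify.myhost.azurewebsites.net."},
    "www.example.com.": {"A": "203.0.113.10"},
    "www.other.com.": {"CNAME": "myhost.azurewebsites.net."},
}

# Constructed: the shared Azure front-end IP serves several tenants, so an A
# record pointing at it cannot single out one account (Solution 3's point).
SHARED_IP_TENANTS: Dict[str, list] = {"203.0.113.10": ["myhost", "othersite"]}

Resolver = Callable[[str, str], Optional[str]]

def lookup(name: str, rtype: str) -> Optional[str]:
    """Stand-in resolver: returns one record of type rtype for name, or None."""
    return SAMPLE_ZONE.get(name.lower().rstrip(".") + ".", {}).get(rtype)

def _fqdn(name: str) -> str:
    return name.lower().rstrip(".") + "."

def verify_custom_domain(domain: str, site: str, resolve: Resolver = lookup) -> str:
    """Return which proof binds `domain` to the Azure site `site`.

    'awverify'   - awverify.<domain> CNAMEs to awverify.<site>.azurewebsites.net
    'cname'      - <domain> itself CNAMEs to <site>.azurewebsites.net
    'unverified' - neither proof is present, or it names a different site
    """
    site_host = _fqdn(f"{site}.azurewebsites.net")
    target = resolve(f"awverify.{domain}", "CNAME")
    if target and _fqdn(target) == f"awverify.{site_host}":
        return "awverify"
    target = resolve(domain, "CNAME")
    if target and _fqdn(target) == site_host:
        return "cname"
    return "unverified"

def a_record_identifies_site(domain: str, site: str, resolve: Resolver = lookup) -> bool:
    """An A record proves ownership only if the IP is dedicated to `site`."""
    ip = resolve(domain, "A")
    return ip is not None and SHARED_IP_TENANTS.get(ip, []) == [site]
```

The awverify path succeeds without touching the production www record, which is exactly why Solution 2 recommends it for a site already in use.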


Author: Dirk Boer

Updated on September 18, 2022

Comments

  • Dirk Boer
    Dirk Boer almost 2 years

    See i.e.: How to set up CNAME to point to Azure

    or the text within the Azure portal:

    Manage custom domains text

    Why is this necessary in the first place? Why does pointing the domain name through an A record not prove that I am the owner of the domain?

    I mean.. how can you otherwise change a DNS record in the first place?

    What abuse does this rule prevent?

    • Dirk Boer
      Dirk Boer almost 9 years
      Care to explain the down vote so I can update my question?
    • Dirk Boer
      Dirk Boer almost 9 years
      I'm pretty sure that there is actually a technical reason for this. People that know a lot about DNS and cloud might know the reason why - giving me and others a lot better understanding about these systems and their limitations. Besides that, Azure is actually referring to StackOverflow for questions, so in theory I am asking them.
    • Jenny D
      Jenny D almost 9 years
      I am aware that they are referring people here. I am not aware of the people volunteering their help here being employed by Azure. We are smart and helpful, but we are not them.
    • Jenny D
      Jenny D almost 9 years
      However, my guess as to why they're choosing this is that they've made a design decision when they built their verification system that said system will look for a CNAME and not an A record. Why they made that decision is something only they can answer.
  • Dirk Boer
    Dirk Boer almost 9 years
    Hi @Massimo / Yudhistre, thanks for the extended answer. But what I still don't get - how does a CNAME verify that I am the owner, and an A record does not?
  • Massimo
    Massimo almost 9 years
    A records point to IP addresses, CNAME records point to names (they are aliases). You don't use A records to reference Azure services, because they use dynamic IP addressing and an A record must point to a static IP address; instead, Azure services have fixed names, so you need to use CNAME records to reference them.
  • Dirk Boer
    Dirk Boer almost 9 years
    You can actually reserve a static IP ( blogs.msdn.com/b/benjaminperkins/archive/2014/05/05/… ) - besides that, they explicitly talk about pointing an A record to your IP (is i.e. often necessary for naked domains)
  • Dirk Boer
    Dirk Boer almost 9 years
    So I guess somewhere there must be actually another technical reason for the whole awverify process.
  • Dirk Boer
    Dirk Boer almost 9 years
    Hi @kasperd, thanks for your detailed answer. What do you mean with 'not sufficient entropy'? Might have to do with that English is not my native language :)
  • kasperd
    kasperd almost 9 years
    @DirkBoer If two users were ever to try to get verified for the same domain simultaneously, they would have to have been assigned different IP addresses in order to know which of the users succeeded in verification. And the IP addresses had better be different enough that one doesn't accidentally get turned into the other due to the user making a typo. Doing such a thing in a robust way requires more addresses than are available due to IPv4 shortage.
  • kasperd
    kasperd almost 9 years
    @DirkBoer You cannot reasonably allocate 2^16 IPv4 addresses just for such verifications. And that would still only give 16 bits of entropy. With IPv6 you could allocate 2^80 addresses without the least concern, which would give you plenty of entropy, so an AAAA record would work. A CNAME or a TXT record would contain some text string, which could contain even more entropy.
  • Michael B
    Michael B almost 9 years
    Your second 1) is incorrect, you cannot direct traffic to a website on Azure unless you have performed the awverify step. (I have just verified this) You are simply directed to a page that says "The web app owner has registered a custom domain to point to the Microsoft Azure App Service, but has not yet configured Azure to recognize it."
  • Massimo
    Massimo over 8 years
    Why was this answer accepted when it's imprecise, it does say very little and there are lots of better (and more upvoted) ones?
  • Michael B
    Michael B over 8 years
    @Massimo there appear to be equally upvoted answers! And feel free to edit it if you think it is 'imprecise' or contribute a correct answer. Personally I felt the other answers didn't answer the question about why a CNAME is used, so I contributed an answer that explained the reason. At the time of writing there was a single answer that was incorrect.
  • Massimo
    Massimo over 8 years
    The question was about why a CNAME is used instead of other record types, not the basic topic of "you need to make changes to DNS in order to prove domain ownership"; the correct answer is "because Azure websites have dynamic IP addressing and so you refer to them by their public names". Additionally, your point about spoofing doesn't really mean anything here...
  • Michael B
    Michael B over 8 years
    @Massimo according to Azure Documentation "Azure also assigns a virtual IP address" and "For web apps, you'll create either an A record or a CNAME record." also "The IP address may change if you delete and recreate your web app, or change the web app mode back to free" - The question asked 'why is this necessary / what abuse does it stop', which is the question I answered. And the awverify record has nothing to do with connecting to the website - it is to verify (the hint is in the name)