services / Azure / DNS A record set
Azure DNS A record set mapping a hostname to one or more IPv4 addresses within a DNS zone. Controls public name resolution to IPv4 endpoints for the domain.
Write access enables repointing traffic (domain takeover); delete breaks resolution (DoS).
Microsoft.Network/dnszones/A/write
Creating or replacing the A record set lets an attacker repoint a hostname's IPv4 traffic to attacker-controlled infrastructure, enabling domain or subdomain takeover, defacement of public-facing services, and manipulation of routing configuration.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog