Azure / Private DNS SRV record set

An SRV (service-location) record set within an Azure Private DNS zone, which advertises the host and port of internal services (e.g. LDAP, SIP, Kerberos) for resources in linked virtual networks.

SRV records direct service-discovery clients to host/port endpoints; manipulating them can redirect client traffic to attacker-controlled endpoints.


Microsoft.Network/privateDnsZones/SRV/delete

Deleting the SRV record set breaks internal service discovery, causing denial of service for dependent applications.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Network
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog