Azure SQL Database server DNS alias

A SQL server DNS alias is a stable CNAME-like DNS name that maps clients to an Azure SQL logical server, allowing the underlying server to change without updating connection strings.

Controlling an alias controls the connection endpoint clients resolve to reach production databases; it is effectively a routing/domain control for the database service.


Microsoft.Sql/servers/dnsAliases/write

Creating/updating a DNS alias controls the stable connection hostname clients use, letting an attacker repoint the endpoint and redirect SQL traffic to a server of their choosing.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Sql
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog