DNS OverDoS Are Private Endpoints Too Private?

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/
• Blog Title: DNS OverDoS: Are Private Endpoints Too Private?
• Suggested Section: Azure Pentesting -> Az - Services -> (new subsection) Az - Private Link / Private Endpoints / Private DNS Zones (or under Az - Virtual Machines & Network Post Exploitation as a 'Control-plane DoS via Private DNS zone links')

🎯 Content Summary

Title: DNS OverDoS: Are Private Endpoints Too Private? (Unit 42, published January 20, 2026)

What the post reveals (no CVE): A DNS-driven, configuration-triggered denial-of-service condition in Azure Private Link / Private Endpoints that primarily impacts hybrid architectures (some workloads use public endpoints while others use Private Endpoints). The issue stems from Azure’s forced DNS resolution behavior when a VNET is linked to a se...

🔧 Technical Details

Trick 1 — Forced Private DNS resolution can create an availability kill-switch: In Azure Private Link, if a VNET has a virtual network link to a service-type Private DNS zone (e.g., privatelink.blob.core.windows[.]net), Azure DNS logic can force resolution of matching service hostnames through that zone for Private Link registered resources. If the zone lacks the required A record for a target resource, DNS fails and the client never obtains an IP address, producing a DoS even though the public endpoint remains reachable.

Trick 2 — Control-plane DoS via RBAC-enabled Private Endpoint + DNS link manipulation: With sufficient Azure RBAC permissions, an attacker (or automation) can create Private Endpoints and/or link Private DNS zones to additional VNETs to impose the “forced resolution” behavior on victim networks. If DNS record coverage is incomplete (no A record for a critical resource), victims ...

🤖 Agent Actions

Summary:

• Added a “DNS OverDoS via service Private DNS zone links” subsection under Azure Private Link explaining the forced-resolution DoS mechanism, attack chain, and mitigations for mis-linked Private DNS zones without A records.
• Included Azure Resource Graph queries to enumerate at-risk VNets linked to service Private DNS zones and storage accounts still reliant on public endpoints.
• Added a References section citing the Unit42 research and relevant Microsoft DNS/Private Endpoint documentation.

Tests:

• Not run (not applicable for documentation changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/dos-attacks-and-azure-private-endpoint/

Content Categories: Based on the analysis, this content was categorized under "Azure Pentesting -> Az - Services -> (new subsection) Az - Private Link / Private Endpoints / Private DNS Zones (or under Az - Virtual Machines & Network Post Exploitation as a 'Control-plane DoS via Private DNS zone links')".

Repository Maintenance:

• MD Files Formatting: 574 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0