Commit 485a7a8

committed
note about CNAME chains
1 parent f28d900 commit 485a7a8

2 files changed

+11
-3
lines changed

articles/dns/dns-security-policy.md

Lines changed: 7 additions & 2 deletions
@@ -5,7 +5,7 @@ author: greg-lindsay
55
manager: KumuD
66
ms.service: azure-dns
77
ms.topic: article
8-
ms.date: 02/10/2025
8+
ms.date: 02/24/2025
99
ms.author: greglin
1010
---
1111

@@ -80,7 +80,12 @@ The following example shows a DNS security policy linked to two VNets (**myeastv
8080

8181
DNS domain lists are lists of DNS domains that you associate to traffic rules.
8282

83-
Select **DNS Domain Lists** under **Settings** for a DNS security policy to view the current domain lists associated with the policy. The following example shows the DNS domain lists that are associated with the DNS security policy **myeast-secpol**:
83+
Select **DNS Domain Lists** under **Settings** for a DNS security policy to view the current domain lists associated with the policy.
84+
85+
> [!NOTE]
86+
> CNAME chains are examined ("chased") to determine if the traffic rules that are associated with a domain should apply. For example, a rule that applies to **malicious.contoso.com** also applies to **adatum.com** if **adatum.com** maps to **malicious.contoso.com** or if **malicious.contoso.com** appears anywhere in a CNAME chain for **adatum.com**.
87+
88+
The following example shows the DNS domain lists that are associated with the DNS security policy **myeast-secpol**:
8489

8590
[ ![Screenshot of the list of DNS domain lists.](./media/dns-security-policy/domain-list.png) ](./media/dns-security-policy/domain-list.png#lightbox)
8691
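
Review bot: The added note (new lines 85-86) does not say which traffic rule wins when the queried name and a name further along its CNAME chain match different rules. As written, a reader with an allow rule covering **adatum.com** and a block rule covering **malicious.contoso.com** cannot tell what happens to a query for **adatum.com**. Add one sentence on how the rule is chosen in that case. "Maps to" is also loose for a DNS article; "has a CNAME record that points to" would match the "CNAME chain" wording used later in the same sentence. The note now sits between the "Select **DNS Domain Lists**" sentence and "The following example shows the DNS domain lists", so consider placing it after the screenshot so the instruction and its example stay together.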

articles/dns/dns-traffic-log-how-to.md

Lines changed: 4 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn how to filter and view Azure DNS traffic
44
author: greg-lindsay
55
ms.service: azure-dns
66
ms.topic: how-to
7-
ms.date: 01/29/2025
7+
ms.date: 02/24/2025
88
ms.author: greglin
99
---
1010

@@ -116,6 +116,9 @@ Multiple domain lists can be dynamically added or removed from a single DNS traf
116116

117117
Now that you have a DNS domain list, configure the diagnostic settings in your security policy to use this workspace.
118118

119+
> [!NOTE]
120+
> CNAME chains are examined ("chased") to determine if the traffic rules that are associated with a domain should apply. For example, a rule that applies to **malicious.contoso.com** also applies to **adatum.com** if **adatum.com** maps to **malicious.contoso.com** or if **malicious.contoso.com** appears anywhere in a CNAME chain for **adatum.com**.
121+
119122
To configure diagnostic settings:
120123

121124
1. Select the DNS security policy that you created (**myeast-secpol** in this example).
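
Review bot: The note at new lines 119-120 is inserted between "Now that you have a DNS domain list, configure the diagnostic settings in your security policy to use this workspace." and "To configure diagnostic settings:", which separates the lead-in from its procedure with text about traffic rules rather than diagnostic settings. Move it up to the part of the article that discusses domain lists and traffic rules, before the "Now that you have a DNS domain list" sentence. The text is also a verbatim copy of the note added to articles/dns/dns-security-policy.md in this same commit; keeping it in one shared include file, or linking to the note in dns-security-policy.md, would keep the two copies from drifting apart.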
