articles/dns/secure-dns.md
9 additions & 9 deletions
@@ -20,15 +20,15 @@ This article provides guidance on how to best secure your Azure DNS deployment.
20
20
21
21
Network security for Azure DNS focuses on protecting DNS infrastructure from external threats and ensuring that DNS resolution services remain available and secure. Proper network controls help prevent DNS attacks and maintain service integrity.
22
22
23
-
***Use private DNS zones for internal resources**: Deploy Azure Private DNS zones for internal name resolution within virtual networks to prevent exposure of internal DNS records to public DNS servers. This keeps your internal infrastructure hidden from external reconnaissance.
23
+
***Use private DNS zones for internal resources**: Deploy Azure Private DNS zones for internal name resolution within virtual networks to prevent exposure of internal DNS records to public DNS servers. Private DNS zones keep your internal infrastructure hidden from external reconnaissance.
24
24
25
25
***Configure DNS security policies**: Use DNS security policies to control and monitor DNS queries, block access to malicious domains, and implement traffic actions such as allow, block, or alert for specific domain lists. For more information, see [DNS security policy](dns-security-policy.md).
26
26
27
27
***Implement alias records for automatic updates**: Use DNS alias records to automatically update IP address references when underlying resources change, preventing security risks from stale DNS entries that might redirect users to compromised or incorrect resources. For more information, see [Azure DNS alias records overview](dns-alias.md).
28
28
29
29
## Privileged access
30
30
31
-
Privileged access management for Azure DNS ensures that only authorized users can modify DNS zones and records while following the principle of least privilege. Proper access controls prevent unauthorized DNS changes that could redirect traffic or compromise your services.
31
+
Privileged access management for Azure DNS ensures that only authorized users can modify DNS zones and records while following the principle of least privilege. Proper access controls prevent unauthorized DNS changes that redirect traffic or compromise your services.
32
32
33
33
***Implement role-based access control**: Use Azure role-based access control (RBAC) to manage access to DNS resources through built-in role assignments. Assign roles to users, groups, service principals, and managed identities based on their specific responsibilities. For more information, see [How to protect DNS zones and records](dns-protect-zones-recordsets.md#azure-role-based-access-control).
34
34
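Review bot: in the rewritten Privileged access intro line, replacing "could redirect traffic or compromise your services" with "that redirect traffic or compromise your services" drops the hedge and now asserts that every unauthorized DNS change redirects traffic; keep the conditional, for example "unauthorized DNS changes that could redirect traffic or compromise your services", which also matches "might redirect users" in the alias records bullet earlier in the hunk. The "Private DNS zones keep your internal infrastructure hidden" change is fine: it removes the ambiguous "This" and names the subject.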
@@ -40,7 +40,7 @@ Privileged access management for Azure DNS ensures that only authorized users ca
40
40
41
41
***Apply least privilege principles**: Grant users only the minimum permissions necessary to perform their DNS management tasks. Use specific DNS roles rather than broad administrative roles to limit potential security exposure.
42
42
43
-
***Secure administrative access**: Implement multi-factor authentication and privileged access workstations for all users who have permissions to modify DNS zones and records.
43
+
***Secure administrative access**: Implement multifactor authentication and privileged access workstations for all users who have permissions to modify DNS zones and records.
44
44
45
45
***Regular access reviews**: Conduct periodic reviews of user permissions and access rights to DNS resources to ensure that access remains appropriate and follows the principle of least privilege.
46
46
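Review bot: "multifactor authentication" is the style-guide spelling, so the change is fine; while the "Secure administrative access" bullet is being touched, consider trimming "all users who have permissions to modify" to "all users with permissions to modify", and consider adding a "For more information" link as the "Implement role-based access control" bullet does, so readers can find the setup guidance for the controls this bullet asks for.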
@@ -50,15 +50,15 @@ Data protection for Azure DNS focuses on protecting DNS data integrity and preve
50
50
51
51
***Use defense-in-depth for zone protection**: Implement both custom roles and resource locks simultaneously as a comprehensive defense-in-depth approach to protect critical DNS zones from accidental or malicious changes.
52
52
53
-
***Implement two-step deletion process**: For critical zones, use custom roles that don't include zone delete permissions, requiring administrators to first grant delete permissions and then perform the deletion as a two-step process to prevent accidental zone deletion.
53
+
***Implement two-step deletion process**: For critical zones, use custom roles that don't include zone delete permissions. Without delete permissions, administrators must first grant delete permissions and then perform the deletion as a two-step process to prevent accidental zone deletion.
54
54
55
55
***Protect DNS query integrity**: Monitor DNS query patterns to detect potential DNS tunneling attempts, queries to known malicious domains, or other indicators of compromise that could indicate data exfiltration through DNS channels.
56
56
57
57
## Logging and threat detection
58
58
59
-
Comprehensive logging and monitoring for Azure DNS enables threat detection, security investigation, and compliance requirements while providing visibility into DNS query patterns and potential security events.
59
+
Comprehensive logging and monitoring for Azure DNS provides essential visibility into DNS query patterns and potential security events. Logging and monitoring enables effective threat detection, security investigation, and helps meet compliance requirements.
60
60
61
-
***Enable Microsoft Defender for DNS**: Use Azure Defender for DNS to monitor DNS queries and detect suspicious activities without requiring agents on your resources. This provides real-time threat detection for DNS-based attacks. For more information, see [Overview of Microsoft Defender for DNS](/azure/defender-for-cloud/defender-for-dns-introduction).
61
+
***Enable Microsoft Defender for DNS**: Use Azure Defender for DNS to monitor DNS queries and detect suspicious activities without requiring agents on your resources. Azure Defender for DNS provides real-time threat detection for DNS-based attacks. For more information, see [Overview of Microsoft Defender for DNS](/azure/defender-for-cloud/defender-for-dns-introduction).
62
62
63
63
***Configure Azure resource logs**: Enable resource logs for Azure DNS service to capture detailed DNS query information and send them to Log Analytics workspaces, storage accounts, or event hubs for analysis and long-term retention. For more information, see [Azure DNS Metrics and Alerts](dns-alerts-metrics.md).
64
64
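Review bot: the new Logging and threat detection intro sentence "Logging and monitoring enables effective threat detection, security investigation, and helps meet compliance requirements" mixes list items of different kinds (two nouns, then a verb phrase); rewrite as "Logging and monitoring enable effective threat detection and security investigation, and help meet compliance requirements" (plural verb for the compound subject). In the Defender bullet, the rewrite repeats "Azure Defender for DNS" while the bullet title and the link text say "Microsoft Defender for DNS"; use the current product name in both sentences. The two-step deletion rewrite reads well and makes the reason for the second step explicit.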
@@ -68,7 +68,7 @@ Comprehensive logging and monitoring for Azure DNS enables threat detection, sec
68
68
69
69
***Enable audit logging**: Track all administrative changes to DNS zones and records to maintain a comprehensive audit trail for compliance and security investigation purposes.
70
70
71
-
***Monitor for accidental changes**: Set up alerts for unexpected modifications or deletions of DNS zones and records to quickly detect and respond to potential security incidents or operational errors.
71
+
***Monitor for accidental changes**: Create alerts to detect unexpected DNS zone or record changes and respond quickly to security incidents or errors.
72
72
73
73
## Asset management
74
74
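Review bot: the shortened "Monitor for accidental changes" bullet drops "deletions" and "operational errors"; since the Data protection section earlier in the diff singles out accidental zone deletion as the risk the two-step process guards against, keep deletion explicit in the alert guidance, for example "Create alerts for unexpected changes to or deletions of DNS zones and records, so you can quickly detect and respond to security incidents or operational errors."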
@@ -78,15 +78,15 @@ Asset management for Azure DNS involves implementing governance controls, monito
78
78
79
79
***Use Microsoft Defender for Cloud**: Configure Azure Policy through Microsoft Defender for Cloud to audit and enforce configurations of your DNS resources. Create alerts when configuration deviations are detected.
80
80
81
-
***Apply configuration enforcement**: Use Azure Policy deny and deploy-if-not-exists effects to enforce secure configurations across Azure DNS resources and prevent non-compliant deployments.
81
+
***Apply configuration enforcement**: Use Azure Policy deny and deploy-if-not-exists effects to enforce secure configurations across Azure DNS resources and prevent noncompliant deployments.
82
82
83
83
***Maintain resource inventory**: Keep detailed records of your DNS zones, record sets, and their configurations to support security assessments and compliance reporting.
84
84
85
85
***Implement resource tagging**: Apply consistent resource tags to DNS resources for organization, cost tracking, and security compliance purposes.
86
86
87
87
***Monitor configuration compliance**: Regularly review DNS configurations against your organization's security standards and use Azure Policy to automatically detect and remediate configuration drift.
88
88
89
-
***Document zone dependencies**: Maintain documentation of DNS zone relationships and dependencies to understand the impact of changes and ensure proper change management processes.
89
+
***Document zone dependencies**: Maintain documentation of DNS zone relationships and dependencies to understand the effect of changes and ensure proper change management processes.
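Review bot: "noncompliant" and "effect" both follow the style guide, so the wording changes are fine; in the same "Apply configuration enforcement" bullet, "deny and deploy-if-not-exists effects" refer to the Azure Policy effects `deny` and `deployIfNotExists`, so consider formatting them as code with their documented names and linking to the Azure Policy effects reference, as the other bullets link to their related articles.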