
Check for Azure DNS Security Policies

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Azure DNS Security Policies are used to enable the filtering and logging of DNS queries at the virtual network (VNet) level for both public and private DNS traffic. This allows for the creation of rules to protect against DNS-based attacks by blocking or alerting on the resolution of known malicious domains. A DNS Security Policy is composed of several key elements, including DNS traffic rules that specify allow, block, or alert actions based on priority and domain lists, virtual network links that associate the policy with a VNet, and DNS domain lists that are organized by location.

Security

Enabling and configuring Azure DNS Security Policies is crucial for enhancing network security by providing the capability to filter and log DNS traffic at the virtual network (VNet) level. This measure enables administrators to define rules that allow, alert, or block DNS queries, therefore protecting against known malicious domains and DNS-based attacks.


Audit

To determine if Azure DNS Security Policies are used to filter and log DNS traffic, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to DNS Security Policies blade available at https://portal.azure.com/#browse/Microsoft.Network%2FdnsResolverPolicies.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply to list the Azure DNS Security Policies created for the selected subscription. If no results are returned, there are no Azure DNS Security Policies available in the selected subscription, therefore, the Audit process ends here. Otherwise, you can continue the Audit process with the next step.

04 Click on the name (link) of the Azure DNS Security Policy that you want to examine.

05 In the resource navigation panel, under Settings, select DNS Traffic Rules to list the DNS traffic rules created for the selected DNS Security Policy. DNS traffic rules define how DNS queries are handled based on various criteria, such as the destination domain. An active policy must have at least one rule. If no rules are listed on the DNS Traffic Rules page, the selected Azure DNS Security Policy is not operational and compliant, therefore, the Audit process ends here. If one or more active rules are listed on this page, you can continue the Audit process with the next step. An active rule has the Rule State set to Enabled.

06 In the resource navigation panel, under Settings, select Virtual Network Links to list the virtual networks (VNets) linked to the selected Azure DNS security policy. If no VNet links are listed on the Virtual networks linked to this DNS security policy page, the selected Azure DNS Security Policy is not operational and compliant. As a result, filtering and logging of DNS queries at the virtual network level is not enabled.

07 Repeat steps no. 4 - 6 for each Azure DNS Security Policy deployed in the selected Azure subscription.

08 Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run dns-resolver policy list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure DNS Security Policy available in the selected subscription:

az dns-resolver policy list \
	--output table \
	--query '[*].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested DNS Security Policy identifiers (names) and their resource groups. If the dns-resolver policy list command does not return an output, there are no Azure DNS Security Policies available in the selected subscription, therefore, the Audit process ends here. Otherwise, you can continue the Audit process with the next step:

Name                       ResourceGroup
-----------------------    ------------------------------
cc-project5-dns-policy     cloud-shell-storage-westeurope
cc-web-app-dns-policy      cloud-shell-storage-westeurope

06 Run dns-resolver policy dns-security-rule list command (Windows/macOS/Linux) to list the active DNS traffic rules created for the selected Azure DNS Security Policy. DNS traffic rules define how DNS queries are handled based on various criteria, such as the destination domain. An active policy must have at least one traffic rule:

az dns-resolver policy dns-security-rule list \
	--policy-name cc-project5-dns-policy \
	--resource-group cloud-shell-storage-westeurope \
	--output table \
	--query '[*].{name:name, ruleState:dnsSecurityRuleState}'

07 The command output should return the requested rule identifiers (names). If the dns-resolver policy dns-security-rule list command does not return an output, the selected Azure DNS Security Policy is not operational and compliant, therefore, the Audit process ends here. If one or more active rules are returned, you can continue the Audit process with the next step. An active rule has the RuleState set to Enabled:

Name                        RuleState
--------------------------  ---------
cc-block-malicious-domains  Enabled
cc-allow-trusted-clients    Enabled

08 Run dns-resolver policy vnet-link list command (Windows/macOS/Linux) to list the virtual networks (VNets) linked to the selected Azure DNS security policy:

az dns-resolver policy vnet-link list \
	--policy-name cc-project5-dns-policy \
	--resource-group cloud-shell-storage-westeurope \
	--query '[*].{name:name, provisioningState:provisioningState}'

09 The command output should return the requested VNet link identifiers (names). If the dns-resolver policy vnet-link list command output returns an empty array, i.e., [], the selected Azure DNS Security Policy is not operational and compliant. As a result, filtering and logging of DNS queries at the virtual network level is not enabled:

[]

10 Repeat steps no. 6 - 9 for each Azure DNS Security Policy available in the selected Azure subscription.

11 Repeat steps no. 3 – 10 for each Azure subscription created in your Microsoft Azure cloud account.
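The following script is an added example, not part of the original Conformity page or the Azure CLI documentation. It automates Audit steps 1 through 11 above by running the same az CLI commands, parsing their JSON output, and flagging every DNS Security Policy that has no enabled DNS traffic rule or no linked virtual network. It assumes the Azure CLI is installed and `az login` has already been completed; the function and variable names are the example's own.

```python
"""Audit Azure DNS Security Policies across all subscriptions.

Added example (not from the Conformity page). A policy counts as
operational only if it has at least one traffic rule whose
dnsSecurityRuleState is "Enabled" and at least one virtual network
link whose provisioningState is "Succeeded", which is the same test the
Audit steps above apply by hand.
"""
import json
import subprocess
import sys
from typing import Any


def run_az(args: list[str]) -> Any:
    """Run one az command and return its parsed JSON output (None if empty).

    Assumes the az CLI is on PATH and the session is already logged in.
    """
    result = subprocess.run(
        ["az", *args, "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout) if result.stdout.strip() else None


def evaluate_policy(rules: list[dict], links: list[dict]) -> list[str]:
    """Return the compliance findings for one policy; an empty list means compliant.

    `rules` is the output of `dns-resolver policy dns-security-rule list` and
    `links` the output of `dns-resolver policy vnet-link list`.
    """
    findings = []
    enabled_rules = [r for r in rules if r.get("dnsSecurityRuleState") == "Enabled"]
    if not enabled_rules:
        findings.append("no enabled DNS traffic rule")
    active_links = [l for l in links if l.get("provisioningState") == "Succeeded"]
    if not active_links:
        findings.append("no virtual network link")
    return findings


def audit_subscription(subscription_id: str) -> dict[str, list[str]]:
    """Map every policy resource ID in a subscription to its findings (steps 3-10)."""
    run_az(["account", "set", "--subscription", subscription_id])
    report: dict[str, list[str]] = {}
    for policy in run_az(["dns-resolver", "policy", "list"]) or []:
        scope = ["--policy-name", policy["name"],
                 "--resource-group", policy["resourceGroup"]]
        rules = run_az(["dns-resolver", "policy", "dns-security-rule", "list", *scope]) or []
        links = run_az(["dns-resolver", "policy", "vnet-link", "list", *scope]) or []
        report[policy["id"]] = evaluate_policy(rules, links)
    return report


def main() -> int:
    """Print one line per policy and exit non-zero if any policy is non-compliant."""
    non_compliant = 0
    for subscription_id in run_az(["account", "list", "--query", "[*].id"]) or []:
        for policy_id, findings in audit_subscription(subscription_id).items():
            if findings:
                non_compliant += 1
                print(f"NON-COMPLIANT {policy_id}: {'; '.join(findings)}")
            else:
                print(f"COMPLIANT     {policy_id}")
    return 1 if non_compliant else 0


if __name__ == "__main__":
    sys.exit(main())
```

The evaluation is kept in `evaluate_policy`, separate from the CLI calls, so the same logic can be reused against exported JSON or in a CI gate without an Azure session. Note that a subscription with no policies at all produces no findings, matching the page's Audit flow, so a VNet that is simply never linked to any policy has to be caught from the VNet side.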

Remediation / Resolution

To define Azure DNS Security Policies in order to enable the filtering and logging of DNS queries at the virtual network (VNet) level, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to DNS Security Policies blade available at https://portal.azure.com/#browse/Microsoft.Network%2FdnsResolverPolicies.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create and perform the following actions to create and configure a new Azure DNS Security Policy:

  1. For Basics, provide the following information:
    1. Ensure that the correct Azure subscription is selected for Subscription.
    2. Choose the appropriate resource group from the Resource group dropdown list.
    3. Enter a unique name for your new security policy in the Instance Name box.
    4. Select the Azure region where to deploy the new policy from the Region dropdown list.
    5. Choose Next : Virtual Network Links to continue the setup.
  2. For Virtual Network Links, choose Add, select the Azure virtual network (VNet) that you want to link to your new security policy, and choose Add again for confirmation. Virtual networks can only be linked to a security policy within the same Azure region. Choose Next : DNS Traffic Rules to continue.
  3. For DNS Traffic Rules choose Add a Rule, and provide the following information:
    1. For Priority, enter the priority of the rule. Lower numbers are higher priority.
    2. Enter a unique name for your new traffic rule in the Rule Name box.
    3. Click inside the DNS Domain Lists box, choose Create new Domain List, and perform the following actions to create the required DNS domain list:
      1. Ensure that the correct Azure subscription is selected for Subscription.
      2. Choose the appropriate resource group from the Resource group dropdown list.
      3. Enter a unique name for the domain list in the Domain List Name box.
      4. For Add Domains, choose Manually, and enter the domain that you want to apply the DNS traffic rules to, in the Domain Name box. Add as many domain names as required.
      5. Choose Save to deploy your new DNS domain list.
    4. Select the DNS domain list created in the previous step from the DNS Domain Lists dropdown menu.
    5. Select the appropriate rule action from the Traffic Actions dropdown list. The supported actions are Allow, which permits the query to the associated domain lists and logs the query; Block, which blocks the query to the associated domain lists and logs the block action; and Alert, which permits the query to the associated domain lists and logs an alert.
    6. Ensure that Rule State is set to Enabled.
    7. Choose Next : Tags to continue the setup.
  4. For Tags, use the Name and Value fields to create tags that will help organize the identity of the resource. Choose Next : Review + Create > to validate the policy setup.
  5. For Summary, review the resource configuration details, then choose Create to create your new, operational Azure DNS Security Policy.

05 Repeat steps no. 3 and 4 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run dns-resolver policy create command (Windows/macOS/Linux) to create a new Azure DNS Security Policy in the specified location:

az dns-resolver policy create \
	--dns-resolver-policy-name cc-dns-security-policy \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope

05 The command output should return the information available for the new security policy:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverPolicies/cc-dns-security-policy",
	"location": "westeurope",
	"name": "cc-dns-security-policy",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2025-08-13T18:01:53.094925Z",
		"createdByType": "User",
		"lastModifiedAt": "2025-08-13T18:01:53.094925Z",
		"lastModifiedByType": "User"
	},
	"type": "Microsoft.Network/dnsResolverPolicies"
}

06 Run dns-resolver policy vnet-link create command (Windows/macOS/Linux) to create the required virtual network (VNet) link for your new Azure DNS Security Policy:

az dns-resolver policy vnet-link create \
	--dns-resolver-policy-virtual-network-link-name cc-project5-vnet-link \
	--policy-name cc-dns-security-policy \
	--resource-group cloud-shell-storage-westeurope \
	--virtual-network "{id:/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet}" \
	--location westeurope

07 The command output should return the information available for the new VNet link:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverPolicies/cc-dns-security-policy/virtualNetworkLinks/cc-project5-vnet-link",
	"location": "westeurope",
	"name": "cc-project5-vnet-link",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2025-08-13T18:09:08.5110837Z",
		"createdByType": "User",
		"lastModifiedAt": "2025-08-13T18:09:08.5110837Z",
		"lastModifiedByType": "User"
	},
	"type": "Microsoft.Network/dnsResolverPolicies/virtualNetworkLinks",
	"virtualNetwork": {
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-vnet",
		"resourceGroup": "cloud-shell-storage-westeurope"
	}
}

08 Run dns-resolver domain-list create command (Windows/macOS/Linux) to create a DNS resolver domain list for the DNS traffic rule:

az dns-resolver domain-list create \
	--dns-resolver-domain-list-name cc-project5-domain-list \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope \
	--domains "[domain.com]"

09 The command output should return the information available for the new domain list:

{
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverDomainLists/cc-project5-domain-list",
	"location": "westeurope",
	"name": "cc-project5-domain-list",
	"properties": {
		"domains": [
			"domain.com."
		],
		"provisioningState": "Succeeded"
	},
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2025-08-13T12:10:34.3429396Z",
		"createdByType": "User",
		"lastModifiedAt": "2025-08-13T18:19:35.5656579Z",
		"lastModifiedByType": "User"
	},
	"type": "Microsoft.Network/dnsResolverDomainLists"
}

10 Run dns-resolver policy dns-security-rule create command (Windows/macOS/Linux) to create the required DNS traffic rule for your Azure DNS Security Policy. As an example, the following DNS traffic rule stops inspecting the query, blocks it from reaching its intended destination, and logs the block action for the query in the DNS logs:

az dns-resolver policy dns-security-rule create \
	--dns-security-rule-name cc-block-malicious-domains \
	--policy-name cc-dns-security-policy \
	--resource-group cloud-shell-storage-westeurope \
	--location westeurope \
	--priority 100 \
	--action "{action-type:Block}" \
	--domain-lists "[{id:/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverDomainLists/cc-project5-domain-list}]" \
	--rule-state Enabled

11 The command output should return the information available for the new DNS traffic rule:

{
	"action": {
		"actionType": "Block"
	},
	"dnsResolverDomainLists": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverDomainLists/cc-project5-domain-list",
			"resourceGroup": "cloud-shell-storage-westeurope"
		}
	],
	"dnsSecurityRuleState": "Enabled",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnsResolverPolicies/cc-dns-security-policy/dnsSecurityRules/cc-block-malicious-domains",
	"location": "westeurope",
	"name": "cc-block-malicious-domains",
	"priority": 100,
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"systemData": {
		"createdAt": "2025-08-13T18:29:39.5572506Z",
		"createdByType": "User",
		"lastModifiedAt": "2025-08-13T18:29:39.5572506Z",
		"lastModifiedByType": "User"
	},
	"type": "Microsoft.Network/dnsResolverPolicies/dnsSecurityRules"
}

12 Repeat steps no. 3 – 11 for each Azure subscription created within your Microsoft Azure cloud account.

Publication date Aug 18, 2025