Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable DNSSEC for Azure DNS Zones

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: DNS-001

Ensure that your Microsoft Azure DNS zones are using Domain Name System Security Extensions (DNSSEC) to protect against DNS spoofing and cache poisoning attacks. DNSSEC is a suite of extensions that enhance the security of DNS zones. It works by digitally signing DNS records, which allows DNS responses to be validated and protects them from forgery or tampering during transit. When enabled, Azure DNS generates a key-signing key (KSK) and a zone-signing key (ZSK) to sign all records within the zone.

Security

DNSSEC provides a critical layer of authentication and integrity protection for DNS responses, effectively preventing cache poisoning and DNS spoofing attacks. Although not essential for all environments, DNSSEC is highly recommended for public-facing domains due to its role in securing online services and meeting compliance requirements. The risk assessment reflects the significant security enhancement it offers, balanced against the potential for increased operational complexity and the fact that its direct impact on end-users may be indirect in many operational contexts.

Audit

To determine if DNSSEC is enabled for your Microsoft Azure DNS zones, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to examine from the Subscription equalls all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.

  5. Click on the name (link) of the Azure DNS zone that you want to examine.

  6. In the resource navigation panel, under DNS Management, select DNSSEC to access the DNSSEC feature settings available for the selected DNS zone.

  7. On the DNSSEC page, verify the Enable DNSSEC setting checkbox to determine if the security feature is enabled. If the Enable DNSSEC setting checkbox is unchecked, DNSSEC is not enabled for the selected Microsoft Azure DNS zone.

  8. Repeat steps no. 5 – 7 for each Azure DNS zone created within the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription available in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run network dns zone list command (Windows/macOS/Linux) with custom output filters to list the ID of each Azure DNS zone available in the selected subscription:

    az network dns zone list
	--query '[*].id'

  5. The command output should return the requested DNS zone identifiers (IDs):

    [
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/client.trendmicro.com"
]

  6. Run network dns dnssec-config show command (Windows/macOS/Linux) with the ID of the Azure DNS zone that you want to examine as the identifier parameter to describe the DNSSEC feature configuration available for the selected DNS zone:

    az network dns dnssec-config show
	--ids "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com"

  7. The command output should return the requested configuration information:

    (NotFound) DNSSEC is not enabled for DNS zone 'trendmicro.com' in resource group 'cloud-shell-storage-westeurope' of subscription 'abcdabcd-1234-abcd-1234-abcdabcdabcd'.

    If the network dns dnssec-config show command output returns a NotFound error, as shown in the example above, DNSSEC is not enabled for the selected Microsoft Azure DNS zone.

  8. Repeat steps no. 6 and 7 for each Azure DNS zone created within the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable and configure Domain Name System Security Extensions (DNSSEC) for your Microsoft Azure DNS zones, perform the following operations:

Using Azure Console

  1. Sign in to the Microsoft Azure Portal.

  2. Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

  3. Choose the Azure subscription that you want to access from the Subscription equalls all filter box and choose Apply.

  4. From the Type equals all filter box, select Type for Filter, Equals for Operator, and DNS zone for Value, then choose Apply to list the Azure DNS zones available in the selected subscription.

  5. Click on the name (link) of the Azure DNS zone that you want to configure.

  6. In the resource navigation panel, under DNS Management, select DNSSEC to access the DNSSEC feature settings available for the selected DNS zone.

  7. On the DNSSEC page, select the Enable DNSSEC setting checkbox to enable the DNSSEC security feature for the selected DNS zone. Choose OK for confirmation. Enabling DNSSEC will create a new DNSSEC key and DS record for your DNS zone.

  8. To establish a DNSSEC chain of trust, you must add a DS record to the parent DNS zone or registrar using the DNSSEC information listed under DNSSEC delegation information. If you own the parent DNS zone, you can add a DS record directly to the parent yourself. As an example, we use the DNS zone hosted with Azure, selected in step no. 5. To create the required DS record, copy the DS record attribute value (e.g., 12345 13 2 ABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD).

  9. In the resource navigation panel, under DNS Management, select Recordsets, choose Add, and perform the following actions to create a new DS record set:

    1. For Name, enter a name for the record.
    2. For Type, select DS - Delegation Signer records.
    3. For TTL and TTL unit, enter the Time-to-Live (TTL) duration.
    4. For Value, paste the DS record attribute value copied in step no. 8.
    5. Choose Add to create the required DS record.

  10. In the resource navigation panel, under DNS Management, select DNSSEC, and check the feature Status available under DNSSEC Details. If the Status is set to Signed and delegation established, your DNS zone is now fully DNSSEC signed.

  11. Repeat steps no. 5 - 7 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.

  12. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

Using Azure CLI

  1. Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

    az account list
	--query '[*].id'

  2. The command output should return the requested subscription identifiers (IDs):

    [
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

  3. Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

    az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

  4. Run network dns dnssec-config create command (Windows/macOS/Linux) to enable the DNSSEC security feature for the selected Azure DNS zone:

    az network dns dnssec-config create
	--resource-group "cloud-shell-storage-westeurope"
	--zone-name "trendmicro.com"

  5. The command output should return the DNSSEC configuration information available for the selected DNS zone:

    {
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com/dnssecConfigs/default",
	"name": "default",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"signingKeys": [
		{
			"delegationSignerInfo": [],
			"flags": 256,
			"keyTag": 8337,
			"protocol": 3,
			"publicKey": "abcd1234abcd1234",
			"securityAlgorithmType": 13
		},
		{
			"delegationSignerInfo": [
				{
					"digestAlgorithmType": 2,
					"digestValue": "ABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD",
					"record": "12345 13 2 ABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD"
				}
			],
			"flags": 257,
			"keyTag": 12345,
			"protocol": 3,
			"publicKey": "abcd1234abcd1234",
			"securityAlgorithmType": 13
		}
	],
	"type": "Microsoft.Network/dnszones/dnssecConfigs"
}

  6. To establish a DNSSEC chain of trust, you must add a DS record to the parent DNS zone or registrar using the DNSSEC information listed under DNSSEC delegation information. If you own the parent DNS zone, you can add a DS record directly to the parent yourself. As an example, we use the DNS zone hosted with Azure, selected in the previous steps. To create the required DS record, run network dns record-set ds add-record command (Windows/macOS/Linux). For the --key-tag parameter use the "keyTag" attribute value returned in the previous step. For --algorithm use the "securityAlgorithmType" attribute value. For --digest, use the "digestValue" attribute value, and for --digest-type use the "digestAlgorithmType" value:

    az network dns record-set ds add-record
	--resource-group "cloud-shell-storage-westeurope"
	--zone-name "trendmicro.com"
	--record-set-name "secure"
	--key-tag 12345
	--algorithm 13
	--digest "ABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD"
	--digest-type 2

  7. The command output should return the information available for the new DNS record:

    {
	"DSRecords": [
		{
			"algorithm": 13,
			"digest": {
				"algorithmType": 2,
				"value": "ABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD1234ABCDABCD"
			},
			"keyTag": 12345
		}
	],
	"TTL": 3600,
	"fqdn": "secure.trendmicro.com.",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/dnszones/trendmicro.com/DS/secure",
	"name": "secure",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"targetResource": {},
	"trafficManagementProfile": {},
	"type": "Microsoft.Network/dnszones/DS"
}

  8. Repeat steps no. 4 - 7 for each Azure DNS zone that you want to configure, deployed in the selected Azure subscription.

  9. Repeat steps no. 3 – 8 for each Azure subscription created in your Microsoft Azure cloud account.

References

Publication date Aug 18, 2025

Related DNS rules