
Quick Start Security for Azure DNS


Coralogix Extension For Azure DNS Includes:

Alerts - 21

Stay on top of Azure DNS key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A DNS zone was created or updated

This alert detects when a DNS zone was created or updated.

Impact: With a DNS zone, an adversary can create custom DNS records and configure other DNS settings to control how domain names and subdomains are resolved.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A DNS zone was deleted

This alert detects when a DNS zone was deleted. An Azure DNS zone is used to host the DNS records for a particular domain. With a DNS zone, an adversary can create custom DNS records and configure other DNS settings to control how domain names and subdomains are resolved.

Impact: Deleting a DNS zone can disrupt all network operations for the relevant domain and cripple network name resolution for that domain.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

Multiple DNS zones were deleted

This alert detects when multiple DNS zones were deleted. An Azure DNS zone is used to host the DNS records for a particular domain. With a DNS zone, an adversary can create custom DNS records and configure other DNS settings to control how domain names and subdomains are resolved.

Impact: Deleting multiple DNS zones can disrupt all network operations for the relevant domains and cripple network name resolution for these domains.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A A record was created or updated

This alert detects when an A record was created or updated. The main use of an A record is IPv4 address lookup. Using an A record, a web browser is able to load a website using the domain name.

Impact: With an A record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP. Changing an A record could also disrupt DNS name resolution and normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A A record was deleted

This alert detects when an A record was deleted. The main use of an A record is IPv4 address lookup. Using an A record, a web browser is able to load a website using the domain name.

Impact: With an A record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP. Deleting an A record could disrupt DNS name resolution and normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A AAAA record was created or updated

This alert detects when an AAAA record was created or updated. The main use of AAAA records is IPv6 address lookup. Using an AAAA record, a web browser is able to load a website using the domain name.

Impact: With an AAAA record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP. Changing an AAAA record could also disrupt DNS name resolution and normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A AAAA record was deleted

This alert detects when an AAAA record was deleted. The main use of AAAA records is IPv6 address lookup. Using an AAAA record, a web browser is able to load a website using the domain name. With an AAAA record, an adversary can create a custom domain or point existing domains to an attacker-controlled IP.

Impact: Deleting an AAAA record can disrupt DNS name resolution and normal network operations for the relevant domain.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A NS record was created or updated

This alert detects when an NS record was created or updated. A nameserver (NS) record specifies the authoritative DNS server for a domain. In other words, the NS record helps point to where internet applications like a web browser can find the IP address for a domain name. Usually, multiple nameservers are specified for a domain.

Impact: With an NS record, an adversary can disrupt normal network name resolution or point existing name resolution in the network to an attacker-controlled nameserver.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A NS record was deleted

This alert detects when an NS record was deleted. A nameserver (NS) record specifies the authoritative DNS server for a domain. In other words, the NS record helps point to where internet applications like a web browser can find the IP address for a domain name. Usually, multiple nameservers are specified for a domain.

Impact: Deleting an NS record can disrupt normal network name resolution for the relevant domain.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A PTR record was created or updated

This alert detects when a PTR record was created or updated. A pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of an A record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.

Impact: With a PTR record, an adversary can change email anti-spam definitions or hamper troubleshooting of email delivery issues. They can also harm the logging of DNS traffic, as PTR records are used to convert IPs to a human-readable domain name format.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A PTR record was deleted

This alert detects when a PTR record was deleted. A pointer record (PTR for short) provides the domain name associated with an IP address. A DNS PTR record is exactly the opposite of an A record, which provides the IP address associated with a domain name. DNS PTR records are used in reverse DNS lookups. When a user attempts to reach a domain name in their browser, a DNS lookup occurs, matching the domain name to the IP address. A reverse DNS lookup is the opposite of this process: it is a query that starts with the IP address and looks up the domain name.

Impact: Deleting a PTR record can remove email anti-spam definitions or hamper troubleshooting of email delivery issues. It can also harm the logging of DNS traffic, as PTR records are used to convert IPs to a human-readable domain name format.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A TXT record was created or updated

This alert detects when a TXT record was created or updated. TXT records are a type of DNS record that contains text information for sources outside of your domain. You add these records to your domain settings. You can use TXT records for various purposes, such as verifying domain ownership or email security (for example, DKIM and SPF records).

Impact: With a TXT record, an adversary can change email security definitions or harm the domain ownership verification. Changing a TXT record could disrupt normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A TXT record was deleted

This alert detects when a TXT record was deleted. TXT records are a type of DNS record that contains text information for sources outside of your domain. You add these records to your domain settings. You can use TXT records for various purposes, such as verifying domain ownership or email security (for example, DKIM and SPF records).

Impact: Deleting a TXT record can remove email security definitions or harm the domain ownership verification, which will lead to disruption of normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A MX record was created or updated

This alert detects when an MX record was created or updated. A mail exchange (MX) record is a DNS record type that shows where emails for a domain should be routed to. In other words, an MX record makes it possible to direct emails to a mail server.

Impact: With an MX record, an adversary can disrupt normal email operations or point existing email delivery in the network to an attacker-controlled email server.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A MX record was deleted

This alert detects when an MX record was deleted. A mail exchange (MX) record is a DNS record type that shows where emails for a domain should be routed to. In other words, an MX record makes it possible to direct emails to a mail server.

Impact: Deleting an MX record can disrupt normal email operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A CAA record was created or updated

This alert detects when a CAA record was created or updated. CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

Impact: With a CAA record, an adversary can point existing certificate approval requests to an attacker-controlled CA. Changing a CAA record could also disrupt normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A CAA record was deleted

This alert detects when a CAA record was deleted. CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

Impact: With a CAA record, an adversary can point existing certificate approval requests to an attacker-controlled CA. Changing a CAA record could also disrupt normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A CNAME record was created or updated

This alert detects when a CNAME record was created or updated. CNAME - or, in full, "canonical name" - is a DNS record that points a domain name (an alias) to another domain. In a CNAME record, the alias doesn't point to an IP address; the domain name that the alias points to is the canonical name.

Impact: With a CNAME record, an adversary can create a custom domain or point existing domains to an attacker-controlled host. Changing a CNAME record could also disrupt DNS name resolution and normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

A CNAME record was deleted

This alert detects when a CNAME record was deleted. CNAME - or, in full, "canonical name" - is a DNS record that points a domain name (an alias) to another domain. In a CNAME record, the alias doesn't point to an IP address; the domain name that the alias points to is the canonical name.

Impact: Deleting a CNAME record could disrupt DNS name resolution and normal network operations.

Mitigation: Validate that the action was authorized and intended; if not, revert the changes and investigate further. Monitor your DNS records regularly to detect any unauthorized or malicious records that may have been created. Use access controls and authentication measures to limit who has permission to create DNS records in Azure. This can help prevent unauthorized users from creating DNS records that could be used to launch attacks against your system.

MITRE Tactic: TA0042
MITRE Technique: T1584

An attempt has been made to delete a locked DNS zone

This alert detects when a user has tried to delete a DNS zone that has been locked from deletion. Locks are an Azure feature to prevent the accidental deletion of resources.

Impact: An attempt to delete a locked DNS zone should be inspected and validated as legitimate, as it could mean an attacker is trying to delete legitimate resources.

Mitigation: Validate that the deletion attempt was authorized and intended; if not, revert and investigate further. If this alert is followed by a successful deletion alert, pay close attention to the performing user and quickly validate it, as it might mean an attacker has managed to disable or circumvent the lock.

MITRE Tactic: TA0040
MITRE Technique: T1531
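The zone and record alerts above can be derived from Azure Activity Log operation names. The following is an added sketch, not Coralogix's rule definitions: the event field layout, the `ScopeLocked` match for locked resources, the 10-minute / 3-zone threshold for "multiple", and every sample event are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event layout: operationName, resultType, caller, resourceId, time and
# properties.statusMessage, as in Activity Log records exported to a log pipeline.
OP_RE = re.compile(r"^microsoft\.network/dnszones(?:/(?P<rtype>[a-z]+))?/(?P<verb>write|delete)$", re.I)
RECORD_TYPES = {"A", "AAAA", "NS", "PTR", "TXT", "MX", "CAA", "CNAME"}  # types the page lists
LOCKED = "An attempt has been made to delete a locked DNS zone"
ZONE_DELETED = "A DNS zone was deleted"
WINDOW, THRESHOLD = timedelta(minutes=10), 3  # assumed meaning of "multiple"

def ts(event):
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))

def classify(event):
    """Return the page's alert name for one event, or None if no alert applies."""
    m = OP_RE.match(event.get("operationName", ""))
    if not m:
        return None
    rtype, verb = (m.group("rtype") or "").upper(), m.group("verb").lower()
    result = event.get("resultType", "").lower()
    message = event.get("properties", {}).get("statusMessage", "")
    # Assumption: a delete blocked by a resource lock fails with error code ScopeLocked.
    if not rtype and verb == "delete" and result == "failure" and "ScopeLocked" in message:
        return LOCKED
    if result != "success":
        return None  # skip Start/Accept records and unrelated failures
    action = "created or updated" if verb == "write" else "deleted"
    if not rtype:
        return f"A DNS zone was {action}"
    return f"A {rtype} record was {action}" if rtype in RECORD_TYPES else None

def correlate(events):
    """Find bulk zone deletions per caller and locked-delete attempts that later succeed."""
    deletions, attempts, findings = defaultdict(list), {}, []
    for e in sorted(events, key=ts):
        name, key = classify(e), (e["caller"], e["resourceId"].lower())
        if name == LOCKED:
            attempts[key] = ts(e)
        elif name == ZONE_DELETED:
            if key in attempts:
                findings.append(("Locked zone deleted after a failed attempt", e["caller"], key[1]))
            recent = [(t, z) for t, z in deletions[e["caller"]] if ts(e) - t <= WINDOW]
            recent.append((ts(e), key[1]))
            deletions[e["caller"]] = recent
            zones = {z for _, z in recent}
            if len(zones) == THRESHOLD:  # fire once when the threshold is reached
                findings.append(("Multiple DNS zones were deleted", e["caller"], len(zones)))
    return findings

ZONE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dns/providers/Microsoft.Network/dnszones/"
def ev(time, op, result, caller, res, msg=""):
    return {"time": time, "operationName": op, "resultType": result, "caller": caller,
            "resourceId": ZONE + res, "properties": {"statusMessage": msg}}

DEL = "MICROSOFT.NETWORK/DNSZONES/DELETE"
SAMPLE = [  # constructed events, not real log data
    ev("2024-05-01T10:00:00Z", "MICROSOFT.NETWORK/DNSZONES/A/WRITE", "Success", "ops@example.com", "example.com/A/www"),
    ev("2024-05-01T10:01:00Z", "MICROSOFT.NETWORK/DNSZONES/SRV/WRITE", "Success", "ops@example.com", "example.com/SRV/_sip"),
    ev("2024-05-01T11:00:00Z", DEL, "Failure", "x@example.com", "example.com", '{"error":{"code":"ScopeLocked"}}'),
    ev("2024-05-01T11:05:00Z", DEL, "Success", "x@example.com", "example.com"),
    ev("2024-05-01T11:06:00Z", DEL, "Success", "x@example.com", "example.net"),
    ev("2024-05-01T11:07:00Z", DEL, "Success", "x@example.com", "example.org"),
]
```

Calling `correlate(SAMPLE)` returns both the locked-then-deleted finding and the bulk-deletion finding for the same caller, which is the sequence the mitigation text above says to validate quickly.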

No logs from Azure DNS

This rule detects if there are no logs in the last 4 hours for Azure DNS in the customer account. Note: This alert should be configured with the relevant app and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system.

MITRE Tactic: TA0005
MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with Azure DNS in our documentation.
