Introduction to Microsoft Defender for DNS

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Microsoft Defender for DNS provides an additional layer of protection for resources that use Azure DNS's Azure-provided name resolution capability.

From within Azure DNS, Defender for DNS monitors the queries from these resources and detects suspicious activities without the need for any additional agents on your resources.

Availability

Release state: General availability (GA)
Pricing: Microsoft Defender for DNS is billed as shown on the pricing page
Clouds: Commercial clouds, Azure China 21Vianet, Azure Government

What are the benefits of Microsoft Defender for DNS?

Microsoft Defender for DNS detects suspicious and anomalous activities such as:

  • Data exfiltration from your Azure resources using DNS tunneling
  • Malware communicating with command and control servers
  • DNS attacks - communication with malicious DNS resolvers
  • Communication with domains used for malicious activities such as phishing and crypto mining

A full list of the alerts provided by Microsoft Defender for DNS is on the alerts reference page.

Dependencies

Microsoft Defender for DNS doesn't use any agents.

To protect your DNS layer, enable Microsoft Defender for DNS for each of your subscriptions as described in Enable enhanced protections.
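Because the plan is a per-subscription setting, it is easy to miss one. As an added example that is not part of this article or of Microsoft's own tooling, the following PowerShell script enables the plan on every enabled subscription the signed-in account can see and then reads the tier back to verify it. It assumes the Az.Accounts and Az.Security modules are installed, that you have already run Connect-AzAccount, and that the plan is exposed under Microsoft.Security/pricings with the name 'Dns'.

```powershell
# Added example (not from the Microsoft Docs page). Assumes Az.Accounts and Az.Security
# are installed and Connect-AzAccount has been run with an account that can edit
# Defender plans (Security Admin or Owner) on the subscriptions it lists.

$planName   = 'Dns'       # Defender for DNS plan name under Microsoft.Security/pricings
$targetTier = 'Standard'  # 'Standard' turns the plan on, 'Free' turns it off

$report = foreach ($sub in Get-AzSubscription | Where-Object State -eq 'Enabled') {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    try {
        $before = (Get-AzSecurityPricing -Name $planName).PricingTier
        if ($before -ne $targetTier) {
            # Enable the plan; this must be repeated for each subscription
            Set-AzSecurityPricing -Name $planName -PricingTier $targetTier | Out-Null
        }
        # Re-read so the report shows what is actually set, not what we requested
        $after = (Get-AzSecurityPricing -Name $planName).PricingTier
        $error_ = $null
    }
    catch {
        # Typically a permissions problem on this subscription; record it instead of aborting
        $after  = 'Unknown'
        $error_ = $_.Exception.Message
    }

    [pscustomobject]@{
        Subscription   = $sub.Name
        SubscriptionId = $sub.Id
        DefenderForDns = $after
        Changed        = ($before -ne $after)
        Error          = $error_
    }
}

$report | Format-Table Subscription, DefenderForDns, Changed -AutoSize

# Anything not on the Standard tier after the run still has no Defender for DNS coverage
$notEnabled = $report | Where-Object DefenderForDns -ne $targetTier
if ($notEnabled) {
    Write-Warning "Defender for DNS is not enabled on $($notEnabled.Count) subscription(s):"
    $notEnabled | Format-Table Subscription, SubscriptionId, DefenderForDns, Error -AutoSize
}
```

Run it again after fixing any permissions errors; the verification loop is idempotent and only changes subscriptions that are not already on the Standard tier.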

Respond to Microsoft Defender for DNS alerts

When you receive an alert from Microsoft Defender for DNS, we recommend you investigate and respond to the alert as described below. Microsoft Defender for DNS protects all connected resources, so even if you're familiar with the application or user that triggered the alert, it's important to verify the situation surrounding every alert.

Step 1. Contact

  1. Contact the resource owner to determine whether the behavior was expected or intentional.
  2. If the activity is expected, dismiss the alert.
  3. If the activity is unexpected, treat the resource as potentially compromised and mitigate as described in the next step.

Step 2. Immediate mitigation

  1. Isolate the resource from the network to prevent lateral movement.
  2. Run a full antimalware scan on the resource, following any resulting remediation advice.
  3. Review installed and running software on the resource, removing any unknown or unwanted packages.
  4. Revert the machine to a known good state, reinstalling the operating system if required, and restore software from a verified malware-free source.
  5. Resolve any Microsoft Defender for Cloud recommendations for the machine, remediating highlighted security issues to prevent future breaches.

Next steps

In this article, you learned about Microsoft Defender for DNS.

For related material, see the following article:

  • Security alerts might be generated by Defender for Cloud or received from other security products. To export all of these alerts to Microsoft Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.