| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1658 - Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | ||
| Id | 063b540e-4bdc-4e7a-a569-3a42ddf22098 | ||
| Version | 1.0.0 Details on versioning |
||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Communications Protection control | ||
| Additional metadata |
Name/Id: ACF1658 / Microsoft Managed Control 1658 Category: System and Communications Protection Title: Secure Name / Address Resolution Service (Recursive Or Caching Resolver) Ownership: Customer, Microsoft Description: The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources. Requirements: Azure DNS resolvers do not support DNSSEC and hence do not verify the integrity of a DNS response. Customers who require DNSSEC are required to bring their own DNS resolver servers. Microsoft implements compensating controls that mitigate the risk of not enacting DNSSEC according to IPSEC policy. HTTPS/TLS is required for all connections into the Azure environment, establishing secure connections with Azure resources. A customer connecting to an invalid server still needs to be presented with a valid certificate to risk a security breach. Because the TLS/HTTPS implementation provides both authentication and encryption, Microsoft considers it sufficient for mitigating the risks of internal servers not being configured with DNSSEC. Outside of the effectiveness of TLS/HTTPS, customers can deploy their own VM-based DNS servers in the virtual networks. Customers can also choose to host DNS Zones with third-party DNS hosting providers that support DNSSEC. Customers can also configure their own DNS servers to support DNSSEC validation/verification and use these servers to resolve DNS queries instead of Azure provided recursive resolver. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|