Source | Azure Portal
Display name | Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)
Id | 1cb067d5-c8b5-4113-a7ee-0a493633924b
Version | 1.0.0
Versioning | Versions supported: 0 (Built-in Versioning [Preview])
Category | Regulatory Compliance
Description | Microsoft implements this System and Communications Protection control
Additional metadata |
Name/Id: ACF1656 / Microsoft Managed Control 1656
Category: System and Communications Protection
Title: Secure Name / Address Resolution Service (Authoritative Source) - Additional Info in Response to External Queries
Ownership: Customer, Microsoft
Description: The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
Requirements: The Azure DNS infrastructure provides internal name resolution for internal Microsoft assets and external name resolution services to external customers, including Federal Agencies. However, Azure does not support DNSSEC; a customer that requires DNSSEC must either bring their own DNS servers into Azure or use a third-party DNS provider.

Azure uses three types of DNS servers.

Azure DNS servers act as non-authoritative (recursive) sources for DNS requests only from clients hosted inside Azure: a client queries a system DNS server, and the system DNS server in turn queries an authoritative source outside the system. System DNS servers do not support the DNSSEC protocol. This control requires system DNS servers, when requested by clients, to perform origin/integrity verification of the response provided by authoritative sources. The control assumes that the client queries a system DNS server, which must then query an authoritative source outside the system; the risk that the external authoritative source has been compromised is mitigated by that origin/integrity verification.

Azure internal DNS servers resolve DNS queries from Azure servers. Azure servers do not request origin/integrity verification of the DNS response; instead, origin/integrity is assured by other means, such as carrying the communication over a TLS-protected channel.

Azure DNS production servers act as authoritative sources for DNS requests from external clients for various Azure domains and do not respond to any DNS queries against zones for which they are not the authority.

In summary, Azure DNS servers perform two functions: 1. Resolving DNS queries from Azure servers. 2. Acting as authoritative sources for DNS requests from external clients for certain Microsoft.com subdomains. For case 1, queries are either for internal domains for which Azure DNS servers are authoritative, or for external domains used by Azure's services; in either case, Azure servers do not request origin/integrity verification of the DNS response. For case 2, the scenario the control assumes cannot arise: an authoritative server answers only from its own zone data and never forwards the query to an external authoritative source. |
Mode | Indexed
Type | Static
Preview | False
Deprecated | False
Effect | Fixed audit
RBAC role(s) | none
Rule aliases | none
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups
Compliance | Not a Compliance control
Initiatives usage | none
History | none
JSON compare | n/a