| Source | Azure Portal | ||
| Display name | Microsoft Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative Source) | ||
| Id | 90f01329-a100-43c2-af31-098996135d2b | ||
| Version | 1.0.0 Details on versioning |
||
| Versioning |
Versions supported for Versioning: 0 Built-in Versioning [Preview] |
||
| Category | Regulatory Compliance Microsoft Learn |
||
| Description | Microsoft implements this System and Communications Protection control | ||
| Additional metadata |
Name/Id: ACF1657 / Microsoft Managed Control 1657 Category: System and Communications Protection Title: Secure Name / Address Resolution Service (Authoritative Source) - Security Status of Child Zones to Verify Chain of Trust Ownership: Customer, Microsoft Description: The information system: Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace. Requirements: The Azure DNS infrastructure provides internal name resolution for internal Microsoft assets and external name resolution services to external customers, including Federal Agencies. However, Azure does not support DNSSEC and a customer is required to either bring their own DNS servers into Azure or use a third-party DNS provider if DNSSEC is a requirement. Azure DNS is a public service and anyone from internet can access externally hosted zones. For internal Azure services that depend on DNS, Microsoft employs TLS to mitigate the need for DNSSEC. Azure customers who intend to secure their applications against DNS-based attacks can also use TLS to mitigate the need for DNSSEC. Microsoft implements compensating controls that mitigate the risk of not enacting DNSSEC according to IPSEC policy. HTTPS/TLS is required for all connections into the Azure environment, establishing secure connections with Azure resources. A customer connecting to an invalid server still needs to be presented with a valid certificate to risk a security breach. Because the TLS/HTTPS implementation provides both authentication and encryption, Microsoft considers it sufficient for mitigating the risks of internal servers not being configured with DNSSEC. Outside of the effectiveness of TLS/HTTPS, customers can deploy their own VM-based DNS servers in the virtual networks. Customers can also choose to host DNS Zones with third-party DNS hosting providers that support DNSSEC. Customers can also configure their own DNS servers to support DNSSEC validation/verification and use these servers to resolve DNS queries instead of Azure provided recursive resolver. |
||
| Mode | Indexed | ||
| Type | Static | ||
| Preview | False | ||
| Deprecated | False | ||
| Effect | Fixed audit |
||
| RBAC role(s) | none | ||
| Rule aliases | none | ||
| Rule resource types | IF (2) Microsoft.Resources/subscriptions Microsoft.Resources/subscriptions/resourceGroups |
||
| Compliance | Not a Compliance control | ||
| Initiatives usage | none | ||
| History | none | ||
| JSON compare | n/a | ||
| JSON |
|