Azure Networking Blog

Announcing Azure DNS security policy with Threat Intelligence feed general availability

Nov 20, 2025

Sergio Figueiredo, Principal Product Manager

A successful protective DNS strategy seamlessly hardens an entire environment without adding friction: it must protect every virtual network and region consistently, apply real-time and highly accurate threat intelligence, deliver clear visibility into what was blocked and why, integrate smoothly with existing DNS infrastructure, and maintain near-zero performance impact.

Above all, it should reduce operational noise—lowering incident volume, SOC workload, and risk—while being easy to deploy, easy to trust, and impossible for attackers to slip past.


Without visibility into their DNS traffic and without reliable detection and mitigation capability, customers are exposed to attacks that can end in data theft, which translates into financial and intellectual property loss.

It is therefore key to enable scenarios where Azure DNS customers can mitigate security threats such as data exfiltration over DNS and workloads compromised by zero-day threats, and to give them the right service to detect, visualize, and mitigate this often overlooked attack vector.


With DNS security policy, customers not only filter DNS traffic with allow/block rules but also gain visibility of DNS traffic at the virtual network level in all regions, integrating with familiar destinations such as Log Analytics, Event Hubs, or storage accounts to retain their logs.


We are excited to share that Azure DNS security policy with Threat Intelligence is now in general availability.

A quick overview of Azure DNS security policy

DNS security policy was launched recently and offers the ability to filter and log DNS queries at the virtual network (VNET) level. Policy applies to both public and private DNS traffic within a VNET. DNS logs can be sent to a storage account, log analytics workspace, or event hubs. You can choose to allow, alert, or block DNS queries.



With DNS security policy you can:

  • Create rules to protect against DNS-based attacks by blocking name resolution of known or malicious domains.
  • Save and view detailed DNS logs to gain insight into your DNS traffic.

A DNS security policy has the following associated elements and properties:

  • Location: The Azure region where the security policy is created and deployed.
  • DNS traffic rules: Rules that allow, block, or alert based on priority and domain lists.
  • Virtual network links: A link that associates the security policy with a virtual network.
  • DNS domain lists: Location-based lists of DNS domains.

What is being announced today? 

Azure DNS security policy with Threat Intelligence feed allows early detection and prevention of security incidents on customer Virtual Networks where known malicious domains sourced by Microsoft’s Security Response Center (MSRC) can be blocked from name resolution.

Azure DNS security policy with Threat Intelligence feed is being announced to all customers and will have regional availability in all public regions.

For more information about the capabilities available, please visit the Azure DNS security policy technical documentation webpage. 

What can customers start doing with Azure DNS Threat Intelligence feed today?

In addition to the features announced earlier for DNS security policy, the feed is available as a managed domain list and lets you protect your workloads against known malicious domains with Microsoft's own managed Threat Intelligence feed.

With Threat Intelligence you will benefit from the following:

Smart protection

  • Most attacks involve a DNS query at some stage, for example to reach command-and-control or payload-hosting infrastructure. The Threat Intelligence managed domain list lets you detect and prevent security incidents early.

Continuous updates

  • The feed is automatically updated by Microsoft so that you stay protected against newly detected malicious domains.

Monitoring and blocking known malicious domains

  • You have the flexibility to only observe the activity in Alert mode, or to block the suspected activity in Block mode.
  • Enabling logging gives you visibility into all DNS traffic in the virtual network.

Now generally available, the DNS security policy Threat Intelligence feed can also be managed via PowerShell, Azure CLI, .NET, Java, Python, REST, TypeScript, Go, ARM, and Terraform.

Key use cases for this service:

  • Configure Threat Intelligence as a managed domain list in your DNS security policies for an additional layer of protection against known malicious domains.
  • Get visibility of compromised hosts which are trying to resolve known malicious domains from your virtual networks.
  • Log and set up alerts when malicious domains are being resolved in any virtual network where the Threat Intelligence feed is configured.
  • Seamlessly integrate with your virtual networks and other services such as Azure Private DNS Zones, Private Resolver, and other services in the VNET.
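As an added example (not code from the original post or from the Azure team), the PowerShell sequence below wires up the elements listed earlier: one policy, a custom domain list enforced in Block mode, a second list watched in Alert mode, a virtual network link, and a diagnostic setting plus a Log Analytics query that surfaces hosts whose queries were blocked. The resource names, the sample domains, the "DnsResponse" log category name and the KQL column names are assumptions (placeholders, or modelled on the public schema); verify them against the Az.DnsResolver and Azure Monitor documentation before use. Attaching the managed Threat Intelligence feed works the same way, by referencing its domain list from a rule; obtaining that list's resource ID is left to the documentation and is not shown here.

```powershell
# Added example, not from the original post. Assumes the Az.DnsResolver, Az.Network, Az.Monitor and
# Az.OperationalInsights modules are installed, Connect-AzAccount has succeeded, and the resource group,
# VNet and Log Analytics workspace named below already exist. All names are placeholders.
$rg        = "rg-dns-security"   # placeholder resource group
$location  = "eastus"            # the policy is regional: use the region of the VNet you link
$vnetName  = "vnet-prod"         # placeholder, existing VNet
$workspace = "law-secops"        # placeholder, existing Log Analytics workspace

# 1. The policy container (Location is one of the policy properties listed in the post).
$policy = New-AzDnsResolverPolicy -Name "dnssp-prod" -ResourceGroupName $rg -Location $location

# 2. A custom list of domains that must never resolve from this VNet (constructed sample domains).
#    The managed Threat Intelligence list is attached by referencing its own resource ID in step 4
#    instead of $blockList.Id (assumption: take that ID from the portal or documentation).
$blockList = New-AzDnsResolverDomainList -Name "dl-block" -ResourceGroupName $rg -Location $location `
    -Domain @("badsite.invalid", "payloads.example")

# 3. A list to observe only, so rules can be tuned before they are enforced.
$watchList = New-AzDnsResolverDomainList -Name "dl-watch" -ResourceGroupName $rg -Location $location `
    -Domain @("newsaas.example")

# 4. Rules are evaluated by priority (lower number wins): Block first, then Alert.
New-AzDnsResolverPolicyDnsSecurityRule -DnsResolverPolicyName $policy.Name -Name "block-known-bad" `
    -ResourceGroupName $rg -Location $location -Priority 100 -ActionType Block `
    -DnsResolverDomainList @{ Id = $blockList.Id } -DnsSecurityRuleState Enabled

New-AzDnsResolverPolicyDnsSecurityRule -DnsResolverPolicyName $policy.Name -Name "alert-watchlist" `
    -ResourceGroupName $rg -Location $location -Priority 200 -ActionType Alert `
    -DnsResolverDomainList @{ Id = $watchList.Id } -DnsSecurityRuleState Enabled

# 5. Link the VNet; from now on the policy applies to every query from it, public or private.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
New-AzDnsResolverPolicyVirtualNetworkLink -DnsResolverPolicyName $policy.Name -Name "link-$vnetName" `
    -ResourceGroupName $rg -Location $location -VirtualNetworkId $vnet.Id

# 6. Diagnostic setting so blocked and alerted queries land in Log Analytics.
#    "DnsResponse" is assumed to be the policy's log category; confirm it in the resource's
#    Diagnostic settings blade if the name differs.
$law        = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $workspace
$logSetting = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category "DnsResponse"
New-AzDiagnosticSetting -Name "to-law" -ResourceId $policy.Id -WorkspaceId $law.ResourceId -Log $logSetting

# 7. Which hosts tried to resolve blocked domains in the last hour? Column names are an assumption
#    modelled on the DNSQueryLogs table; check one row with `DNSQueryLogs | take 1` and adjust.
$kql = @"
DNSQueryLogs
| where TimeGenerated > ago(1h)
| where ResolverPolicyRuleAction == "Block"
| summarize Attempts = count(), Domains = make_set(QueryName) by SourceIpAddress, VirtualNetworkId
| order by Attempts desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $law.CustomerId -Query $kql).Results
```

Keep new lists in Alert mode until the query in step 7 shows no legitimate traffic hitting them, then promote the rule to Block; a source IP that keeps appearing against the Threat Intelligence list is the compromised-host signal the post describes and belongs in the incident queue rather than only in the log.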

Fully managed:

Built-in high availability, zone redundancy, and low latency name resolution.

Cost reduction:

Reduce operating costs and run at a fraction of the price of traditional IaaS solutions. There is no need to provision additional IaaS network virtual appliances or VM-based DNS filtering solutions, with the operational complexity they add.

Protect and monitor your DNS traffic:

Capture DNS logs from your virtual networks into Log Analytics, Event Hubs, storage accounts, and apply Threat Intelligence as a managed domain list to your DNS filtering rules for additional protection of your workloads.

DevOps friendly

Build your pipelines with Terraform, ARM, or Bicep.

Get started and share your feedback

You can try Azure DNS security policy with Threat Intelligence feed today. For more information about the capabilities available, please visit the Azure DNS security policy technical documentation webpage. Post your ideas and suggestions on the networking community page.

Updated Nov 17, 2025