Validating Microsoft Defender for DNS Alerts

Published Mar 22 2021 08:41 AM 4,776 Views

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.  This document does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this document for your internal, reference purposes.


Microsoft Defender for DNS plan provides threat detection for azure resources connected to the Azure DNS, the intent is to detect malicious communication from an Azure resource and malicious DNS servers trying to compromise with an Azure resource. To learn more about Azure Defender for DNS, read our official documentation. You can enable Microsoft Defender for DNS on your subscription via Microsoft Defer for Cloud environment settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change.




Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

  1. Provision a new VM and keep the default TCP/IP configuration (by default all VMs will connect to Azure DNS).
  2. Connect to this machine using RDP.
  3. Create a file on this machine called DNSAlertSim.ps1 and paste the content below in this file:




For($i=0; $i -le 150; $i++) {
$rand = -join ((97..122) | Get-Random -Count 32 | % {[char]$_})
Resolve-DnsName "$"

$rand = -join ((97..122) | Get-Random -Count 63 | % {[char]$_})
Resolve-DnsName "$"

For($i=0; $i -le 1000; $i++) {

$rand = -join ((97..122) | Get-Random -Count 63 | % {[char]$_})
Resolve-DnsName "$"


Write-Host -NoNewLine 'Press any key to continue...';
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown');



  1. Save this file
  2. Execute DNSAlertSim.ps1

After some minutes you should see Microsoft Defender for DNS alerts showing up on your dashboard, similar to the one below:




For a complete list of all analytics available for Microsoft Defender for DNS, read this documentation.



Tal Rosler, Program Manager

Script by John Booth, Senior Software Engineer


1 Comment
Version history
Last update:
‎Oct 24 2021 01:56 AM
Updated by: