Microsoft Tech Community
Validating Microsoft Defender for DNS Alerts
Published Mar 22 2021 08:41 AM

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.  This document does not provide you with any legal rights to any intellectual property in any Microsoft product.  You may copy and use this document for your internal, reference purposes.


The Microsoft Defender for DNS plan provides threat detection for Azure resources connected to Azure DNS. Its intent is to detect malicious communication originating from an Azure resource, and malicious DNS servers trying to compromise an Azure resource. To learn more about Azure Defender for DNS, read our official documentation. You can enable Microsoft Defender for DNS on your subscription via the Microsoft Defender for Cloud environment settings: select the subscription, change the plan to ON (as shown below), and click Save to commit the change.




Now that you have this plan set to ON, you can use the steps below to validate this threat detection:

  1. Provision a new VM and keep the default TCP/IP configuration (by default all VMs will connect to Azure DNS).
  2. Connect to this machine using RDP.
  3. Create a file on this machine called DNSAlertSim.ps1 and paste the content below in this file:

# DNSAlertSim.ps1
# The two query targets were lost when this page was extracted. The placeholder below
# stands in for the domain used in the original script and must be replaced with that
# value before the script is run; the same name is assumed for both the single lookup
# and the suffix of the random labels.
$TestDomain = '<DOMAIN-MISSING-FROM-PAGE>'

Resolve-DnsName $TestDomain -ErrorAction Ignore

# 151 queries whose left-most label is 32 random lowercase letters.
# (The original built the label with Get-Random -Count 32 over the range 97..122, which
# draws without replacement and so can never return more than 26 letters; drawing one
# letter at a time produces a label of the intended length.)
For ($i = 0; $i -le 150; $i++) {
    $rand = -join (1..32 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.$TestDomain" -ErrorAction Ignore
}

# 1001 queries whose left-most label is 63 random lowercase letters (the maximum length of a DNS label).
For ($i = 0; $i -le 1000; $i++) {
    $rand = -join (1..63 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.$TestDomain" -ErrorAction Ignore
}

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')

Note: if you receive an error at the end of the run, ignore it; it does not affect alert generation.


  4. Save this file.
  5. Execute DNSAlertSim.ps1.

After a few minutes, you should see Microsoft Defender for DNS alerts showing up on your dashboard, similar to the one below:
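The script above produces a burst of queries from one VM whose left-most labels are long and random-looking. As an added example (not part of this post and not Defender for DNS's own detection logic), the following Python code runs a simple check of that shape over constructed DNS query log lines: it parses each line, measures the length and Shannon entropy of the left-most label, counts random-looking queries per source address, and flags a source once its count reaches a burst threshold. The log format, the source addresses, the suffix example.test and the thresholds are all assumptions made for the example.

```python
"""Flag sources that issue bursts of long, high-entropy DNS labels, the traffic pattern
produced by the DNSAlertSim.ps1 simulation. Added example; the log format is constructed."""
import math
import random
import string
from collections import Counter, defaultdict

# Fixed seed so the constructed sample below is reproducible.
random.seed(7)


def _random_label(length):
    """Build a random lowercase label like the ones the simulation script queries."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


# Constructed sample log: "<timestamp> <source-ip> <queried-name>" (not a real product format).
SAMPLE_LOG = [
    "2021-03-22T08:41:00Z 10.0.0.4 www.microsoft.com",
    "2021-03-22T08:41:01Z 10.0.0.4 login.microsoftonline.com",
    "2021-03-22T08:41:02Z 10.0.0.5 update.windows.com",
] + [
    # Forty queries with 32-character random labels from one VM, as the script would send them.
    f"2021-03-22T08:42:{s:02d}Z 10.0.0.4 {_random_label(32)}.example.test"
    for s in range(40)
]


def shannon_entropy(text):
    """Bits of entropy per character: 0.0 for one repeated character, log2(26) = 4.7 at most
    for lowercase letters."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Split a constructed log line into (timestamp, source address, queried name)."""
    ts, src, name = line.split()
    return ts, src, name.rstrip(".").lower()


def suspicious_label(name, min_length=20, min_entropy=3.0):
    """Return the left-most label of a name if it is long and random-looking, else None.
    Ordinary hostnames such as 'www' or 'login' are short and low-entropy and are not returned."""
    label = name.split(".")[0]
    if len(label) >= min_length and shannon_entropy(label) >= min_entropy:
        return label
    return None


def suspicious_counts(lines):
    """Count random-looking queries per source address; every source seen gets an entry."""
    counts = defaultdict(int)
    for line in lines:
        _, src, name = parse_line(line)
        counts[src] += 0
        if suspicious_label(name) is not None:
            counts[src] += 1
    return dict(counts)


def flagged_sources(lines, burst_threshold=20):
    """Source addresses whose random-looking query count reaches the burst threshold."""
    return sorted(src for src, n in suspicious_counts(lines).items() if n >= burst_threshold)


if __name__ == "__main__":
    for src, n in suspicious_counts(SAMPLE_LOG).items():
        print(f"{src}: {n} random-looking queries")
    print("flagged:", flagged_sources(SAMPLE_LOG))
```

The burst threshold matters: a single long label from a content delivery network is normal, while hundreds of distinct ones from the same source within a short window are what the simulation reproduces. Run against a real export, the thresholds would need tuning to the environment's baseline.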




For a complete list of all analytics available for Microsoft Defender for DNS, read this documentation.


Another way to simulate the alert is to run the following commands in your VM:



Note 1: It takes up to 2 hours to onboard the Defender for DNS plan (from when the plan was first enabled in the UI until the first alert can be received).

Note 2: If it's a newly created VM, you need to wait 4 hours before any new alerts are generated in Defender for DNS.

Note 3: If you try to run these commands multiple times on the same VM, you will not receive multiple alerts, unless you flush your local DNS using ipconfig /flushdns (using command prompt in the VM itself).

Note 4: It will take a few minutes for the alert to generate in the Defender for Cloud alerts UI once the DNS query was made.


Below is a sample of what the alert looks like:



Next Steps

Block this attack from occurring through the Logic App here



Tal Rosler, Program Manager

Script by John Booth, Senior Software Engineer


Version history
Last update: Feb 22 2022 10:10 AM