Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Microsoft Defender for Cloud for Azure DNS (Legacy)

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that Microsoft Defender for Cloud is enabled for all the cloud resources that use DNS's Azure-provided name resolution capability. Microsoft Defender for Cloud monitors the queries from the associated resources and detects suspicious activities without the need for any additional agents or scripts.

Security

By default, Microsoft Defender for Cloud is disabled for cloud resources that use the Azure DNS service. Microsoft Defender for Cloud automatically detects suspicious and anomalous activities such as malware, communication with malicious DNS resolvers, data exfiltration from cloud resources using DNS tunneling, traffic with domains used for malicious activities such as phishing and cryptomining (cryptojacking).

Defender for DNS remains active for existing Azure subscribers (legacy). For new customers, Defender for DNS is no longer offered as a separate plan. All Defender for DNS features are now included in Microsoft Defender for Servers P2.

Audit

To determine if Microsoft Defender for Cloud is enabled for resources that use Azure DNS, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, check the pricing plan status listed in the Status column for the DNS plan. If the pricing plan status for DNS is set to Off, Microsoft Defender for Cloud is not enabled for the cloud resources that utilize Azure DNS in the selected subscription. For new Azure subscribers, the DNS plan is no longer listed in the Cloud Workload Protection (CWP) section. All Defender for DNS features are now included in Microsoft Defender for Servers P2.

07 Repeat steps no. 4 – 6 for each Azure subscription created within your Microsoft Azure account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run security pricing list command (Windows/macOS/Linux) with custom output filters to describe the name of the Microsoft Defender for Cloud pricing plan configured for DNS-enabled resources, in the selected Azure subscription: 

az security pricing list
	--query 'value[?(name==`Dns`)].pricingTier'

05 The command output should return the pricing plan (tier) configured for the DNS-enabled cloud resources: 

[
	"Free"
]

If the security pricing list command output returns "Free", as shown in the output example above, Microsoft Defender for Cloud is not enabled for the cloud resources that utilize Azure DNS in the selected subscription.

06 Repeat steps no. 3 - 5 for each Azure subscription available in your Microsoft Azure cloud account.

Remediation / Resolution

To enable Microsoft Defender for Cloud for resources that use DNS's Azure-provided name resolution capability, perform the following operations:

Turning on Microsoft Defender for Cloud for Azure DNS-enabled resources incurs an additional cost per resource management operation.

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade available at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to examine.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 In the Cloud Workload Protection (CWP) section, choose On for the DNS pricing plan from the Status column, to enable Microsoft Defender for Cloud for all the cloud resources that utilize Azure DNS. Choose Save from the top menu to apply the changes. For new Azure subscribers, the DNS plan is no longer listed in the Cloud Workload Protection (CWP) section. All Defender for DNS features are now included in Microsoft Defender for Servers P2.

07 Repeat step no. 4 – 6 for each Azure subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run security pricing create command (Windows/macOS/Linux) to enable the Standard tier (i.e., Standard pricing plan) for the DNS plan. This will enable Microsoft Defender for Cloud for all the cloud resources that utilize Azure DNS: 

az security pricing create
	--name Dns
	--tier standard

05 The command output should return the configuration information available for modified pricing plan: 

{
	"deprecated": true,
	"enablementTime": "2025-02-26T10:00:00.000000+00:00",
	"extensions": null,
	"freeTrialRemainingTime": "29 days, 23:59:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/Dns",
	"name": "Dns",
	"pricingTier": "Standard",
	"replacedBy": [
		"VirtualMachines"
	],
	"subPlan": null,
	"type": "Microsoft.Security/pricings"
}

06 Repeat steps no. 3 - 5 for each Azure subscription available in your Microsoft Azure cloud account.

References

Publication date Feb 28, 2025

Related SecurityCenter rules