
Azure Defender for Azure DNS in Azure Security Center


At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud, and the Azure Defender plans became Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage. The article below uses the names that were current when it was written.

This article will share with you how to use Azure Defender for Azure DNS in Azure Security Center.


Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available free of charge to all Azure users.

2) Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts. CWPP is part of the Azure Defender plan (formerly known as the Standard Tier).

Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing & settings area of Azure Security Center, all of the Defender plans are enabled together and provide comprehensive defenses for the compute, data, and service layers of your environment. Each plan can also be switched on or off individually per subscription.

Azure Security Center is continuously expanding. The Azure Security Center team has just announced the public preview of two new Azure Defender offerings: Advanced Threat Protection (ATP) for the Azure Resource Manager (ARM) layer and for the Azure DNS layer. Both extend Security Center's threat-protection coverage for Azure environments.

In this article, I will share with you how to use advanced threat protection for Azure DNS, and in the next article, I will share with you how to use advanced threat protection for the Azure Resource Manager (ARM) layer in Azure Security Center.


To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center with Azure Defender enabled, and Azure Defender for DNS enabled per subscription under the Pricing & settings page as shown below. There is no additional cost during the preview period. Note that effective 1 July 2021, the price and meter IDs for Azure Defender for DNS queries will change; the price will be $70 per 100 million DNS queries. Please read the complete details about these changes and review the new pricing here.

    Enable Azure DNS in Azure Defender
  3. Choose one of your existing Azure virtual machines, deployed in any subscription that has Azure Defender for DNS enabled, and make sure it uses the Azure-provided DNS resolver (168.63.129.16); by default every Azure VM does. Alternatively, create a new virtual machine. Detection only covers queries that reach Azure DNS, so a VM whose NIC or virtual network points at a custom DNS server that does not forward to the Azure resolver is outside its view.

Simulate Azure DNS alert in Security Center

Assuming you have all the prerequisites in place, take now the following steps:

You first need to connect to the virtual machine using RDP for Windows or SSH for Linux.

Next, open a PowerShell window and run the following script. It tries to resolve random domain names that do not exist on the Internet. Resolve-DnsName ships with the Windows DnsClient module, so on a Linux VM issue the same lookups with dig or host instead.


For ($i = 0; $i -le 150; $i++) {
    # 32 random lowercase letters (a-z). One Get-Random call per character is used because
    # "Get-Random -Count 32" over 97..122 can only return the 26 distinct letters once each.
    $rand = -join (1..32 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.com" -ErrorAction SilentlyContinue   # .com suffix assumed
}

# investigate: a single lookup of one domain you want to check (the name is not given on the page)

# one query with a 63-character label, the maximum length of a DNS label
$rand = -join (1..63 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
Resolve-DnsName "$rand.com" -ErrorAction SilentlyContinue

# a burst of 1001 queries for long random names, the pattern a DGA or tunnelling client produces
For ($i = 0; $i -le 1000; $i++) {
    $rand = -join (1..63 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.com" -ErrorAction SilentlyContinue
}

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')

Note that Advanced Threat Protection (ATP) for Azure DNS can catch activity far more sophisticated than this; the script simply fires a burst of queries for non-existent, random-looking domain names. The detection and analysis apply to all DNS traffic that passes through Azure DNS. See the summary section for the current list of detections for Azure DNS.

Investigate security alerts for DNS

At this point you just need to wait for the advanced threat detection engine to kick in, which can take a while (in my example it took around one hour; I hope Microsoft will improve the detection time once the public preview is over).

Once detection takes place, a new alert with Medium or Low severity is generated in the Security Center | Security alerts dashboard, similar to the one below:

Security Alerts

Note that the simulation script from the previous step fires many queries, and each pattern triggers a different alert, to demonstrate ATP for DNS. In the real world this might be a single alert (for example, Communication with suspicious random domain name) or several alerts, depending on the suspicious activity observed at the DNS layer.

You can select any of the security alerts to view more details about this suspicious activity and Take Action >> as needed.


If you have already integrated Azure Security Center with Azure Monitor, you will also receive a notification through the action group you specified. In my example I am using email notifications. You can find details on how to integrate Azure Security Center with Azure Monitor here.


And if you’ve connected Azure Security Center to Azure Sentinel which I highly recommend as described in this article, then you can see the same alerts with all relevant data needed for investigation and response as shown in the figure below:


And if you are using the Workflow automation feature in Azure Security Center with a Logic App, for example to post a message to Microsoft Teams, you will receive the alert in your team channel, similar to the one below:


That's it, there you have it!

How Azure Defender for Azure DNS works

Azure Defender for Azure DNS protects your Azure resources that use the Azure DNS resolvers against malicious DNS activity. Advanced Threat Protection (ATP) in Azure Security Center continuously analyzes your Azure DNS queries and detects suspicious activity such as queries to malicious domains (C&C servers, crypto-mining, phishing), data exfiltration over DNS tunneling, and suspicious query patterns (DNS cache poisoning, blackhole DNS, and more).

Advanced Threat Protection for Azure DNS is agentless: it inspects the queries as they arrive at Azure DNS, so you do not need to install any agent or software on the protected resources.
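To make two of the detections described above concrete, here is an added example that is not Microsoft's detection engine and not code from the original article: a small Python script that runs heuristic versions of "Communication with a suspicious random domain name" and "Possible data exfiltration via DNS tunnel" (both listed in the summary below) over a constructed DNS query log. The log shape, the thresholds, the function names and the sample domains (including the hypothetical c2.example) are assumptions chosen for the illustration.

```python
"""Heuristic DNS-query analysis over a constructed log.

Added example, not Microsoft's implementation: a simplified imitation of two
alerts from the article, "Communication with a suspicious random domain name"
and "Possible data exfiltration via DNS tunnel". Thresholds, the log layout and
the sample records are assumptions made for this illustration.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample log (not real Azure DNS telemetry), one query per tuple:
# (source VM, query name, record type). The two all-letter names are the shape the
# article's simulation script produces; the hex-chunk subdomains under the
# hypothetical c2.example mimic a client pushing data out through a DNS tunnel.
SAMPLE_LOG = [
    ("vm-web01", "www.microsoft.com", "A"),
    ("vm-web01", "login.microsoftonline.com", "A"),
    ("vm-web01", "settings-win.data.microsoft.com", "A"),
    ("vm-web01", "qzkxvrtlmbywhnsgjpcaueofdi.com", "A"),
    ("vm-web01", "hbpmjdoqvwgcifakyxsrtnuezl.com", "A"),
    ("vm-db01", "ntp.ubuntu.com", "A"),
] + [
    ("vm-db01", f"{i:04x}{hashlib.sha256(str(i).encode()).hexdigest()[:48]}.c2.example", "TXT")
    for i in range(12)
]

RANDOM_MIN_LEN = 16       # short labels cannot reach the entropy bar reliably
RANDOM_MIN_ENTROPY = 4.0  # bits/char: "microsoftonline" scores ~3.3, 26 distinct letters ~4.7
TUNNEL_MIN_UNIQUE = 10    # distinct names under one registrable domain from one source
TUNNEL_MIN_AVG_LEN = 40   # characters; a tunnel packs its payload into long names


def shannon_entropy(text):
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    return name.rstrip(".").lower().split(".")


def registrable_domain(name):
    """Last two labels. Assumes a one-label public suffix; a real detector would use the Public Suffix List."""
    return ".".join(split_name(name)[-2:])


def is_random_domain(name):
    """DGA-style name: a long, high-entropy label directly under the TLD."""
    label = registrable_domain(name).split(".")[0]
    return len(label) >= RANDOM_MIN_LEN and shannon_entropy(label) >= RANDOM_MIN_ENTROPY


def detect_tunnels(log):
    """Per (source, registrable domain): many distinct, long subdomain names suggest tunnelling."""
    names_by_key = defaultdict(set)
    for source, name, _rtype in log:
        if len(split_name(name)) < 3:
            continue  # no subdomain label, nothing to carry data in
        names_by_key[(source, registrable_domain(name))].add(name.lower())
    findings = []
    for (source, base), names in names_by_key.items():
        avg_len = sum(len(n) for n in names) / len(names)
        if len(names) >= TUNNEL_MIN_UNIQUE and avg_len >= TUNNEL_MIN_AVG_LEN:
            findings.append({"source": source, "domain": base,
                             "unique_names": len(names), "avg_len": round(avg_len, 1)})
    return findings


def analyze(log):
    """Return (alert title, source, indicator) tuples using the article's alert wording."""
    alerts = []
    for source, name, _rtype in log:
        if is_random_domain(name):
            alerts.append(("Communication with a suspicious random domain name", source, name))
    for f in detect_tunnels(log):
        alerts.append(("Possible data exfiltration via DNS tunnel", f["source"], f["domain"]))
    return alerts


if __name__ == "__main__":
    for title, source, indicator in analyze(SAMPLE_LOG):
        print(f"{title}: {source} -> {indicator}")
```

The names the simulation script generates use each letter at most once, so their Shannon entropy sits at log2(26), about 4.7 bits per character, well above ordinary second-level domains; that is the signal the first heuristic keys on. The tunnel heuristic instead looks at volume and shape per source and registrable domain, because an individual tunnel query is not suspicious on its own. A production detector would baseline per source, consult the Public Suffix List, and weigh record types such as TXT and NULL, which the service's own engine handles without any of this code on the VM.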


This article showed you how to use advanced threat protection for Azure DNS in Azure Security Center.

Advanced Threat Protection (ATP) for Azure DNS adds security intelligence at the DNS layer, detecting unusual and potentially harmful communication and exfiltration attempts carried over DNS. At the time of this writing, Advanced Threat Protection (ATP) for Azure DNS provides the following detections:

  • Communication with a suspicious random domain name (similar to what I have demonstrated in this article).
  • Communication with a suspicious algorithmically generated domain.
  • Anonymity network activity using a web proxy.
  • Possible data transfer via DNS tunnel.
  • Anonymity network activity.
  • Communication with possible phishing domain.
  • Digital currency mining activity.
  • Possible data download via DNS tunnel.
  • Network intrusion detection signature activation.
  • Possible data exfiltration via DNS tunnel.
  • Anomalous network protocol usage.
  • Attempted communication with suspicious sinkhole domain.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
