How To Update Microsoft DNS AMA Extension For Azure VMs Easily - CHARBEL NEMNOM - MVP | MCT | CCSP

Domain Name System – DNS is one of the most fundamental services, and one of the backbone services of the Internet, allowing mapping between host names and IP addresses and vice versa. As it was created a long time ago, it is very commonly used and was not devised with security in mind. We’ve got a lot of attacks targeting the DNS and this is very well-known by attackers and malicious actors.

Microsoft Sentinel allows you to stream and filter events from your Windows Domain Name System (DNS) server logs using the new Azure Monitor Agent (AMA) DNS extension to the ASimDnsActivityLog normalized schema table.

In this article, we will show you how to update the Microsoft DNS AMA extension for Azure VMs and Azure Arc Servers.

Table of Contents

Introduction

DNS is very highly attacked, and we should put security measures in order to defend our organization against those attacks. Some of the well-known threats targeting DNS are: DDoS attacks targeting DNS servers, DDoS amplification, DNS hijacking, DNS tunneling, Poisoning, Spoofing, NXDOMAIN attack, Phantom domain attack, and the list goes on and on. I’m sure that you’re all very much aware of that.

So, this would be a very good reason to track those logs and look for events that will allow us to detect if any attacker penetrated our organization using the DNS server.

For Windows DNS, we have two separate available logs, one is the analytical logs, and the other is the audit logs that are available to be collected on the DNS server. The Windows DNS Events via AMA connector currently supports analytic event activities only.

The AMA is the future for Sentinel log ingestion based on agents, and the new Windows DNS connector (which is in public preview at the time of this writing) is based on the AMA agent, it’s more efficient, more supportable, and more reliable.

The Microsoft DNS solution is a VM extension provided on top of the AMA, and all the means of communication go through the AMA, meaning it can handle the security and the authorization of it. And can be configured through a single point of configuration handled by the data collection rules (DCRs), meaning that we can do it all through the Microsoft Sentinel portal, and define whatever configuration we want the AMA to follow and filter our DNS events.

Windows DNS Events via AMA (Configuration)

As a side note, the old Log Analytics agents (OMS/MMA) will reach the end of support by August 2024. The Azure Monitor agent (AMA) is the recommended replacement.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.

3) Enable Microsoft Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here. Once Microsoft Sentinel is enabled on your Azure Monitor Log Analytics workspace, every GB of data ingested into the workspace can be retained at no charge for the first 90 days.

4) One or more DNS servers running Windows Server 2012 R2 with auditing hotfix and later deployed in Azure and/or non-Azure.

5) To collect DNS events from any system that isn’t an Azure virtual machine, you need to ensure that Azure Arc is installed. You need to install and enable Azure Arc before you enable the Azure Monitor Agent-based connector and update the Microsoft DNS AMA extension. Azure Arc support Windows servers installed on physical machines, on-premises virtual machines, or installed in other clouds.

6) Azure PowerShell installed locally on your machine or using the Cloud Shell.

7) Windows DNS Events via AMA connector enabled in Microsoft Sentinel.

Windows DNS AMA Extension

Once you have enabled the Windows DNS Events via the AMA connector on your DNS servers, the AMA agent will be automatically installed on your machines which might take up to 10 minutes.

When you define the data collection rules (DCRs), this will also install the DNS extension to run on your machine as shown in the figure below which will be the part that streams the events through the AMA agent.

After about 5 to 10 minutes, we get the log streaming in the Log Analytics workspace. If you want to see the events coming in, then you can go to the table that will be ASimDnsActivityLogs because this table is a native normalized, and then we can see all the events that were streaming to Log Analytics.

The following query will count the number of failed DNS queries for each source IP address and failure type query:

ASimDnsActivityLogs
| where EventProduct == "DNS Server"
| where EventVendor == "Microsoft"
| where EventType == "Query" and EventResult == "Failure"
| summarize count() by SrcIpAddr, EventResultDetails

Now, when Microsoft pushes a new DNS extension update, you need to make sure that the new version is also updated on your Azure and non-Azure machines. As I mentioned above, the Windows DNS connector is in public preview at the time of this writing, and you can expect new improvements and enhancements for the extension before it reaches GA.

Now if you onboarded non-Azure machines via Azure Arc servers, you have the possibility to update the extension directly from the Azure Arc | Servers portal as shown in the figure below. At the time of this writing, the current MicrosoftDnsAgent is version 1.3.0.

Server - Azure Arc Update Microsoft DNS Agent Extension — Server – Azure Arc Update Microsoft DNS Agent Extension

However, this is not the case when you onboard Azure machines to the Microsoft DNS via the AMA extension. We cannot update the extension via the VM Extensions blade as shown in the figure below.

Azure VM Extensions | Microsoft DNS Agent

Now in both options, Microsoft does not support automatic extension upgrades for DNS, but updating manually the extension is only possible for Azure Arc machines.

What about Azure machines? well, we have two options:

1) You can remove the Microsoft DNS extension and then reinstall it, this should do the trick.

2) Or you can use Azure PowerShell as described below, to update the Microsoft DNS extension for both, Azure VMs and Azure Arc Servers.

Update Microsoft DNS AMA Extension

To update the Microsoft DNS AMA extension, you need to connect to Azure with a user account that has permission for Microsoft.Compute/virtualMachines/extensions/write, or Microsoft.HybridCompute/machines/extensions/write (for Azure Arc machines).

You have a couple of options to run the script, you can either use Azure Cloud Shell, Visual Studio Code, or Windows Terminal. The Script works with PowerShell 5.1 or PowerShell 7.3.x (core) with the Az module.

Assuming you have all the required permissions in place, you can run the following command to update the Microsoft DNS AMA extension for both, Azure VMs and Azure Arc Servers.

.EXAMPLE

.\Update-MicrosoftDnsAgent.ps1 -SubscriptionId "SUB-ID" -ResourceGroup "RG-Name" `
-VMName "Virtual-Machine-Name" -Location "Region-Name" -Verbose

PowerShell Code

The complete script is detailed below to automate the entire process of updating the Microsoft DNS AMA extension:

<#
.SYNOPSIS
Update Microsoft Sentinel Azure Monitor Agent Extensions MicrosoftDnsAgent.

.DESCRIPTION
How to update Microsoft Sentinel Azure Monitor Agent Extensions MicrosoftDnsAgent for Azure VMs and Azure Arc Servers.

.NOTES
File Name : Update-MicrosoftDnsAgent.ps1
Author    : Microsoft MVP/MCT - Charbel Nemnom
Version   : 1.0
Date      : 20-February-2023
Updated   : 15-May-2023
Requires  : PowerShell 5.1 or PowerShell 7.3.x (Core)
Module    : Az Module

.LINK
To provide feedback or for further assistance please visit: https://charbelnemnom.com 

.EXAMPLE
.\Update-MicrosoftDnsAgent.ps1 -SubscriptionId "SUB-ID" -ResourceGroup "RG-Name" `
 -VMName "Virtual-Machine-Name" -Location "Region-Name" -Verbose
This example will connect to your Azure account using the subscription Id specified, and then update the Microsoft Dns AMA Agent extension.
#>

param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Enter Azure Subscription ID')]
    [string]$subscriptionId,
    [Parameter(Position = 1, Mandatory = $true, HelpMessage = 'Enter Resource Group Name where the VM is located')]
    [string]$resourceGroupName,
    [Parameter(Position = 2, Mandatory = $true, HelpMessage = 'Enter Virtual Machine Name')]
    [string]$vmName,    
    [Parameter(Position = 3, Mandatory = $true, HelpMessage = 'Enter Azure region name where the VM is deployed')]
    [string]$regionName    
)

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName) 
    if (Get-Module -ListAvailable -Name $ModuleName -Verbose:$false) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    } 
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force  -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Check Azure Connection
Try { 
    Write-Verbose "Connecting to Azure Cloud..." 
    Connect-AzAccount -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
}
Catch { 
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!"
    Break 
}

# Set the Azure context to to the subscribtion where the Azure VM/Arc Server is located
Write-Verbose "Set the Azure context to the subscribtion where the Azure VM/Arc Server is located..."
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Get the current DNS extension version installed for the VM
Write-Verbose "Check the current extension version installed for the VM: $($vmName)"
$dnsVersion = Get-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "MicrosoftDnsAgent"
Write-Verbose "The VM $($vmName) is currently running DNS extension version: $($dnsVersion.TypeHandlerVersion)"

# Update the DNS AMA extension for Azure VMs / Azure Arc
Write-Verbose "Update the DNS AMA extension for the VM: $($vmName)"
Set-AzVMExtension  -Name "MicrosoftDnsAgent" -Publisher "Microsoft.Sentinel.AzureMonitorAgentExtensions" `
 -ExtensionType "MicrosoftDnsAgent" -TypeHandlerVersion 1.3 -ResourceGroupName $resourceGroupName -VMName $vmName -Location $regionName

# Verify the DNS extension version installed for the VM
Write-Verbose "Verify the DNS extension version installed for the VM: $($vmName)"
$dnsVersion = Get-AzVMExtension -ResourceGroupName $resourceGroupName -VMName $vmName -Name "MicrosoftDnsAgent"
Write-Verbose "The VM $($vmName) is currently running DNS extension version: $($dnsVersion.TypeHandlerVersion)"

Here is an example of the output once you run this script:

Switching to the Azure portal, VM Extensions blade, we can confirm that the Microsoft DNS AMA Agent is running the latest version 1.2.0.

Update DNS Extension Using The REST API

Another way that you can use to update the Microsoft DNS AMA Extension is by using the Virtual Machine Extensions – Update – REST API.

Open the following URL, then sign in with your Azure account.

Fill in all the details below where you see [change-to-] based on your environment, then copy the JSON in the Body section and hit Run:

"name": "MicrosoftDnsAgent",
"id": "/subscriptions/change-to-sub/resourceGroups/change-to-customers-rg/providers/Microsoft.Compute/virtualMachines/change-to-customers-vm/extensions/MicrosoftDnsAgent",
    "type": "Microsoft.Compute/virtualMachines/extensions",
    "location": "westeurope", //should be changed to your location 
    "properties": {
        "autoUpgradeMinorVersion": true,
        "publisher": "Microsoft.Sentinel.AzureMonitorAgentExtensions",
        "type": "MicrosoftDnsAgent",
        "typeHandlerVersion": "1.3"
    }
}

Virtual Machine Extensions - DNS Update — Virtual Machine Extensions – DNS Update

That’s it there you have it!

Summary

In this article, we showed you how to update the Microsoft Domain Name System (DNS) Azure Monitor Agent (AMA) extension for Azure VMs and Azure Arc Servers.

The AMA and its DNS extension are installed on your Windows Server in Azure or hybrid/multi-cloud, to upload data from your DNS analytical logs to your Microsoft Sentinel workspace.

The Windows DNS log connector allows you to easily filter and stream all analytics logs from your Windows DNS servers to your Microsoft Sentinel workspace using the Azure Monitoring agent (AMA).

By enabling the Windows DNS Event Data Connector on your AMA-connected Domain Controllers/DNS Servers, all of the Domain DNS flows into the ASimDnsActivityLogs table in Log Analytics and you can use that table to power Sentinel Workbooks, Notebooks, Watchlists, and Analytic Rules. You can start by collecting your DNS root DC’s 256 & 257 events first, and then add additional DNS/App servers as ingest budgets permit.

This is one of the many features in Microsoft Sentinel that can be utilized to provide immense value to threat detection out-of-the-box.

The power of Microsoft Sentinel comes from the ability to detect, investigate, respond to, and remediate threats.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-