
โญ Repository โ†’ ๐Ÿ“ Compliance Engine โ†’ ๐Ÿ“ CloudAware โ†’ ๐Ÿ“ Azure โ†’ ๐Ÿ“ Virtual Network

๐Ÿ›ก๏ธ Azure Network Security Group allows public access to DNS port๐ŸŸข

  • Contextual name: 🛡️ Security Group allows public access to DNS port 🟢
  • ID: /ce/ca/azure/virtual-network/security-group-allows-unrestricted-dns-traffic
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Description

Verify that no Azure Network Security Group (NSG) contains a rule that allows unrestricted inbound access to DNS services on port 53. NSG rules should restrict inbound DNS traffic to specific, trusted IP address ranges such as internal subnets or authorized DNS resolvers. This reduces exposure to threats including DNS amplification, DNS tunneling, and command-and-control communication.
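As an added illustration (not CloudAware's own policy code), the check the description implies, run over a constructed sample in the shape of `az network nsg rule list -o json` output; the field names are assumed to match that output, and a rule is flagged when it allows inbound traffic from a public source (`*`, `Internet`, `0.0.0.0/0`, `::/0`) to a port spec that covers 53.

```python
import json

# Constructed sample in the shape of `az network nsg rule list -o json` (not real data).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-dns-any", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
   "priority": 100, "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "53", "destinationPortRanges": []},
  {"name": "allow-dns-range", "direction": "Inbound", "access": "Allow", "protocol": "*",
   "priority": 110, "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
   "destinationPortRange": "50-60", "destinationPortRanges": []},
  {"name": "allow-dns-trusted", "direction": "Inbound", "access": "Allow", "protocol": "Udp",
   "priority": 120, "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["10.0.0.0/16", "10.1.0.0/24"],
   "destinationPortRange": null, "destinationPortRanges": ["53", "5353"]},
  {"name": "allow-https-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
   "priority": 130, "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
   "destinationPortRange": "443", "destinationPortRanges": []}
]
"""

PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}  # compared case-insensitively
DNS_PORT = 53

def _values(single, multi):
    """Azure populates either the singular field or the plural list; merge both."""
    return ([single] if single else []) + list(multi or [])

def _port_matches(port_spec, port):
    """True if a port spec ('53', '50-60' or '*') covers the given port."""
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_unrestricted_dns_rule(rule):
    """Flag an Inbound/Allow rule that reaches port 53 from a public source."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if rule.get("protocol") not in ("Udp", "Tcp", "*"):  # DNS is UDP/TCP; ICMP etc. cannot reach it
        return False
    sources = _values(rule.get("sourceAddressPrefix"), rule.get("sourceAddressPrefixes"))
    ports = _values(rule.get("destinationPortRange"), rule.get("destinationPortRanges"))
    return any(s.lower() in PUBLIC_SOURCES for s in sources) and any(_port_matches(p, DNS_PORT) for p in ports)

def find_unrestricted_dns_rules(rules_json):
    """Names of rules exposing port 53 to the internet, highest priority (lowest number) first."""
    flagged = [r for r in json.loads(rules_json) if is_unrestricted_dns_rule(r)]
    return [r["name"] for r in sorted(flagged, key=lambda r: r["priority"])]
```

The check evaluates each rule on its own; a higher-priority Deny rule in the same NSG can still block the traffic, so confirm the effective rules before remediating.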

Rationale

Unrestricted DNS access from the public internet can lead to a range of security issues. Malicious actors may exploit open DNS services to launch amplification attacks or tunnel data covertly. Restricting DNS traffic to known and trusted sources ensures that only authorized systems can initiate DNS queries or responses, thereby minimizing the attack surface and enhancing the security posture of the environment.

Impact

Enforcing restrictions on DNS traffic may require reconfiguration of applications or services that rely on open access to external DNS servers. Failure to account for legitimate dependencies could result in service disruptions. As part of remediation, it is critical to validate DNS resolution paths and ensure all required DNS servers are explicitly permitted.


Remediation

Modify or Remove Insecure NSG Rule

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI
  1. Delete the rule:

    az network nsg rule delete \
    --resource-group {{resource-group-name}} \
    --nsg-name {{nsg-name}} \
    --name {{rule-name}}
  2. Restrict the rule:

    az network nsg rule update \
    --resource-group {{resource-group-name}} \
    --nsg-name {{nsg-name}} \
    --name {{rule-name}} \
    --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").


policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 Cloudaware Framework → 💼 Public and Anonymous Access | 80no data