Skip to main content

πŸ“ Azure VM Scale Set Instance allows public access to DNS port 🟒

  • Contextual name: πŸ“ Instance allows public access to DNS port 🟒
  • ID: /ce/ca/azure/vm-scale-set/instance-allows-unrestricted-dns-traffic
  • Located in: πŸ“ Azure VM Scale Set

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Logic​

Description​

Open File

Description​

Verify that Azure VM Scale Set Instances are not associated with Network Security Group rules that allow unrestricted inbound access to DNS services on port 53. NSG rules should be configured to restrict inbound DNS traffic to specific, trusted IP address ranges such as internal subnets or authorized DNS resolvers. This reduces the risk of exposure to threats including DNS amplification, tunneling, and command-and-control communication.

Rationale​

Unrestricted DNS access from the public internet can lead to a range of security issues. Malicious actors may exploit open DNS services to launch amplification attacks or tunnel data covertly. Restricting DNS traffic to known and trusted sources ensures that only authorized systems can initiate DNS queries or responses, thereby minimizing the attack surface and enhancing the security posture of the environment.

Impact​

Enforcing restrictions on DNS traffic may require reconfiguration of applications or services that rely on open access to external DNS servers. Failure to account for legitimate dependencies could result in service disruptions. As part of remediation, it is critical to validate DNS resolution paths and ensure all required DNS servers are explicitly permitted.

... see more

Remediation​

Open File

Remediation​

Modify or Remove Insecure NSG Rule​

Review the security rules associated with the relevant Network Security Group (NSG) and determine whether they are required. Take appropriate action based on necessity and scope:

  • If the rule is not required: Remove the rule entirely.

  • If the rule is required but overly permissive: Update the rule to narrowly scope access, restricting the source IP range to only what is strictly necessary.

Azure CLI​

  1. Delete the rule:

    az network nsg rule delete \
      --resource-group {{resource-group-name}} \
      --nsg-name {{nsg-name}} \
      --name {{rule-name}}

  2. Restrict the rule:

    az network nsg rule update \
        --resource-group {{resource-group-name}} \
        --nsg-name {{nsg-name}} \
        --name {{rule-name}} \
        --source-address-prefixes {{trusted-cidr}}

    Replace placeholders with the appropriate values. Use space-separated values for multiple source prefixes or destination ports (e.g., --source-address-prefixes "1.2.3.4/32 5.6.7.8/32").

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Public and Anonymous Access69