last sync: 2024-Jul-26 18:17:39 UTC

Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source) | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative Source)
Id 1cb067d5-c8b5-4113-a7ee-0a493633924b
Version 1.0.0
Category Regulatory Compliance
Description Microsoft implements this System and Communications Protection control
Additional metadata Name/Id: ACF1656 / Microsoft Managed Control 1656
Category: System and Communications Protection
Title: Secure Name / Address Resolution Service (Authoritative Source) - Additional Info in Response to External Queries
Ownership: Customer, Microsoft
Description: The information system: Provides additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
Requirements: The Azure DNS infrastructure provides internal name resolution for internal Microsoft assets and external name resolution services to external customers, including Federal Agencies. However, Azure does not support DNSSEC; a customer that requires DNSSEC must either bring their own DNS servers into Azure or use a third-party DNS provider.

Azure uses three types of DNS servers.

Azure DNS servers act as non-authoritative sources for DNS requests only from clients hosted inside Azure. A client makes a DNS query to a system DNS server; the system DNS server in turn queries an authoritative source outside the system. System DNS servers do not support the DNSSEC protocol. This control requires system DNS servers, when requested by clients, to perform origin/integrity verification of the response provided by authoritative sources. The control assumes that the client makes a DNS query of a system DNS server and that the DNS server must then query an authoritative source outside the system. The risk that the external authoritative source has been compromised is mitigated by the origin/integrity verification.

Azure internal DNS servers resolve DNS queries from Azure servers. Azure servers do not request origin/integrity verification of the DNS query; instead, origin/integrity is assured via other means, such as a communications channel using TLS.

Azure DNS production servers act as authoritative sources for DNS requests from external clients for various Azure domains and do not respond to any DNS queries against zones for which they are not the authority.

Azure DNS servers therefore perform two functions: 1. Resolving DNS queries from Azure servers. 2. Acting as authoritative sources for DNS requests from external clients for certain Microsoft.com subdomains. For case 1, queries are either for internal domains for which Azure DNS servers are authoritative, or for external domains used by Azure's services. In either case, Azure servers do not request origin/integrity verification of the DNS query. For case 2, this scenario is not possible for Azure DNS servers.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance Not a Compliance control
Initiatives usage none
History none