Tuesday, March 20, 2018

Exploring Azure DNS Analytics

You would be hard-pressed to review a security benchmark that did not talk about controlling outbound connections. Generally, one would tackle this problem by doing one of the following:

- Outbound firewall
- Web Proxy
- Services such as OpenDNS

In Azure, deploying any of the solutions above can become somewhat onerous. It isn't that it is impossible; it is that you generally want to shy away from creating or adding more gear to support this type of activity. Further, OpenDNS can be kind of a pain when you have to specify IP addresses to enforce rules.

That is why I was super excited when Azure announced the DNS Analytics solution in OMS. While it lacks any proactive capabilities, I can now use this solution in OMS to help me understand what DNS queries are being made in my environment. I also get the power of Azure Security as it analyzes my DNS requests for communication with any malicious domains.

You can read more about the solution here.

After having this solution turned on for a few days now, I've noticed the following:

- I hate how IE defaults to MSN as homepage, even for servers
- My servers are all configured to hit Windows Update directly, I should probably change that :S
- There are lots of Azure addresses that get hit as part of normal operation. Opinsights, automation, etc., and they all use different domain names.
- My servers are all dynamically registering properly, with no failures

I'm skipping a lot of screenshots here because the documentation was pretty in-depth. Here is what gets stored in Log Analytics for the DNS solution.
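To show how the stored data can be turned into the kinds of observations listed above, here is an added set of Log Analytics queries (example queries written for this post, not from the original article or from Microsoft's documentation). They assume the DNS Analytics solution writes to the `DnsEvents` table and that the columns `SubType`, `Name`, `ClientIP`, `Computer`, `MaliciousIP` and `IndicatorThreatType` exist with the meanings commented below; confirm the names against the schema pane of your own workspace before relying on the results.

```kusto
// Added example, not from the original post. Assumed schema: the DNS Analytics
// solution stores lookups and dynamic registrations in DnsEvents, with SubType
// distinguishing "LookupQuery" from "DynamicRegistration" and MaliciousIP
// populated when the solution's threat intelligence matched the lookup.

// 1. Which names are my servers resolving most, once the expected Azure
//    management endpoints (Log Analytics/OpInsights and Automation) are
//    filtered out? This is how things like the MSN home page and direct
//    Windows Update traffic show up.
DnsEvents
| where TimeGenerated > ago(7d)
| where SubType == "LookupQuery"
| where Name !endswith ".opinsights.azure.com"
    and Name !endswith ".azure-automation.net"
| summarize Queries = count(), Clients = dcount(ClientIP) by Name
| order by Queries desc
| take 50

// 2. Lookups that the solution matched to a known-malicious destination.
//    An empty result is the outcome you want to see.
DnsEvents
| where TimeGenerated > ago(7d)
| where SubType == "LookupQuery" and isnotempty(MaliciousIP)
| project TimeGenerated, Computer, ClientIP, Name, MaliciousIP, IndicatorThreatType
| order by TimeGenerated desc

// 3. Dynamic registration activity per host per day, to confirm every
//    server is still registering on schedule. A host that drops out of this
//    list is worth a look even if no failure event was raised.
DnsEvents
| where TimeGenerated > ago(7d)
| where SubType == "DynamicRegistration"
| summarize Registrations = count() by Computer, Day = bin(TimeGenerated, 1d)
| order by Day desc, Computer asc
```

Run each query separately in the Log Analytics query pane; the suffix filters in the first query are a starting allowlist for the Azure names mentioned above and will need extending as you find more of them in your own results.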


In short, I think this is a great service, and a must-have when you set up OMS to help monitor your Azure environment.