Finding: DNSSEC Not Enabled on Azure DNS Zones
Description:
DNSSEC (Domain Name System Security Extensions) provides origin authentication and integrity for DNS data, helping prevent attacks like DNS spoofing and cache poisoning. By default, Azure DNS zones do not have DNSSEC enabled unless explicitly configured. This exposes DNS clients to potential risks if responses are intercepted or forged. Failing to implement DNSSEC undermines the trust and reliability of the DNS infrastructure supporting your services.
Remediation: Enable DNSSEC on Azure DNS Zones
Pre-Requisites
– You must be using Azure DNS for both the zone and the registrar.
– Your zone must be hosted on Azure DNS, not a third-party service.
Step-by-Step Remediation
1. Log in to Azure Portal: Navigate to https://portal.azure.com and sign in with an account that has DNS Zone Contributor or higher permissions.
2. Navigate to DNS Zone: In the left-hand menu, go to ‘DNS zones’ and select the DNS zone you want to secure (e.g., example.com).
3. Enable DNSSEC: Under the Settings section, select ‘DNSSEC’ and click ‘Enable DNSSEC’. Azure will automatically generate Key Signing Keys (KSK) and Zone Signing Keys (ZSK).
4. Verify the Zone Type: Azure DNSSEC works only for public DNS zones. Private DNS zones are not currently supported.
5. Complete Registrar Configuration: If the domain was registered through Azure, DS record submission is automatic. If not, manually retrieve the DS record and update it at your registrar.
6. Save and Propagate: Ensure changes are saved. Allow up to 24 hours for DNSSEC validation to propagate.
Verification: DNSSEC Successfully Enabled
Option 1: Using Dig (Command Line)
Run the following command and look for RRSIG records and a valid AD (Authenticated Data) flag:
dig +dnssec example.com
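An added example, not part of this finding, that automates Option 1: it parses dig output for RRSIG records in the answer and the AD flag in the header. It assumes dig is installed and that the resolver queried (1.1.1.1 by default, an assumption) performs DNSSEC validation, since the AD flag is set by the validating resolver, not by the zone, so a non-validating resolver never sets it even for a correctly signed zone.

```shell
#!/bin/sh
# Added example (not from the original finding): check dig output for the two
# signals the verification step names, RRSIG records and the AD flag.
# Assumptions: dig is installed; the resolver used (1.1.1.1 by default, an
# assumption) validates DNSSEC. AD is set by the resolver, not the zone.

# Reads dig output on stdin. Prints what was found and returns 0 only if at
# least one RRSIG record is in the ANSWER section and the header flags include "ad".
check_dig_output() {
    dig_out=$(cat)
    # Header line looks like: ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    hdr_flags=$(printf '%s\n' "$dig_out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    # Count RRSIG rows between ";; ANSWER SECTION:" and the next blank line
    # (column 4 of a dig answer row is the record type).
    rrsig_count=$(printf '%s\n' "$dig_out" | awk '
        /^;; ANSWER SECTION:/   { in_ans = 1; next }
        /^$/                    { in_ans = 0 }
        in_ans && $4 == "RRSIG" { n++ }
        END                     { print n + 0 }')
    case " $hdr_flags " in
        *" ad "*) ad_set=1 ;;
        *)        ad_set=0 ;;
    esac
    echo "rrsig_records=$rrsig_count ad_flag=$ad_set"
    [ "$rrsig_count" -gt 0 ] && [ "$ad_set" -eq 1 ]
}

# Live check: query the zone apex A record with the DO bit set (+dnssec)
# through a validating resolver, then apply the parser above.
check_domain() {
    dig @"${2:-1.1.1.1}" +dnssec "$1" A | check_dig_output
}

# Constructed sample of a validated, signed answer (all values made up) so the
# parser can be exercised offline without a live query.
SAMPLE_SIGNED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600 IN A     203.0.113.10
example.com.  3600 IN RRSIG A 13 2 3600 20250201000000 20250101000000 12345 example.com. c29tZS1zaWc=
'

demo_signed() {
    printf '%s\n' "$SAMPLE_SIGNED" | check_dig_output
}
```

Run `check_domain example.com` against a zone you administer; a result of `rrsig_records=0` with `ad_flag=0` from a validating resolver means the zone is not signed (or the DS record at the parent is missing).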
Option 2: Using DNSViz Tool
Visit https://dnsviz.net/, enter your domain (e.g., example.com), click “Analyze”, and confirm the DNSSEC chain of trust is complete and error-free.
Option 3: Using Azure Portal
Return to the DNSSEC tab in your DNS zone. Confirm DNSSEC status shows as Enabled and KSK/ZSK status is Active.
Note
Azure currently does not support DNSSEC with external registrars or customer-managed keys. Always back up DNS configurations before making changes to production zones.