Why DNS is attackers' favourite target
The DNS (Domain Name System) translates domain names into IP addresses. Every time a user visits a website, sends an email or opens an application, a DNS query is executed. This makes DNS a mandatory transit point for almost all network traffic — and an ideal target for attackers.
According to industry data, over 85% of malware uses DNS to communicate with command-and-control (C2) servers. Attacks such as DNS tunneling allow attackers to exfiltrate corporate data through seemingly legitimate DNS queries, bypassing firewalls and endpoint protection (EDR/XDR) systems.
What is DNS Security and how does it work
DNS Security encompasses the technologies and policies that protect enterprise DNS resolution. A comprehensive DNS protection solution operates on three layers:
1. DNS filtering — blocking queries to malicious, phishing and malware domains. Unlike a basic DNS filter that relies on static lists, an enterprise solution uses real-time threat intelligence and behavioural analysis to identify even new and unknown domains.
2. Authentication and integrity (DNSSEC) — cryptographic signing of DNS records ensures that responses have not been tampered with in transit. DNSSEC prevents cache poisoning and man-in-the-middle attacks on DNS resolution.
3. Monitoring and logging — comprehensive recording of all DNS queries for forensic analysis, anomaly detection and regulatory compliance. DNS logging is essential for NIS2 compliance and the DORA Regulation.
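The monitoring layer is only useful if something actually reads the logs. The script below is an added example (not code from the page, from Microsoft or from AtWorkStudio) of the kind of anomaly detection a SOC would run over exported resolver logs to spot DNS tunneling: it groups queries by client and base domain and flags combinations that show many distinct subdomains, long or high-entropy labels, and data-carrying record types. The log format, the thresholds, the "last two labels" base-domain rule and the sample lines are all constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log for this example (not real traffic).
# Assumed field order: timestamp client_ip qname qtype
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.12 www.example.com A
2024-05-01T10:00:02Z 10.0.1.12 login.microsoftonline.com A
2024-05-01T10:00:03Z 10.0.1.12 mail.example.com MX
2024-05-01T10:00:04Z 10.0.1.40 4d6a7b2c9e1f03a8b5c6d7e8f9a0b1c2.tunnel.example TXT
2024-05-01T10:00:05Z 10.0.1.40 9f8e7d6c5b4a39281706f5e4d3c2b1a0.tunnel.example TXT
2024-05-01T10:00:06Z 10.0.1.40 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel.example TXT
2024-05-01T10:00:07Z 10.0.1.40 c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8.tunnel.example TXT
2024-05-01T10:00:08Z 10.0.1.40 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.tunnel.example TXT
2024-05-01T10:00:09Z 10.0.1.55 cdn.example.net A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character. Encoded payloads score near the alphabet's maximum
    (4.0 for hex), ordinary hostnames well below it."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one log line into a dict; malformed lines are skipped (None)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def base_domain(qname: str) -> str:
    """Simplification: the last two labels. A production detector should use
    the public suffix list so that names under e.g. co.uk group correctly."""
    return ".".join(qname.split(".")[-2:])


def analyze(log_text: str, *, min_distinct=5, max_label_len=30,
            max_entropy=3.5, data_types=("TXT", "NULL")):
    """Return one finding per (client, base domain) that trips at least two
    tunneling indicators. Thresholds are illustrative and should be tuned."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(),
                                 "odd_labels": 0, "data_type": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = base_domain(rec["qname"])
        s = stats[(rec["client"], domain)]
        s["queries"] += 1
        s["names"].add(rec["qname"])
        # Only the labels below the base domain are attacker-chosen per query.
        prefix = rec["qname"][: -len(domain)].rstrip(".")
        for label in (prefix.split(".") if prefix else []):
            if len(label) > max_label_len or shannon_entropy(label) > max_entropy:
                s["odd_labels"] += 1
        if rec["qtype"] in data_types:
            s["data_type"] += 1

    findings = []
    for (client, domain), s in sorted(stats.items()):
        reasons = []
        if len(s["names"]) >= min_distinct:
            reasons.append("many_distinct_subdomains")
        if s["odd_labels"]:
            reasons.append("high_entropy_or_long_labels")
        if s["data_type"] and s["data_type"] / s["queries"] >= 0.5:
            reasons.append("data_carrying_qtypes")
        if len(reasons) >= 2:  # require corroboration to limit false positives
            findings.append({"client": client, "domain": domain,
                             "queries": s["queries"],
                             "distinct_names": len(s["names"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: {f['queries']} queries, "
              f"{f['distinct_names']} distinct names, reasons={f['reasons']}")
```

Run against the constructed log, only client 10.0.1.40 querying tunnel.example is reported; the normal lookups from the other two clients never reach two indicators. Requiring two corroborating signals is the design choice that matters here: any one of them alone (CDNs with many hostnames, long cache-busting labels, legitimate TXT lookups for SPF or DKIM) is common in benign traffic.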
Azure DNS Security Policy
Microsoft Azure offers Azure DNS Security Policy, a service that enforces security policies directly at the DNS resolution layer at virtual network (VNET) level. Integrated with Azure DNS Private Resolver, it enables you to:
- Block resolution to malicious domains — using Microsoft's real-time threat intelligence to prevent connections to phishing, malware and C2 sites.
- Apply policies per virtual network — each VNET can have different DNS rules with configurable priorities and custom domain lists alongside Microsoft's managed threat intelligence feed.
- Monitor DNS traffic in real time — detailed logging to Storage Accounts, Log Analytics or Event Hubs for anomaly detection and incident response.
- Choose the action for each rule — Allow, Block or Alert mode for each domain category, with configurable priorities to manage exceptions.
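To make the rule model concrete (per-VNET policies, domain lists, Allow/Block/Alert actions and priorities used for exceptions), here is an added example that models a DNS security policy as plain Python. It is not Azure's own implementation or API and not code from AtWorkStudio: the evaluation semantics (lower priority value evaluated first, first matching rule wins, Alert resolves the query but raises a flag, no match means Allow, suffix matching on domain-list entries) and every domain and VNET name below are assumptions constructed for illustration. Check the real semantics against Microsoft's documentation before relying on them.

```python
from dataclasses import dataclass

# Action names are the ones the page lists; their semantics here are assumed.
ALLOW, BLOCK, ALERT = "Allow", "Block", "Alert"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # assumption: lower value is evaluated first
    action: str         # ALLOW, BLOCK or ALERT
    domains: frozenset  # domain list: exact names or zones (suffix match)


def normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.strip().rstrip(".").lower()


def matches(qname: str, entry: str) -> bool:
    """True if qname equals the entry or sits inside that zone."""
    q, e = normalize(qname), normalize(entry)
    return q == e or q.endswith("." + e)


def validate(rules):
    """Reject ambiguous policies up front: duplicate priorities would make the
    'first match wins' order undefined, and unknown actions would be silently
    treated as something they are not."""
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities within a policy must be unique")
    for r in rules:
        if r.action not in (ALLOW, BLOCK, ALERT):
            raise ValueError(f"unknown action {r.action!r} in rule {r.name}")
    return tuple(sorted(rules, key=lambda r: r.priority))


def evaluate(rules, qname: str):
    """First matching rule in priority order decides; no match -> Allow."""
    for rule in rules:
        if any(matches(qname, d) for d in rule.domains):
            return rule.action, rule.name
    return ALLOW, None


# Constructed domain lists; these are placeholders, not real indicators.
MANAGED_THREAT_INTEL = frozenset({"malware-c2.example", "phish-login.example"})
PARTNER_ZONE = frozenset({"partner.example"})
PARTNER_SANDBOX = frozenset({"sandbox.partner.example"})

# One policy per VNET (hypothetical VNET names). Production blocks the partner
# zone except for its sandbox, which a higher-priority Allow rule exempts;
# development only alerts on threat-intel hits so analysts keep visibility.
VNET_POLICIES = {
    "vnet-prod": validate([
        Rule("allow-partner-sandbox", 10, ALLOW, PARTNER_SANDBOX),
        Rule("block-partner-zone", 20, BLOCK, PARTNER_ZONE),
        Rule("block-threat-intel", 30, BLOCK, MANAGED_THREAT_INTEL),
    ]),
    "vnet-dev": validate([
        Rule("alert-threat-intel", 10, ALERT, MANAGED_THREAT_INTEL),
    ]),
}


def resolve(vnet: str, qname: str) -> dict:
    """Decide what the resolver does with a query from the given VNET.
    A VNET with no linked policy gets the assumed default of Allow."""
    action, rule = evaluate(VNET_POLICIES.get(vnet, ()), qname)
    return {"action": action, "rule": rule,
            "resolved": action != BLOCK, "alert": action == ALERT}


if __name__ == "__main__":
    for vnet, name in [("vnet-prod", "api.sandbox.partner.example"),
                       ("vnet-prod", "www.partner.example"),
                       ("vnet-prod", "malware-c2.example"),
                       ("vnet-dev", "malware-c2.example"),
                       ("vnet-prod", "www.example.com")]:
        print(vnet, name, resolve(vnet, name))
```

The point the example makes is the one the page's "configurable priorities to manage exceptions" hints at: an exception is just an Allow rule whose priority places it ahead of the Block rule for the enclosing zone, so `api.sandbox.partner.example` resolves in production while `www.partner.example` is blocked. The `validate` step is worth keeping in any real policy tooling, since two rules with the same priority and conflicting actions leave the outcome to whichever order the platform happens to use.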
Secure DNS vs basic DNS filter: the differences
Many providers offer a “secure DNS” that is actually just a simple filter based on static blocklists. An enterprise DNS Security solution like Azure DNS Security Policy stands apart thanks to:
- Real-time threat intelligence — not just static lists, but continuous analysis powered by Microsoft's intelligence across billions of daily signals.
- Policies per virtual network — different rules for each VNET with custom domain lists, not a one-size-fits-all filter.
- Comprehensive audit logging — every query logged for NIS2 and DORA compliance, not just aggregate metrics.
- Zero Trust integration — DNS becomes a security policy enforcement point, integrated with your firewall and network security architecture.
DNS Security and regulatory compliance
For organisations subject to the NIS2 Directive or the DORA Regulation, DNS Security is not optional. Both regulations require adequate network protection measures, threat monitoring and audit logging capabilities. Azure DNS Security Policy fulfils all of these requirements.
A good first step to evaluate your exposure is the free NIST CSF 2.0 assessment, which includes specific questions on DNS protection and name resolution management.
Frequently asked questions
What is DNS Security and why does it matter for businesses?
DNS Security encompasses the technologies and policies that protect enterprise DNS resolution from attacks such as phishing, malware, DNS tunneling and cache poisoning. It matters because over 85% of malware uses DNS to communicate with command-and-control servers. Without DNS protection, even an advanced firewall can be bypassed.
What is Azure DNS Security Policy?
Azure DNS Security Policy is the Microsoft Azure service that enforces security policies directly at the DNS resolution layer at virtual network (VNET) level. It allows you to block, allow or alert on DNS queries towards malicious domains using a managed threat intelligence feed from Microsoft and custom domain lists. It integrates natively with Azure DNS Private Resolver and supports logging to Storage Accounts, Log Analytics and Event Hubs.
What is the difference between a secure DNS and a basic DNS filter?
A basic DNS filter (such as those offered by many providers) only blocks a static list of known domains. An enterprise DNS Security solution like Azure DNS Security Policy offers: real-time threat intelligence automatically updated by Microsoft, configurable Allow/Block/Alert modes for each rule, per-virtual-network policies with custom domain lists, and comprehensive logging to Log Analytics, Storage Accounts or Event Hubs for audit and compliance.
Is DNS Security required by NIS2?
The NIS2 Directive requires adequate security measures to protect networks and information systems. DNS protection falls among the recommended technical measures, as DNS is a critical attack vector. Proper DNS Security contributes to NIS2 compliance, particularly regarding risk management and threat monitoring obligations.
Can AtWorkStudio implement DNS Security for my organisation?
Yes. We configure and manage Azure DNS Security Policy for organisations of any size. The service includes an assessment of the existing DNS infrastructure, policy design, Azure DNS Private Resolver deployment, DNSSEC configuration and SOC monitoring integration. AtWorkStudio holds ISO/IEC 27001, 27017, 27018 and ISO 9001 certifications.
Sources
- NIST Cybersecurity Framework — National Institute of Standards and Technology