Azure API calls indicating Private DNS zone virtual network linking

ID: azure_private_dns_zone_linked
Data type: Azure Activity
Severity: Low - Medium
MITRE ATT&CK: TA0005:T1578

Description

AlphaSOC detected linking of an Azure Private DNS zone to a virtual network via Microsoft.Network/privateDnsZones/virtualNetworkLinks/write. Private DNS zones enable DNS resolution for private endpoints and internal resources within Azure virtual networks.

While this is often legitimate infrastructure configuration, adversaries may link DNS zones to enable data exfiltration via DNS tunneling or to manipulate DNS resolution within the network. Malicious DNS zone linking could also be used to disrupt DNS resolution for legitimate services.

Impact

Unauthorized Private DNS zone linking can enable DNS-based attacks within Azure networks. Attackers may use this to redirect DNS queries, enable DNS tunneling for data exfiltration, or disrupt name resolution for legitimate services. Improper DNS configuration can affect connectivity to private endpoints and internal resources.

Severity

Severity  Condition
Low       Private DNS zone linking detected
Medium    Anomalous Private DNS zone linking

Investigation and Remediation

Review Azure Activity logs for Microsoft.Network/privateDnsZones/virtualNetworkLinks/write events. Identify which DNS zone was linked to which virtual network and verify whether the change corresponds to an authorized infrastructure change. Check the DNS zone records for suspicious entries.

If unauthorized, remove the virtual network link and investigate the compromised identity. Review DNS query logs for signs of DNS tunneling or resolution manipulation. Audit other DNS zones and network configurations for additional unauthorized changes.
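As an added example (not AlphaSOC's detection logic), the following Python triages Azure Activity log records the way the review step above describes: it keeps successful virtualNetworkLinks/write events, pulls the zone and link name out of the resource ID, and tiers each finding Low or Medium. The allowlist of expected callers, the record field names and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Operation flagged by the rule (from the page).
LINK_WRITE_OP = "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write"

# ARM resource ID of a virtual network link: zone and link name are in the path.
LINK_ID_RE = re.compile(
    r"/privateDnsZones/(?P<zone>[^/]+)/virtualNetworkLinks/(?P<link>[^/]+)$", re.I)

# Assumption used for the Medium tier: identities expected to manage zone links
# (e.g. the IaC pipeline's service principal). Any other caller is anomalous.
KNOWN_LINKERS = {"iac-pipeline@example.onmicrosoft.com"}


def rate_link_event(event, known_linkers=KNOWN_LINKERS):
    # Return a finding for a successful link write, None for anything else.
    if event.get("operationName") != LINK_WRITE_OP:
        return None
    # The activity export also emits Start/Failure records for the same operation.
    if event.get("resultType", "").lower() not in ("success", "succeeded"):
        return None
    m = LINK_ID_RE.search(event.get("resourceId", ""))
    if not m:
        return None
    caller = event.get("caller", "")
    return {
        "severity": "Low" if caller in known_linkers else "Medium",
        "caller": caller,
        "zone": m.group("zone"),
        "link": m.group("link"),
    }


def scan(lines, known_linkers=KNOWN_LINKERS):
    # One JSON activity record per line; collect the findings in order.
    found = [rate_link_event(json.loads(line), known_linkers) for line in lines if line.strip()]
    return [f for f in found if f]


# Constructed sample records (not real data) shaped like an Azure Activity log export:
# an expected automation write, one by an unexpected user, and an unrelated zone write.
SAMPLE_LOG = """\
{"operationName": "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write", "caller": "iac-pipeline@example.onmicrosoft.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/privatelink.blob.core.windows.net/virtualNetworkLinks/vnet-prod-link"}
{"operationName": "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write", "caller": "contractor@example.onmicrosoft.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/corp.internal/virtualNetworkLinks/vnet-dev-link"}
{"operationName": "Microsoft.Network/privateDnsZones/write", "caller": "contractor@example.onmicrosoft.com", "resultType": "Success", "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/corp.internal"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['caller']} linked {f['zone']} via {f['link']}")
```

In practice the known-caller set would come from the IaC identity inventory, and the zone/link pair would be joined against the link's virtualNetwork property to name the target network.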