Ensure Time To Live (TTL) of the DNS record is not more than 60 minutes for Azure Private DNS Cname Record

MEDIUM

Description

Azure Private DNS Cname Record has time-to-live (TTL) set to more than 1 hour. This may expose the DNS records to vulnerabilities such as cache poisoning.

Remediation

In Azure Console -

Open the Azure Portal and go to Private DNS Zones.
Select the zone you wish to edit.
Under Overview, select the resource record set (CNAME) you wish to edit.
Set TTL to 1 hour (3600 seconds).
Save.

In Terraform -

In the azurerm_private_dns_cname_record resource, set ttl to and hour or less (3600).

References:
https://learn.microsoft.com/en-us/azure/dns/private-dns-getstarted-portal
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_cname_record#ttl

Policy Details

Rule Reference ID: AC_AZURE_0112

CSP: Azure

Remediation Available: Yes

Domain: Security Best Practices

Resource: azurerm_private_dns_cname_record

Resource Category: Virtual Network

Resource Type: DNS

Frameworks

GDPR
NIST-800-171
NIST-800-53
NIST-CSF
HIPAA

Detections

Analytics