
feat(scanner): add AZ-NET-015 public DNS zone enumeration rule#106

Open
aav-wh wants to merge 1 commit into openshield-org:dev from aav-wh:feat/az-net-015

Conversation

aav-wh (Contributor) commented Jun 1, 2026

What does this PR do?

Adds AZ-NET-015 scanner rule to detect Azure DNS zones configured as Public, which expose DNS records to internet enumeration.

Type of change

  • New scan rule
  • Remediation playbook
  • Compliance mapping

Rule details

  • Rule ID: AZ-NET-015
  • Severity: MEDIUM
  • Category: Network
  • Frameworks mapped: CIS 9.2 / NIST PR.AC-5 / ISO A.13.1.1 / SOC 2 CC6.6

Testing

  • Returns correct JSON output
  • All seven CI checks pass
  • No hardcoded credentials or secrets

Related issue

Closes #105

Checklist

  • My code follows the rule template in CONTRIBUTING.md
  • I added or updated the matching CLI playbook
  • I added or updated all four compliance framework mappings
  • I have not committed any real Azure credentials
  • My branch name follows the convention: feat/description


- Add scanner/rules/az_net_015.py to detect public DNS zones
- Add get_dns_zones() to azure_client.py using DnsManagementClient
- Add playbooks/cli/fix_az_net_015.sh remediation script
- Add azure-mgmt-dns==8.0.0 to requirements.txt
- Update all 4 compliance framework JSONs with AZ-NET-015 mappings
m-khan-97 (Collaborator) left a comment

Thanks for the contribution. I am reviewing the open network-rule PRs as a batch so we avoid duplicate or noisy rules.

Please update/rebase this branch against the latest dev first, because the PR is currently conflicting.

For the rule logic: public DNS zones are not automatically a misconfiguration. Many legitimate public-facing services require public DNS. Before this can merge, the detection needs to be narrowed so it avoids noisy false positives. Good directions would be to flag public DNS records that expose private RFC1918 IPs, internal-looking hostnames such as admin, vpn, db, internal, dev, or zones/records missing an explicit metadata exception for intentionally public services.

Also please re-check the CIS mapping. The current mapping to CIS 9.2 / NSG rules does not obviously match public DNS zone exposure.

Once the branch is conflict-free and the rule is more precise, this can be re-reviewed.
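The narrowed detection the reviewer asks for, as an added example that is not code from this PR or from the openshield-org repository. It assumes a simplified, constructed zone shape instead of the real azure-mgmt-dns object model (each zone is a dict with `name`, `zone_type`, `metadata` and `records`; each record has a relative `name`, `type` and `values`), and a hypothetical metadata key `openshield-public-ok` that a zone owner sets to declare the zone intentionally public. It implements all three directions from the comment: RFC1918 addresses in A records, internal-looking hostname labels, and public zones with no metadata exception.

```python
"""Narrowed AZ-NET-015 check: flag only public DNS zones that look wrong.

Added example; not the PR's rule file and not the project's client code.
Zone/record shapes below are a constructed simplification of the Azure DNS
SDK objects (assumption).
"""
import ipaddress
import json

RULE_ID = "AZ-NET-015"
SEVERITY = "MEDIUM"  # severity stated in the PR description

# RFC1918 ranges only. ipaddress's is_private also covers documentation and
# other special-use blocks (e.g. 203.0.113.0/24), which would over-flag.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Labels the reviewer listed as internal-looking; matched per label, not as
# substrings, so "devices" or "dbx" do not match.
INTERNAL_LABELS = {"admin", "vpn", "db", "internal", "dev"}

# Hypothetical zone metadata key (assumption) an owner sets to "true" to
# declare a zone intentionally public.
EXCEPTION_KEY = "openshield-public-ok"


def is_rfc1918(value):
    """True when value parses as an IPv4 address inside an RFC1918 block."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)


def internal_labels(relative_name):
    """Internal-looking labels in a record name such as 'vpn-gw' or 'db.internal'."""
    labels = relative_name.lower().replace("-", ".").split(".")
    return sorted(INTERNAL_LABELS.intersection(labels))


def finding(zone, fqdn, reason):
    """Build one JSON-serialisable finding record."""
    return {"rule_id": RULE_ID, "severity": SEVERITY, "zone": zone["name"],
            "record": fqdn, "reason": reason}


def evaluate_zone(zone):
    """Return the findings for one zone; an empty list means nothing looked wrong."""
    findings = []
    if zone.get("zone_type") != "Public":
        return findings  # private zones are out of scope for this rule
    exempt = str(zone.get("metadata", {}).get(EXCEPTION_KEY, "")).lower() == "true"

    for rec in zone.get("records", []):
        fqdn = zone["name"] if rec["name"] == "@" else f"{rec['name']}.{zone['name']}"
        # An RFC1918 address in a public A record leaks internal addressing
        # regardless of any exception, so it is always reported.
        if rec["type"] == "A":
            leaked = [v for v in rec["values"] if is_rfc1918(v)]
            if leaked:
                findings.append(finding(zone, fqdn,
                    f"A record publishes RFC1918 address(es): {', '.join(leaked)}"))
        # Hostname heuristic is suppressed when the owner declared the zone public.
        labels = internal_labels(rec["name"])
        if labels and not exempt:
            findings.append(finding(zone, fqdn,
                f"internal-looking hostname label(s): {', '.join(labels)}"))

    # Generic finding only when nothing more specific fired and no exception exists;
    # this one is useful only once owners adopt the metadata convention.
    if not exempt and not findings:
        findings.append(finding(zone, None,
            f"public zone has no '{EXCEPTION_KEY}' metadata exception"))
    return findings


def scan(zones):
    """Evaluate every zone and flatten the findings into one list."""
    return [f for zone in zones for f in evaluate_zone(zone)]


# Constructed sample zones (not real Azure data); 203.0.113.0/24 is a documentation range.
SAMPLE_ZONES = [
    {"name": "example.com", "zone_type": "Public", "metadata": {EXCEPTION_KEY: "true"},
     "records": [{"name": "@", "type": "A", "values": ["203.0.113.10"]},
                 {"name": "www", "type": "CNAME", "values": ["example.com"]}]},
    {"name": "corp.example", "zone_type": "Public", "metadata": {},
     "records": [{"name": "vpn-gw", "type": "A", "values": ["10.20.30.40"]},
                 {"name": "db", "type": "CNAME", "values": ["sql.internal.corp.example"]},
                 {"name": "shop", "type": "A", "values": ["203.0.113.20"]}]},
    {"name": "intranet.example", "zone_type": "Private", "metadata": {},
     "records": [{"name": "@", "type": "A", "values": ["192.168.1.1"]}]},
    {"name": "blog.example", "zone_type": "Public", "metadata": {},
     "records": [{"name": "@", "type": "A", "values": ["203.0.113.30"]}]},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_ZONES), indent=2))
```

On the sample data the exempt `example.com` zone produces nothing, `corp.example` produces three findings (the RFC1918 leak plus two hostname hits), the private zone is skipped, and `blog.example` gets only the generic no-exception finding; a plain "zone is Public" rule would have flagged all three public zones equally.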
