How to protect DNS zones and records

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

DNS zones and records are critical resources. Deleting a DNS zone or a single DNS record can result in a service outage. It's important that DNS zones and records are protected against unauthorized or accidental changes.

This article explains how Azure DNS enables you to protect your private DNS zones and records against such changes. We apply two powerful security features provided by Azure Resource Manager: Azure role-based access control (Azure RBAC) and resource locks.

Role-based access control

Azure role-based access control (Azure RBAC) enables fine-grained access management for Azure users, groups, and resources. With RBAC, you can grant the level of access that users need. For more information about how RBAC helps you manage access, see What is Azure role-based access control (Azure RBAC).

The DNS Zone Contributor role

The DNS Zone Contributor role is a built-in role for managing private DNS resources. Applied to a user or group, this role enables them to manage DNS resources.

The resource group myResourceGroup contains five zones for Contoso Corporation. Granting the DNS administrator DNS Zone Contributor permissions to that resource group enables full control over those DNS zones, and avoids granting unnecessary permissions: the DNS administrator can't create or stop virtual machines.

The simplest way to assign RBAC permissions is via the Azure portal.

Open Access control (IAM) for the resource group, then select Add, then select the DNS Zone Contributor role. Select the required users or groups to grant permissions.

[Figure: Resource group level RBAC using the Azure portal]

Permissions can also be granted using Azure PowerShell:

# Grant 'DNS Zone Contributor' permissions to all zones in a resource group

$usr = "<user email address>"
$rol = "DNS Zone Contributor"
$rsg = "<resource group name>"

New-AzRoleAssignment -SignInName $usr -RoleDefinitionName $rol -ResourceGroupName $rsg

The equivalent command is also available via the Azure CLI:

# Grant 'DNS Zone Contributor' permissions to all zones in a resource group

az role assignment create \
--assignee "<user email address>" \
--role "DNS Zone Contributor" \
--resource-group "<resource group name>"

Zone level RBAC

Azure RBAC rules can be applied to a subscription, a resource group, or an individual resource. That resource can be an individual DNS zone, or an individual record set.

For example, the resource group myResourceGroup contains the zone contoso.com and a subzone customers.contoso.com. CNAME records are created for each customer account. The administrator account used to manage CNAME records is assigned permissions to create records in the customers.contoso.com zone. The account can manage customers.contoso.com only.

Zone-level RBAC permissions can be granted via the Azure portal. Open Access control (IAM) for the zone, select Add, then select the DNS Zone Contributor role and select the required users or groups to grant permissions.

[Figure: DNS zone level RBAC using the Azure portal]

Permissions can also be granted using Azure PowerShell:

# Grant 'DNS Zone Contributor' permissions to a specific zone

$usr = "<user email address>"
$rol = "DNS Zone Contributor"
$rsg = "<resource group name>"
$zon = "<zone name>"
$typ = "Microsoft.Network/DNSZones"

New-AzRoleAssignment -SignInName $usr -RoleDefinitionName $rol -ResourceGroupName $rsg -ResourceName $zon -ResourceType $typ

The equivalent command is also available via the Azure CLI:

# Grant 'DNS Zone Contributor' permissions to a specific zone

az role assignment create \
--assignee "<user email address>" \
--role "DNS Zone Contributor" \
--scope "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/DnsZones/<zone name>/"
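As an added example (not code from the original article), the following Azure PowerShell script grants DNS Zone Contributor at zone scope for the customers.contoso.com scenario above and then lists every assignment of that role that reaches the zone, so that grants made at a broader scope (resource group or subscription) are visible in a least-privilege review. It assumes Az.Accounts and Az.Resources are installed, Connect-AzAccount has already been run, and the user and resource group names are placeholders.

```powershell
# Added example, not from the original article: grant 'DNS Zone Contributor' on a single zone
# and then review every assignment of that role that reaches the zone, so that grants made at a
# broader scope (resource group or subscription) show up in a least-privilege review.
# Assumptions: Az.Accounts and Az.Resources are installed, Connect-AzAccount has run, and the
# user and resource group names are placeholders (customers.contoso.com is the scenario above).

$usr = "<user email address>"
$rol = "DNS Zone Contributor"
$rsg = "<resource group name>"
$zon = "customers.contoso.com"
$sub = (Get-AzContext).Subscription.Id

# The three scopes at which a role assignment can reach this zone, broadest first.
$subScope  = "/subscriptions/$sub"
$rgScope   = "$subScope/resourceGroups/$rsg"
$zoneScope = "$rgScope/providers/Microsoft.Network/dnsZones/$zon"

# Grant at zone scope only; equivalent to the -ResourceName/-ResourceType form shown above.
New-AzRoleAssignment -SignInName $usr -RoleDefinitionName $rol -Scope $zoneScope

# Review: Get-AzRoleAssignment -Scope returns assignments made at that scope and those
# inherited from parent scopes, so anything not labelled 'zone' is broader than required.
Get-AzRoleAssignment -Scope $zoneScope -RoleDefinitionName $rol |
    Select-Object DisplayName, SignInName, ObjectType, Scope,
        @{ Name = 'GrantedAt'; Expression = {
            switch ($_.Scope) {
                $zoneScope { 'zone (least privilege)' }
                $rgScope   { 'resource group (every zone in the group)' }
                $subScope  { 'subscription (every zone in the subscription)' }
                default    { 'other' }
            } } } |
    Format-Table -AutoSize
```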

Record set level RBAC

Permissions can also be applied at the record set level. The user is granted control over the entries they need and is unable to make any other changes.

Record-set level RBAC permissions can be configured via the Azure portal, using the Access Control (IAM) button on the record set page:

[Figure: Record set level RBAC using the Azure portal]

Record-set level RBAC permissions can also be granted using Azure PowerShell:

# Grant permissions to a specific record set

$usr = "<user email address>"
$rol = "DNS Zone Contributor"
$sco = "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/dnszones/<zone name>/<record type>/<record name>"

New-AzRoleAssignment -SignInName $usr -RoleDefinitionName $rol -Scope $sco

The equivalent command is also available via the Azure CLI:

# Grant permissions to a specific record set

az role assignment create \
--assignee "<user email address>" \
--role "DNS Zone Contributor" \
--scope "/subscriptions/<subscription id>/resourceGroups/<resource group name>/providers/Microsoft.Network/dnszones/<zone name>/<record type>/<record name>"

Custom roles

The built-in DNS Zone Contributor role enables full control over a DNS resource. It's possible to build your own custom Azure roles to provide finer-grained control.

For example, the account that is used to manage CNAMEs can be granted permission to manage CNAME records only. The account is then unable to modify records of other types, and unable to perform zone-level operations such as zone delete.

The following example shows a custom role definition for managing CNAME records only:

{
    "Name": "DNS CNAME Contributor",
    "Id": "",
    "IsCustom": true,
    "Description": "Can manage DNS CNAME records only.",
    "Actions": [
        "Microsoft.Network/dnsZones/CNAME/*",
        "Microsoft.Network/dnsZones/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*"
    ],
    "NotActions": [
    ],
    "AssignableScopes": [
        "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
    ]
}

The Actions property defines the following DNS-specific permissions:

  • Microsoft.Network/dnsZones/CNAME/* grants full control over CNAME records
  • Microsoft.Network/dnsZones/read grants permission to read DNS zones, but not to modify them, enabling you to see the zone in which the CNAME is being created.

The remaining Actions are copied from the DNS Zone Contributor built-in role.

Note

Using an Azure custom role to prevent deleting record sets while still allowing them to be updated is not an effective control. It prevents record sets from being deleted, but it does not prevent them from being modified. Permitted modifications include adding and removing records from the record set, including removing all records to leave an empty record set. This has the same effect as deleting the record set from a DNS resolution viewpoint.

Custom role definitions can't currently be defined via the Azure portal. A custom role based on this role definition can be created using Azure PowerShell:

# Create new role definition based on input file
New-AzRoleDefinition -InputFile <file path>
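Rather than hand-writing the JSON, the same CNAME-only role can be derived from the built-in DNS Zone Contributor definition, which keeps the non-DNS actions in sync with the built-in role and replaces only the DNS wildcard. This is an added example, not code from the original article; it assumes Az.Resources is installed, Connect-AzAccount has run, and the assignable scope is taken from the current subscription rather than the literal id used above.

```powershell
# Added example, not from the original article: build the CNAME-only custom role shown above
# from the built-in 'DNS Zone Contributor' definition instead of hand-writing the JSON.
# Assumptions: Az.Resources is installed, Connect-AzAccount has run, and the assignable scope
# is the current subscription (the original JSON used a literal subscription id).

$sub = (Get-AzContext).Subscription.Id

# Copy the built-in role and clear the properties that must not be reused.
$role = Get-AzRoleDefinition -Name "DNS Zone Contributor"
$role.Id          = $null
$role.Name        = "DNS CNAME Contributor"
$role.Description = "Can manage DNS CNAME records only."
$role.IsCustom    = $true

# Replace the 'Microsoft.Network/dnsZones/*' wildcard with CNAME write access plus
# read-only access to zones; every other built-in action is kept unchanged.
$dnsActions = @("Microsoft.Network/dnsZones/CNAME/*", "Microsoft.Network/dnsZones/read")
$kept = @($role.Actions | Where-Object { $_ -notlike "Microsoft.Network/dnsZones*" })
$role.Actions.Clear()
foreach ($a in ($dnsActions + $kept)) { $role.Actions.Add($a) }

# Restrict where the role can be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$sub")

# Sanity check before creating: no remaining action may cover other record types or zone delete.
$tooBroad = @($role.Actions | Where-Object {
    $_ -like "Microsoft.Network/dnsZones/*" -and $_ -notin $dnsActions
})
if ($tooBroad.Count -gt 0) {
    throw "Refusing to create role; over-broad actions: $($tooBroad -join ', ')"
}

New-AzRoleDefinition -Role $role
```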

It can also be created via the Azure CLI:

# Create new role definition based on input file
az role definition create --role-definition @<file path>

The role can then be assigned in the same way as built-in roles, as described earlier in this article.

For more information on how to create, manage, and assign custom roles, see Custom Roles in Azure RBAC.

Resource locks

Azure Resource Manager supports another type of security control, the ability to lock resources. Resource locks are applied to the resource, and are effective across all users and roles. For more information, see Lock resources with Azure Resource Manager.

There are two types of resource lock: CanNotDelete and ReadOnly. These lock types can be applied either to a Private DNS zone, or to an individual record set. The following sections describe several common scenarios, and how to support them using resource locks.

Protecting against all changes

To prevent changes being made, apply a ReadOnly lock to the zone. This lock prevents new record sets from being created, and existing record sets from being modified or deleted.

Zone level resource locks can be created via the Azure portal. From the DNS zone page, select Locks, then select +Add:

[Figure: Zone level resource locks using the Azure portal]

Zone-level resource locks can also be created via Azure PowerShell:

# Lock a DNS zone

$lvl = "<lock level>"
$lnm = "<lock name>"
$rsc = "<zone name>"
$rty = "Microsoft.Network/DNSZones"
$rsg = "<resource group name>"

New-AzResourceLock -LockLevel $lvl -LockName $lnm -ResourceName $rsc -ResourceType $rty -ResourceGroupName $rsg

The equivalent command is also available via the Azure CLI:

# Lock a DNS zone

az lock create \
--lock-type "<lock level>" \
--name "<lock name>" \
--resource-name "<zone name>" \
--namespace "Microsoft.Network" \
--resource-type "DnsZones" \
--resource-group "<resource group name>"

Protecting individual records

To protect an existing DNS record set against modification, apply a ReadOnly lock to the record set.

Note

Applying a CanNotDelete lock to a record set is not an effective control. It prevents the record set from being deleted, but it does not prevent it from being modified. Permitted modifications include adding and removing records from the record set, including removing all records to leave an empty record set. This has the same effect as deleting the record set from a DNS resolution viewpoint.

Record set level resource locks can currently only be configured using Azure PowerShell. They aren't supported in the Azure portal or Azure CLI.

# Lock a DNS record set

$lvl = "<lock level>"
$lnm = "<lock name>"
$rsc = "<zone name>/<record set name>"
$rty = "Microsoft.Network/DNSZones/<record type>"
$rsg = "<resource group name>"

New-AzResourceLock -LockLevel $lvl -LockName $lnm -ResourceName $rsc -ResourceType $rty -ResourceGroupName $rsg

Protecting against zone deletion

When a zone is deleted in Azure DNS, all record sets in the zone are deleted. This operation can't be undone. Accidentally deleting a critical zone has the potential to have a significant business impact. It's important to protect against accidental zone deletion.

Applying a CanNotDelete lock to a zone prevents the zone from being deleted. Locks are inherited by child resources, so the lock also prevents any record set in the zone from being deleted. As described in the note above, that part of the protection is ineffective, since records can still be removed from the existing record sets.

As an alternative, apply a CanNotDelete lock to a record set in the zone, such as the SOA record set. The zone can't be deleted without also deleting its record sets. This lock protects against zone deletion, while still allowing record sets within the zone to be modified freely. If an attempt is made to delete the zone, Azure Resource Manager detects that the removal would also delete the SOA record set, and blocks the call because the SOA record set is locked. No record sets are deleted.

The following PowerShell command creates a CanNotDelete lock against the SOA record of the given zone:

# Protect against zone delete with CanNotDelete lock on the record set

$lvl = "CanNotDelete"
$lnm = "<lock name>"
$rsc = "<zone name>/@"
$rty = "Microsoft.Network/DNSZones/SOA"
$rsg = "<resource group name>"

New-AzResourceLock -LockLevel $lvl -LockName $lnm -ResourceName $rsc -ResourceType $rty -ResourceGroupName $rsg
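The command above protects one zone; in practice you want to know which zones in a resource group lack that protection. The following script is an added example (not code from the original article) that audits every Azure DNS zone in a resource group for a deletion-blocking lock on its SOA record set and optionally applies the CanNotDelete lock where it is missing. It assumes Az.Dns and Az.Resources are installed, Connect-AzAccount has run, and the resource group and lock name are placeholders.

```powershell
# Added example, not from the original article: audit every Azure DNS zone in a resource group
# for the SOA-record-set CanNotDelete lock described above, and optionally apply it where missing.
# Assumptions: Az.Dns and Az.Resources are installed, Connect-AzAccount has run, and the
# resource group and lock name below are placeholders.

$rsg   = "<resource group name>"
$lnm   = "<lock name>"
$apply = $false   # set to $true to create the lock on zones that lack it

foreach ($zone in Get-AzDnsZone -ResourceGroupName $rsg) {
    $zon = $zone.Name

    # Read the locks that apply to the SOA record set ('<zone>/@' of type dnsZones/SOA).
    # Get-AzResourceLock also returns locks inherited from the zone or resource group,
    # and those count as protection too.
    $locks = @(Get-AzResourceLock -ResourceGroupName $rsg -ResourceName "$zon/@" `
                                  -ResourceType "Microsoft.Network/DNSZones/SOA" `
                                  -ErrorAction SilentlyContinue)

    # Either lock level blocks deletion of the SOA record set, and therefore of the zone.
    $blocking = @($locks | Where-Object { $_.Properties.level -in 'CanNotDelete', 'ReadOnly' })

    if ($blocking.Count -gt 0) {
        Write-Host "$zon : zone deletion blocked by lock(s) $($blocking.Name -join ', ')"
        continue
    }

    Write-Warning "$zon : no deletion-blocking lock on the SOA record set; the zone can be deleted"
    if ($apply) {
        New-AzResourceLock -LockLevel CanNotDelete -LockName $lnm -ResourceName "$zon/@" `
                           -ResourceType "Microsoft.Network/DNSZones/SOA" `
                           -ResourceGroupName $rsg -Force | Out-Null
        Write-Host "$zon : lock '$lnm' applied"
    }
}
```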

Another option to prevent accidental zone deletion is by using a custom role. This role ensures the accounts used to manage your zones don't have zone delete permissions.

When you do need to delete a zone, you can enforce a two-step delete:

  • First, grant zone delete permissions.
  • Second, grant permissions to delete the zone.

The custom role works for all zones accessed by those accounts. Accounts with zone delete permissions, such as the subscription owner, can still accidentally delete a zone.

It's possible to use both approaches, resource locks and custom roles, at the same time, as a defense-in-depth approach to DNS zone protection.

Next steps