This document describes the integration process of the ThreatSTOP DNS Defense with a BIND 9 DNS server running on Microsoft Azure.

ThreatSTOP Account Setup

Setting up a ThreatSTOP account for Azure is simple. The first thing you will need is a ThreatSTOP account, which you can sign up for here. After providing your information and logging in to your account, navigate to the API Keys page to find your API token.

Click on the “Click to show” row and copy the key to the clipboard; you will need it during the Azure side of the account creation process.

Step 1: Virtual machine selection

  • Search for ThreatSTOP.
  • Click on ThreatSTOP DNS Firewall in the search results.
  • Click Create.

Step 2: VM Configuration

There are five blades of information to provide prior to deployment. Fill out each blade in turn, clicking OK at the end of each blade to save the new settings.

Basics blade

  • DNS Firewall VM name – choose a server name. Because TS recommends deploying two DNS firewalls (for redundancy), a suitable name is something like “TSDNSFirewall1” for your first deployment, or “TSDNSFirewall2” for your second deployment.
  • Admin username – this is the root username for the DNS firewall, e.g. “tsadmin” or “dnsadmin”, etc.
  • Authentication Type – select Password or SSH public key.
  • Password – make this a complex password. You will use SSH to remote into your DNS firewall using this password.
  • SSH public key – copy and paste an OpenSSH public key, which can be generated with ssh-keygen on Linux/OS X or PuTTYgen on Windows.
  • Location – the Azure location must match the location of the Virtual Network (vnet) you wish to protect.

Network and Storage Settings

  • Virtual Machine Size – select a virtual machine size. Your ThreatSTOP advisor can help you select an appropriate VM size based on your predicted workload. Cost varies by machine size. Note: Azure A2 is our default deployment VM; A3 is also acceptable.

  • Virtual network – select the Azure virtual network on which you wish to add DNS firewall protection. If you create a new virtual network, you will also have to provide the address space in CIDR format. For more information see the Azure vnet documentation.

  • Subnet - select or create the subnet where your DNS Firewall will reside. Best practices dictate that your DNS Firewall should be in a separate subnet (e.g. a DMZ) from the machines you wish to protect. You should select an existing subnet for the DNS Firewall. If you are using an existing virtual network and would like to create a new subnet for your DNS Firewall, you should create the subnet first through the Azure portal prior to installing this marketplace solution template.
  • Public IP address - name of the subnet that will provide the public IP address for your DNS firewall.
  • DNS Prefix – enter a custom prefix for the FQDN of the public IP address of the DNS firewall. It should contain lowercase letters and numbers only; dashes are allowed.
  • Storage Account – select or create the storage account and storage type to hold the virtual machine. Because the DNS Firewall does not store critical data, premium storage is not needed in most situations. For more information see the Azure storage documentation.

Firewall Configuration

  • License key – enter your ThreatSTOP license key. This is the API key you copied to the clipboard in ThreatSTOP Account Setup.

  • Review your deployment selections and click OK if no changes are needed.

  • Review the Terms and Conditions, then click the Create button to start the deployment process. This process will take around 10 minutes to complete.

This closes the setup windows, and an icon similar to the following appears on your Azure Dashboard. Once it changes, your Resource Group will be available and you will be able to log in to your new DNS firewall.

Deploying a Second ThreatSTOP DNS Firewall

To deploy a second ThreatSTOP DNS Firewall (for redundancy), follow the same steps above, ensuring that you:

  • Enter a different name for your firewall, e.g. “TSDNSFirewall2”
  • Select the same Resource Group as the first DNS Firewall
  • Select the same Virtual Network
  • Select the same Subnet
  • Use the same license key and ThreatSTOP account credentials. ThreatSTOP DNS Firewall is licensed in pairs, so the same license key will work for up to two servers.

Note that your DNS Firewalls will be deployed into an Azure Availability Set named “TSAvailabilitySet”.

Connecting to Your DNS Firewall via SSH

After your resource group has been successfully deployed, you will be able to log in to your DNS Firewall using SSH. To find the IP address to log in to:

  • Open the resource group by clicking on its icon in the Azure Dashboard.
  • Click on the icon for your Virtual Network. This will open the Virtual network blade. The connected devices will list the IP address of your DNS Firewall device. This can be used with your favorite SSH program to access the server. The username and password (or SSH public key) provided in the Basics blade will allow you to log in to the server.

Configuring your clients for ThreatSTOP protection

The client machines must be configured to use your new ThreatSTOP DNS Firewalls for DNS resolution. The easiest way to make this configuration is by changing the DNS settings for your virtual network:

  • In the Azure portal, click on the resource group containing the client subnet.
  • Click on the virtual network containing the client subnet.
  • Click on DNS servers.
  • Click on Custom DNS.
  • Enter the internal IP address of your primary DNS firewall. Verify the IP address in your installation; it is listed under the connected devices of the virtual network (see Connecting to Your DNS Firewall via SSH).
  • If you have deployed a second DNS Firewall, enter its internal IP address as the Secondary DNS server.
  • Click the Save button. You may need to restart or reload the network configuration on your client machines in order to use the new DNS settings. In Ubuntu, the command to reload the network configuration without having to restart your virtual machine is:
    sudo ifdown eth0 && sudo ifup eth0

Add a Network Security Group to your client Subnet

Best practices include adding an Azure Network Security Group (NSG) to your client subnet so that DNS queries can only be made to the DNS Firewalls. You should only add a new NSG if your DNS Firewalls reside in a separate DMZ subnet and NOT in the same subnet as your protected clients. To add the Network Security Group to your client subnet:

  • In your Azure portal open the Resource Group for your DNS Firewall, then click on the Add + button.
  • Type “network” and select Network Security Group (NSG) when it appears as an option.
  • Use the Resource Manager as your deployment model and click on Create.
  • Enter a name for your NSG, e.g. “TSDNSClientNSG” and select the Resource Group containing your protected virtual network.
  • Once deployment of the NSG is completed, select the new NSG.
  • Click Outbound Security Rules.

Add the following two outbound rules:

  • Rule #1
    • Name: AllowToOwnDNS
    • Priority: 120
    • Destination IP address range: [enter the CIDR of your DNS Firewall DMZ, e.g., or just the CIDR of your two firewalls, e.g.]. Note: This will be the same IP address or CIDR range as you use to login to the DNS Firewalls.
    • Destination Port Range: 53
    • Source: Any
    • Protocol: Any
    • Source Port Range: *
    • Action: Allow
  • Rule #2
    • Name: BlockAllDNSQueries
    • Priority: 130
    • Destination: Any
    • Destination Port Range: 53
    • Source: Any
    • Protocol: Any
    • Source Port Range: *
    • Action: Deny

You may also want to click the Default rules button to add the Azure default outbound rules for Internet traffic. Rules are evaluated in order of priority (lower numbers first). Once a rule matches, no further rules are evaluated for that flow.

You should also create inbound rules in the NSG to allow whatever inbound access you need to your client subnet. Typically, you would allow RDP and/or SSH traffic from a jumpbox or other network, plus any other ports needed for your network. By default, the DNS Firewall allows SSH access from the entire Internet. You may wish to restrict access by customizing your NSG following installation. The process to do this is explained in Securing the SSH Login Method. Assign the newly created NSG to your client subnet by selecting the subnet in the Azure portal, clicking on the Network security group button, selecting the newly created “TSDNSClientNSG” and clicking the Save button. No reboot is required at this time.

Securing the SSH Login Method

After initial setup has been completed, it is recommended to modify the SSH login method so that it is only available from computers inside your network. To do this, create inbound security rules in the NSG with the following two rules:

Rule 1

  • Name: AllowAccessToSSH
  • Priority: 100
  • Source: CIDR block
  • Source IP Address range: [enter the CIDR of your management device, e.g., this will need to be a fixed address to allow the data from the management system to pass through to the DNS firewall]
  • Protocol: TCP
  • Source Port Range: 22
  • Destination: [enter the CIDR of the firewall device, eg.]
  • Destination Port Range: 22
  • Action: Allow

Rule 2

  • Name: RestrictAccessToSSH
  • Priority: 130
  • Source: Any
  • Protocol: Any
  • Source Port Range: *
  • Destination: CIDR block
  • Destination IP Address range: [enter the CIDR of the firewall device, eg.]
  • Action: Deny
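The two rule sets above (the client-subnet outbound rules and the firewall-subnet SSH rules) are easy to get subtly wrong, because an NSG stops at the first matching rule. The following Python model is an added example, not ThreatSTOP's or Azure's code: it evaluates flows against rules in priority order so you can check the intent before applying the rules in the portal. The CIDRs are constructed placeholders; the SSH allow rule uses * as the source port range because SSH clients connect from ephemeral ports, and the SSH deny rule is pinned to destination port 22 so it cannot also block the clients' DNS queries to the firewall.

```python
import ipaddress

def _in_scope(spec, ip):
    # "Any" matches everything; otherwise the address must fall inside the CIDR
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port_ok(spec, port):
    return spec == "*" or spec == port

def _matches(rule, f):
    return (rule["protocol"] in ("Any", f["proto"])
            and _in_scope(rule["src"], f["src_ip"]) and _port_ok(rule["src_port"], f["src_port"])
            and _in_scope(rule["dst"], f["dst_ip"]) and _port_ok(rule["dst_port"], f["dst_port"]))

def evaluate(rules, f):
    """First match by ascending priority wins, as in an Azure NSG; no match -> Deny."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if _matches(r, f):
            return r["action"], r["name"]
    return "Deny", "<implicit>"

def rule(name, priority, action, src="Any", src_port="*", dst="Any", dst_port="*", protocol="Any"):
    return dict(name=name, priority=priority, action=action, src=src, src_port=src_port,
                dst=dst, dst_port=dst_port, protocol=protocol)

def flow(src_ip, dst_ip, dst_port, proto="UDP", src_port=40000):
    # src_port defaults to an ephemeral port, which is what real clients use
    return dict(src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port, proto=proto)

# Constructed addresses: the firewall DMZ subnet and a fixed management host
FIREWALL_CIDR = "10.0.1.0/24"
MGMT_CIDR = "203.0.113.10/32"

# Outbound rules for the client subnet, as on the page, plus the shape of
# Azure's default AllowInternetOutBound rule (priority 65001)
CLIENT_OUTBOUND = [
    rule("AllowToOwnDNS", 120, "Allow", dst=FIREWALL_CIDR, dst_port=53),
    rule("BlockAllDNSQueries", 130, "Deny", dst_port=53),
    rule("AllowInternetOutBound", 65001, "Allow"),
]

# Inbound SSH rules for the firewall subnet: source port "*" because SSH
# clients connect from ephemeral ports, and the deny pinned to port 22 so it
# cannot also swallow the clients' DNS queries
FIREWALL_INBOUND = [
    rule("AllowAccessToSSH", 100, "Allow", src=MGMT_CIDR, dst=FIREWALL_CIDR, dst_port=22, protocol="TCP"),
    rule("RestrictAccessToSSH", 130, "Deny", dst=FIREWALL_CIDR, dst_port=22),
]
```

Swapping the two outbound priorities (deny at 110, allow at 120) makes the deny win for queries to the firewall as well, which the model reveals immediately.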

Using the ThreatSTOP DNS Firewall to protect networks outside Azure

By default, the ThreatSTOP DNS Firewalls are configured to restrict DNS queries to your Azure virtual network. You may modify the configuration of your DNS Firewalls to allow queries from networks external to Azure.

  • Modify the TSDNSNetworkSecurityGroup – this NSG is assigned to your DNS Firewall subnet and restricts inbound DNS traffic (port 53) to just the ThreatSTOP Masters. These rules should not be modified. You may add additional rules to allow inbound DNS queries on port 53 from the networks of your choice.
  • The DNS Firewalls use BIND and are configured with an ACL limiting recursive queries to the Azure virtual network. You must also modify the BIND configuration file by adding your external networks to the ACL for recursive queries:
    • SSH into your DNS firewall
    • After logging in enter the following command:
        sudo vi /etc/bind/named.conf.options
    • Modify the following line to include your external network in CIDR format, with each entry terminated by a semicolon:
        acl "trusted" { localnets;; };
    • Then restart the service by issuing the command:
        sudo service bind9 restart
  • You will then need to adjust your network to use the Azure DNS Firewall as its DNS service, using the Virtual Net’s external IP address.
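The ACL edit above is a one-line change, but a wrong entry either breaks recursion for your own vnet or, with a catch-all prefix, turns the firewall into an open resolver. The following Python helper is an added example, not ThreatSTOP's tooling: it validates the network, refuses a /0, skips entries that are already present, and rewrites only the acl "trusted" block. The sample file contents and the 10.0.0.0/16 vnet entry are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of /etc/bind/named.conf.options in the shape the page
# describes; the 10.0.0.0/16 vnet entry is a placeholder for the example.
SAMPLE_OPTIONS = '''options {
    directory "/var/cache/bind";
    allow-recursion { trusted; };
};
acl "trusted" { localnets; 10.0.0.0/16; };
'''

# Matches the acl "trusted" block: opener, entry list, closer.
ACL_RE = re.compile(r'(acl\s+"trusted"\s*\{)([^}]*)(\};)')

def trusted_entries(text):
    """Return the entries of acl "trusted" as a list of strings."""
    m = ACL_RE.search(text)
    if not m:
        raise ValueError('no acl "trusted" block found')
    return [e.strip() for e in m.group(2).split(";") if e.strip()]

def add_trusted_network(text, cidr):
    """Append a validated network to acl "trusted" and return the new text.

    Rejects host addresses with a mismatched prefix and a catch-all prefix,
    which would turn the DNS firewall into an open resolver. Re-running with a
    network that is already present leaves the text unchanged."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad input
    if net.prefixlen == 0:
        raise ValueError("refusing to allow recursion from everywhere")
    entries = trusted_entries(text)
    if str(net) in entries:
        return text
    entries.append(str(net))
    body = " " + "; ".join(entries) + "; "
    return ACL_RE.sub(lambda m: m.group(1) + body + m.group(3), text, count=1)
```

Write the returned text back to named.conf.options and then restart bind9 as described above.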

Changing your ThreatSTOP DNS Policy

  • Change the policy associated with the device using the ThreatSTOP Portal (edit the device configuration)

  • Reconfigure BIND

Your BIND configuration needs to be told to use the new policy name. ThreatSTOP provides a script to assist with the reconfiguration. This script is called and has been placed in /usr/local/bin on the DNS firewall. To execute it, include the name of the new policy (as listed on the Policies tab in the ThreatSTOP Portal) as an argument, appending “.rpz.threatstop.local” to the policy name you selected. Be sure to use sudo when executing the command on the DNS firewall:

tsadmin@fwVM:~$ sudo  [Zone name retrieved from device settings] 
Detected existing policy [Previous RPZ Zone name].
Replace this with policy  [Zone name retrieved from device settings]  (Y/N) ? Y