Why can't I see DNS responses in Azure Firewall Log?

Rueff, Adm_Glenn 0 Reputation points
2024-12-09T23:50:59.5533333+00:00

This is mostly a logging/KQL question, I think... I have an Azure firewall (Premium SKU) with a rule that allows DNS requests on the standard port and it works fine. I can use dig @<dns-ip> ... and get the response I would expect to see. However, when I search the AZFWNetworkRule table, I only see DNS requests, no responses, even though clearly the response is getting back to the client.

The KQL query I'm using to search the table is:


AZFWNetworkRule
| where TimeGenerated > ago(2h)
| where DestinationIp in ("<dns-ip-1>", "<dns-ip-2>") or SourceIp in ("<dns-ip-1>", "<dns-ip-2>")
| project TimeGenerated, SourceIp, DestinationIp, DestinationPort, RuleCollection, Action

However, the only results I see from this query are requests heading to the DNS server. There aren't any responses going back to the client. Am I formulating my query incorrectly? Shouldn't there also be a record for the response from the server?


1 answer

  1. KapilAnanth-MSFT 48,081 Reputation points Microsoft Employee
    2024-12-10T04:14:39.4066667+00:00

    @Rueff, Adm_Glenn ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I believe these are the expected logs.

    Azure Firewall is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

    See : Azure Firewall FAQ

    • This means a Network Rule allows a "flow".
    • i.e., the DNS queries are part of a single flow, and only the outgoing "flow" detail is logged, not the individual packets.
    • Each new "connection" that matches one of your configured network rules results in a log for the accepted/denied connection, not the individual packets going to and fro inside a connection.

    This is the case with any connection in Azure Firewall, not only DNS.

    Also see,

    If you are using DNS over TCP and would like to dig deeper into the logs, you can consider using Flow trace logs.

    Contains flow information, flags, and the time period when the flows were recorded. You can see full flow information such as SYN, SYN-ACK, FIN, FIN-ACK, RST, INVALID (flows).

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
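The per-flow behaviour described in the answer, as an added Python model. This is not Azure Firewall's implementation and not code from this thread: it is a toy stateful firewall whose connection table is keyed on the 5-tuple, so the DNS server's reply matches the reversed key of the flow the query opened and produces no second network-rule entry, while a per-packet flow-trace style record still captures TCP flags. The addresses, ports, log field names and the StatefulFirewall/Packet classes are all constructed for the illustration.

```python
"""Toy model of per-flow logging in a stateful firewall (added illustration,
not Azure Firewall's code). Only the packet that opens a new flow produces a
network-rule log entry; the reply matches the reversed 5-tuple of an existing
flow and is forwarded silently. TCP packets additionally produce a per-packet
flow-trace style record carrying their flags. All values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]  # (proto, src_ip, src_port, dst_ip, dst_port)


@dataclass(frozen=True)
class Packet:
    proto: str         # "UDP" or "TCP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = ""    # TCP flag label such as "SYN" or "FIN-ACK"; empty for UDP

    def key(self) -> FlowKey:
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> FlowKey:
        # The server's reply carries the same 5-tuple with source and destination swapped.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class StatefulFirewall:
    allowed_ports: Dict[str, Set[int]]                 # proto -> allowed destination ports
    flows: Set[FlowKey] = field(default_factory=set)   # connection table of accepted flows
    network_rule_log: List[dict] = field(default_factory=list)
    flow_trace_log: List[dict] = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        if pkt.key() in self.flows or pkt.reverse_key() in self.flows:
            # Existing flow in either direction: forwarded, no new rule log entry.
            action = "Allow"
        else:
            # New flow: evaluate the rule once and log the decision for the connection.
            allowed = pkt.dst_port in self.allowed_ports.get(pkt.proto, set())
            action = "Allow" if allowed else "Deny"
            if allowed:
                self.flows.add(pkt.key())
            self.network_rule_log.append({
                "SourceIp": pkt.src_ip, "DestinationIp": pkt.dst_ip,
                "DestinationPort": pkt.dst_port, "Action": action,
            })
        if pkt.proto == "TCP":
            # Flow-trace style record: one per packet, with the TCP flags seen.
            self.flow_trace_log.append({
                "SourceIp": pkt.src_ip, "DestinationIp": pkt.dst_ip, "Flag": pkt.flags,
            })
        return action


CLIENT, DNS_SERVER = "10.0.0.4", "10.1.0.4"   # constructed sample addresses


def simulate_udp_dns() -> Tuple[int, int]:
    """DNS query and reply over UDP; returns (rule log entries, flow trace entries)."""
    fw = StatefulFirewall(allowed_ports={"UDP": {53}, "TCP": {53}})
    fw.process(Packet("UDP", CLIENT, 53000, DNS_SERVER, 53))   # query opens the flow
    fw.process(Packet("UDP", DNS_SERVER, 53, CLIENT, 53000))   # reply matches reversed key
    return len(fw.network_rule_log), len(fw.flow_trace_log)


def simulate_tcp_dns() -> Tuple[int, List[str]]:
    """DNS over TCP handshake and teardown; returns (rule log entries, flags traced)."""
    fw = StatefulFirewall(allowed_ports={"UDP": {53}, "TCP": {53}})
    exchange = [
        Packet("TCP", CLIENT, 53001, DNS_SERVER, 53, "SYN"),
        Packet("TCP", DNS_SERVER, 53, CLIENT, 53001, "SYN-ACK"),
        Packet("TCP", CLIENT, 53001, DNS_SERVER, 53, "ACK"),
        Packet("TCP", CLIENT, 53001, DNS_SERVER, 53, "FIN"),
        Packet("TCP", DNS_SERVER, 53, CLIENT, 53001, "FIN-ACK"),
    ]
    for pkt in exchange:
        fw.process(pkt)
    return len(fw.network_rule_log), [rec["Flag"] for rec in fw.flow_trace_log]


def simulate_denied_port() -> str:
    """A flow to a port no rule allows is denied and never enters the connection table."""
    fw = StatefulFirewall(allowed_ports={"UDP": {53}})
    return fw.process(Packet("UDP", CLIENT, 53002, DNS_SERVER, 123))


if __name__ == "__main__":
    print("UDP DNS (rule entries, trace entries):", simulate_udp_dns())
    print("TCP DNS (rule entries, flags):", simulate_tcp_dns())
    print("UDP/123 to the DNS server:", simulate_denied_port())
```

Running the module shows one network-rule entry for the UDP exchange and none for the reply, one entry for the whole TCP session but five flow-trace records with the flags of each packet, which is the distinction between the AZFWNetworkRule results in the question and the flow trace detail the answer points to.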

