Azure Firewall DNS

Ghulam Abbas 211 Reputation points
2024-07-04T10:32:11.74+00:00

Hi, in our existing Azure Firewall configuration, under DNS, we have the DNS servers enabled with the default Azure provided DNS and the DNS proxy disabled. For all our other resources in Azure, we have 2 Azure domain controllers and these are also the DNS servers and all our resources in Azure are configured with these 2 DNS servers. We are looking to understand if we should change our Azure Firewall configuration as below:

A) Should we change the DNS servers from Azure default provided to be our custom DNS servers (the DCs).

B) Should we enable DNS proxy to forward the traffic to our custom DNS servers.

If we do both of these, our understanding is that we would need to update the DNS of each of our existing VNETs to be the private IP address of the Azure Firewall? We are looking for some advice/best practices and advantages/disadvantages based on our scenario.


Many thanks


Accepted answer
  1. GitaraniSharma-MSFT 49,601 Reputation points Microsoft Employee
    2024-07-04T11:29:19.6533333+00:00

    Hello @Ghulam Abbas ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how a DNS request is routed through the Azure Firewall DNS Proxy along with its advantages/disadvantages.

    By default, Azure Firewall uses Azure DNS when DNS Proxy is disabled.

    The DNS server setting lets you configure your own DNS servers, and with DNS Proxy enabled, the firewall directs the DNS traffic to the specified DNS servers for name resolution.

    Refer: https://docs.microsoft.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers

    If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers. You can configure a maximum of 15 DNS servers in Custom DNS.

    So, to summarize:

    • If DNS Proxy is disabled and Custom DNS is disabled, then Azure Firewall uses Azure DNS.
    • If DNS Proxy is enabled and Custom DNS is disabled, then Azure Firewall listens for DNS requests, and then sends DNS queries to the Azure DNS IP of 168.63.129.16.
    • If DNS Proxy is enabled and Custom DNS is enabled, then Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP address. If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers.
    • If DNS Proxy is disabled and Custom DNS is enabled, then Azure Firewall does not listen for DNS requests internally but will send DNS queries related to Rules containing FQDNs.

    NOTE: If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. It’s recommended to configure client virtual machines to use the Azure Firewall as their DNS proxy. This puts Azure Firewall in the path of the client requests to avoid inconsistency.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/dns-settings?tabs=browser#dns-proxy

    https://learn.microsoft.com/en-us/azure/firewall/dns-details

    Should we change the DNS servers from Azure default provided to be our custom DNS servers (the DCs).

    Yes, if you are using “Custom DNS Servers” on the VNET, it is recommended to add them to the Azure Firewall configuration as well.

    Should we enable DNS proxy to forward the traffic to our custom DNS servers.

    Yes, this will make sure that the Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP addresses.

    If we do both of these, our understanding is that we would need to update the DNS of each of our existing VNETs to be the private IP address of the Azure Firewall?

    Yes, your understanding is correct. To configure DNS proxy, you must configure your virtual network DNS servers setting to use the firewall private IP address. Then enable the DNS proxy in the Azure Firewall DNS settings.

    Please find additional details below:

    DNS PROXY - Feature:

    • Enabling DNS PROXY allows the Azure Firewall to be a DNS resolution point for clients/VMs.
    • The Azure Firewall will then perform a recursive lookup against the DNS server configured on the Azure Firewall:
      • Default is the Azure Wire Server IP (168.63.129.16)
      • One of the Custom DNS Servers

    Configuration Suggestions:

    • Azure Firewall will not use the VNET configured DNS servers by default.
    • If you are using “Custom DNS Servers” on the VNET, it is recommended to add them to the Azure Firewall configuration as well.
      • Use Azure Firewall DNS PROXY
      • Configure "Custom DNS Servers" on the Azure Firewall, then point the "VNET DNS Servers" to the Azure Firewall PRIVATE IP
    • Make sure all the custom defined DNS servers can resolve the same DNS records.
      • Make sure Private Records are resolvable on each DNS Server
      • A bad example is having a PUBLIC DNS server and PRIVATE DNS servers in the same list.
        • The Azure Firewall will try to resolve a private DNS name against the public DNS servers and get no results. Other times it will try against the private servers and it will work. This gives intermittent connectivity/results.
    • For Private DNS Zones linked to the VNET, the Azure Wire Server IP address (168.63.129.16) needs to be used. (SEE PRIVATE DNS ZONE Requirements)

    Additional references for you:

    https://learn.microsoft.com/en-us/azure/firewall/firewall-known-issues

    https://learn.microsoft.com/en-us/azure/firewall/sql-fqdn-filtering

    https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/migrate/prepare/ready-azure-landing-zone?wt.mc_id=knwlserapi_inproduct_azportal#azure-firewall-dns-proxy

    Kindly let us know if the above helped or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

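The answer's configuration suggestion that every custom DNS server in the firewall's list must resolve the same private records, and its explanation that the firewall picks one of those servers at random per query, can be turned into a pre-flight check. The following is an added example written for this page, not code from the question, the answers or Microsoft; the DC addresses (10.0.0.4, 10.0.0.5), the public resolver 198.51.100.53, the zone corp.example and the records are constructed sample data. The resolver is injected as a function so the check runs offline; a real deployment would replace `fake_resolver` with one that sends each query to the named server.

```python
import random
from typing import Callable, Dict, Iterable, List, Optional

# A resolver takes (dns_server_ip, fqdn) and returns the answer, or None when
# that server has no record. It is injected so the check runs offline; in a real
# run it would wrap a per-server query (for example dnspython's dns.resolver.Resolver
# with `nameservers=[server]`).
Resolver = Callable[[str, str], Optional[str]]

# Constructed sample data (not from the page): two domain controllers that host
# the private zone, and one public resolver that knows nothing about it.
PRIVATE_DCS = {"10.0.0.4", "10.0.0.5"}          # hypothetical DC IPs
PUBLIC_RESOLVER = "198.51.100.53"               # hypothetical public DNS server
PRIVATE_RECORDS = {
    "app01.corp.example": "10.0.2.10",
    "sql01.corp.example": "10.0.2.20",
}


def fake_resolver(server: str, fqdn: str) -> Optional[str]:
    """Simulated answers: private names resolve only on the DCs, public names everywhere."""
    if fqdn.endswith(".corp.example"):
        return PRIVATE_RECORDS.get(fqdn) if server in PRIVATE_DCS else None
    return "203.0.113.10"  # constructed public answer, identical on every server


def check_dns_consistency(servers: Iterable[str], fqdns: Iterable[str],
                          resolve: Resolver = fake_resolver) -> Dict[str, Dict[str, Optional[str]]]:
    """Query every configured server for every name and return the names they disagree on.

    An empty result means the list is safe to use as the firewall's Custom DNS servers:
    whichever server the firewall happens to pick, the client receives the same answer.
    """
    pool: List[str] = sorted(servers)
    problems: Dict[str, Dict[str, Optional[str]]] = {}
    for fqdn in fqdns:
        answers = {server: resolve(server, fqdn) for server in pool}
        if len(set(answers.values())) > 1:
            problems[fqdn] = answers
    return problems


def simulate_firewall_lookups(servers: Iterable[str], fqdn: str,
                              resolve: Resolver = fake_resolver,
                              queries: int = 1000, seed: int = 7) -> float:
    """Model the firewall choosing a server at random for each query; return the failure rate.

    With a mixed public/private list this reproduces the intermittent failures the
    answer describes: roughly one query in three lands on the server with no record.
    """
    rng = random.Random(seed)
    pool = sorted(servers)
    failures = sum(1 for _ in range(queries) if resolve(rng.choice(pool), fqdn) is None)
    return failures / queries


if __name__ == "__main__":
    mixed = PRIVATE_DCS | {PUBLIC_RESOLVER}
    for name, answers in check_dns_consistency(mixed, PRIVATE_RECORDS).items():
        print(f"{name}: inconsistent answers {answers}")
    print("failure rate, mixed list:", simulate_firewall_lookups(mixed, "app01.corp.example"))
    print("failure rate, DCs only:  ", simulate_firewall_lookups(PRIVATE_DCS, "app01.corp.example"))
```

Run the consistency check against the list you intend to enter under Custom DNS before pointing the VNET DNS servers at the firewall's private IP; any name it reports is a record that will resolve only some of the time once the firewall starts spreading queries across the servers.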

2 additional answers

  1. Deepanshukatara-6769 10,765 Reputation points
    2024-07-04T10:57:14.54+00:00

    Hi Ghulam, welcome to MS Q&A.

    A) Yes, you can configure custom DNS servers, which are basically your two DNS servers, and after that the firewall directs DNS traffic to the specified DNS servers for name resolution.

    B) Yes, you can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.

    Updating DNS Settings in VNETs

    • DNS Configuration: If you enable DNS proxy, you will need to update the DNS settings of each of your existing VNETs to use the private IP address of the Azure Firewall. This ensures that all DNS traffic is routed through the firewall.

    Advantages

    • Centralized DNS Management: Using custom DNS servers and DNS proxy allows for centralized DNS management and resolution.
    • Enhanced Security: All DNS traffic is inspected by the Azure Firewall, providing an additional layer of security.
    • Hybrid DNS Resolution: Facilitates resolution of both on-premises and Azure-hosted resources.

    Disadvantages

    • Complexity: Configuring and managing custom DNS servers and DNS proxy can add complexity to your network setup.
    • Performance: Depending on the load, using Azure Firewall as a DNS proxy might introduce some latency.

    References


  2. Ghulam Abbas 211 Reputation points
    2024-07-05T10:44:42.65+00:00

    Thanks both, this makes perfect sense. Appreciated.

