Using Azure Private Resolver with Firewall DNS proxy

Eddie Vincent 0 Reputation points
2024-09-10T10:39:50.1433333+00:00

Hi,

I am currently looking at implementing Azure DNS private resolver (inbound and outbound endpoint subnets) within a hub-and-spoke network with the ultimate goal of resolving DNS to/from an on-premises site located down a VPN connection and the spokes of the Azure network.

An additional step is that I would also like to use Azure firewall (located in the central hub as well) as a DNS proxy. For the outbound resolver I can see this working in the following flow using the following as reference: https://learn.microsoft.com/en-us/azure/dns/private-resolver-endpoints-rulesets

Outbound DNS request:

Spoke network with custom DNS address set as the Firewall private IP --> Azure firewall DNS proxy/server address set to the Outbound resolver/endpoint IP address --> Ruleset to on premise.

Basically replacing "custom DNS server" in the below diagram with the outbound resolver address.


No issue with this; however, in reverse (resolving from on premises via the Firewall to the spokes):

Inbound DNS request:

Site DNS forwarding ruleset to inbound resolver private subnet --> ??

As far as I can understand, the documentation suggests that after the request goes to the inbound resolver it then queries Azure DNS, but what would the recommended step be if using the Firewall to proxy:

  • Configure the on-premises forwarder to the local address of the firewall directly, bypassing the inbound resolver.
  • Use the inbound resolver and configure Azure DNS to forward.

There is an additional issue: as per the documentation here (https://learn.microsoft.com/en-us/azure/firewall/dns-settings), "if you configure multiple DNS servers the server used is chosen randomly", and I cannot see how this would work in an inbound/outbound scenario even if multiple policies were configured on the firewall.

Any thoughts would be appreciated, thanks!

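The outbound flow described in the question (spokes to firewall proxy, firewall to resolver, ruleset to on premises), written out as an added Bicep example that is not from the original post or from the Microsoft docs. It assumes the hub VNet and two subnets delegated to Microsoft.Network/dnsResolvers already exist and are passed in as resource ids, uses constructed placeholder values (inbound endpoint address 10.0.1.4, on-premises DNS server 10.200.0.10, zone corp.example), and points the firewall's single DNS upstream at the inbound endpoint, which is the only resolver component that accepts queries, so the ruleset linked to the hub VNet does the forwarding and the random-server behaviour for multiple DNS servers never comes into play.

```bicep
// Added example, not the poster's or Microsoft's configuration; ids and addresses are placeholders.
param location string = resourceGroup().location
param hubVnetId string        // existing hub VNet that also hosts the Azure Firewall
param inboundSubnetId string  // subnet delegated to Microsoft.Network/dnsResolvers
param outboundSubnetId string // second subnet delegated to Microsoft.Network/dnsResolvers
param inboundIp string = '10.0.1.4'       // constructed: static inbound endpoint address inside inboundSubnetId
param onPremDnsIp string = '10.200.0.10'  // constructed: on-premises DNS server reachable over the VPN
param onPremZone string = 'corp.example.' // constructed: zone that must be answered on premises
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'hub-dns-resolver'
  location: location
  properties: { virtualNetwork: { id: hubVnetId } }
}
// Inbound endpoint: the only resolver component that listens on an address, so it is the upstream for the firewall proxy and for on-premises conditional forwarders.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: { ipConfigurations: [ { subnet: { id: inboundSubnetId }, privateIpAllocationMethod: 'Static', privateIpAddress: inboundIp } ] }
}
// Outbound endpoint: source of forwarded queries; it exposes no address to query.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'
  location: location
  properties: { subnet: { id: outboundSubnetId } }
}
// Ruleset linked to the hub VNet: queries for onPremZone reaching the inbound endpoint are forwarded via the outbound endpoint; everything else resolves through Azure DNS.
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'hub-ruleset'
  location: location
  properties: { dnsResolverOutboundEndpoints: [ { id: outbound.id } ] }
}
resource onPremRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'to-onprem'
  properties: { domainName: onPremZone, forwardingRuleState: 'Enabled', targetDnsServers: [ { ipAddress: onPremDnsIp, port: 53 } ] }
}
resource hubLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'hub-link'
  properties: { virtualNetwork: { id: hubVnetId } }
}
// Firewall policy (attach it to the hub firewall): DNS proxy on with exactly one upstream, so the random server choice for multiple servers never applies. Spoke VNets set the firewall private IP as their custom DNS server.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2022-11-01' = {
  name: 'hub-fw-policy'
  location: location
  properties: { dnsSettings: { enableProxy: true, servers: [ inboundIp ] } }
}
```

For the reverse path, the on-premises forwarder is pointed at the same inbound endpoint address, where private-zone and spoke names resolve through Azure DNS; firewall DNS logging only sees queries that pass through the proxy, so decide which direction you want visible there before choosing where on premises forwards.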
