Azure firewall proxy

Erik 1 Reputation point
2022-09-16T06:23:56.007+00:00

Hello,

Suppose you have set up several DNS servers behind an Azure Firewall DNS Proxy, for example your own DNS server and Azure DNS. How does the DNS request that goes through the DNS Proxy know where to go? Does the request choose a random DNS server behind the DNS Proxy, or can you control this?

Tags: Azure DNS, Azure Firewall

1 answer

GitaraniSharma-MSFT 49,486 Reputation points Microsoft Employee
2022-09-16T11:32:00.223+00:00

Hello @Erik,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out, and I hope you are doing well.

I understand that you would like to know how DNS requests are routed through the Azure Firewall DNS Proxy if there are multiple DNS servers behind it.

By default, Azure Firewall uses Azure DNS when DNS Proxy is disabled.
The DNS server setting lets you configure your own DNS servers, and with DNS Proxy enabled, the firewall directs the DNS traffic to the specified DNS servers for name resolution.
Refer: https://video2.skills-academy.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers

If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers. You can configure a maximum of 15 DNS servers in Custom DNS.

And if you want to enable FQDN (fully qualified domain name) filtering in network rules, enable DNS proxy and update the virtual machine configuration to use the firewall as a DNS proxy.

So, to summarize:

• If DNS Proxy is disabled and Custom DNS is disabled, then Azure Firewall uses Azure DNS.
• If DNS Proxy is enabled and Custom DNS is disabled, then Azure Firewall listens for DNS requests, and then sends DNS queries to the Azure DNS IP of 168.63.129.16.
• If DNS Proxy is enabled and Custom DNS is enabled, then Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP address. If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers.
• If DNS Proxy is disabled and Custom DNS is enabled, then Azure Firewall does not listen for DNS requests internally, but will send DNS queries related to rules containing FQDNs.

NOTE: If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. DNS proxy puts Azure Firewall in the path of the client requests to avoid inconsistency.

Kindly let us know if the above helped or you need further assistance on this issue.

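A small model of the behaviour the answer describes, added here as an illustration; it is not Microsoft or Azure Firewall code. It covers the four DNS Proxy / Custom DNS combinations, the random choice among configured servers, the 15-server limit, and the NOTE's point: when a VM resolves an FQDN through a different server than the firewall does, a network rule written against that FQDN can deny traffic the client believed was allowed, while routing the VM's queries through the proxy keeps both sides on one answer. The server addresses and the A records each server returns are constructed sample data.

```python
"""Model of Azure Firewall DNS proxy behaviour (added illustration, not
Microsoft code). Server addresses and DNS answers are constructed samples."""
import random
from dataclasses import dataclass, field

AZURE_DNS = "168.63.129.16"    # Azure-provided DNS address quoted in the answer
MAX_CUSTOM_DNS_SERVERS = 15    # Custom DNS limit quoted in the answer

# Constructed sample answers: each resolver hands out a different A record for
# the same name, as a geo-balanced or round-robin name often does, so the
# record a party sees depends on which server it asked.
SAMPLE_ANSWERS = {
    AZURE_DNS:  {"svc.example.com": "203.0.113.10"},
    "10.0.1.4": {"svc.example.com": "203.0.113.20"},
    "10.0.1.5": {"svc.example.com": "203.0.113.30"},
}


def query(server: str, fqdn: str) -> str:
    """Direct lookup against one server (simulated)."""
    return SAMPLE_ANSWERS[server][fqdn]


@dataclass
class Firewall:
    dns_proxy: bool                                   # the "DNS Proxy" toggle
    custom_dns: list = field(default_factory=list)    # "Custom DNS" servers; empty means disabled
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    _cache: dict = field(default_factory=dict)

    def __post_init__(self):
        if len(self.custom_dns) > MAX_CUSTOM_DNS_SERVERS:
            raise ValueError(f"at most {MAX_CUSTOM_DNS_SERVERS} custom DNS servers are allowed")

    def upstream(self) -> str:
        """Server the firewall itself asks: Azure DNS unless Custom DNS is
        configured, in which case one configured server is picked at random."""
        if not self.custom_dns:
            return AZURE_DNS
        return self.rng.choice(self.custom_dns)

    def resolve(self, fqdn: str) -> str:
        """Firewall-side resolution, cached so the answer returned to proxy
        clients and the answer used for rule evaluation are the same record."""
        if fqdn not in self._cache:
            self._cache[fqdn] = query(self.upstream(), fqdn)
        return self._cache[fqdn]

    def proxy_answer(self, fqdn: str) -> str:
        """What a client receives when it sends its DNS query to the firewall."""
        if not self.dns_proxy:
            raise RuntimeError("DNS Proxy disabled: the firewall is not listening for DNS")
        return self.resolve(fqdn)

    def network_rule_allows(self, dest_ip: str, rule_fqdn: str) -> bool:
        """Network rule 'allow <rule_fqdn>': the packet's destination must match
        the firewall's own resolution of the FQDN."""
        return dest_ip == self.resolve(rule_fqdn)


def client_bypassing_proxy(fw: Firewall, client_dns: str, fqdn: str) -> bool:
    """VM resolves with its own DNS server, then sends traffic through the firewall."""
    dest_ip = query(client_dns, fqdn)
    return fw.network_rule_allows(dest_ip, fqdn)


def client_via_proxy(fw: Firewall, fqdn: str) -> bool:
    """VM's DNS setting points at the firewall, so both sides use one answer."""
    dest_ip = fw.proxy_answer(fqdn)
    return fw.network_rule_allows(dest_ip, fqdn)


if __name__ == "__main__":
    fw = Firewall(dns_proxy=True, custom_dns=["10.0.1.4", "10.0.1.5"])
    print("VM resolves via Azure DNS, firewall via Custom DNS:",
          client_bypassing_proxy(fw, AZURE_DNS, "svc.example.com"))
    print("VM resolves via the firewall proxy:                ",
          client_via_proxy(fw, "svc.example.com"))
```

Running the script shows the first scenario denied and the second allowed: with two custom servers the firewall's choice is random, but because the proxy answer and the rule evaluation share one cached record, a client that asks the firewall always ends up at the address the rule will match.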
