@Jessie,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to configure DNS Proxy with Azure Firewall. I could not find any explicit documentation that explains the effect of DNS Proxy.
However, to answer your queries,
1. Is my assumption correct that enabling DNS proxy might result in network problems with already existing network firewall rules?
- It may lead to issues if the existing DNS server used by the Virtual Machines/Virtual Network does not match the DNS server used by the Firewall.
- However, if the VMs and the Azure Firewall were using the same DNS Server in your current environment, then there should not be any issues.
- Technically, in the latter case, the DNS queries are being served by the same DNS server and thus should not result in any issues.
- See: Azure Firewall DNS settings.
In the case that the DNS server used by the VNET and Azure Firewall is currently not the same,
- You must make sure that the DNS Server used by the Azure Firewall is correctly resolving the FQDNs which you use.
- The point to note here is that this is a responsibility of the DNS Server used rather than the Azure Firewall.
I would suggest you take a downtime window, make the changes and observe the behavior for a single or a subset of VMs.
- You can do this by either:
  - Changing the DNS server of a NIC (for a single VM)
  - Changing the DNS server of a single VNET (for a subset of VMs)
- Should there be clients complaining about DNS queries, you can try to troubleshoot by:
  nslookup <FQDN> <AzFwPrivateIP>
  nslookup <FQDN> <DNSServerIPusedbyFw>
  nslookup <FQDN> <DNSServerIPusedbyVmBeforeProxy>
- And if you find AzFW is not properly resolving the DNS, you can fall back to the existing DNS Server IP and later troubleshoot which DNS server from above is the culprit.
Hope this provides some clarity.
Cheers,
Kapil
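The three nslookup checks in the answer above can be automated so that, during the downtime window, the answers from the firewall's private IP, the DNS server the firewall forwards to, and the DNS server the VMs used before the proxy are compared side by side, and any resolver whose answer differs from the pre-proxy baseline is flagged. The script below is an added example, not code from the answer or from Microsoft; the resolver addresses, the FQDN and the embedded nslookup transcripts are constructed placeholders, and `run_live` (which actually invokes nslookup) is an assumption about how you would wire it into your own environment.

```python
"""Compare how several DNS resolvers answer the same FQDN, to locate the
resolver that misbehaves after VMs are switched to the Azure Firewall DNS
proxy. Added example; constructed placeholder data throughout."""
import re
import subprocess
from typing import Dict, Set

# Constructed placeholder addresses (assumption): replace with your own.
RESOLVERS = {
    "azfw_private_ip": "10.0.1.4",              # Azure Firewall private IP
    "dns_used_by_firewall": "10.0.2.4",         # DNS server configured on the firewall
    "dns_used_by_vm_before_proxy": "10.0.3.4",  # DNS server the VMs used before DNS proxy
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup_answer(output: str) -> Set[str]:
    """Return the set of A records found in one nslookup transcript.

    The 'Server:'/'Address:' header names the resolver, not the answer, so
    everything before the first blank line is discarded. Handles both the
    Linux (bind-utils) and Windows layouts; a failed lookup (NXDOMAIN,
    timeout, SERVFAIL) yields an empty set."""
    text = output.replace("\r\n", "\n")
    _header, _sep, body = text.partition("\n\n")
    return set(IPV4.findall(body))


def query_resolver(fqdn: str, server: str, timeout: int = 5) -> Set[str]:
    """Live check: run nslookup against one resolver and parse its answer.
    Uses the nslookup '-timeout=' option, which exists on Linux and Windows."""
    proc = subprocess.run(
        ["nslookup", f"-timeout={timeout}", fqdn, server],
        capture_output=True, text=True, timeout=timeout + 5,
    )
    return parse_nslookup_answer(proc.stdout)


def compare_answers(answers: Dict[str, Set[str]],
                    baseline: str = "dns_used_by_vm_before_proxy") -> Dict[str, object]:
    """Flag every resolver whose answer set differs from the baseline resolver.

    An empty answer set (lookup failure) is a difference like any other, so a
    resolver that cannot resolve the name at all is reported as an outlier."""
    expected = answers[baseline]
    outliers = {
        name: sorted(ips)
        for name, ips in answers.items()
        if name != baseline and ips != expected
    }
    return {"baseline": sorted(expected), "outliers": outliers, "consistent": not outliers}


def run_live(fqdn: str, resolvers: Dict[str, str] = RESOLVERS) -> Dict[str, object]:
    """Query every configured resolver for fqdn and compare the answers."""
    return compare_answers({name: query_resolver(fqdn, ip) for name, ip in resolvers.items()})


# Constructed nslookup transcripts (not captured from a real environment).
# Here the firewall and its upstream DNS server both fail, while the
# resolver the VMs used before the proxy answers; per the reasoning in the
# answer above, the culprit is then the DNS server configured on the firewall.
SAMPLE_OUTPUT = {
    "azfw_private_ip": (            # Linux layout
        "Server:\t\t10.0.1.4\n"
        "Address:\t10.0.1.4#53\n"
        "\n"
        "** server can't find app.contoso.example: NXDOMAIN\n"
    ),
    "dns_used_by_firewall": (       # Linux layout
        "Server:\t\t10.0.2.4\n"
        "Address:\t10.0.2.4#53\n"
        "\n"
        "** server can't find app.contoso.example: NXDOMAIN\n"
    ),
    "dns_used_by_vm_before_proxy": (  # Windows layout, CRLF line endings
        "Server:  UnKnown\r\n"
        "Address:  10.0.3.4\r\n"
        "\r\n"
        "Non-authoritative answer:\r\n"
        "Name:    app.contoso.example\r\n"
        "Addresses:  10.20.30.40\r\n"
        "          10.20.30.41\r\n"
    ),
}


def demo() -> Dict[str, object]:
    """Run the comparison over the constructed transcripts (works offline)."""
    return compare_answers({name: parse_nslookup_answer(out) for name, out in SAMPLE_OUTPUT.items()})


if __name__ == "__main__":
    print(demo())
```

Run `demo()` to see the offline comparison, or `run_live("app.contoso.example")` from a VM in the VNET after replacing the placeholder addresses. Because the baseline is the resolver the VMs used before the change, a result with `consistent` false tells you which of the two new hops (firewall or its configured DNS server) to investigate, and which IP to fall back to in the meantime.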