Effect of enabling DNS proxy in Azure Firewall.

Jessie 85 Reputation points
2024-02-29T05:59:06.71+00:00

My environment has an Azure firewall configured as a shared resource.

Connection to smtp.office365.com in the above firewall was configured using an application firewall rule to port 587, but we are unable to send emails.

The plan is to re-configure the connection to smtp.office365.com as a network rule (using the same port number).

However, this requires enabling DNS proxy on the target firewall.

We have other network rules already existing in the firewall and I am concerned that there may be complications when we enable DNS on the firewall.

Questions:

  1. Is my assumption correct that enabling DNS proxy might result in network problems with already existing network firewall rules?
  2. Is there a document that explains the effect of enabling DNS proxy?

Accepted answer
  KapilAnanth-MSFT 39,206 Reputation points Microsoft Employee
    2024-02-29T07:00:29.8466667+00:00

    @Jessie ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to configure DNS Proxy with Azure Firewall. I could not find any explicit documentations that explain the effect of DNS Proxy.

    However, to answer your queries,

    1. Is my assumption correct that enabling DNS proxy might result in network problems with already existing network firewall rules?

    • It may lead to issues if the existing DNS server used by the Virtual Machines/Virtual Network does not match with the DNS server used by the Firewall.
    • However, if the VMs and the Azure Firewall were using the same DNS Server in your current environment - then there should not be any issues.
    • Technically, in the latter, the DNS queries are being served by the same DNS server and thus should not result in any issues.

    In the case that the DNS server used by the VNET and Azure Firewall is currently not the same,

    • You must make sure that the DNS Server used by the Azure Firewall is correctly resolving the FQDNs which you use
    • The point to note here is that this is a responsibility of the DNS Server used rather than the Azure Firewall

    I would suggest you take a downtime window, make the changes and observe the behavior for a single or a subset of VMs.

    • You can do this by either
      • Changing the DNS server of a NIC (for single VM)
      • Changing the DNS server of a single VNET (for a subset of VMs)
    • Should there be clients complaining about DNS queries, you can try to troubleshoot by
      nslookup <FQDN> <AzFwPrivateIP>
      nslookup <FQDN> <DNSServerIPusedbyFw>
      nslookup <FQDN> <DNSServerIPusedbyVmBeforeProxy>
    • And if you find AzFW is not properly resolving the DNS, you can fall back to the existing DNS Server IP and later troubleshoot which DNS server from above is the culprit.

    Hope this provides some clarity.

    Cheers,

    Kapil
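The troubleshooting step in the accepted answer (running `nslookup <FQDN>` against the firewall's private IP, the DNS server the firewall forwards to, and the DNS server the VMs used before the proxy) can be scripted so that the three answers are compared rather than eyeballed. The following is an added example, not code from the question, the answer or any Azure tooling. It assumes `nslookup` is on the PATH, and the server IPs in `SERVERS` are constructed placeholders to be replaced with your own firewall private IP and DNS server addresses. The parser accepts both the Linux/BIND and the Windows layouts of `nslookup` output and ignores IPv6 answers; the sample outputs embedded for testing are constructed, with RFC 5737 documentation addresses.

```python
"""Compare how several DNS servers resolve an FQDN before pointing a VNet at
Azure Firewall DNS proxy.  If the firewall (or the DNS server behind it) gives
a different or empty answer from the resolver the VMs use today, FQDN-based
network rules will evaluate against different addresses than the clients
connect to, and the pre-change resolver is the safe fallback."""
import re
import subprocess
from typing import Dict, Set

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nslookup(output: str) -> Set[str]:
    """Return the IPv4 addresses in the answer section of nslookup output.

    nslookup first prints the server it asked ("Server:" / "Address: x#53");
    the answer starts at the first "Name:" line, so everything before it is
    skipped.  After that, every IPv4 literal is collected, which covers the
    Linux form (one "Address:" per record) and the Windows form ("Addresses:"
    followed by indented continuation lines).  An NXDOMAIN/SERVFAIL output
    has no "Name:" line and therefore yields an empty set."""
    answers: Set[str] = set()
    in_answer = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            answers.update(IPV4.findall(stripped))
    return answers


def find_inconsistencies(results: Dict[str, Set[str]]) -> Set[str]:
    """Given {resolver label: answer set}, return the labels whose answer is
    empty or differs from the first resolver in the dict (the reference).
    An empty return value means all resolvers agree."""
    labels = list(results)
    reference = results[labels[0]]
    return {
        lbl for lbl in labels
        if not results[lbl] or results[lbl] != reference
    }


def query(fqdn: str, server: str) -> Set[str]:
    """Run nslookup <fqdn> <server> and parse it (requires network access)."""
    proc = subprocess.run(
        ["nslookup", fqdn, server], capture_output=True, text=True, timeout=15
    )
    return parse_nslookup(proc.stdout)


def check_fqdn(fqdn: str, servers: Dict[str, str]) -> Dict[str, Set[str]]:
    """Resolve fqdn via every server in the dict; returns {label: answers}."""
    return {lbl: query(fqdn, ip) for lbl, ip in servers.items()}


# Constructed sample outputs used for offline testing of the parser.
SAMPLE_LINUX = """Server:\t\t10.0.0.4
Address:\t10.0.0.4#53

Non-authoritative answer:
smtp.office365.com\tcanonical name = mail.example.test.
Name:\tmail.example.test
Address: 192.0.2.10
Name:\tmail.example.test
Address: 192.0.2.11
"""

SAMPLE_WINDOWS = """Server:  UnKnown
Address:  10.1.0.10

Non-authoritative answer:
Name:    mail.example.test
Addresses:  2001:db8::10
          192.0.2.10
          192.0.2.11
Aliases:  smtp.office365.com
"""

SAMPLE_NXDOMAIN = """Server:\t\t10.2.0.10
Address:\t10.2.0.10#53

** server can't find smtp.office365.com: NXDOMAIN
"""

if __name__ == "__main__":
    # Constructed placeholders: substitute your own addresses before running.
    SERVERS = {
        "AzFwPrivateIP": "10.0.0.4",                    # firewall private IP
        "DNSServerIPusedbyFw": "10.1.0.10",             # firewall's DNS setting
        "DNSServerIPusedbyVmBeforeProxy": "10.2.0.10",  # current VNet/NIC DNS
    }
    results = check_fqdn("smtp.office365.com", SERVERS)
    for label, addrs in results.items():
        print(f"{label:32} {sorted(addrs) or 'NO ANSWER'}")
    bad = find_inconsistencies(results)
    print("inconsistent resolvers:", sorted(bad) if bad else "none")
```

Large SaaS names such as smtp.office365.com legitimately rotate their A records between successive queries, so a single differing address is not by itself a fault; what matters is a resolver that returns nothing, or that disagrees consistently across repeated runs, which points at the DNS server behind the firewall rather than the firewall itself, exactly as the answer notes.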

