DNS Proxy

What is DNS Proxy?

A feature of Azure Firewall that allows us to perform name resolution using Azure Provided DNS or Custom DNS server
When “DNS proxy” feature is enabled, Firewall listens for DNS query (UDP, port 53) and resolve it using Azure Provided DNS or Custom DNS server
This functionality is crucial and required to have reliable FQDN filtering in network rules
It is highly recommended you enable the DNS proxy to ensure name resolution is consistent with your protected virtual machines and firewall

Got to target policy > Settings: DNS > DNS Proxy: select “Enabled”
If enabled, the Azure Firewalls associated with the policy will listen on port 53 and will forward DNS requests to the DNS specified server (Azure provided or custom)

Azure Firewall - enable DNS proxy using Azure Portal

If we have hub-spoke topology, we need to set VNet DNS Server to Firewall private IP for both Hub VNet and Spoke VNet.

Azure Firewall DNS Proxy - Firewall private IP as VNet DNS server

Scenario:

We need to attach Private DNS Zones to Hub VNet to ensure that name resolution will work for private endpoints and private IP of Application Gateway:

Linking a private DNS to Hub VNet

Azure Firewall DNS Proxy - linking private DNS zone to Hub VNet

In order to resolve name resolution using Azure provided DNS, the DNS query must be originated from within the VNet
When DNS proxy is enabled, Azure Firewall will listen to any DNS query including query coming from on-premises (mentioned that on-premises is connected using ExpressRoute or VPN)
If on-premises have DNS server, then “conditional forwarding” must be set in on-premises DNS server to forward unknown queries to Firewall private IP:
- *.hover-system.com
- *.privatelink.blob.core.windows.net
- *.privatelink.vaultcore.azure.net
- *.privatelink.azurecr.io