Hello @Ghulam Abbas,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how a DNS request is routed through the Azure Firewall DNS Proxy along with its advantages/disadvantages.
By default, Azure Firewall uses Azure DNS when DNS Proxy is disabled.
The DNS server setting lets you configure your own DNS servers and with DNS Proxy enabled, the firewall directs the DNS traffic to the specified DNS servers for name resolution.
Refer: https://docs.microsoft.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers
If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers. You can configure a maximum of 15 DNS servers in Custom DNS.
So, to summarize:
- If DNS Proxy is disabled and Custom DNS is disabled, then Azure Firewall uses Azure DNS.
- If DNS Proxy is enabled and Custom DNS is disabled, then Azure Firewall listens for DNS requests, and then sends DNS queries to the Azure DNS IP of 168.63.129.16.
- If DNS Proxy is enabled and Custom DNS is enabled, then Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP address. If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers.
- If DNS Proxy is disabled and Custom DNS is enabled, then Azure Firewall does not listen for DNS requests internally but will send DNS queries related to Rules containing FQDNs.
NOTE: If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. It’s recommended to configure client virtual machines to use the Azure Firewall as their DNS proxy. This puts Azure Firewall in the path of the client requests to avoid inconsistency.
Refer: https://zcusa.951200.xyz/en-us/azure/firewall/dns-settings?tabs=browser#dns-proxy
https://zcusa.951200.xyz/en-us/azure/firewall/dns-details
> Should we change the DNS servers from the Azure-provided default to our custom DNS servers (the DCs)?
Yes, if you are using “Custom DNS Servers” on the VNET, it is recommended to add them to the Azure Firewall configuration as well.
> Should we enable DNS proxy to forward the traffic to our custom DNS servers?
Yes, this will make sure that the Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP addresses.
> If we do both of these, our understanding is that we would need to update the DNS of each of our existing VNETs to be the private IP address of the Azure Firewall?
Yes, your understanding is correct. To configure DNS proxy, you must configure your virtual network DNS servers setting to use the firewall private IP address. Then enable the DNS proxy in the Azure Firewall DNS settings.
Please find additional details below:
DNS PROXY - Feature:
- Enabling DNS PROXY allows the Azure Firewall to be a DNS resolution point for clients/VMs.
- The Azure Firewall will then perform a recursive lookup against the DNS server configured on the Azure Firewall:
  - Default is the Azure Wire Server IP (168.63.129.16)
  - One of the Custom DNS Servers
Configuration Suggestions:
- Azure Firewall will not use the VNET-configured DNS servers by default.
- If you are using “Custom DNS Servers” on the VNET, it is recommended to add them to the Azure Firewall configuration as well.
- Use Azure Firewall DNS PROXY:
  - Configure "Custom DNS Servers" on the Azure Firewall, then point the "VNET DNS Servers" to the Azure Firewall PRIVATE IP.
- Make sure all the custom-defined DNS servers can resolve the same DNS records.
  - Make sure private records are resolvable on each DNS server.
  - A bad example is having PUBLIC DNS servers and PRIVATE DNS servers in the same list.
    - The Azure Firewall will sometimes try to resolve private DNS names against the public DNS servers and get no results; other times it will try the private servers and succeed. This gives intermittent connectivity/results.
- For Private DNS Zones linked to the VNET, the Azure Wire Server IP address (168.63.129.16) needs to be used. (SEE PRIVATE DNS ZONE Requirements)
Additional references for you:
https://zcusa.951200.xyz/en-us/azure/firewall/firewall-known-issues
https://zcusa.951200.xyz/en-us/azure/firewall/sql-fqdn-filtering
Kindly let us know if the above helped or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
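The answer above recommends making sure every custom DNS server handed to Azure Firewall resolves the same records, because with DNS proxy enabled the firewall picks one of the configured servers at random per query, and a list that mixes public and private resolvers gives intermittent failures. The script below is an added example (not part of the original answer or of any Microsoft tooling) that runs that check before you change the firewall's DNS settings: it queries every server for every name, reports the names on which the servers disagree, and estimates how often a random pick would fail. The server IPs, hostnames and addresses in the sample data are constructed for illustration; the optional live resolver assumes the third-party `dnspython` package and is only imported when you call it.

```python
"""Pre-flight consistency check for Azure Firewall custom DNS servers.

Azure Firewall allows at most 15 custom DNS servers and, with DNS proxy on,
chooses one of them at random for each query. Every server must therefore
return the same answer for every name you care about (private records
included), otherwise resolution succeeds or fails depending on the pick.
"""
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional

# A resolver takes (server_ip, fqdn) and returns the set of A records,
# or None when that server answers NXDOMAIN, has no answer, or times out.
Resolver = Callable[[str, str], Optional[FrozenSet[str]]]

MAX_CUSTOM_DNS_SERVERS = 15  # documented Azure Firewall limit


def validate_server_list(servers: List[str]) -> None:
    """Reject lists Azure Firewall would not accept (empty, duplicates, >15)."""
    if not servers:
        raise ValueError("at least one custom DNS server is required")
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate DNS server in list")
    if len(servers) > MAX_CUSTOM_DNS_SERVERS:
        raise ValueError(f"Azure Firewall accepts at most {MAX_CUSTOM_DNS_SERVERS} custom DNS servers")


def check_dns_consistency(servers: List[str], names: Iterable[str],
                          resolve: Resolver) -> Dict[str, Dict[str, Optional[FrozenSet[str]]]]:
    """Return {name: {server: answer}} for every name on which the servers disagree.

    An empty dict means all servers agree on all names and the list is safe to
    configure on the firewall with DNS proxy enabled.
    """
    validate_server_list(servers)
    problems = {}
    for name in names:
        answers = {server: resolve(server, name) for server in servers}
        if len(set(answers.values())) > 1:  # more than one distinct answer (None counts)
            problems[name] = answers
    return problems


def failure_probability(answers: Dict[str, Optional[FrozenSet[str]]]) -> float:
    """Share of uniformly random server picks that would fail to resolve the name."""
    return sum(1 for a in answers.values() if a is None) / len(answers)


def report(problems: Dict[str, Dict[str, Optional[FrozenSet[str]]]]) -> List[str]:
    """Human-readable summary, one line per inconsistent name."""
    lines = []
    for name, answers in sorted(problems.items()):
        failing = sorted(s for s, a in answers.items() if a is None)
        lines.append(f"{name}: ~{failure_probability(answers):.0%} of queries would fail; "
                     f"no answer from {', '.join(failing) or 'none'}; "
                     f"distinct answers: {len(set(answers.values()))}")
    return lines


def live_resolver(server: str, name: str, timeout: float = 2.0) -> Optional[FrozenSet[str]]:
    """Query one specific DNS server directly. Requires `pip install dnspython`."""
    import dns.exception  # third-party, imported lazily so the rest runs offline
    import dns.resolver
    r = dns.resolver.Resolver(configure=False)  # ignore /etc/resolv.conf, ask only `server`
    r.nameservers = [server]
    r.lifetime = timeout
    try:
        return frozenset(rr.to_text() for rr in r.resolve(name, "A"))
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout):
        return None


# Constructed sample data (not real lookups): two domain controllers that host
# the private zone and forward public names, plus one public resolver that
# cannot see the private zone, i.e. the "bad example" from the answer above.
PRIVATE_ZONE = {
    "dc1.corp.example": frozenset({"10.10.0.4"}),
    "sql01.corp.example": frozenset({"10.10.1.20"}),
}
PUBLIC_ZONE = {"www.example.com": frozenset({"203.0.113.10"})}
DC_SERVERS = ["10.10.0.4", "10.10.0.5"]   # hypothetical DCs
PUBLIC_SERVER = "8.8.8.8"                  # public resolver with no view of the private zone
NAMES = list(PRIVATE_ZONE) + list(PUBLIC_ZONE)


def stub_resolver(server: str, name: str) -> Optional[FrozenSet[str]]:
    """Offline stand-in for live_resolver using the constructed zones above."""
    if server in DC_SERVERS:
        return PRIVATE_ZONE.get(name) or PUBLIC_ZONE.get(name)
    if server == PUBLIC_SERVER:
        return PUBLIC_ZONE.get(name)
    return None


if __name__ == "__main__":
    mixed = DC_SERVERS + [PUBLIC_SERVER]
    print("Mixed public/private list:")
    for line in report(check_dns_consistency(mixed, NAMES, stub_resolver)) or ["consistent"]:
        print("  " + line)
    print("DCs only:", report(check_dns_consistency(DC_SERVERS, NAMES, stub_resolver)) or ["consistent"])
```

Run it against your real servers by passing `live_resolver` instead of `stub_resolver` and your own list of private FQDNs; any name in the returned dict is one that will resolve intermittently once the firewall is proxying for the VNET.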