Azure Firewall DNS Proxy Failing to Resolve SCM Records in Private DNS Zones

Sagar Baghel 10 Reputation points
2024-12-19T16:24:15.6466667+00:00

I have a hub-and-spoke architecture in Azure where I'm using Azure Firewall in the hub as a DNS proxy. I have multiple private DNS zones configured in the hub and have established VNet links to my spoke networks. I've also added A records for my function apps.

When I perform an nslookup from a spoke VM for a function app (e.g., nslookup test-app.privatelink.azurewebsites.net), the DNS traffic is forwarded to the firewall's private IP, and I can successfully resolve the IP address. However, when I try to resolve the SCM record for the same function app (e.g., nslookup test-app.scm.privatelink.azurewebsites.net), I get a "non-existent domain" error.

I've observed the following:

  • Azure Firewall logs show a similar error for the SCM record lookup.
  • nslookup <SCM_FQDN> <AzureFirewallPrivateIP> fails.
  • nslookup <SCM_FQDN> <DNSServerUsedByFirewall> (using Azure's default DNS servers) succeeds.

What could be causing this issue with resolving SCM records through the Azure Firewall DNS proxy? Am I missing a configuration step or is there a limitation with Azure Firewall's DNS proxying capabilities?

Thanks in advance.
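The firewall-versus-Azure-DNS comparison described above, as an added example that is not part of the original post: a stdlib-only DNS client that sends the same A query for the app record and its `.scm` twin to the firewall's private IP and to Azure's recursive resolver (168.63.129.16, the resolver the firewall itself forwards to) and flags every name where the two answers disagree. The firewall IP 10.0.0.4 and the app name test-app are placeholders (assumptions); `make_response` builds constructed responses so the parser can be exercised offline.

```python
import random
import socket
import struct
from typing import Dict, List, Tuple

AZURE_DNS = "168.63.129.16"  # Azure-provided recursive resolver reachable from any VNet
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def scm_name(fqdn: str) -> str:
    """Derive the Kudu/SCM record name from an app record name:
    test-app.privatelink.azurewebsites.net -> test-app.scm.privatelink.azurewebsites.net"""
    app, _, rest = fqdn.partition(".")
    return f"{app}.scm.{rest}"


def build_query(name: str, txid: int) -> bytes:
    """Minimal DNS A/IN query with the RD bit set (what nslookup sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name in a DNS message."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data: bytes) -> Tuple[str, List[str]]:
    """Return (rcode name, [A record addresses]) from a raw DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(data, off) + 4
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAMEs in the chain are skipped
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def make_response(query: bytes, rcode: int, addrs: List[str]) -> bytes:
    """Constructed response to `query` for offline checks: echoes the question and
    attaches one A record per address via a pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs


def resolve(name: str, server: str, timeout: float = 3.0) -> Tuple[str, List[str]]:
    """Send one A query to `server` over UDP/53 and parse the answer (needs network)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch")
    return parse_response(data)


def compare_resolvers(app_fqdns: List[str], firewall_ip: str,
                      reference: str = AZURE_DNS) -> Dict[str, Dict[str, str]]:
    """Query app record and .scm twin through both resolvers and flag disagreements.
    The symptom in the question shows up as firewall=NXDOMAIN, reference=NOERROR."""
    report: Dict[str, Dict[str, str]] = {}
    for fqdn in app_fqdns:
        for name in (fqdn, scm_name(fqdn)):
            fw = resolve(name, firewall_ip)
            ref = resolve(name, reference)
            report[name] = {"firewall": f"{fw[0]} {fw[1]}", "reference": f"{ref[0]} {ref[1]}",
                            "status": "OK" if fw == ref else "MISMATCH"}
    return report


if __name__ == "__main__":
    # Assumptions: 10.0.0.4 is the firewall's private IP, test-app is the function app.
    for n, row in compare_resolvers(["test-app.privatelink.azurewebsites.net"], "10.0.0.4").items():
        print(f"{row['status']:8} {n}: firewall={row['firewall']} azure={row['reference']}")
```

Run it from a spoke VM; a MISMATCH row for the `.scm` name with `NXDOMAIN` on the firewall side and `NOERROR` from 168.63.129.16 reproduces exactly what the question reports.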

Tags: Azure DNS, Azure Firewall, Azure Virtual Network, Azure Private Link

1 answer

  1. Ganesh Patapati 2,665 Reputation points Microsoft Vendor
    2024-12-20T19:00:38.9666667+00:00

    Hello @Sagar Baghel

    Greetings!

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    • Firstly, make sure you have created two records pointing to the private endpoint IP: the first is for your app, the second is for the SCM of your app.

    Refer: https://zcusa.951200.xyz/en-us/azure/app-service/overview-private-endpoint#dns

    • Secondly, use of Azure Private DNS Resolver with Azure Firewall DNS proxy is not validated by the PG, and a support request will be required here.

    Hope this clarifies!

    If above is unclear and/or you are unsure about something add a comment below.

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    Regards,

    Ganesh
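A check for the answer's first point (both A records present in the private DNS zone), as an added example that is not part of the answer: it audits the record sets of the `privatelink.azurewebsites.net` zone for app records that have no `.scm` twin, or whose twin points at a different address, and prints the `az network private-dns record-set a add-record` command that would add each missing record. The JSON is constructed sample data whose shape follows `az network private-dns record-set a list -o json` (only `name` and `aRecords[].ipv4Address` are used, an assumption about the CLI output); the resource group name is a placeholder.

```python
import json
from typing import Dict, List

ZONE = "privatelink.azurewebsites.net"

# Constructed sample zone export. test-app has no scm record; other-app's scm record
# points at the wrong address; good-app is configured as the answer describes.
SAMPLE_RECORD_SETS = json.loads("""
[
  {"name": "test-app",      "ttl": 3600, "aRecords": [{"ipv4Address": "10.1.2.4"}]},
  {"name": "other-app",     "ttl": 3600, "aRecords": [{"ipv4Address": "10.1.2.5"}]},
  {"name": "other-app.scm", "ttl": 3600, "aRecords": [{"ipv4Address": "10.1.2.99"}]},
  {"name": "good-app",      "ttl": 3600, "aRecords": [{"ipv4Address": "10.1.2.6"}]},
  {"name": "good-app.scm",  "ttl": 3600, "aRecords": [{"ipv4Address": "10.1.2.6"}]}
]
""")


def index_a_records(record_sets: List[dict]) -> Dict[str, List[str]]:
    """Map relative record-set name -> sorted IPv4 addresses of that record set."""
    return {rs["name"]: sorted(r["ipv4Address"] for r in rs.get("aRecords", []))
            for rs in record_sets}


def audit_scm_records(record_sets: List[dict]) -> List[Dict[str, str]]:
    """Every app record needs an `<app>.scm` record with the same private endpoint IP.
    Returns one finding per app record whose scm twin is missing or disagrees."""
    by_name = index_a_records(record_sets)
    findings: List[Dict[str, str]] = []
    for name, addrs in sorted(by_name.items()):
        if name.endswith(".scm") or not addrs:
            continue
        twin = f"{name}.scm"
        if twin not in by_name:
            findings.append({"app": name, "record": twin, "problem": "missing",
                             "expected": addrs[0]})
        elif by_name[twin] != addrs:
            findings.append({"app": name, "record": twin, "problem": "mismatch",
                             "expected": addrs[0], "actual": ",".join(by_name[twin])})
    return findings


def remediation_commands(findings: List[Dict[str, str]], resource_group: str) -> List[str]:
    """Emit the az CLI line that adds each missing scm record; mismatches need a manual look
    (the scm record may belong to a different private endpoint)."""
    cmds: List[str] = []
    for f in findings:
        if f["problem"] == "missing":
            cmds.append(
                f"az network private-dns record-set a add-record --resource-group {resource_group} "
                f"--zone-name {ZONE} --record-set-name {f['record']} --ipv4-address {f['expected']}")
        else:
            cmds.append(f"# {f['record']} resolves to {f['actual']} but {f['app']} is "
                        f"{f['expected']}; check which private endpoint is correct")
    return cmds


if __name__ == "__main__":
    # Assumption: the zone lives in resource group rg-hub.
    for line in remediation_commands(audit_scm_records(SAMPLE_RECORD_SETS), "rg-hub"):
        print(line)
```

Replace `SAMPLE_RECORD_SETS` with `json.load` over the real `az network private-dns record-set a list` output to audit a live zone; a missing `<app>.scm` record is exactly what produces NXDOMAIN through the firewall while Azure DNS, which falls back to the public `*.azurewebsites.net` zone, still answers.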
