Azure Firewall DNS settings
You can configure a custom DNS server and enable DNS proxy for Azure Firewall. Configure these settings when you deploy the firewall, or configure them later from the DNS settings page. By default, Azure Firewall uses Azure DNS and DNS Proxy is disabled.
DNS servers
A DNS server resolves domain names to IP addresses. By default, Azure Firewall uses Azure DNS for name resolution. The DNS servers setting lets you use your own DNS servers for Azure Firewall name resolution instead. You can configure a single server or multiple servers; if you configure multiple DNS servers, the firewall chooses randomly among them. You can configure a maximum of 15 custom DNS servers.
Note
For instances of Azure Firewall that are managed by using Azure Firewall Manager, the DNS settings are configured in the associated Azure Firewall policy.
Configure custom DNS servers
- Under Settings for your Azure Firewall, select DNS settings.
- Under DNS servers, type the IP addresses of your DNS servers, or add DNS servers that were previously specified for your virtual network.
- Select Apply.
The firewall now directs DNS traffic to the specified DNS servers for name resolution.
DNS proxy
You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.
If you want to enable FQDN (fully qualified domain name) filtering in network rules, enable DNS proxy and update the virtual machine configuration to use the firewall as a DNS proxy.
If you enable FQDN filtering in network rules but don't configure client virtual machines to use the firewall as a DNS proxy, the clients might resolve an FQDN at a different time, or get a different answer, than the firewall does, so the IP address a client connects to might not be the one the rule allows. It's recommended to configure client virtual machines to use Azure Firewall as their DNS proxy. This puts Azure Firewall in the path of the client requests and avoids the inconsistency.
When Azure Firewall is a DNS proxy, two caching function types are possible:
Positive cache: DNS resolution is successful. The firewall caches these responses according to the TTL (time to live) in the response up to a maximum of 1 hour.
Negative cache: DNS resolution results in no response or no resolution. The firewall caches these responses according to the TTL in the response, up to a max of 30 minutes.
The DNS proxy stores all resolved IP addresses from FQDNs in network rules. As a best practice, use FQDNs that resolve to one IP address.
Policy inheritance
Policy DNS settings applied to a standalone firewall override the standalone firewall's DNS settings. A child policy inherits all parent policy DNS settings, but it can override the parent policy.
For example, to use FQDNs in network rules, DNS proxy must be enabled. If a parent policy doesn't have DNS proxy enabled, a child policy won't support FQDNs in network rules unless you override this setting locally in the child policy.
DNS proxy configuration
DNS proxy configuration requires three steps:
- Enable the DNS proxy in Azure Firewall DNS settings.
- Optionally, configure your custom DNS server or use the provided default.
- Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings to direct DNS traffic to the Azure Firewall.
Note
If you use a custom DNS server, it can have any IP address in the virtual network except an address in the Azure Firewall subnet.
To configure DNS proxy, you must configure your virtual network DNS servers setting to use the firewall private IP address. Then enable the DNS proxy in the Azure Firewall DNS settings.
Configure virtual network DNS servers
- Select the virtual network where the DNS traffic is routed through the Azure Firewall instance.
- Under Settings, select DNS servers.
- Under DNS servers, select Custom.
- Enter the firewall's private IP address.
- Select Save.
- Restart the VMs that are connected to the virtual network so they're assigned the new DNS server settings. VMs continue to use their current DNS settings until they're restarted.
Enable DNS proxy
- Select your Azure Firewall instance.
- Under Settings, select DNS settings.
- Under DNS proxy, select Enabled. DNS proxy is disabled by default. When it's enabled, the firewall listens on port 53 and forwards DNS requests to the configured DNS servers.
- Review the DNS servers configuration to make sure that the settings are appropriate for your environment.
- Select Save.
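The three configuration steps above, scripted with Azure CLI as an added example (this is not code from the Azure documentation). It assumes the azure-firewall CLI extension, an existing standalone firewall and virtual network, and three illustrative knobs introduced here: DRY_RUN=1 prints the az commands instead of running them, and FW_SUBNET_PREFIX and FW_PRIVATE_IP let you skip the two lookups. The --query path for the firewall's private IP is assumed from the CLI's camelCase output. Before changing anything, it enforces the two constraints stated on this page: no more than 15 custom DNS servers, and none of them inside AzureFirewallSubnet.

```shell
#!/bin/sh
# Added example, not part of the Azure documentation. Applies the three DNS proxy
# steps with Azure CLI (requires the azure-firewall extension and an existing
# firewall and virtual network). Assumed knobs: DRY_RUN=1 prints the az commands
# instead of running them; FW_SUBNET_PREFIX and FW_PRIVATE_IP skip the lookups.
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Dotted IPv4 address -> integer, using only POSIX sh arithmetic.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when IP ($1) lies inside CIDR prefix ($2), e.g. 10.0.0.4 10.0.0.0/26.
ip_in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Enforce the documented limits before touching the firewall:
# at most 15 custom servers, none of them inside AzureFirewallSubnet.
# Usage: validate_dns_servers <AzureFirewallSubnet prefix> <server>...
validate_dns_servers() {
  fw_subnet=$1; shift
  if [ "$#" -gt 15 ]; then
    echo "error: $# DNS servers given, the maximum is 15" >&2
    return 1
  fi
  for server in "$@"; do
    if ip_in_cidr "$server" "$fw_subnet"; then
      echo "error: DNS server $server is inside AzureFirewallSubnet $fw_subnet" >&2
      return 1
    fi
  done
  return 0
}

# Apply the procedure.
# Usage: configure_dns_proxy <resource-group> <firewall> <vnet> <dns-server>...
configure_dns_proxy() {
  rg=$1; fw=$2; vnet=$3; shift 3

  # Address prefix of AzureFirewallSubnet, used to reject servers placed in it.
  fw_subnet=${FW_SUBNET_PREFIX:-$(az network vnet subnet show -g "$rg" --vnet-name "$vnet" \
    -n AzureFirewallSubnet --query addressPrefix -o tsv)}
  validate_dns_servers "$fw_subnet" "$@" || return 1

  # Steps 1 and 2: custom DNS servers plus DNS proxy on a standalone firewall.
  # For a firewall managed by Firewall Manager, set these on the policy instead:
  #   az network firewall policy update ... --dns-servers ... --enable-dns-proxy true
  run az network firewall update -g "$rg" -n "$fw" --dns-servers "$@" --enable-dns-proxy true

  # Step 3: make the VNet hand out the firewall's private IP as its DNS server.
  # (--query path assumed from the CLI's camelCase output.)
  fw_ip=${FW_PRIVATE_IP:-$(az network firewall ip-config list -g "$rg" -f "$fw" \
    --query "[0].privateIpAddress" -o tsv)}
  run az network vnet update -g "$rg" -n "$vnet" --dns-servers "$fw_ip"

  echo "note: restart the VMs in $vnet so they pick up DNS server $fw_ip" >&2
}

# Run only when called with arguments; sourcing the file just defines the functions.
[ "$#" -eq 0 ] || configure_dns_proxy "$@"
```

Dry-run it first to review the exact commands, for example `DRY_RUN=1 FW_SUBNET_PREFIX=10.0.0.0/26 FW_PRIVATE_IP=10.0.0.4 sh fw-dns.sh my-rg my-fw my-vnet 10.0.1.4 10.0.1.5`, then run it without DRY_RUN. The VM restart is deliberately left to you, since existing VMs keep their old DNS settings until they're restarted.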
High availability failover
DNS proxy has a failover mechanism that stops using a detected unhealthy server and uses another DNS server that is available.
If all DNS servers are unavailable, there's no fallback to another DNS server.
Health checks
DNS proxy runs a health check loop every five seconds for as long as an upstream server reports as unhealthy. Each health check is a recursive DNS query to the root name server. Once an upstream server is considered healthy again, the firewall stops health checks until the next error. When a healthy upstream server returns an error, the firewall selects another DNS server in the list.
Azure Firewall with Azure Private DNS Zones
When you use an Azure Private DNS zone with Azure Firewall, don't create domain mappings that override the default domain names of the storage accounts and other endpoints created by Microsoft. Overriding these default domain names breaks Azure Firewall management traffic to Azure storage accounts and other endpoints, which in turn breaks firewall updates, logging, and monitoring.
For example, firewall management traffic requires access to a storage account under the domain name blob.core.chinacloudapi.cn, and the firewall relies on Azure DNS to resolve that FQDN to an IP address. Don't create a Private DNS zone named blob.core.chinacloudapi.cn (which captures every name under *.blob.core.chinacloudapi.cn) and link it to the Azure Firewall virtual network. If you override the default domain name, all DNS queries for that domain are answered from the private DNS zone, which breaks firewall operations. Instead, give the private DNS zone a unique domain name below it, such as *.<unique-domain-name>.blob.core.chinacloudapi.cn.
Alternatively, you can enable a private link for a storage account and integrate it with a private DNS zone. For more information, see Inspect private endpoint traffic with Azure Firewall.
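A check for the naming problem described above, added here as an example (not code from the Azure documentation). A private zone captures a platform domain when the zone name is that domain or a parent suffix of it (core.chinacloudapi.cn would capture blob.core.chinacloudapi.cn just as badly), while a zone below it, such as <unique-domain-name>.blob.core.chinacloudapi.cn or the privatelink zone, does not; this generalizes the single case on the page. The PLATFORM_DOMAINS list is illustrative and taken from this page for the China cloud; extend it for your cloud. The --live mode assumes Azure CLI and lists every private DNS zone in the subscription, which is broader than the zones linked to the firewall's VNet.

```shell
#!/bin/sh
# Added example, not part of the Azure documentation. Flags private DNS zone
# names that would capture the platform domains Azure Firewall's own management
# traffic resolves through Azure DNS. The domain list is illustrative (taken from
# this page for the China cloud); the --live listing assumes Azure CLI.
set -eu

PLATFORM_DOMAINS="blob.core.chinacloudapi.cn"

# Succeed when a private zone named $1 would answer queries for $2: the zone
# is the name itself or a parent suffix of it (core.chinacloudapi.cn captures
# blob.core.chinacloudapi.cn). A zone *below* the platform domain, such as
# unique.blob.core.chinacloudapi.cn, leaves the platform name untouched.
# Comparison is case-insensitive and ignores a trailing dot.
zone_shadows() {
  z=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); z=${z%.}
  n=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); n=${n%.}
  [ "$z" = "$n" ] && return 0
  case "$n" in
    *".$z") return 0 ;;
  esac
  return 1
}

# Read zone names (one per line) on stdin, print each offending zone with the
# platform domain it captures, and fail if there were any.
check_zone_names() {
  bad=0
  while IFS= read -r zone; do
    [ -n "$zone" ] || continue
    for domain in $PLATFORM_DOMAINS; do
      if zone_shadows "$zone" "$domain"; then
        echo "$zone captures $domain"
        bad=1
      fi
    done
  done
  return "$bad"
}

# With --live, check every private DNS zone in the current subscription. To
# narrow it to zones actually linked to the firewall's VNet, inspect
#   az network private-dns link vnet list -g <zone-rg> -z <zone>
# for each zone before feeding its name to check_zone_names.
if [ "${1:-}" = "--live" ]; then
  az network private-dns zone list --query "[].name" -o tsv | check_zone_names
fi
```

Run `sh check-zones.sh --live` in a subscription context; a non-zero exit means at least one zone would break the firewall's management resolution if it is linked to the firewall's virtual network. You can also pipe any list of candidate zone names into check_zone_names before creating them.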