Azure Firewall DNS settings

You can configure a custom DNS server and enable DNS proxy for Azure Firewall. Configure these settings when you deploy the firewall, or configure them later from the DNS settings page.

DNS servers

A DNS server maintains and resolves domain names to IP addresses. By default, Azure Firewall uses Azure DNS for name resolution. The DNS servers setting lets you configure your own DNS servers for Azure Firewall name resolution. You can configure a single server or multiple servers.

Note

For instances of Azure Firewall that are managed by using Azure Firewall Manager, the DNS settings are configured in the associated Azure Firewall policy.

Configure custom DNS servers - Azure portal

  1. Under Azure Firewall Settings, select DNS settings.
  2. Under DNS servers, you can type or add existing DNS servers that have been previously specified in your virtual network.
  3. Select Save.

The firewall now directs DNS traffic to the specified DNS servers for name resolution.

Screenshot that shows the DNS servers setting.

Configure custom DNS servers - Azure CLI

The following example updates Azure Firewall with custom DNS servers by using the Azure CLI.

az network firewall update \
    --name fwName \
    --resource-group fwRG \
    --dns-servers 10.1.0.4 10.1.0.5

Important

The az network firewall command requires the Azure CLI extension azure-firewall to be installed. You can install it by using the command az extension add --name azure-firewall.

Configure custom DNS servers - Azure PowerShell

The following example updates Azure Firewall with custom DNS servers by using Azure PowerShell.

$dnsServers = @("10.1.0.4", "10.1.0.5")
$azFw = Get-AzFirewall -Name "fwName" -ResourceGroupName "fwRG"
$azFw.DNSServer = $dnsServers

$azFw | Set-AzFirewall

DNS proxy

You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server. If you configure a custom DNS server, enable DNS proxy to avoid a DNS resolution mismatch, and enable FQDN (fully qualified domain name) filtering in the network rules.

If you don't enable DNS proxy, DNS requests from the client might reach the DNS server at a different time than the firewall's own requests, or return a different response than the one the firewall received. DNS proxy puts Azure Firewall in the path of the client requests to avoid this inconsistency.

When Azure Firewall is a DNS proxy, two caching function types are possible:

  • Positive cache: DNS resolution is successful. The firewall caches the result for the TTL (time to live) of the packet or object.

  • Negative cache: DNS resolution results in no response or no resolution. The firewall caches this information for one hour.

The DNS proxy stores all resolved IP addresses from FQDNs in network rules. As a best practice, use FQDNs that resolve to one IP address.
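To make the resolution mismatch and the two cache types concrete, here is an added Python model written for this page; it is example code, not Azure's implementation and not part of the Azure documentation. It assumes a constructed upstream DNS server that rotates through several addresses for one name, the made-up names app.contoso.example, db.contoso.example and new.contoso.example, and made-up addresses. The TTL-bound positive cache and the one-hour negative cache follow the description above; everything else is a simplification.

```python
# Added example, not Azure's code or the page's own: a simplified model of the DNS proxy
# behaviour described above (client/firewall mismatch, TTL-bound positive cache, one-hour
# negative cache). The upstream server, zone data, names and addresses are constructed.
import time
from typing import Callable, Dict, List, Optional, Tuple

NEGATIVE_CACHE_SECONDS = 3600  # per the page: no response / no resolution is cached one hour
Answer = Optional[Tuple[List[str], int]]  # (addresses, ttl), or None when nothing resolves


class RotatingUpstream:
    """Constructed upstream DNS server that answers one address per query, rotating
    through the record set, as round-robin and CDN-fronted names commonly do."""

    def __init__(self) -> None:
        self.zone: Dict[str, Tuple[List[str], int]] = {
            "app.contoso.example": (["203.0.113.10", "203.0.113.11", "203.0.113.12"], 30),
            "db.contoso.example": (["10.2.0.7"], 300),
        }
        self.queries = 0

    def __call__(self, name: str) -> Answer:
        record = self.zone.get(name)
        if record is None:
            return None
        addresses, ttl = record
        chosen = addresses[self.queries % len(addresses)]
        self.queries += 1
        return ([chosen], ttl)


class DnsProxyCache:
    """Caching resolver standing in for the firewall's DNS proxy."""

    def __init__(self, upstream: Callable[[str], Answer],
                 clock: Callable[[], float] = time.time) -> None:
        self.upstream = upstream
        self.clock = clock
        self.positive: Dict[str, Tuple[List[str], float]] = {}  # name -> (addresses, expiry)
        self.negative: Dict[str, float] = {}                    # name -> expiry

    def resolve(self, name: str) -> Optional[List[str]]:
        now = self.clock()
        cached = self.positive.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]                          # positive hit, still inside the TTL
        if self.negative.get(name, 0.0) > now:
            return None                               # negative hit, inside the one-hour window
        answer = self.upstream(name)
        if answer is None:
            self.negative[name] = now + NEGATIVE_CACHE_SECONDS
            return None
        addresses, ttl = answer
        self.positive[name] = (addresses, now + ttl)  # keep for the TTL carried by the answer
        return addresses


def client_matches_firewall(use_proxy: bool, name: str = "app.contoso.example") -> bool:
    """True when the client's address is one the firewall resolved for its FQDN network
    rule. Via the proxy the client reads the firewall's cache; bypassing it, the client
    queries upstream on its own and receives the next address in the rotation."""
    upstream = RotatingUpstream()
    now = [1000.0]
    firewall = DnsProxyCache(upstream, clock=lambda: now[0])
    rule_addresses = firewall.resolve(name)
    client_addresses = firewall.resolve(name) if use_proxy else upstream(name)[0]
    return client_addresses[0] in rule_addresses


def positive_cache_timeline(name: str = "app.contoso.example") -> List[str]:
    """Addresses returned at t=0, 10 and 31 s; the 30 s TTL sends the last query upstream."""
    upstream = RotatingUpstream()
    now = [0.0]
    proxy = DnsProxyCache(upstream, clock=lambda: now[0])
    results = []
    for t in (0.0, 10.0, 31.0):
        now[0] = t
        results.append(proxy.resolve(name)[0])
    return results


def negative_cache_timeline(name: str = "new.contoso.example") -> List[Optional[List[str]]]:
    """Resolve a not-yet-existing name, create it upstream, resolve at 30 min and 1 h + 1 s."""
    upstream = RotatingUpstream()
    now = [0.0]
    proxy = DnsProxyCache(upstream, clock=lambda: now[0])
    results = [proxy.resolve(name)]            # no record: cached as a negative answer
    upstream.zone[name] = (["10.3.0.9"], 60)   # record appears after the first query
    now[0] = 1800.0
    results.append(proxy.resolve(name))        # still served from the negative cache
    now[0] = 3601.0
    results.append(proxy.resolve(name))        # negative entry expired, fresh answer
    return results


if __name__ == "__main__":
    for proxy_on in (False, True):
        print("proxy", proxy_on, "-> client matches firewall:", client_matches_firewall(proxy_on))
    print(positive_cache_timeline(), negative_cache_timeline())
```

Running it shows a client that bypasses the proxy arriving at an address the firewall's FQDN rule never saw, which is the inconsistency the proxy removes by putting the firewall in the client's resolution path. The positive-cache timeline also shows one FQDN yielding different addresses across TTL windows, which is why the best practice above favors FQDNs that resolve to a single address; the negative-cache timeline shows that a record created after a failed lookup is not seen until the one-hour window has passed.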

DNS proxy configuration

DNS proxy configuration requires three steps:

  1. Enable the DNS proxy in Azure Firewall DNS settings.
  2. Optionally, configure your custom DNS server or use the provided default.
  3. Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings. This setting ensures DNS traffic is directed to Azure Firewall.

Configure DNS proxy - Azure portal

To configure DNS proxy, you must configure your virtual network DNS servers setting to use the firewall private IP address. Then enable the DNS proxy in the Azure Firewall DNS settings.

Configure virtual network DNS servers

  1. Select the virtual network where the DNS traffic will be routed through the Azure Firewall instance.
  2. Under Settings, select DNS servers.
  3. Under DNS servers, select Custom.
  4. Enter the firewall's private IP address.
  5. Select Save.
  6. Restart the VMs that are connected to the virtual network so they're assigned the new DNS server settings. VMs continue to use their current DNS settings until they're restarted.

Enable DNS proxy

  1. Select your Azure Firewall instance.
  2. Under Settings, select DNS settings.
  3. By default, DNS Proxy is disabled. When this setting is enabled, the firewall listens on port 53 and forwards DNS requests to the configured DNS servers.
  4. Review the DNS servers configuration to make sure that the settings are appropriate for your environment.
  5. Select Save.

Screenshot that shows the DNS proxy setting.

Configure DNS proxy - Azure CLI

You can use the Azure CLI to configure DNS proxy settings in Azure Firewall. You can also use it to update virtual networks to use Azure Firewall as the DNS server.

Configure virtual network DNS servers

The following example configures the virtual network to use Azure Firewall as the DNS server.

az network vnet update \
    --name VNetName \
    --resource-group VNetRG \
    --dns-servers <firewall-private-IP>

Enable DNS proxy

The following example enables the DNS proxy feature in Azure Firewall.

az network firewall update \
    --name fwName \
    --resource-group fwRG \
    --enable-dns-proxy true

Configure DNS proxy - Azure PowerShell

You can use Azure PowerShell to configure DNS proxy settings in Azure Firewall. You can also use it to update virtual networks to use Azure Firewall as the DNS server.

Configure virtual network DNS servers

The following example configures the virtual network to use Azure Firewall as a DNS server.

$dnsServers = @("<firewall-private-IP>")
$VNet = Get-AzVirtualNetwork -Name "VNetName" -ResourceGroupName "VNetRG"
$VNet.DhcpOptions.DnsServers = $dnsServers

$VNet | Set-AzVirtualNetwork

Enable DNS proxy

The following example enables the DNS proxy feature in Azure Firewall.

$azFw = Get-AzFirewall -Name "fwName" -ResourceGroupName "fwRG"
$azFw.DNSEnableProxy = $true

$azFw | Set-AzFirewall

Next steps

FQDN filtering in network rules