
What is Azure Firewall DNS proxy?

Published in Azure Firewall

Azure Firewall DNS proxy is an intermediary service within Azure Firewall that intercepts and handles DNS requests originating from client virtual machines (VMs) before forwarding them to a specified DNS server.

Understanding DNS Proxy Functionality

When configured, Azure Firewall acts as a DNS proxy by receiving DNS queries from VMs residing behind the firewall. Instead of the VMs directly contacting a DNS server, they send their queries to the firewall's IP address. The firewall then forwards these requests to the configured DNS server (either a custom DNS server or the default Azure DNS). Once the DNS server provides a response, the firewall relays that response back to the originating VM.

Benefits of Using Azure Firewall DNS Proxy

Using Azure Firewall as a DNS proxy offers several advantages:

  • DNS Security: By centralizing DNS resolution through the firewall, you can apply security policies and filtering to DNS traffic, protecting your network from malicious domains and DNS-based attacks.
  • Name Resolution Consistency: Ensures consistent name resolution across your virtual network, especially useful when mixing public and private DNS zones.
  • Logging and Auditing: The firewall logs all DNS requests, providing visibility into DNS traffic patterns for auditing and troubleshooting purposes.
  • FQDN Filtering in Network Rules: DNS proxy is required to enable Fully Qualified Domain Name (FQDN) filtering in network rules. Without DNS proxy, the firewall cannot resolve FQDNs to IP addresses for rule enforcement.

How it Works

  1. A virtual machine behind the Azure Firewall initiates a DNS query.
  2. The VM sends the query to the Azure Firewall's private IP address (configured as the DNS server for the VM).
  3. The Azure Firewall, acting as a DNS proxy, intercepts the request.
  4. The Firewall forwards the DNS query to the configured DNS server (e.g., Azure DNS or a custom DNS server).
  5. The DNS server resolves the query and sends the response back to the Azure Firewall.
  6. The Azure Firewall relays the DNS response back to the originating virtual machine.

Configuration Considerations

  • Enable DNS Proxy: You must explicitly enable the DNS proxy feature within the Azure Firewall settings.
  • Configure DNS Server: Specify the DNS server (or servers) that the firewall will use to resolve DNS queries. This can be Azure DNS or a custom DNS server reachable from the firewall.
  • Virtual Network Configuration: Ensure that the virtual machines are configured to use the Azure Firewall's private IP address as their DNS server. This typically involves modifying the virtual network's DNS server settings or configuring each VM's DNS settings individually.
  • Firewall Rules: Configure appropriate firewall rules to allow DNS traffic (port 53) between the virtual machines, the Azure Firewall, and the configured DNS server.
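The steps under "How it Works" and the considerations above map onto a short Az PowerShell session. The following is an added example, not code from the askvity article or from Microsoft's documentation; the resource group, firewall, policy and VNet names and the 10.x addresses are assumptions to replace with your own, and it assumes an authenticated session (Connect-AzAccount) with the Az.Network module installed.

```powershell
# Added example: turn Azure Firewall into the DNS proxy for a VNet using the Az module.
# Resource names and addresses below are assumptions, not values from the article.

$rg          = 'rg-network'    # assumed resource group
$fwName      = 'fw-hub'        # assumed Azure Firewall name
$policyName  = 'fwpol-hub'     # assumed Firewall Policy attached to $fwName
$vnetName    = 'vnet-spoke'    # assumed VNet whose VMs should resolve through the firewall
$upstreamDns = @('10.0.1.4')   # assumed custom DNS server reachable from the firewall

# Step 1: enable the DNS proxy on the firewall policy and set the upstream server(s).
# Leave out -Server to have the firewall forward to the default Azure DNS instead.
$policy = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg
$dns    = New-AzFirewallPolicyDnsSetting -Server $upstreamDns -EnableProxy
Set-AzFirewallPolicy -InputObject $policy -DnsSetting $dns

# For a classic firewall without a policy, the same two settings live on the firewall object:
#   $fw.DNSEnableProxy = $true; $fw.DNSServer = $upstreamDns; Set-AzFirewall -AzureFirewall $fw

# Step 2: the firewall's private IP is the address the VMs must use as their DNS server.
$fw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# Step 3: point the VNet's DNS setting at the firewall so every VM in it sends queries
# through the proxy. VMs pick the change up after a DHCP renew or a reboot.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not $vnet.DhcpOptions) {
    # VNets that never had custom DNS may return no DhcpOptions object; create one.
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($fwIp)
Set-AzVirtualNetwork -VirtualNetwork $vnet

# Step 4 (check, run from a VM inside the VNet): the answer should come from the
# firewall's private IP, which confirms the proxy is in the path before relying on
# FQDN-based network rules.
#   Resolve-DnsName -Name 'www.example.com' -Server $fwIp
```

Steps 1 to 3 cover the three configuration items above (enable the proxy, choose the upstream DNS server, point the VNet at the firewall); the port 53 rules are unchanged by this script and still need to allow the firewall to reach the upstream server you chose.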

By acting as a DNS proxy, Azure Firewall enhances security, provides consistent name resolution, and enables FQDN filtering capabilities, making it a valuable component for securing your Azure network.
