Using Azure Firewall's DNS Proxy with an internal DNS Server

Question

Question

If using Azure Firewall's DNS Proxy with internal DNS severs behind this same firewall, what happens to requests for external DNS records (i.e. does this cause an infinite loop where the DNS server requests records from a public DNS server, but this request gets caught by the FW and sent back to the internal DNS server)?

Context

We have a secure hub/vwan in Azure where all inter-vnet traffic goes via the firewall, as does all ingress and egress traffic for our network.

We're looking to enable DNS Proxy on the firewall to allow us to use FQDNs in our rules.

We've specified custom DNS servers on our FW too (which seems acceptable per this screenshot from MS Docs. In the screenshot they're using an internal IP and MS's special 168.63.129.16 IP. For ours, we have the internal IPs of our 2 domain controllers, and those are setup with conditional forwards to 168.63.129.16 for those domains on which we have private endpoints with private dns zones.

My worry is that with DNS Proxy enabled, since traffic from our DCs to the internet goes via this firewall, will it intercept their queries for public DNS and cause an infinite loop, resulting in any requests for external DNS info to fail (once any previously cached entries expire)?

Similarly, would requests to 168.63.129.16 (via the conditional forwarder) also be seen as going to the internet & thus intercepted?

The screenshot in the docs implies we can add 168.63.129.16 as a DNS server on the firewall... but would that be treated as a round-robin with the other DNS servers (i.e. so requests for internal zones would sometimes fail as 168.63.129.16 doesn't know of our internal zones beyond the Azure private dns zones, but sometimes return an expected response when hitting our internal DNS servers), or is there some order of preference where 168.63.129.16 is only contacted if our internal DNS servers don't have a record?

If this infinite loop is a possibility, what's the correct fix? Do we just route outbound traffic from our DCs as next hop 0.0.0.0/0 (which then impacts all traffic, not just port 53), or is there a better solution?

Answer 1

Firewall proxy works with 2 pieces of config: 1) it's enabled on fw; 2) client is configured to use it, i.e. on client it has to point to fw address as their DNS server.

You DCs (they are also DNS at same time) have their own forwarders for internet/public domain names. DCs forward external queries directly to external DNS servers, meaning such queries are not going thru fw.

Answer 2

Use Azure Firewall as a DNS Proxy to a custom DNS forwader virtual machine deployed in the hub virtual network or directly to the default Azure-provided DNS. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server. If you configure a custom DNS server, then enable DNS proxy to avoid a DNS resolution mismatch, and enable FQDN (fully qualified domain name) filtering in the network rules. This functionality is required to have reliable FQDN filtering in network rules. If you don't enable DNS proxy, then DNS requests from the client might travel to a DNS server at a different time or return a different response compared to that of the firewall. DNS proxy puts Azure Firewall in the path of the client requests to avoid inconsistency. You can enable DNS proxy in Azure Firewall and Firewall Policy settings. For more information, see Azure Firewall DNS Proxy. To learn more about DNS proxy logs, see the Azure Firewall log and metrics documentation.

So it just forwards the dns queries to your internal dns server.