Azure Firewall DNS Settings
This document provides a comprehensive guide to configuring DNS settings for Azure Firewall. Proper DNS resolution is crucial for network security and efficient traffic management within your Azure environment.
Note: Azure Firewall supports both Azure DNS Private Resolver and custom DNS servers for DNS resolution. Choose the option that best suits your network architecture and requirements.
Overview of DNS in Azure Firewall
Azure Firewall acts as a network security service that protects your Azure Virtual Network resources. When traffic passes through Azure Firewall, it needs to resolve hostnames to IP addresses. This process is managed by the DNS settings configured on the firewall.
Configuring DNS Settings
Using Azure DNS Private Resolver
Azure DNS Private Resolver integrates seamlessly with Azure Firewall, providing a scalable and highly available DNS resolution service for your private DNS zones.
- Navigate to your Azure Firewall instance in the Azure portal.
- Under Settings, select DNS.
- Choose Use Azure DNS Resolver.
- Select the appropriate Azure DNS Private Resolver from the dropdown list.
- Click Save.
Using Custom DNS Servers
You can also configure Azure Firewall to use your own custom DNS servers, which might be on-premises servers or other cloud-based DNS solutions.
- Navigate to your Azure Firewall instance in the Azure portal.
- Under Settings, select DNS.
- Choose Use custom DNS servers.
- Enter the IP addresses of your custom DNS servers in the provided fields. You can add multiple DNS servers for redundancy.
- Click Save.
DNS Proxy Settings
Azure Firewall can act as a DNS proxy, forwarding DNS requests from your network to the configured DNS servers. This allows you to centralize DNS management and apply security policies.
- Enable DNS proxy: When enabled, Azure Firewall intercepts DNS requests from virtual machines and forwards them to the specified DNS servers.
- DNS proxy port: The default port for DNS is 53. You can specify a different port if required.
Configuration Steps for DNS Proxy:
- Navigate to your Azure Firewall instance.
- Under Settings, select DNS.
- Enable DNS proxy and, if required, change the DNS proxy port from its default of 53.
- Click Save.
Caution: Ensure that your Network Security Groups (NSGs) and User Defined Routes (UDRs) are configured to allow DNS traffic (UDP/TCP port 53) to and from the Azure Firewall and your DNS servers.
DNS Resolution Behavior
When DNS proxy is enabled, Azure Firewall receives DNS queries from the virtual machines it protects and forwards them to the configured DNS servers. The firewall can also be configured to forward DNS proxy traffic to Azure DNS Resolver, enabling DNS resolution for private DNS zones associated with your virtual networks.
DNS Settings in Azure Firewall Policy
Azure Firewall Policy provides a centralized way to manage firewall rules, network rules, and application rules. DNS settings can also be configured within the policy object.
For more advanced configurations, consider using Azure Firewall Policy with DNAT rules and FQDN tags.
Example Azure CLI Command to Update DNS Settings:
# Requires the azure-firewall CLI extension: az extension add --name azure-firewall
az network firewall update \
  --resource-group MyResourceGroup \
  --name MyFirewall \
  --dns-servers "8.8.8.8" "8.8.4.4" \
  --enable-dns-proxy true
Troubleshooting DNS Issues
If you encounter DNS resolution problems, consider the following:
- Verify that the DNS server IP addresses are correct and reachable from the Azure Firewall.
- Check NSG rules to ensure DNS traffic is allowed.
- Confirm that UDRs are correctly routing DNS traffic through the firewall.
- If using Azure DNS Private Resolver, ensure the resolver is deployed in the correct virtual network and that private DNS zones are linked.
- Examine firewall logs for any blocked DNS requests.
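The first troubleshooting check above (is each DNS server reachable, and does it actually answer?) and the DNS proxy behaviour described earlier (the firewall's private IP answers on port 53 and forwards to the configured servers) can both be verified with a small probe run from a virtual machine whose route goes through the firewall. The script below is an added example written for this document; it is not Azure Firewall code or an Azure tool. It builds a DNS query with the standard library only, sends it over UDP to each target, and reports whether a response arrived, its response code, and any A records. The target addresses in the usage block (a firewall private IP of 10.0.1.4 and a custom DNS server of 8.8.8.8) and the query name example.com are constructed placeholders to replace with your own values.

```python
import random
import socket
import struct
from typing import Optional

DNS_PORT = 53  # port the DNS proxy and the configured DNS servers listen on
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: one question, recursion desired, A record by default."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # id, flags (RD set), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")  # ASCII labels only in this example
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Parse the header and A-record answers of a DNS response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip qtype and qclass
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:  # A record
            addresses.append(socket.inet_ntoa(rdata))
    return {
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "truncated": bool(flags & 0x0200),  # TC bit: retry over TCP if set
        "answers": addresses,
    }


def probe(server: str, name: str, timeout: float = 2.0, port: int = DNS_PORT) -> dict:
    """Send one query over UDP and report reachability plus the parsed answer."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            # No reply: server down, or UDP 53 blocked by an NSG or not routed by a UDR
            return {"server": server, "reachable": False, "rcode_name": None, "answers": []}
    result = parse_response(data, txid)
    result.update(server=server, reachable=True)
    return result


if __name__ == "__main__":
    import sys
    # Constructed placeholders: firewall private IP (DNS proxy) and one custom DNS server
    targets = sys.argv[1:] or ["10.0.1.4", "8.8.8.8"]
    for target in targets:
        print(probe(target, "example.com"))
```

A timeout against the firewall IP but a normal answer from the backend server points at the proxy setting, an NSG, or a UDR; SERVFAIL or REFUSED from the backend points at the DNS server itself; NXDOMAIN for a private zone name usually means the zone is not linked to the network that the resolver serves.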