Hello @Erik,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how the DNS requests are routed through the Azure Firewall DNS Proxy if there are multiple DNS servers behind it.
By default, Azure Firewall uses Azure DNS when DNS Proxy is disabled.
The DNS server setting lets you configure your own DNS servers, and with DNS Proxy enabled, the firewall directs the DNS traffic to the specified DNS servers for name resolution.
Refer: https://learn.microsoft.com/en-us/azure/firewall/dns-settings#configure-virtual-network-dns-servers
If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers. You can configure a maximum of 15 DNS servers in Custom DNS.
And if you want to enable FQDN (fully qualified domain name) filtering in network rules, enable DNS proxy and update the virtual machine configuration to use the firewall as a DNS proxy.
So, to summarize:
- If DNS Proxy is disabled and Custom DNS is disabled, then Azure Firewall uses Azure DNS.
- If DNS Proxy is enabled and Custom DNS is disabled, then Azure Firewall listens for DNS requests, and then sends DNS queries to the Azure DNS IP of 168.63.129.16.
- If DNS Proxy is enabled and Custom DNS is enabled, then Azure Firewall listens for DNS queries, and then sends the DNS query to the Custom DNS IP address. If you configure multiple DNS servers, the server used is chosen randomly from among the specified DNS servers.
- If DNS Proxy is disabled and Custom DNS is enabled, then Azure Firewall does not listen for DNS requests internally, but will send DNS queries related to Rules containing FQDNs.
NOTE: If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. DNS proxy puts Azure Firewall in the path of the client requests to avoid inconsistency.
Kindly let us know if the above helped or you need further assistance on this issue.
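The four cases and the FQDN-filtering note in the answer above can be turned into a configuration check. This is an added example, not part of the original answer or Microsoft's code; the input dictionaries, their field names, and the sample addresses are hypothetical simplifications, not the Azure resource schema.

```python
AZURE_DNS = "168.63.129.16"   # Azure DNS IP named in the answer
MAX_CUSTOM_DNS = 15           # Custom DNS limit named in the answer

def describe(fw):
    """Return (listens_for_client_queries, upstream_servers) for the four cases."""
    upstream = list(fw["custom_dns"]) or [AZURE_DNS]
    return fw["dns_proxy"], upstream

def audit(fw, vnets):
    """Return (code, detail) findings for one firewall and its client VNets."""
    findings = []
    listens, upstream = describe(fw)
    if len(fw["custom_dns"]) > MAX_CUSTOM_DNS:
        findings.append(("TOO_MANY_SERVERS",
                         f"{len(fw['custom_dns'])} > {MAX_CUSTOM_DNS}"))
    if len(upstream) > 1:
        # The server is picked at random, so any listed server may get any query.
        findings.append(("RANDOM_UPSTREAM", ", ".join(upstream)))
    if fw["fqdn_network_rules"]:
        if not listens:
            # FQDN filtering in network rules needs DNS Proxy enabled.
            findings.append(("FQDN_RULES_WITHOUT_PROXY", fw["name"]))
        for vnet in vnets:
            # Clients must resolve through the firewall to see the same answers.
            if vnet["dns_servers"] != [fw["private_ip"]]:
                findings.append(("CLIENT_BYPASSES_PROXY", vnet["name"]))
    return findings

# Constructed sample data (hypothetical names and addresses).
FIREWALL = {
    "name": "fw-hub",
    "private_ip": "10.0.1.4",
    "dns_proxy": True,
    "custom_dns": ["10.0.2.4", "10.0.2.5"],
    "fqdn_network_rules": True,
}
VNETS = [
    {"name": "spoke-a", "dns_servers": ["10.0.1.4"]},   # uses the firewall
    {"name": "spoke-b", "dns_servers": ["10.0.2.4"]},   # goes straight to a DNS server
]

if __name__ == "__main__":
    for code, detail in audit(FIREWALL, VNETS):
        print(code, detail)
```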