Azure DNS Proxy with DNS inbound private resolver

prasantc 976 Reputation points
2023-07-14T05:25:27.4966667+00:00

In context with https://learn.microsoft.com/en-us/answers/questions/1325352/azure-virtual-wan

Today, one of the users tried to remove the DNS inbound resolver in the Firewall DNS proxy and add the new local DNS server hosted in Azure.

It resolved most of the DNS but failed to resolve the private endpoint from on-prem to ASE app services, so we rolled back.

There are mixed articles about DNS proxy being recommended for Azure VWAN and secured hub, and there are some articles that show DNS proxy does not function across a secured hub due to the firewall.

https://github.com/MicrosoftDocs/azure-docs/issues/93019

Does the below statement apply if I use custom DNS or a private inbound IP in the DNS proxy?

Azure Firewall DNS proxy feature does not work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration.

The Azure Firewall DNS proxy feature allows Azure Firewall to act as a DNS proxy, intercepting DNS queries and resolving them on behalf of the requesting clients. However, the DNS proxy feature is not supported when Azure Firewall is deployed within an Azure secured hub.

When using Azure secured hubs in a vWAN, DNS resolution for resources within the hub typically relies on other mechanisms, such as Azure Private DNS or custom DNS configurations specific to the environment. Azure Firewall within the secured hub operates at the network level, providing network security and protection rather than DNS proxy functionality.

It's recommended to explore alternative DNS resolution options within an Azure secured hub, depending on your specific requirements and architectural design. Consider leveraging Azure Private DNS zones or custom DNS configurations to meet your DNS resolution needs in the secured hub environment.


Accepted answer
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
2023-07-14T13:05:32.9+00:00

    Hello @prasantc ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have a setup of multi-continental region deployment where two virtual WANs with secured hubs are in two regions (each subcontinent) connecting to another single virtual WAN with a secured virtual hub. Internal traffic is secured by Firewall and Internet traffic is secured by NVA. You also have an Azure DNS Private Resolver setup to query Azure DNS private zones from an on-premises environment and vice versa. The Firewall DNS proxy was configured with the private resolver inbound endpoint IP, but you were facing DNS resolution issues. So, one of your users tried to remove the DNS inbound resolver in the Firewall DNS proxy and added the new local DNS server hosted in Azure, and it resolved most of the DNS issues but failed to resolve the private endpoint from on-premises to ASE app services.

    You would like to know - does the Azure Firewall DNS proxy feature NOT work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration, if you use custom DNS or a private inbound IP in the DNS proxy?

    Could you please confirm if my understanding is correct?

    Assuming I understood your issue correctly, sharing a few pointers below:

    1. If you use custom DNS in the DNS proxy, the Azure Firewall DNS proxy feature should work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration.

    Azure Firewall Manager can provide security management for two network architecture types:

    • secured virtual hub.
    • hub virtual network.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/vhubs-and-vnets

    https://learn.microsoft.com/en-us/azure/firewall-manager/private-link-inspection-secure-virtual-hub

    DNS proxy configuration requires three steps:

    • Enable the DNS proxy in Azure Firewall DNS settings.
    • Optionally, configure your custom DNS server or use the provided default.
    • Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings. This setting ensures DNS traffic is directed to Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/dns-settings#dns-proxy-configuration

    Could you please make sure that the above steps are completed correctly?

    2. If you use a private inbound IP in the DNS proxy, the Azure Firewall DNS proxy feature may not work when deployed within an Azure secured hub in a Virtual WAN (vWAN) configuration.

    I checked with the Azure Firewall Product Group team and below is their response:

    The integration with Azure Private DNS resolver was not verified with Azure Firewall. We can help with collecting packet captures on the customer's Azure Firewall and validate it further, if needed.

    So, if you need help with the configuration of using a private inbound IP in the DNS proxy, then we would need to open a support request, so that the support team can engage the backend team for packet captures and log collection. Hence, if you have a support plan, I request you to file a support ticket; else please do let us know, and we will try and help you get one-time free technical support.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

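The three DNS proxy steps in the accepted answer (enable the proxy, set the custom DNS server, point the VNet at the firewall's private IP) as an added Azure CLI example, not code from the question, the answer, or Microsoft's documentation. Resource group, policy, VNet name and both IP addresses are placeholders you would replace with your own; the script runs in dry-run mode by default and only prints the commands, and executing them needs the Azure CLI with the `azure-firewall` extension. The private-address check is there because the failure mode described in the thread (a private endpoint not resolving) is most often a DNS path pointing at the wrong address.

```shell
#!/usr/bin/env sh
# Added example: Azure CLI for the DNS proxy configuration steps.
# All names and IPs below are assumed placeholders, not values from the thread.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"
RG="rg-hub-placeholder"               # assumed resource group
FW_POLICY="fwpolicy-hub-placeholder"  # assumed firewall policy attached to the secured hub
SPOKE_VNET="vnet-spoke-placeholder"   # assumed spoke VNet whose clients use the proxy
CUSTOM_DNS="10.10.0.4"                # assumed custom DNS server (or resolver inbound endpoint)
FIREWALL_PRIVATE_IP="10.0.0.4"        # assumed private IP of the hub firewall

# Steps 1 and 2: enable the DNS proxy on the firewall policy and set the custom DNS server.
step_enable_dns_proxy() {
  printf 'az network firewall policy update --resource-group %s --name %s --enable-dns-proxy true --dns-servers %s' \
    "$RG" "$FW_POLICY" "$CUSTOM_DNS"
}

# Step 3: make the firewall's private IP the VNet's DNS server so client queries reach the proxy.
step_point_vnet_at_firewall() {
  printf 'az network vnet update --resource-group %s --name %s --dns-servers %s' \
    "$RG" "$SPOKE_VNET" "$FIREWALL_PRIVATE_IP"
}

# Read back the policy's dnsSettings (enableProxy and servers) to confirm steps 1 and 2 applied.
verify_dns_settings() {
  printf 'az network firewall policy show --resource-group %s --name %s --query dnsSettings -o json' \
    "$RG" "$FW_POLICY"
}

# Guard: both addresses must be RFC 1918 private. A public address here usually
# means the wrong IP was copied, and queries would never reach the intended resolver.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

apply() {
  for ip in "$CUSTOM_DNS" "$FIREWALL_PRIVATE_IP"; do
    is_rfc1918 "$ip" || { echo "refusing: $ip is not a private address" >&2; return 1; }
  done
  for cmd in "$(step_enable_dns_proxy)" "$(step_point_vnet_at_firewall)" "$(verify_dns_settings)"; do
    if [ "$DRY_RUN" = "1" ]; then
      printf 'DRY RUN: %s\n' "$cmd"
    else
      eval "$cmd"   # the script composed this command itself; no external input is evaluated
    fi
  done
}

apply
```

Run it once as-is to review the exact commands, then `DRY_RUN=0 sh script.sh` to apply them. For the second scenario in the answer (resolver inbound endpoint as the DNS server), `CUSTOM_DNS` would be that inbound endpoint's IP, and the `verify_dns_settings` output is what you would attach to a support request alongside packet captures.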
