I had a requirement to use the Azure Firewall DNS proxy to capture and log DNS traffic for Azure Private Link services. My plan was to set up a conditional forwarder for all private DNS resources from on-prem to the Azure Firewall, using the firewall proxy to reach the DNS hosted in Azure.
After reviewing the AD with DNS on-prem, I found that all private DNS zones are resolved using a forward lookup zone for each service instead of a conditional forwarder, and that the DNS server hosted in Azure was set up with AD roles, so all DNS zones are replicated across all servers with AD/DNS roles.
Now I see a challenge in meeting the ask of using the DNS proxy:

1) One way to achieve this is by removing the DNS server name from the firewall proxy and using a conditional forwarder to the Azure Firewall, which will send all Azure service requests directly to the wired DNS. While this seems like the easier implementation for the current environment, I will still have to keep the conditional forwarder to resolve private.services.xx along with the conditional forwarder to ensure name resolution does not break. Not sure if it is worth using the firewall proxy with this method, or whether to not use the firewall proxy at all.
2) Another option is to create a new DNS application partition to replicate only those partitions with the Azure-hosted DNS, use a forwarder in the Azure-hosted DNS, and have the firewall proxy forward requests to the Azure-hosted DNS. This is the recommended solution, but it will require cleanup of all the existing forward lookup zones and some service interruption.
3) Completely remove the Azure-hosted DNS from the picture and deploy DNS Resolver with an inbound resolver for cloud resources and an outbound resolver with a rule-set for on-prem.
Which approach would be better in an environment that is using Azure forward lookup zones with full AD DS zone replication between on-prem and Azure for the Private Link name instead of the public name of the resource?
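The conflict described above (an AD-integrated forward lookup zone for a privatelink name cannot coexist with a conditional forwarder of the same name on the same server) is easy to audit before choosing an option. The script below is an added example, not code from the original post; it runs against an on-prem Windows DNS server, reports each privatelink zone as absent, already a conditional forwarder, or hosted as an authoritative zone, and only creates forwarders to the Azure Firewall private IP when `-Apply` is given. The server name, firewall IP and zone list are assumed placeholders.

```powershell
# Added example (not from the original post): audit privatelink zones on an on-prem
# Windows DNS server before pointing them at the Azure Firewall DNS proxy.
# Assumptions (placeholders): $DnsServer, $FirewallProxyIP and the zone list.
param(
    [string]$DnsServer         = 'dc01.corp.example',   # assumed on-prem DC/DNS host
    [string]$FirewallProxyIP   = '10.0.1.4',            # assumed Azure Firewall private IP
    [string[]]$PrivateLinkZones = @(
        'privatelink.blob.core.windows.net',
        'privatelink.database.windows.net',
        'privatelink.vaultcore.azure.net'
    ),
    [switch]$Apply   # without -Apply nothing is changed; the script only reports
)

$existing = Get-DnsServerZone -ComputerName $DnsServer

foreach ($zone in $PrivateLinkZones) {
    $z = $existing | Where-Object ZoneName -eq $zone
    if ($null -eq $z) {
        # No zone of that name: a conditional forwarder to the firewall proxy can be added.
        Write-Output "$zone : not present -> conditional forwarder to $FirewallProxyIP can be created"
        if ($Apply) {
            Add-DnsServerConditionalForwarderZone -ComputerName $DnsServer -Name $zone `
                -MasterServers $FirewallProxyIP -ReplicationScope 'Forest'
        }
    }
    elseif ($z.ZoneType -eq 'Forwarder') {
        # Already a conditional forwarder: verify it targets the firewall proxy and not a DC,
        # otherwise the firewall never sees (and never logs) these queries.
        $masters = ($z.MasterServers | ForEach-Object { $_.IPAddressToString }) -join ','
        $state = if ($masters -eq $FirewallProxyIP) { '(OK)' } else { '(not the firewall proxy)' }
        Write-Output "$zone : conditional forwarder -> $masters $state"
    }
    else {
        # Authoritative forward lookup zone (AD-integrated, replicated to the Azure DCs).
        # It answers locally, so queries bypass the proxy and a forwarder of the same name
        # cannot be created until the zone is removed and its records are served elsewhere.
        Write-Output "$zone : hosted as $($z.ZoneType) zone (AD-integrated: $($z.IsDsIntegrated)) -> blocks a conditional forwarder"
    }
}
```

Run it without `-Apply` first; the zones reported as hosted are exactly the ones that make option 1 leave resolution off the proxy and that option 2 would have to clean up.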