Azure Firewall DNS Proxy & DNS Private Resolver

Hi Joni Nieminen

Greetings,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

1. When the Azure Firewall's DNS Proxy is enabled, it may be causing a loop where DNS queries are sent back and forth between the Firewall and the Private Resolver without reaching the on-premises DNS servers.
2. The error message indicates that the Azure Firewall is trying to resolve the DNS query but is timing out, likely because it is not able to reach the on-premises DNS server.
3. Ensure that the UDRs are correctly configured to allow traffic from the Azure Firewall to the on-premises DNS servers. The UDR should not inadvertently route traffic back to the Private Resolver

As you mentioned, removing the DNS Proxy allows resolution to work. This indicates that the issue lies within the DNS Proxy configuration. Temporarily disable it to confirm that the forwarding ruleset is functioning correctly.

NOTE: A DNS server maintains and resolves domain names to IP addresses. By default, Azure Firewall uses Azure DNS for name resolution. The DNS server setting lets you configure your own DNS servers for Azure Firewall name resolution. You can configure a single server or multiple servers. If you configure multiple DNS servers, the server used is chosen randomly. You can configure a maximum of 15 DNS servers in Custom DNS.

In forwarding we need to give own DNS, not inbound IP address.

Refer: https://learn.microsoft.com/en-us/azure/firewall/dns-details?source=recommendations

If you have any further queries, do let us know.

Hope this clarifies.

Thanks,

Ganesh

Hey Ganesh and thank you for the explanation.

I believe my issue lies in the UDR configuration and here's how it's currently setup although name resolution doesn't work.

Spoke subnet UDR:

• 0.0.0.0/0 -> Azure Firewall
• 172.16.0.0/12 (onprem) -> Azure Firewall
  • This is to override the Virtual Network Gateway propagated system route so the spoke won't bypass Azure Firewall while traversing to onprem
• 10.0.3.0/24 -> Azure Firewall
  • This is the traffic to the shared virtual network hosting the Private Resolver, although it should be unnecessary as it's covered in the 0.0.0.0/0 route already

gatewaySubnet UDR:

• 10.0.3.0/24 -> Azure Firewall
  • Allowing the return traffic to Azure Firewall to avoid asynchronous routing for Private Resolver
• 10.0.4.0/24 -> Azure Firewall
  • Allowing the return traffic to Azure Firewall to avoid asynchronous routing for spoke vnet

PrivateResolverInboundSubnet UDR:

• 0.0.0.0/0 -> Azure Firewall
• 172.16.0.0/12 (onprem) -> Azure Firewall
  • This is to override the Virtual Network Gateway propagated system route so the private resolver inbound subnet won't bypass Azure Firewall while traversing to onprem

PrivateResolverOutboundSubnet UDR:

• 0.0.0.0/0 -> Azure Firewall
• 172.16.0.0/12 (onprem) -> Azure Firewall
  • This is to override the Virtual Network Gateway propagated system route so the private resolver outbound subnet won't bypass Azure Firewall while traversing to onprem

DNS Settings:

• Hub virtual network
  • Default (Azure-provided)
• Shared services virtual network (Private Resolver)
  • Default (Azure-provided)
• Spoke virtual network
  • Azure Firewall (10.0.0.4)

DNS Forwarding Ruleset:

• Rule contains company.local. -> onpremises DNS servers on port 53
• Rule is linked to the hub virtual network

The same forwarding ruleset works fine when the DNS proxy/firewall/UDR's are taken out of the picture.

Hello Joni Nieminen,

• Add Route for DNS settings 0.0.0.0/0 and Next Hop as Internet and Test.

Meanwhile whitelist the below

• 53 UDP/TCP inbound for inbound endpoints.
• 53 UDP/TCP outbound and inbound for outbound endpoints.

Hope this clarifies

Thanks

Ganesh

If you need further assistance with any of these workarounds or have specific questions about implementation, feel free to ask!

I found the root cause to be missing gateway route propagation on the VPN gateway, this was set to No/Disabled in the Bicep code which deploys the GatewaySubnet Route Table.
Once I set the disableBgpRoutePropagation to false the connection started working as expected including the name resolution.

resource RouteTableResource 'Microsoft.Network/routeTables@2020-03-01' = [for i in range(0, length(RouteTables)): {
  name: RouteTables[i].name
  location: resourceGroup().location
  properties: {
    disableBgpRoutePropagation: true
    routes: RouteTables[i].routes
  }
}]