articles/firewall/dns-details.md (4 additions & 4 deletions)
@@ -5,7 +5,7 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: conceptual
8
-
ms.date: 05/26/2021
8
+
ms.date: 06/11/2024
9
9
ms.author: victorh
10
10
---
11
11
@@ -17,11 +17,11 @@ The following information describes some implementation details for Azure Firewa
17
17
18
18
## FQDNs with multiple A records
19
19
20
-
Azure Firewall acts as a standard DNS client. If multiple A records are in the response, the firewall stores all the records in cache. If there’s one record per response, the firewall stores only single record. There's no way for a client to know ahead of time if it should expect one or multiple A records in responses.
20
+
Azure Firewall acts as a standard DNS client. If multiple A records are in the response, the firewall stores all the records in cache and offers them to the client in the response. If there’s one record per response, the firewall stores only a single record. There's no way for a client to know ahead of time if it should expect one or multiple A records in responses.
21
21
22
22
## FQDN Time to Live (TTL)
23
23
24
-
When a FQDN TTL (time-to-live) is about to expire, records are cached and expired according to their TTLs. Pre-fetching isn't used, so the firewall doesn't do a lookup prior to TTL expiration to refresh the record.
24
+
When a FQDN TTL (time-to-live) is about to expire, records are cached and expired according to their TTLs. Pre-fetching isn't used, so the firewall doesn't do a lookup before TTL expiration to refresh the record.
25
25
26
26
## Clients not configured to use the firewall DNS proxy
27
27
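Review bot: the clause added in the first + line of this hunk, "and offers them to the client in the response", is a new behavioural statement rather than a wording fix, and it is vaguer than the rest of the paragraph; it should state plainly that the firewall returns all of the cached A records in its DNS response to the client, since readers who rely on FQDNs in network rules for names with several A records need to know exactly what the client receives. In the same hunk, the second + line still carries the awkward lead-in "When a FQDN TTL (time-to-live) is about to expire, records are cached and expired according to their TTLs": the opening clause does not govern the sentence that follows, and "a FQDN" should be "an FQDN" to match the later hunk. Suggest: "Records are cached and expired according to their TTLs. Pre-fetching isn't used, so the firewall doesn't do a lookup before TTL expiration to refresh the record."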
@@ -31,7 +31,7 @@ For example, assume a client workload is in US East, and uses a primary DNS serv
31
31
32
32
This is a common scenario, and why clients should use the firewall’s DNS proxy functionality. Clients should use the firewall as their resolver if you use FQDNs in Network rules. You can ensure IP address resolution consistency by clients and the firewall itself.
33
33
34
-
In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt won't match the rules on the firewall and will be denied.
34
+
In this example, if an FQDN is configured in Network rules, the firewall resolves the FQDN to IP1 (IP address 1) and updates the network rules to allow access to IP1. If and when the client resolves the same FQDN to IP2 because of a difference in DNS response, its connection attempt won't match the rules on the firewall and is denied.
35
35
36
36
For HTTP/S FQDNs in Application rules, the firewall parses out the FQDN from the host or SNI header, resolves it, and then connects to that IP address. The destination IP address the client was trying to connect to is ignored.
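Review bot: the change from "will be denied" to "is denied" is a sound present-tense fix, but the unchanged context line two lines above it, "You can ensure IP address resolution consistency by clients and the firewall itself.", is the sentence a reader actually stumbles on and should be tidied in the same pass; suggest "This ensures consistent IP address resolution between the clients and the firewall itself." Also in that context line, "This is a common scenario, and why clients should use the firewall's DNS proxy functionality." would read more cleanly as "This is a common scenario, and it is why clients should use the firewall's DNS proxy functionality."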
0 commit comments