Commit 86b1eb0

Added a new section on Private DNS Zones
1 parent 4f3fc23 commit 86b1eb0

File tree

1 file changed

+11
-1
lines changed


articles/firewall/dns-settings.md

Lines changed: 11 additions & 1 deletion
@@ -5,7 +5,7 @@ services: firewall
55
author: vhorne
66
ms.service: azure-firewall
77
ms.topic: how-to
8-
ms.date: 06/21/2024
8+
ms.date: 09/30/2024
99
ms.author: victorh
1010
ms.custom: devx-track-azurepowershell
1111
---
@@ -181,6 +181,16 @@ If all DNS servers are unavailable, there's no fallback to another DNS server.
181181

182182
DNS proxy performs five-second health check loops for as long as the upstream servers report as unhealthy. The health checks are a recursive DNS query to the root name server. Once an upstream server is considered healthy, the firewall stops health checks until the next error. When a healthy proxy returns an error, the firewall selects another DNS server in the list.
183183

184+
## Azure Firewall with Azure Private DNS Zones
185+
186+
When you use an Azure Private DNS zone with Azure Firewall, make sure you don’t create domain mappings that override the default domain names of the storage accounts and other endpoints created by Microsoft. If you override the default domain names, it breaks Azure Firewall management traffic access to Azure storage accounts and other endpoints. This breaks firewall updates, logging, and/or monitoring.
187+
188+
For example, firewall management traffic requires access to the storage account with the domain name blob.core.windows.net and the firewall relies on Azure DNS for FQDN to IP address resolutions.
189+
190+
Don’t create a Private DNS Zone with the domain name `*.blob.core.windows.net` and associate it with the Azure Firewall virtual network. If you override the default domain names, all the DNS queries are directed to the private DNS zone, and this breaks firewall operations. Instead, create a unique domain name such as `*.<unique-domain-name>.blob.core.windows.net` for the private DNS zone.
191+
192+
Alternatively, you can enable a private link for a storage account and integrate it with a private DNS zone, see [Inspect private endpoint traffic with Azure Firewall](../private-link/tutorial-inspect-traffic-azure-firewall.md).
193+
184194
## Next steps
185195

186196
- [Azure Firewall DNS Proxy details](dns-details.md)
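Review bot: in the new paragraph that begins "Don’t create a Private DNS Zone with the domain name `*.blob.core.windows.net`", the `*.` prefix is wildcard record syntax rather than a zone name, so the advice names something a reader cannot create as a zone. The breakage the paragraph describes (all queries for the default names being directed to the private zone) is what happens when a zone named `blob.core.windows.net` is linked to the firewall's virtual network, with wildcard or per-account records inside it. Suggest stating the zone name without the wildcard, e.g. "Don’t create a Private DNS Zone named `blob.core.windows.net` and link it to the Azure Firewall virtual network", and presenting the safe alternative the same way, as a zone one label down such as `<unique-domain-name>.blob.core.windows.net`, with one sentence on why it is safe: a query for `<account>.blob.core.windows.net` falls outside that zone, so it still resolves through Azure DNS and management traffic is unaffected. Two smaller nits in the same section: "breaks firewall updates, logging, and/or monitoring" reads better as "breaks firewall updates, logging, or monitoring", and "FQDN to IP address resolutions" should be "FQDN-to-IP-address resolution".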
