Commit e72dd21

updated the dns policy inheritance issue
1 parent 63d5df6 commit e72dd21

1 file changed: +2 -1 lines changed

articles/firewall/firewall-known-issues.md

Lines changed: 2 additions & 1 deletion
@@ -5,7 +5,7 @@ services: firewall
55
author: varunkalyana
66
ms.service: azure-firewall
77
ms.topic: concept-article
8-
ms.date: 04/11/2025
8+
ms.date: 04/13/2025
99
ms.author: varunkalyana
1010
---
1111

@@ -33,6 +33,7 @@ Azure Firewall Standard has the following known issues:
3333
|DNAT support for private IP addresses limited to Standard and Premium versions|Support for DNAT on Azure Firewall private IP address is intended for enterprises, so is limited to the Standard and Premium Firewall versions.| None|
3434
|Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](../load-balancer/outbound-rules.md#limitations). We're exploring options to support this scenario in a future release.|
3535
|When an Azure Firewall is deallocated and then allocated again, sometimes it may be assigned a new private IP address that differs from the previous one.| In such scenarios, the existing User Defined Routes (UDRs) configured with the old private IP address will need to be reconfigured to reflect the new private IP address.|A fix for this issue to retain the previously assigned private IP address is in our roadmap.|
36+
| Azure Firewall DNS proxy server configurations in the parent policy is not inherited by child policies.|Changes made to the Azure Firewall parent policy will result in DNS resolution failures for Fully Qualified Domain Name (FQDN) based rules within the child policies that are linked to the parent policy.| To avoid this issue, configure the DNS proxy settings directly on the child policies instead of relying on inheritance from the parent policy.|
3637
|Missing PowerShell and CLI support for ICMP|Azure PowerShell and CLI don't support ICMP as a valid protocol in network rules.|It's still possible to use ICMP as a protocol via the portal and the REST API. We're working to add ICMP in PowerShell and CLI soon.|
3738
|FQDN tags require a protocol: port to be set|Application rules with FQDN tags require port: protocol definition.|You can use **https** as the port: protocol value. We're working to make this field optional when FQDN tags are used.|
3839
|Moving a firewall to a different resource group or subscription isn't supported|Moving a firewall to a different resource group or subscription isn't supported.|Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.|
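
Review bot: The description cell of the added row (new line 36) attributes the DNS resolution failures to "Changes made to the Azure Firewall parent policy" in general, while the issue cell says the problem is that the parent's DNS proxy configuration is not inherited. Name the triggering change (DNS settings configured or changed on the parent) so readers don't conclude that any parent-policy edit breaks FQDN rules in child policies. Wording in the same row: "configurations ... is not inherited" should read "configuration ... isn't inherited" (subject-verb agreement, and the neighbouring rows use contractions), "FQDN based" should be "FQDN-based", and the leading space after the first `|` can be dropped to match the adjacent rows. The row lands in the list introduced by "Azure Firewall Standard has the following known issues:"; since the issue is about policy inheritance, please confirm whether it is Standard-only or whether other sections of the article need the same entry.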
