articles/firewall/dns-settings.md
+37 -11 (37 additions and 11 deletions)
@@ -5,7 +5,7 @@ services: firewall
5
5
author: duau
6
6
ms.service: azure-firewall
7
7
ms.topic: how-to
8
-
ms.date: 09/30/2024
8
+
ms.date: 05/15/2025
9
9
ms.author: duau
10
10
ms.custom: devx-track-azurepowershell
11
11
---
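Review bot: nothing to raise in this hunk; the ms.date bump to 05/15/2025 is the only change here and it is consistent with the content edits in the later hunks.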
@@ -66,7 +66,7 @@ If you want to enable FQDN (fully qualified domain name) filtering in network ru
66
66
67
67
:::image type="content" source="media/dns-settings/dns-proxy-2.png" alt-text="D N S proxy configuration using a custom DNS server.":::
68
68
69
-
If you enable FQDN filtering in network rules, and you don't configure client virtual machines to use the firewall as a DNS proxy, then DNS requests from these clients might travel to a DNS server at a different time or return a different response compared to that of the firewall. It’s recommended to configure client virtual machines to use the Azure Firewall as their DNS proxy. This puts Azure Firewall in the path of the client requests to avoid inconsistency.
69
+
If you enable FQDN filtering in network rules but don't configure client virtual machines to use the Azure Firewall as their DNS proxy, DNS requests from these clients might be resolved at different times or return different results than those seen by the Azure Firewall. To ensure consistent DNS resolution and FQDN filtering, configure client virtual machines to use Azure Firewall as their DNS proxy. This setup ensures that all DNS requests pass through the firewall, preventing inconsistencies.
70
70
71
71
When Azure Firewall is a DNS proxy, two caching function types are possible:
72
72
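Review bot: the closing sentence of the new paragraph, "This setup ensures that all DNS requests pass through the firewall, preventing inconsistencies", overstates what the configuration does. Pointing the client virtual machines at Azure Firewall as their DNS proxy only routes the queries of clients that honour that setting; it does not by itself guarantee that every DNS request traverses the firewall. The previous wording, "This puts Azure Firewall in the path of the client requests", was more accurate; consider "This setup routes the DNS requests of those clients through the firewall, avoiding inconsistencies" if you want to keep the new structure.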
@@ -80,7 +80,7 @@ The DNS proxy stores all resolved IP addresses from FQDNs in network rules. As a
80
80
81
81
Policy DNS settings applied to a standalone firewall override the standalone firewall’s DNS settings. A child policy inherits all parent policy DNS settings, but it can override the parent policy.
82
82
83
-
For example, to use FQDNs in network rule, DNS proxy should be enabled. But if a parent policy does **not** have DNS proxy enabled, the child policy won't support FQDNs in network rules unless you locally override this setting.
83
+
For example, to use FQDNs in network rule, DNS proxy should be enabled. But if a parent policy does **not** have DNS proxy enabled, the child policy doesn't support FQDNs in network rules unless you locally override this setting.
84
84
85
85
### DNS proxy configuration
86
86
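Review bot: two wording slips survive the edit on the + line. "to use FQDNs in network rule" should be "in network rules" (plural, as in the rest of the sentence), and "DNS proxy should be enabled" understates a hard requirement; "DNS proxy must be enabled" matches the "doesn't support FQDNs in network rules unless you locally override this setting" clause that follows.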
@@ -90,7 +90,7 @@ DNS proxy configuration requires three steps:
90
90
3. Configure the Azure Firewall private IP address as a custom DNS address in your virtual network DNS server settings to direct DNS traffic to the Azure Firewall.
91
91
92
92
> [!NOTE]
93
-
> If you choose to use a custom DNS server, select any IP address within the virtual network, excluding those in the Azure Firewall subnet.
93
+
> If you use a custom DNS server, select an IP address from your virtual network that isn't part of the Azure Firewall subnet.
94
94
95
95
#### [Portal](#tab/browser)
96
96
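Review bot: the rewritten note is ambiguous about which DNS server it means. Step 3 directly above tells the reader to set the Azure Firewall private IP address as the custom DNS address of the virtual network, and the note then says "If you use a custom DNS server, select an IP address from your virtual network that isn't part of the Azure Firewall subnet", which reads as contradicting that step. Spell out that the note is about the upstream DNS server the firewall forwards queries to, for example: "If you configure a custom DNS server as the firewall's upstream resolver, use an IP address in your virtual network that isn't in the Azure Firewall subnet."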
@@ -179,13 +179,39 @@ DNS proxy performs five-second health check loops for as long as the upstream se
179
179
180
180
## Azure Firewall with Azure Private DNS Zones
181
181
182
-
When you use an Azure Private DNS zone with Azure Firewall, make sure you don’t create domain mappings that override the default domain names of the storage accounts and other endpoints created by Microsoft. If you override the default domain names, it breaks Azure Firewall management traffic access to Azure storage accounts and other endpoints. This breaks firewall updates, logging, and/or monitoring.
183
-
184
-
For example, firewall management traffic requires access to the storage account with the domain name blob.core.windows.net and the firewall relies on Azure DNS for FQDN to IP address resolutions.
185
-
186
-
Don’t create a Private DNS Zone with the domain name `*.blob.core.windows.net` and associate it with the Azure Firewall virtual network. If you override the default domain names, all the DNS queries are directed to the private DNS zone, and this breaks firewall operations. Instead, create a unique domain name such as `*.<unique-domain-name>.blob.core.windows.net` for the private DNS zone.
187
-
188
-
Alternatively, you can enable a private link for a storage account and integrate it with a private DNS zone, see [Inspect private endpoint traffic with Azure Firewall](../private-link/tutorial-inspect-traffic-azure-firewall.md).
182
+
Azure Firewall supports integration with Azure Private DNS zones, allowing it to resolve private domain names. When you associate a Private DNS zone with the virtual network where Azure Firewall is deployed, the firewall can resolve names defined in that zone.
183
+
184
+
> [!IMPORTANT]
185
+
> Avoid creating DNS records in Private DNS zones that override Microsoft-owned default domains. Overriding these domains can prevent Azure Firewall from resolving critical endpoints, which can disrupt management traffic and cause features such as logging, monitoring, and updates to fail.
186
+
187
+
The following is a *nonexhaustive* list of Microsoft-owned domains that should **not** be overridden, as Azure Firewall management traffic might require access to them:
188
+
189
+
-`azclient.ms`
190
+
-`azure.com`
191
+
-`cloudapp.net`
192
+
-`core.windows.net`
193
+
-`login.microsoftonline.com`
194
+
-`microsoft.com`
195
+
-`msidentity.com`
196
+
-`trafficmanager.net`
197
+
-`vault.azure.net`
198
+
-`windows.net`
199
+
-`management.azure.com`
200
+
-`table.core.windows.net`
201
+
-`store.core.windows.net`
202
+
-`azure-api.net`
203
+
-`microsoftmetrics.com`
204
+
-`time.windows.com`
205
+
-`servicebus.windows.net`
206
+
-`blob.storage.azure.net`
207
+
-`blob.core.windows.net`
208
+
-`arm-msedge.net`
209
+
-`cloudapp.azure.com`
210
+
-`monitoring.core.windows.net`
211
+
212
+
For example, Azure Firewall management traffic requires access to storage accounts using the domain `blob.core.windows.net`. If you create a Private DNS zone for `*.blob.core.windows.net` and associate it with the firewall's virtual network, you override the default DNS resolution and disrupt essential firewall operations. To avoid this issue, don't override the default domain. Instead, create a Private DNS zone for a unique subdomain, such as `*.<unique-domain-name>.blob.core.windows.net`.
213
+
214
+
Alternatively, to prevent Private DNS zones from affecting Azure Firewall, deploy the services that require Private DNS zones in a separate virtual network. This way, Private DNS zones are only associated with the service virtual network and don't affect DNS resolution for Azure Firewall.
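Review bot: the new domain list will not render as a list. Each item is written as "-`azclient.ms`" with no space between the hyphen and the backtick, and Markdown requires a space after the list marker, so these lines will collapse into one paragraph of literal hyphens; change them to "- `azclient.ms`" and so on. Two smaller points on the same hunk: the rewrite drops the previous cross-reference "[Inspect private endpoint traffic with Azure Firewall](../private-link/tutorial-inspect-traffic-azure-firewall.md)", and the new "Alternatively" paragraph describes a different workaround (a separate virtual network), so consider keeping the private link sentence as well; and the `*.` prefix in `*.<unique-domain-name>.blob.core.windows.net` suggests a wildcard zone name, whereas a Private DNS zone name is a plain domain name, so `<unique-domain-name>.blob.core.windows.net` would be clearer.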