Introduction:
The Domain Name System (DNS) plays a crucial role in the infrastructure functioning of organisations. It acts as a phone book that translates domain names into their respective IP addresses so that machines can communicate with each other. Depending on their specific requirements, organisations can choose between their corporate DNS or Azure DNS for name resolution in a hybrid infrastructure environment.
Recently, Azure Firewall has introduced advanced features such as custom DNS and DNS proxy capabilities. Customers highly requested these features, and they offer several benefits. Custom DNS allows organisations to use and integrate their DNS servers with Azure Firewall, enabling a consistent name resolution experience across their entire infrastructure. On the other hand, the DNS proxy capability helps secure the resolution of DNS queries by intercepting DNS traffic and redirecting it to a designated DNS server.
This blog will explore these features in detail and discuss how they can help organisations improve their network security and management.
Background of Azure Firewall:
Azure Firewall is a cloud-based network security service that offers advanced threat protection for your cloud workloads running on Azure. It is a stateful firewall with built-in high availability and unlimited scalability. Azure Firewall inspects both east-west and north-south traffic.
Azure Firewall is available in three SKUs: Basic, Standard, and Premium. We need a standard SKU Azure firewall to utilise custom DNS with DNS proxy features.
To learn more about Azure Firewall, Please refer to the blogs below:
My blog – Azure Firewall
Custom DNS Server settings:
We can configure a custom DNS server and enable DNS proxy for Azure Firewall. You have two options: configure these settings during the firewall deployment or later from the DNS settings page. We can use Azure DNS or your own DNS servers for name resolution with Azure Firewall.
By default, Azure Firewall uses Azure DNS to resolve domain names. However, if you prefer to use your own DNS servers, you can configure Azure Firewall to use them instead. To do this, you can use the DNS server setting to configure a single server or multiple servers for Azure Firewall name resolution.
If you configure multiple DNS servers, Azure Firewall will randomly select a server for name resolution. This can help distribute the load across your DNS servers and improve performance. Remember, though, that you can only add a maximum of 15 DNS servers in the Custom DNS configuration.
Configure custom DNS servers:
When deploying the firewall, it is possible to configure various settings to your liking. However, you need to modify or enable additional settings after deployment. In that case, there are a few options available to you. The Portal, Azure CLI, or PowerShell tools can adjust the settings.
When the Azure firewall policy is used to manage the Azure Firewall, firewall policies manage the DNS settings. This setup enables a more streamlined and efficient firewall management, ensuring optimal performance and security.
When DNS settings are applied to a standalone firewall through policy, these settings will override the firewall’s existing DNS settings. A child policy will inherit all DNS settings from its parent policy but can also override these settings.
Follow the below steps to change the custom DNS in Azure firewall via the portal:
- Select the appropriate Azure firewall policies for the desired Azure Firewall.
- Under the Settings, select DNS. Click Enabled.
- Under DNS Servers, choose Custom and type the existing DNS servers.
- Select Apply.
Once the settings are applied, the firewall directs DNS traffic to the specified DNS servers for name resolution. This setting is relevant when organisations rely on the enterprise DNS servers for name resolution.
DNS Proxy settings:
Azure Firewall offers the functionality of acting as a DNS proxy, which allows it to establish a middle ground between DNS requests from client virtual machines and a DNS server. The firewall behaves as a standard DNS client, making it an intermediary for DNS requests. It caches records when multiple A records exist in the response, storing all of them in the cache. When a response contains only one record, the firewall caches only one; clients cannot determine whether to expect one or multiple A records in responses beforehand.
Additionally, when an FQDN TTL (time-to-live) is about to expire, records are cached and expired according to their TTLs. The firewall does not employ pre-fetching, meaning it does not perform a lookup before TTL expiration to refresh the record. This setup allows the firewall to act as a DNS proxy efficiently. It guarantees the speedy and accurate resolution of all DNS requests.
How does it work?
Once enabled, Azure Firewalls associated will listen on port 53 and forward DNS requests to the specified DNS server settings.
To configure the DNS proxy, you must configure your virtual network DNS server settings to use the firewall’s private IP address. Then, enable the DNS proxy in the Azure Firewall DNS settings.
When Azure Firewall is a DNS proxy, two caching function types are possible:
- Positive cache: DNS resolution is successful, and the firewall caches responses based on TTL for up to an hour.
- Negative cache: DNS resolution may result in no response or resolution. Based on the TTL, the firewall caches these responses for up to 30 minutes.
The DNS proxy stores resolved IP addresses from FQDNs in network rules. For best practice, use FQDNs that resolve to one IP address.
Follow the below steps to change the DNS proxy in the Azure firewall via the portal:
- Select the appropriate Azure firewall policies for the desired Azure Firewall.
- Under the Settings, select DNS.
- Under DNS Proxy, select Enabled.
- Select Apply.
Failover and Health checks:
DNS servers can sometimes become unhealthy or unavailable, disrupting network operations. DNS proxy tools have a failover mechanism that automatically detects an unhealthy DNS server and switches to another available server. This mechanism ensures that network traffic flows smoothly as long as at least one DNS server remains available. If all DNS servers are down, network downtime will occur until fixed.
The DNS proxy constantly checks the health of upstream servers by performing five-second health check loops. Suppose an upstream server is reported as unhealthy. In that case, the DNS proxy performs a recursive DNS query to the root name server. Once an upstream server is considered healthy, the firewall stops health checks until another error occurs. If a healthy proxy returns an error, the firewall selects another DNS server from the list to ensure uninterrupted service.
We are here at the end of the blog, and I hope this blog provided more insights into the DNS settings in the Azure Firewall services.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.