Azure Network Security Blog

DNS flow trace logs in Azure Firewall are now generally available

surenjamiyanaa
Nov 12, 2025

Background

Azure Firewall helps secure your network by filtering traffic and enforcing policies for your workloads and applications. DNS Proxy, a key capability in Azure Firewall, enables the firewall to act as a DNS forwarder for DNS traffic.

Today, we’re introducing the general availability of DNS flow trace logs, a new logging capability that provides end-to-end visibility into DNS traffic and name resolution across your environment. The logs expose critical metadata, including query types, response codes, queried domains, upstream DNS servers, and the source and destination IPs of each request.

Why DNS flow trace logs?

Existing Azure Firewall DNS Proxy logs provide visibility for DNS queries as they initially pass through Azure Firewall. While helpful, customers have asked for deeper insights to troubleshoot, audit, and analyze DNS behavior more comprehensively.

DNS flow trace logs address this by offering richer, end-to-end logging, including DNS query paths, cache usage, forwarding decisions, and resolution outcomes. With these logs, you can:

  • Troubleshoot faster with detailed query and response information throughout the full resolution flow
  • Validate caching behavior by determining whether Azure Firewall’s DNS cache was used
  • Gain deeper insights into query types, response codes, forwarding logic, and errors

Figure 1: End-to-end DNS query path from client virtual machine, through the Azure Firewall, to the Custom DNS server.

Example scenarios

  • Custom DNS configurations – Verify traffic forwarding paths and ensure custom DNS servers are functioning and responding as expected
  • Connectivity issues – Debug DNS resolution issues that prevent apps from connecting to critical services

Getting started in Azure Portal
  1. Navigate to your Azure Firewall resource in the Azure Portal.
  2. Select Diagnostic settings under Monitoring.
  3. Choose an existing diagnostic setting or create a new one.
  4. Under Log, select DNS flow trace logs.
  5. Stream logs to Log Analytics, Storage, or Event Hub as needed.
  6. Save the settings.

Figure 2: Example DNS flow trace logs in Azure Firewall logging

Next steps

DNS flow trace logs give you greater visibility and control over DNS traffic in Azure Firewall, helping you secure, troubleshoot, and optimize your network with confidence.

🚀 Try DNS flow trace logs today, now generally available – and share your feedback with the team

Learn more about how to configure and monitor these logs in the Azure Firewall monitoring data reference documentation.

Published Nov 12, 2025
Version 1.0