Many of our customers use Azure DNS for name resolution for the infrastructure they have in Azure. The setup with Azure DNS works like a charm and provides name resolution for Azure infrastructure without any complex setup. One challenge you may have is that Azure DNS does not log DNS queries from your VMs, which means you have no visibility into which endpoints your Azure infrastructure is trying to connect to or which DNS names it is resolving.
In this blog, we will see how Azure Firewall can help our customers overcome this challenge and provide visibility not only to Azure DNS logging but also to control the traffic flows both east-west and to the internet for their Azure resources.
Azure Firewall recently added Custom DNS and DNS proxy capabilities, which were a big ask from our customers. These are the features we will explore in this blog, along with how they can help you.
Azure DNS provides name resolution and basic authoritative DNS capabilities for public DNS names. The Azure DNS IP address is 184.108.40.206. Azure DNS provides DNS name resolution for your Azure infrastructure if you do not host your own DNS server. For example, when you set up a new VM in Azure, it can resolve public names out of the box using Azure-provided name resolution (Azure DNS).
Azure Firewall Custom DNS
By default, Azure Firewall uses Azure DNS so that the service can reliably resolve internet-based names. Custom DNS lets you configure Azure Firewall to use your own corporate DNS server, or Azure DNS, to resolve DNS queries.
You may configure a single DNS server or multiple servers in Azure Firewall and Firewall Policy DNS settings. We will go through the setup in more detail later on in this blog.
Azure Firewall DNS Proxy
This feature enables Azure Firewall to act as a DNS forwarder for your infrastructure. When DNS proxy is enabled, your clients can point to Azure Firewall as their DNS server, and the firewall resolves their queries on their behalf.
DNS proxy logs every query coming from your infrastructure in the Azure Firewall logs; we will go through the logs in detail later in this blog.
We hope the above gives you a good understanding of the components involved in the challenge we are trying to resolve. Let's now look at the solution and see how Azure Firewall Custom DNS and DNS proxy help you get visibility into Azure DNS traffic through logging.
The problem we are trying to solve in this blog is that even when UDRs force all traffic through the firewall, DNS traffic goes straight to Azure DNS, which means you cannot log the DNS traffic or control the traffic flow from your infrastructure to Azure DNS. With this architecture, you can centrally log all DNS traffic going to Azure DNS using Azure Firewall.
For this deployment, a hub-and-spoke model is recommended, where the firewall sits in its own virtual network. For the purpose of this blog we will assume a simpler architecture where both the workload VM and Azure Firewall are in the same virtual network but deployed in two different subnets, as represented in the diagram below.
Azure Firewall Deployment
You can deploy Azure Firewall from the Azure portal, ARM, REST or CLI. Here is the article which you can follow to set up the above configuration step by step using the Azure portal.
You will see output like the one below, showing all the DNS queries your workload VM is making to Azure-provided DNS.
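As an added example (not code from the blog or from Azure Firewall itself), the following Python script parses a few constructed DNS proxy log records and summarizes, per client VM, which names were resolved, which fall outside an expected set of domain suffixes, and which came back NXDOMAIN. The record layout encoded in the regex and the allowed-suffix list are assumptions; adjust them to match the msg_s field in your own Log Analytics workspace.

```python
import re
from collections import defaultdict

# Assumed layout of an AzureFirewallDnsProxy msg_s record:
# "DNS Request: <client>:<port> - <id> <type> IN <name>. <proto> <len> <dnssec> <bufsize> <rcode> ..."
# Adjust this pattern if your records are laid out differently.
DNS_REQUEST_RE = re.compile(
    r"DNS Request: (?P<client>[\d.]+):(?P<port>\d+) - (?P<id>\d+) "
    r"(?P<qtype>[A-Z]+) IN (?P<name>\S+?)\.? (?P<proto>udp|tcp) \d+ \S+ \d+ "
    r"(?P<rcode>[A-Z]+) "
)

# Constructed sample records (not real firewall output).
SAMPLE_LOGS = """\
DNS Request: 10.0.1.4:50231 - 41012 A IN contoso.blob.core.windows.net. udp 52 false 512 NOERROR qr,rd,ra 120 0.000711s
DNS Request: 10.0.1.4:50232 - 41013 AAAA IN contoso.blob.core.windows.net. udp 52 false 512 NOERROR qr,rd,ra 150 0.000600s
DNS Request: 10.0.1.5:43120 - 9001 A IN update.example-vendor.net. udp 48 false 512 NOERROR qr,rd,ra 64 0.000450s
DNS Request: 10.0.1.5:43121 - 9002 A IN xk3j9.unknown.invalid. udp 43 false 512 NXDOMAIN qr,rd,ra 43 0.000300s
"""


def parse_dns_proxy_logs(text):
    """Return one dict (client, qtype, name, rcode) per line that matches the record layout."""
    records = []
    for line in text.splitlines():
        m = DNS_REQUEST_RE.search(line)
        if m:
            records.append({k: m.group(k) for k in ("client", "qtype", "name", "rcode")})
    return records


def summarize(records, allowed_suffixes):
    """Per client: every name queried, names outside the expected suffixes, and NXDOMAIN answers."""
    summary = defaultdict(lambda: {"names": set(), "unexpected": set(), "nxdomain": set()})
    for r in records:
        entry = summary[r["client"]]
        name = r["name"].lower().rstrip(".")
        entry["names"].add(name)
        if not any(name == s or name.endswith("." + s) for s in allowed_suffixes):
            entry["unexpected"].add(name)
        if r["rcode"] == "NXDOMAIN":
            entry["nxdomain"].add(name)
    return dict(summary)


if __name__ == "__main__":
    # The suffix list is a constructed example of what a workload is expected to talk to.
    for client, info in summarize(parse_dns_proxy_logs(SAMPLE_LOGS), ["windows.net", "example-vendor.net"]).items():
        print(client, sorted(info["names"]), "unexpected:", sorted(info["unexpected"]), "nxdomain:", sorted(info["nxdomain"]))
```

Exporting the DNS proxy records from the workspace and feeding them through this script gives a quick per-VM view of which endpoints each workload resolves, which is the visibility the blog is after.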
As you can see, your organization now has visibility into all the DNS requests your Azure infrastructure makes to Azure-provided DNS, and you can use Azure Firewall to control traffic flows. You can also use this template in GitHub to deploy Azure Firewall as a DNS proxy in a hub-and-spoke topology along with Private Endpoints. We hope you find this blog useful.
Thanks to Paolo Salvatori for providing the template for the ARM deployment.