Azure Firewall in force tunnel configuration dropping port 53 traffic?

%3CLINGO-SUB%20id%3D%22lingo-sub-1651047%22%20slang%3D%22en-US%22%3EAzure%20Firewall%20in%20force%20tunnel%20configuration%20dropping%20port%2053%20traffic%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1651047%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%3C%2FP%3E%3CP%3EI%20have%20a%20hub%20and%20spoke%20architecture%20where%20an%20azure%20firewall%20is%20in%20the%20hub%20and%20is%20our%20chosen%20NVA%20for%20traffic%20management.%26nbsp%3B%20With%20appropriate%20routing%20tables%20in%20place%20all%20traffic%20passes%20through%20the%20Azure%20firewall%20to%20our%20on%20prem%20datacenter%20and%20back.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20at%20the%20moment%20we%20are%20using%20on%20prem%20datacenter%20DNS%20servers%20for%20name%20resolution.%26nbsp%3B%20When%20these%20requests%20go%20through%20the%20firewall%20I%20see%20ALLOW%20statements%20on%20the%20firewall%20logs%2C%20but%20the%20traffic%20gets%20dropped.%26nbsp%3B%20I%20cannot%20do%20name%20resolution%20using%20an%20on%20prem%20DNS%20server.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20even%20psping%20a%20DNS%20server%20(eg%20psping%20-t%2010.x.x.x%3A53%20the%20packets%20say%20ALLOW%20from%20the%20VM%20doing%20the%20PSPING%20to%20the%20address%20on%20prem%20through%20the%20firewall%20logs%2C%20but%20I%20get%20NO%20response.%26nbsp%3B%20I%20can%20psping%20the%20same%20DNS%20server%20on%20another%20port%20(3389)%20for%20example%2C%20and%20see%20ALLOW%20statements%20in%20the%20Azure%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20no%20route%20tables%20in%20place%2C%20just%20the%20VPN%20connection%20on%20prem%2C%20I%20am%20able%20to%20PSPING%20the%20DNS%20servers%20on%20port%2053%20and%20able%20to%20get%20name%20resolution%20working.%26nbsp%3B%20It's%20only%20when%20I%20have%20the%20Azure%20firewall%20as%20the%20NEXT%20hop%20for%20any%20traffic%20that%20the%20port%2053%20traffic%20gets%20dropped.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20I%20configure%20the%20Azure%20firewall%20to%20be%20DNS%20proxy%2C%20which%20is%20in%20PREVIEW%2C%20and%20use%20only%20the%20Azure%20DNS%20resolver%20(not%20my%20on%20prem%20DNS)%20I'm%20able%20to%20resolve%20internet%20addresses%2C%20but%20not%20on%20prem%20DNS%20names.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20rule%20I%20have%20in%20place%20on%20the%20Azure%20firewall%20is%20a%20network%20rule%2C%20that%20allows%20sources%20to%20all%20destinations%20on%20all%20ports.%26nbsp%3B%20I%20have%20also%20configured%20an%20all%20sources%20to%20all%20destinations%20rule%20on%20port%2053%20traffic%2C%20and%20still%20get%20no%20PSPING%20or%20NSLOOKUP%20response%20from%20clients%20going%20through%20the%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe've%20destroyed%20and%20recreated%20this%20firewall%20twice%20now%2C%20same%20results.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20tell%20me%20I'm%20missing%20something%20simple%2C%20and%20the%20problem%20is%20with%20my%20configuration%20and%20NOT%20azure%20firewall.%26nbsp%3B%20I%20can%20find%20NO%20documentation%20that%20the%20azure%20firewall%20will%20drop%20traffic%20on%20port%2053%20if%20it%20sees%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

Hello All

I have a hub and spoke architecture where an azure firewall is in the hub and is our chosen NVA for traffic management.  With appropriate routing tables in place all traffic passes through the Azure firewall to our on prem datacenter and back.  

However, at the moment we are using on prem datacenter DNS servers for name resolution.  When these requests go through the firewall I see ALLOW statements on the firewall logs, but the traffic gets dropped.  I cannot do name resolution using an on prem DNS server.  

I can't even psping a DNS server (eg psping -t 10.x.x.x:53 the packets say ALLOW from the VM doing the PSPING to the address on prem through the firewall logs, but I get NO response.  I can psping the same DNS server on another port (3389) for example, and see ALLOW statements in the Azure firewall.

 

With no route tables in place, just the VPN connection on prem, I am able to PSPING the DNS servers on port 53 and able to get name resolution working.  It's only when I have the Azure firewall as the NEXT hop for any traffic that the port 53 traffic gets dropped.

 

if I configure the Azure firewall to be DNS proxy, which is in PREVIEW, and use only the Azure DNS resolver (not my on prem DNS) I'm able to resolve internet addresses, but not on prem DNS names. 

 

The only rule I have in place on the Azure firewall is a network rule, that allows sources to all destinations on all ports.  I have also configured an all sources to all destinations rule on port 53 traffic, and still get no PSPING or NSLOOKUP response from clients going through the firewall.

 

We've destroyed and recreated this firewall twice now, same results.

 

Please tell me I'm missing something simple, and the problem is with my configuration and NOT azure firewall.  I can find NO documentation that the azure firewall will drop traffic on port 53 if it sees it.

0 Replies