Azure Firewall in force tunnel configuration dropping port 53 traffic?

%3CLINGO-SUB%20id%3D%22lingo-sub-1651047%22%20slang%3D%22en-US%22%3EAzure%20Firewall%20in%20force%20tunnel%20configuration%20dropping%20port%2053%20traffic%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1651047%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%3C%2FP%3E%3CP%3EI%20have%20a%20hub%20and%20spoke%20architecture%20where%20an%20azure%20firewall%20is%20in%20the%20hub%20and%20is%20our%20chosen%20NVA%20for%20traffic%20management.%26nbsp%3B%20With%20appropriate%20routing%20tables%20in%20place%20all%20traffic%20passes%20through%20the%20Azure%20firewall%20to%20our%20on%20prem%20datacenter%20and%20back.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20at%20the%20moment%20we%20are%20using%20on%20prem%20datacenter%20DNS%20servers%20for%20name%20resolution.%26nbsp%3B%20When%20these%20requests%20go%20through%20the%20firewall%20I%20see%20ALLOW%20statements%20on%20the%20firewall%20logs%2C%20but%20the%20traffic%20gets%20dropped.%26nbsp%3B%20I%20cannot%20do%20name%20resolution%20using%20an%20on%20prem%20DNS%20server.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can't%20even%20psping%20a%20DNS%20server%20(eg%20psping%20-t%2010.x.x.x%3A53%20the%20packets%20say%20ALLOW%20from%20the%20VM%20doing%20the%20PSPING%20to%20the%20address%20on%20prem%20through%20the%20firewall%20logs%2C%20but%20I%20get%20NO%20response.%26nbsp%3B%20I%20can%20psping%20the%20same%20DNS%20server%20on%20another%20port%20(3389)%20for%20example%2C%20and%20see%20ALLOW%20statements%20in%20the%20Azure%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWith%20no%20route%20tables%20in%20place%2C%20just%20the%20VPN%20connection%20on%20prem%2C%20I%20am%20able%20to%20PSPING%20the%20DNS%20servers%20on%20port%2053%20and%20able%20to%20get%20name%20resolution%20working.%26nbsp%3B%20It's%20only%20when%20I%20have%20the%20Azure%20firewall%20as%20the%20NEXT%20hop%20for%20any%20traffic%20that%20the%20port%2053%20traffic%20gets%20dropped.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20I%20configure%20the%20Azure%20firewall%20to%20be%20DNS%20proxy%2C%20which%20is%20in%20PREVIEW%2C%20and%20use%20only%20the%20Azure%20DNS%20resolver%20(not%20my%20on%20prem%20DNS)%20I'm%20able%20to%20resolve%20internet%20addresses%2C%20but%20not%20on%20prem%20DNS%20names.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20only%20rule%20I%20have%20in%20place%20on%20the%20Azure%20firewall%20is%20a%20network%20rule%2C%20that%20allows%20sources%20to%20all%20destinations%20on%20all%20ports.%26nbsp%3B%20I%20have%20also%20configured%20an%20all%20sources%20to%20all%20destinations%20rule%20on%20port%2053%20traffic%2C%20and%20still%20get%20no%20PSPING%20or%20NSLOOKUP%20response%20from%20clients%20going%20through%20the%20firewall.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe've%20destroyed%20and%20recreated%20this%20firewall%20twice%20now%2C%20same%20results.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20tell%20me%20I'm%20missing%20something%20simple%2C%20and%20the%20problem%20is%20with%20my%20configuration%20and%20NOT%20azure%20firewall.%26nbsp%3B%20I%20can%20find%20NO%20documentation%20that%20the%20azure%20firewall%20will%20drop%20traffic%20on%20port%2053%20if%20it%20sees%20it.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2096281%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20Firewall%20in%20force%20tunnel%20configuration%20dropping%20port%2053%20traffic%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2096281%22%20slang%3D%22en-US%22%3EHave%20you%20found%20any%20solutions%20to%20this%3F%20I%20am%20running%20into%20the%20exact%20same%20issue.%3CBR%20%2F%3E%3CBR%20%2F%3EThanks%3C%2FLINGO-BODY%3E
Contributor

Hello All

I have a hub and spoke architecture where an azure firewall is in the hub and is our chosen NVA for traffic management.  With appropriate routing tables in place all traffic passes through the Azure firewall to our on prem datacenter and back.  

However, at the moment we are using on prem datacenter DNS servers for name resolution.  When these requests go through the firewall I see ALLOW statements on the firewall logs, but the traffic gets dropped.  I cannot do name resolution using an on prem DNS server.  

I can't even psping a DNS server (eg psping -t 10.x.x.x:53 the packets say ALLOW from the VM doing the PSPING to the address on prem through the firewall logs, but I get NO response.  I can psping the same DNS server on another port (3389) for example, and see ALLOW statements in the Azure firewall.

 

With no route tables in place, just the VPN connection on prem, I am able to PSPING the DNS servers on port 53 and able to get name resolution working.  It's only when I have the Azure firewall as the NEXT hop for any traffic that the port 53 traffic gets dropped.

 

if I configure the Azure firewall to be DNS proxy, which is in PREVIEW, and use only the Azure DNS resolver (not my on prem DNS) I'm able to resolve internet addresses, but not on prem DNS names. 

 

The only rule I have in place on the Azure firewall is a network rule, that allows sources to all destinations on all ports.  I have also configured an all sources to all destinations rule on port 53 traffic, and still get no PSPING or NSLOOKUP response from clients going through the firewall.

 

We've destroyed and recreated this firewall twice now, same results.

 

Please tell me I'm missing something simple, and the problem is with my configuration and NOT azure firewall.  I can find NO documentation that the azure firewall will drop traffic on port 53 if it sees it.

3 Replies
Have you found any solutions to this? I am running into the exact same issue.

Thanks

@xmnj40 

So what ended up being the issue in my environment is that the setting for "Propagate Gateway Routes was set to NO for the UDR on my GatewaySubnet and on my AzureFirewallSubnet.  My AzureFirewallSubnet (the private side) default route was 0.0.0.0/0 to Virtual Network Gateway.  The UDR used on the subnets on my peered VNETs would route all traffic 0.0.0.0/0 to AzureFirewall-privateIP. 

 

We use one primary VNET as the hub or transit vnet.  Everything was peered to this.  In short ensure that there is a UDR on the gateway subnet, and that the route propagation is turned on that UDR, and the route propagation is turned on the AzureFirewallSubnet.   It took Microsoft 4 months to close this ticket on my azure subscription with essentially "unsupported configuration" after reviewing with the product group at least 4 times.  Their only statement of "supported configuration" is found here.

 

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview#border-gateway-protocol 

 

"Connectivity with VPN connections is achieved using custom routes  with a next hop type of Virtual network gatewayRoute propagation should not be disabled on the GatewaySubnet. The gateway will not function with this setting disabled."

 

Routes tell interfaces where to send packets.  Packets need an IP address, route tables deal with IP addresses.  When I attempt to reach 10.1.1.1 with a browser, it sends that traffic on port 80 to 10.1.1.1 when I use MSTSC it sends that traffic on 3389.  It doesn't change the route based on the port??? AND this configuration works when there's no Azure Firewall between the source and the destination.  Only when there is an Azure Firewall between the source and destination will the traffic disappear (and report in the logs that it has been accepted and forwarded), if that traffic is travelling over port 53.

@John Wildes 

Thank you very much for this!

Been banging my head against the wall with this, and support has not been helpful...