New DNS Features In Azure Firewall Are Now Generally Available

Custom DNS, DNS proxy, and FQDN filtering in network rules in Azure Firewall reach general availability.

Microsoft announced the general availability of new enhanced DNS features in Azure Firewall. Custom DNS, DNS proxy, and FQDN filtering in network rules in Azure Firewall are now generally available.

Microsoft said that Azure Firewall is a cloud-native firewall as a service (FWaaS) offering. It allows users to centrally govern and log all their traffic flows using a DevOps approach. Azure Firewall supports application, NAT, and network-level filtering and is integrated with the Microsoft Threat Intelligence feed for filtering known malicious IP addresses and domains.

Since its launch in September 2018, Azure Firewall had been hardcoded to use Azure DNS. Custom DNS, now generally available, allows users to configure Azure Firewall to use their own DNS server, while ensuring that the firewall's outbound dependencies are still resolved with Azure DNS. Users can configure a single DNS server or multiple servers, as needed, in the Azure Firewall and Firewall Policy DNS settings.

DNS proxy, now generally available, enables Azure Firewall to process and forward DNS queries from one or more virtual networks to the desired DNS server. This functionality is required for reliable FQDN filtering in network rules: when clients resolve names through the firewall, they receive the same answers the firewall uses when it translates rule FQDNs to IP addresses.

Source: Microsoft

Microsoft explained that users can now use fully qualified domain names (FQDNs) in network rules based on DNS resolution in Azure Firewall and Firewall Policy. The FQDNs in your rule collections are translated to IP addresses based on your firewall DNS settings. So now you can filter outbound traffic using FQDNs with any TCP/UDP protocol (including NTP, SSH, RDP, and more).
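The dependency between DNS proxy and FQDN-based network rules, as an added toy model (not Azure's code): the firewall translates the rule's FQDN to IP addresses with its own DNS settings and matches packets by destination IP, so a client that resolves the same name through a different server can get a different address and silently miss the rule. All DNS data and rule names are constructed.

```python
from dataclasses import dataclass
# Constructed DNS data: two servers give different answers for one name (round-robin/split-horizon).
CUSTOM_DNS = {"ntp.example.test": ["203.0.113.10"]}   # firewall's configured server
OTHER_DNS = {"ntp.example.test": ["203.0.113.20"]}    # a resolver the client might use

@dataclass
class NetworkRule:
    name: str
    protocol: str        # "TCP" or "UDP"
    dest_fqdns: list     # FQDNs instead of IP addresses in the destination
    dest_ports: set
    action: str = "Allow"

class Firewall:
    """Toy model of FQDN filtering in a network rule (illustrative, not Azure code)."""
    def __init__(self, dns_zone, dns_proxy, rules):
        self.dns_zone = dns_zone    # answers from the firewall's DNS settings
        self.dns_proxy = dns_proxy  # True: clients send their DNS queries to the firewall
        self.rules = rules

    def resolve(self, fqdn):
        # Rule FQDNs are translated to IPs with the firewall's own DNS settings.
        return self.dns_zone.get(fqdn.lower().rstrip("."), [])

    def evaluate(self, protocol, dst_ip, dst_port):
        for rule in self.rules:
            if rule.protocol != protocol or dst_port not in rule.dest_ports:
                continue
            if any(dst_ip in self.resolve(f) for f in rule.dest_fqdns):
                return rule.action, rule.name
        return "Deny", "default"  # nothing matched: implicit deny

def client_request(fw, client_dns, fqdn, protocol, port):
    """Client resolves fqdn with its own resolver, then sends the packet via fw."""
    # With DNS proxy on, the client's resolver is the firewall itself, so the
    # client gets the same answer the firewall uses when it matches the rule.
    zone = fw.dns_zone if fw.dns_proxy else client_dns
    return fw.evaluate(protocol, zone[fqdn][0], port)

RULES = [NetworkRule("allow-ntp", "UDP", ["ntp.example.test"], {123})]
def without_proxy():
    """Client and firewall resolve differently: the rule fails to match -> Deny."""
    fw = Firewall(CUSTOM_DNS, dns_proxy=False, rules=RULES)
    return client_request(fw, OTHER_DNS, "ntp.example.test", "UDP", 123)

def with_proxy():
    """Same rule with DNS proxy enabled: both sides agree on the IP -> Allow."""
    fw = Firewall(CUSTOM_DNS, dns_proxy=True, rules=RULES)
    return client_request(fw, OTHER_DNS, "ntp.example.test", "UDP", 123)
```

Checking that the firewall's DNS servers and the clients' resolver agree (or simply routing client queries through the proxy) is the practical test before relying on FQDN rules for protocols such as NTP or SSH.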