Hey everyone! I'm looking into the best practices for TTL values for DNS records when using Azure Firewall as a DNS Proxy. The default TTL is set to one hour, which feels a bit long for failover situations. I'm curious about the implications of lowering the TTL for certain records. Also, is there an efficient way to monitor potential increases in costs due to this change? What are your experiences and practices in this area? Thanks for your help!
2 Answers
Using Azure Firewall as a DNS proxy won’t increase your costs beyond the standard Azure Firewall pricing. Just so you know, there can be charges if you're using private DNS zones, but they’re usually quite affordable. We've transitioned from Azure Private DNS resolver to Azure Firewall with DNS proxy and it works well!
I've seen teams reduce their TTL significantly for services that require quick failover. The main downside is increased frequency in DNS queries on your resolver, which can add some cost but not drastically. Most setups I’ve encountered typically set critical records to a few minutes instead of the default hour for a good balance between fast failover and resource usage. It’s worthwhile to monitor your query volume for a week post-change to see how it impacts performance and costs. How often do you anticipate these records will need to be updated?
Thanks for the insight! I don't expect frequent shifts in records, only during failovers, and updates will be manual for now. I'm curious—how do you suggest I monitor the query volume? I usually work with KQL queries, but I'm unsure what to focus on in this case.
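The query-volume monitoring suggested in the answer above, as an added KQL example that is not code from anyone in this thread. It assumes Azure Firewall resource-specific logging is enabled so DNS proxy queries land in the `AZFWDnsQuery` table (table and column names are assumptions to confirm with `AZFWDnsQuery | getschema`), and uses a placeholder date for when the TTL was lowered.

```kql
// Added example, not from this thread. Assumed table: AZFWDnsQuery (Azure Firewall
// resource-specific DNS proxy log). Confirm column names with: AZFWDnsQuery | getschema
// Run each query below separately in Log Analytics.

// Query 1: compare hourly DNS query load for the week before and after the TTL change.
// A lower TTL should show up as a higher steady-state query rate from clients.
let changeTime = datetime(2024-01-15T00:00:00Z); // placeholder: date/time the TTL was lowered
let window = 7d;
AZFWDnsQuery
| where TimeGenerated between ((changeTime - window) .. (changeTime + window))
| extend Period = iff(TimeGenerated < changeTime, "before", "after")
| summarize Queries = count() by Period, bin(TimeGenerated, 1h)
| summarize AvgQueriesPerHour = avg(Queries), PeakQueriesPerHour = max(Queries) by Period

// Query 2: which names drive the volume, and how many distinct clients ask for them.
// Records you set to a few-minute TTL should rise toward the top of this list;
// anything unexpected here is worth a look before attributing cost growth to the TTL change.
AZFWDnsQuery
| where TimeGenerated > ago(7d)
| summarize Queries = count(), Clients = dcount(SourceIp) by QueryName
| top 20 by Queries desc
```

If the firewall still writes legacy diagnostics, the same data sits in `AzureDiagnostics` under the `AzureFirewallDnsProxy` category instead, with the query name embedded in the message text rather than in a dedicated column.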

That’s good to know! I’m not using private DNS zones, but I’ll keep an eye on any costs just in case.