How to Set Up DNS in a Hybrid Hub and Spoke Architecture with Azure?

Asked By TechNinja42 On

I'm working with a hybrid hub and spoke architecture in Azure, where we have an on-premises connection via ExpressRoute. We've set up an Azure Firewall (AZFW) in the hub with DNS proxy enabled. Currently, our DNS resolution is managed by replicated Windows DNS servers in the spokes, while the hub uses Azure DNS. However, we've encountered an issue: the Azure Firewall cannot resolve any internal domains, which means any application or network rules that rely on internal fully qualified domain names (FQDNs) are failing.

I'm considering switching to a private DNS resolver, but I'm struggling to find documentation on how to effectively use this alongside the firewall's DNS proxy. After a lot of research, I believe the architecture should have all VNets configured to use custom DNS pointing to the private IP of the Azure Firewall, with the firewall's DNS proxy using this custom private IP on the inbound private resolver. Additionally, I think all conditional forwarders on the DNS servers should point to the inbound resolver IP. I'll set up resolver rules for internal domains to be forwarded to the DNS servers, and create VNet links from the hub to all private DNS zones needed for PaaS private endpoints.

Does this sound like the right approach? I'm surprised this isn't documented more clearly as a recommended setup.
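The design described in the question, written out as an added Bicep example (this is not code from the original post or from Microsoft's documentation). It assumes an existing hub VNet named `vnet-hub` with two subnets, `snet-dnsr-inbound` and `snet-dnsr-outbound`, already delegated to `Microsoft.Network/dnsResolvers`; every address, resource name, domain and zone name below is a placeholder. The firewall policy and one spoke VNet are declared here rather than updated in place, so a real template would carry over any other settings those resources already have.

```bicep
// Added example, not from the original post. Names, addresses and domains are placeholders.
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'                    // assumed existing hub VNet
param firewallPrivateIp string = '10.0.1.4'              // assumed private IP of the hub Azure Firewall
param inboundEndpointIp string = '10.0.2.4'              // static IP for the resolver inbound endpoint
param internalDomain string = 'corp.contoso.com.'        // forwarding rules need the trailing dot
param windowsDnsServers array = ['10.1.0.4', '10.1.0.5'] // replicated Windows DNS in the spokes
param privateDnsZones array = [
  'privatelink.blob.core.windows.net'
  'privatelink.vaultcore.azure.net'
]

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: hubVnetName
}

// Both subnets assumed to exist and to be delegated to Microsoft.Network/dnsResolvers.
resource inboundSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: hubVnet
  name: 'snet-dnsr-inbound'
}
resource outboundSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: hubVnet
  name: 'snet-dnsr-outbound'
}

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: {
    virtualNetwork: { id: hubVnet.id }
  }
}

// Inbound endpoint: the single address the firewall DNS proxy (and the Windows DNS
// conditional forwarders for privatelink zones) send their queries to.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'in-hub'
  location: location
  properties: {
    ipConfigurations: [
      {
        subnet: { id: inboundSubnet.id }
        privateIpAllocationMethod: 'Static'
        privateIpAddress: inboundEndpointIp
      }
    ]
  }
}

resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'out-hub'
  location: location
  properties: {
    subnet: { id: outboundSubnet.id }
  }
}

// Ruleset: only the internal AD domain is forwarded to the Windows DNS servers. Do not add
// a rule for the privatelink zones or a catch-all '.' rule: the Windows servers forward
// those back to the inbound endpoint, and the two sides would loop.
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'dnsfrs-hub'
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      { id: outbound.id }
    ]
  }
}

resource internalRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp'
  properties: {
    domainName: internalDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [for ip in windowsDnsServers: {
      ipAddress: ip
      port: 53
    }]
  }
}

// A ruleset only applies to queries from VNets linked to it; the inbound endpoint lives in the hub.
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-hub'
  properties: {
    virtualNetwork: { id: hubVnet.id }
  }
}

// Private DNS zones for PaaS private endpoints, linked to the hub so the resolver answers them.
resource zones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for z in privateDnsZones: {
  name: z
  location: 'global'
}]

resource zoneLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [for (z, i) in privateDnsZones: {
  parent: zones[i]
  name: 'link-hub'
  location: 'global'
  properties: {
    virtualNetwork: { id: hubVnet.id }
    registrationEnabled: false
  }
}]

// Firewall policy: DNS proxy on, upstream = the inbound endpoint, so network and application
// rules using internal FQDNs resolve through the same path as the clients.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: 'afwp-hub'
  location: location
  properties: {
    dnsSettings: {
      servers: [inboundEndpointIp]
      enableProxy: true
    }
  }
}

// Each spoke (and the hub) sets its VNet DNS to the firewall's private IP, so clients and the
// firewall see identical answers for FQDN rules; one spoke shown.
resource spoke1 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-spoke1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.1.0.0/16'] }
    dhcpOptions: { dnsServers: [firewallPrivateIp] }
  }
}
```

The Windows side of the loop is the conditional forwarders the question mentions: on the replicated DNS servers, each privatelink zone gets a conditional forwarder to `inboundEndpointIp` (for example `Add-DnsServerConditionalForwarderZone -Name 'privatelink.blob.core.windows.net' -MasterServers 10.0.2.4 -ReplicationScope Forest`), while the AD-integrated zone stays authoritative there. The check that matters before relying on FQDN rules: from a spoke VM, `nslookup` an internal name and a private-endpoint name against the firewall IP and against the inbound endpoint IP, and confirm both return the same private addresses; a client that bypasses the proxy and gets a different answer is exactly the case the linked Microsoft guidance warns about.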

2 Answers

Answered By SimplistAdmin On

If you're finding it complicated enough to ask for help here or on ChatGPT, you might want to think about simplifying your architecture a bit.

TechNinja42 -

Can you suggest how to simplify it while still meeting my requirements? I'm trying to follow best practices here.

Answered By CloudCrafter99 On

You're on the right track! It sounds like a solid plan. We have all our VNets set to use domain controllers for DNS and utilize conditional forwarders to a private DNS resolver in our hubs for Azure's private DNS zones, and it's been working great for us.

DNSMaster21 -

Are you using Azure Firewall? There’s a specific guideline about clients not set up to use the firewall's DNS proxy that could be helpful for you. You might want to check it out [here](https://learn.microsoft.com/en-us/azure/firewall/dns-details#clients-not-configured-to-use-the-firewall-dns-proxy).
