Azure Networking DNS PaaS

Mastering Azure DNS Solutions - Part 5 - Azure Firewall DNS Proxy

Using Azure Firewall as a DNS Proxy

While Azure-provided DNS offers a simple and effective default for many workloads, some environments require more advanced DNS setups — including custom zones, internal domain resolution, or integration with on-premises DNS infrastructures.

This is where Customer-managed DNS servers come into play in Azure.
They give you full control over DNS behavior across your Azure VNets and hybrid connections — without giving up on flexibility or security.

In this post, we’ll cover:

  • What customer-managed DNS means in Azure
  • How DNS flow works in hybrid setups (with a visual Mermaid diagram)
  • How to configure it through the Azure Portal and using Bicep
  • Best practices and integration with Azure DNS Private Resolver

What Are Customer-managed DNS Servers?

Customer-managed DNS means you override the Azure default DNS service and specify your own DNS servers for name resolution inside a VNet.
These servers can be:

  • Azure-based (e.g., VMs running Windows DNS or Linux BIND)
  • On-premises DNS servers (connected via VPN or ExpressRoute)

Your VMs and resources will use the IP addresses you specify instead of Azure’s default 168.63.129.16.

When Should You Use Customer-managed DNS?

Scenario Benefit
Integrate with on-premises AD or DNS zones Extend Active Directory seamlessly
Advanced forwarding or filtering Apply custom DNS policies, inspection, or split-horizon DNS
Internal-only zones not hosted in Azure Resolve legacy or third-party private DNS zones
DNS logging and auditing Capture all internal DNS queries centrally

Visualizing DNS Flow with Customer-managed DNS

Here’s a diagram that shows how DNS queries move in a hybrid environment using custom DNS servers:

flowchart TB subgraph OnPremises ["On-Premises Network"] OnPremDNS["On-Premises DNS Server (10.0.0.5)"] ClientOnPrem["On-Prem Client (10.0.0.10)"] end subgraph AzureVNet ["Azure Virtual Network (myVNet)"] AzureVM1["Azure VM (10.1.0.4)"] AzureDNSVM["Custom DNS Server in Azure (10.1.0.5)"] end AzureVM1 -- "DNS Query" --> AzureDNSVM AzureDNSVM -- "Forward query (unresolved)" --> OnPremDNS OnPremDNS -- "Response" --> AzureDNSVM AzureDNSVM -- "Response" --> AzureVM1

What This Shows

  • Azure VMs forward DNS queries to a custom DNS server hosted in Azure.
  • The Azure DNS server forwards any queries it can’t resolve to the on-premises DNS server over a secure VPN or ExpressRoute connection.
  • Full DNS control stays within the customer-managed architecture.

Configuring Customer-managed DNS Using the Azure Portal

Step 1: Set Custom DNS Servers on the VNet

  1. Open the Azure Portal.
  2. Go to Virtual Networks and select your target VNet (e.g., myVNet).
  3. Under Settings, select DNS Servers.
  4. Choose Custom.
  5. Enter the IP addresses of your DNS servers (e.g., 10.1.0.5 for an Azure VM, or on-premises IPs reachable via VPN/ExpressRoute).
  6. Save the configuration.

Step 2: Restart VMs (if needed)

  • Existing VMs might need to be restarted to pick up the new DNS settings.

🔹 Tip: You can override DNS settings per subnet too, but by default, VMs inherit the VNet-level settings.

Configuring Customer-managed DNS Using Bicep

Here’s a Bicep template to configure a custom DNS server IP for a VNet:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

@description('Name of the Virtual Network')
param vnetName string = 'myVNet'

@description('List of custom DNS server IP addresses')
param dnsServers array = [
  '10.1.0.5'  // Example: Azure DNS VM
]

resource vnet 'Microsoft.Network/virtualNetworks@2023-02-01' = {
  name: vnetName
  location: resourceGroup().location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.1.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: dnsServers
    }
    subnets: [
      {
        name: 'subnet1'
        properties: {
          addressPrefix: '10.1.0.0/24'
        }
      }
    ]
  }
}
ℹ️
Notice: The dhcpOptions.dnsServers block is how you apply custom DNS settings at the VNet level.

Best Practices for Customer-managed DNS in Azure

  • Design for high availability: Deploy at least two DNS servers in Azure or ensure reachability to two on-prem servers.
  • Monitor DNS servers: Use Azure Monitor, logs, or Syslog to track availability and performance.
  • Combine with Azure DNS Private Resolver (optional):
    • Inbound Endpoints: Accept queries from on-prem to resolve Azure Private DNS zones.
    • Outbound Endpoints: Forward queries from Azure VMs to external DNS servers without manual DNS servers.
  • Secure your DNS servers: Apply NSGs, patch regularly, and monitor for unusual behavior.
  • Plan for growth: DNS query volume can increase quickly with service scaling.

Conclusion

Customer-managed DNS in Azure gives you the flexibility and control needed for complex, hybrid, and secure environments.
When paired thoughtfully with services like Azure DNS Private Resolver, it offers a seamless, scalable DNS architecture without the operational overhead of maintaining your own large DNS fleets.

As your environments grow more sophisticated, DNS should grow with it — and in Azure, you have the tools to make that happen.

Learn More