Securing Azure Private DNS with Azure Firewall and NSGs - Marcin Gastol

Securing Azure Private DNS with Azure Firewall and NSGs

Intro

Domain Name System (DNS) traffic often receives less attention than application traffic, yet it is one of the most critical services in an Azure environment. Private endpoints, hub-and-spoke topologies, and hybrid networking increasingly rely on Azure Private DNS for internal name resolution. While DNS enables applications to function seamlessly, unrestricted DNS traffic can create blind spots, facilitate data exfiltration paths, and bypass expected security controls.

Organizations commonly deploy Azure Private DNS zones and assume the environment is protected by default. In practice, many workloads can still send queries directly to arbitrary resolvers or communicate outside approved paths unless additional controls are implemented.

In this article, we examine how Azure Firewall and Network Security Groups (NSGs) can be used together to secure Azure Private DNS traffic and how PowerShell can automate deployment across enterprise-scale environments.

Azure recommends using Private DNS Zones, Azure Private Resolver, and controlled DNS forwarding scenarios for private endpoint architectures and hybrid networking patterns.

Why Secure Private DNS Traffic?

DNS is often treated as “always allowed” traffic. That assumption creates several challenges:

  • Workloads can query external DNS services directly
  • Malware can use DNS for command-and-control communication
  • Unauthorized DNS servers can emerge in virtual networks
  • DNS requests become difficult to audit
  • DNS traffic may bypass centralized inspection

A more secure approach uses:

  • Centralized DNS resolution
  • Azure Firewall DNS Proxy
  • NSGs restricting DNS paths
  • Diagnostic logging and monitoring
  • Infrastructure-as-Code deployment

Deploying Azure Firewall DNS Policies at Scale with PowerShell

Enterprise environments rarely configure these settings manually.

PowerShell enables repeatable deployment across subscriptions and environments.

Enable DNS Proxy on Azure Firewall

PowerShell
# Load the existing policy attached to the hub firewall
$FirewallPolicy = Get-AzFirewallPolicy `
    -Name "CorpFirewallPolicy" `
    -ResourceGroupName "Network-RG"

# -EnableProxy is a switch parameter, so it takes no $true argument;
# -Server lists the upstream resolvers the proxy forwards queries to
$dnsSettings = New-AzFirewallPolicyDnsSetting `
    -EnableProxy `
    -Server @("10.0.0.10","10.0.0.11")

# Write the DNS settings back to the policy
Set-AzFirewallPolicy `
    -InputObject $FirewallPolicy `
    -DnsSetting $dnsSettings

Create Firewall Rules for DNS Traffic

PowerShell
$rule = New-AzFirewallPolicyNetworkRule `
    -Name "Allow-DNS" `
    -Protocol UDP,TCP `
    -SourceAddress "*" `
    -DestinationAddress "10.0.0.4" `
    -DestinationPort 53

# A rule collection group takes rule collections, not bare rules,
# so wrap the rule in a filter collection with an Allow action first
$ruleCollection = New-AzFirewallPolicyFilterRuleCollection `
    -Name "DNS-Allow" `
    -Priority 100 `
    -ActionType Allow `
    -Rule $rule

# -FirewallPolicyObject already identifies the resource group, so
# -ResourceGroupName is not accepted alongside it
$collectionGroup = New-AzFirewallPolicyRuleCollectionGroup `
    -Name "DNS-Rules" `
    -Priority 100 `
    -RuleCollection $ruleCollection `
    -FirewallPolicyObject $FirewallPolicy

Create NSGs to Restrict DNS Access

PowerShell
$nsg = New-AzNetworkSecurityGroup `
    -ResourceGroupName "Network-RG" `
    -Location "EastUS" `
    -Name "DNS-Security-NSG"

# Lower priority numbers are evaluated first, so the Allow to the
# firewall (100) is matched before the Deny to the Internet (110)
Add-AzNetworkSecurityRuleConfig `
    -Name "Allow-DNSToFirewall" `
    -NetworkSecurityGroup $nsg `
    -Direction Outbound `
    -Priority 100 `
    -Access Allow `
    -Protocol * `
    -SourceAddressPrefix * `
    -SourcePortRange * `
    -DestinationAddressPrefix "10.0.0.4" `
    -DestinationPortRange 53 | Out-Null

# The Internet service tag covers public resolvers; DNS sent to other
# VNet addresses is still permitted by the default AllowVnetOutBound rule
Add-AzNetworkSecurityRuleConfig `
    -Name "Block-ExternalDNS" `
    -NetworkSecurityGroup $nsg `
    -Direction Outbound `
    -Priority 110 `
    -Access Deny `
    -Protocol * `
    -SourceAddressPrefix * `
    -SourcePortRange * `
    -DestinationAddressPrefix Internet `
    -DestinationPortRange 53 | Out-Null

# Add-AzNetworkSecurityRuleConfig only edits the local object;
# Set-AzNetworkSecurityGroup commits the rules to Azure
Set-AzNetworkSecurityGroup `
    -NetworkSecurityGroup $nsg | Out-Null
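A verification pass over the configuration above, added here as an example that is not part of the original post. It assumes the names used in the snippets (policy "CorpFirewallPolicy", NSG "DNS-Security-NSG", resource group "Network-RG"); the firewall name "CorpFirewall" and the VNet name "Hub-VNet" are placeholders. It checks the detail that makes the proxy effective: each virtual network's DNS servers must be the firewall's private IP, otherwise workloads resolve through Azure-provided DNS and the proxy never sees their queries.

```powershell
# Added audit script (not from the original post); names below are assumptions.
param(
    [string]$ResourceGroupName = "Network-RG",
    [string]$PolicyName        = "CorpFirewallPolicy",
    [string]$FirewallName      = "CorpFirewall",     # placeholder
    [string]$NsgName           = "DNS-Security-NSG",
    [string[]]$VNetNames       = @("Hub-VNet")       # placeholder
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. DNS proxy must be enabled on the policy, or the firewall never sees queries
$policy = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $ResourceGroupName
if (-not $policy.DnsSettings -or -not $policy.DnsSettings.EnableProxy) {
    $findings.Add("DNS proxy is not enabled on policy '$PolicyName'")
}

# 2. The firewall's private IP is the only resolver workloads should be given
$firewall  = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroupName
$privateIp = $firewall.IpConfigurations[0].PrivateIPAddress

# 3. Every VNet must list exactly that IP as its custom DNS server
foreach ($vnetName in $VNetNames) {
    $vnet    = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $ResourceGroupName
    $servers = @($vnet.DhcpOptions.DnsServers)
    if ($servers.Count -eq 0) {
        $findings.Add("VNet '$vnetName' uses Azure-provided DNS; queries bypass the firewall proxy")
    } elseif (@($servers | Where-Object { $_ -ne $privateIp }).Count -gt 0) {
        $findings.Add("VNet '$vnetName' lists resolvers other than the firewall: $($servers -join ', ')")
    }
}

# 4. The NSG must still carry the outbound Deny for port 53 towards the Internet tag
$nsg  = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
$deny = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Outbound" -and $_.Access -eq "Deny" -and
    $_.DestinationPortRange -contains "53" -and
    $_.DestinationAddressPrefix -contains "Internet"
}
if (-not $deny) {
    $findings.Add("NSG '$NsgName' has no outbound Deny rule for DNS to Internet")
}

if ($findings.Count -eq 0) { "OK: DNS path is forced through the firewall proxy" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it after each deployment; any FINDING line means a workload can still resolve names without passing through the firewall.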

Wrapping it all up

Securing Azure Private DNS requires more than creating private zones.

Combining Azure Firewall and NSGs enables:

✔ Centralized DNS inspection
✔ Reduced attack surface
✔ Controlled DNS resolution paths
✔ Better auditing and monitoring
✔ Repeatable deployment through PowerShell

As Azure environments grow, DNS becomes a foundational security control rather than a simple networking service. Applying centralized filtering and automation helps transform DNS from a hidden dependency into a manageable and observable security layer.

Azure guidance emphasizes DNS proxy, private resolution architectures, and traffic filtering as important components for secure enterprise networking.
