The most likely cause of sudden NXDOMAIN responses for *.database.windows.net through Azure Firewall DNS Proxy is a change in how/where those queries were being forwarded or resolved, not the firewall proxy itself.
From the provided information, the key points are:
- Azure Firewall DNS Proxy was configured with a custom DNS server = 168.63.129.16.
- 168.63.129.16 is the Azure-provided DNS recursive resolver for the VNet where the firewall is deployed.
- There were no Private DNS zones initially, so resolution for *.database.windows.net depended entirely on Azure public DNS via 168.63.129.16.
Relevant behaviors from the documentation:
- Azure Firewall DNS Proxy simply forwards queries to its configured upstream DNS server and does not merge or alter results beyond caching.
- If the upstream resolver (here, 168.63.129.16 or anything it forwards to) returns NXDOMAIN, the firewall will cache and return NXDOMAIN to clients.
- The firewall does not “fix” or override upstream NXDOMAIN responses.
- For private endpoints, Microsoft recommends using a Private DNS zone such as privatelink.database.windows.net, and conditional forwarding must be configured to the public zone (database.windows.net) when using custom DNS.
- If any change occurred in the path of DNS resolution (for example, conditional forwarders, custom DNS in another VNet, or hybrid forwarding via VPN) that incorrectly forwarded database.windows.net queries somewhere that does not know that zone, NXDOMAIN would result.
- In hybrid or multi-VNet setups, DNS resolution is sensitive to where the query originates and which resolver is used:
  - Queries must originate from the VNet linked to the relevant Private DNS zone for private endpoints.
  - If a DNS forwarder or resolver in another VNet or on-premises was introduced or changed (for example, via VPN, Private Resolver, or custom DNS), and that resolver did not correctly forward database.windows.net to Azure DNS, NXDOMAIN would appear suddenly even though the firewall configuration itself did not change.
Given that the issue was fully resolved by:
- Creating the appropriate Private DNS zones for the SQL private endpoints, and
- Ensuring queries originate from the VNet linked to those zones,
the root cause was almost certainly that database.windows.net queries were no longer being correctly resolved by the upstream DNS path (for example, due to a change in forwarding, resolver behavior, or service-side DNS behavior for private endpoints), and Azure Firewall DNS Proxy simply propagated those NXDOMAIN responses.
The final configuration (private endpoints + Private DNS zones) aligns with the documented, supported pattern for SQL private endpoints and is the recommended long-term fix.
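The resolution path described above, modelled as a small Python simulation (an added example, not code from the original answer or from Microsoft): an upstream resolver that answers from Private DNS zones linked to the querying VNet, then conditional forwarders, then public DNS, fronted by a DNS proxy that caches whatever comes back. All server names, zone records and IP addresses are constructed; only 168.63.129.16 and the zone names come from the answer.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
MAX_CHAIN = 8  # guard against CNAME loops

def _zone_of(name, zones):
    """Longest zone in `zones` that `name` falls under, or None."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

@dataclass
class Resolver:
    """Recursive resolver as seen from one VNet (stands in for 168.63.129.16).
    private_zones: Private DNS zones linked to *this* VNet (authoritative).
    forwarders: conditional forwarders, zone -> another Resolver.
    public: constructed stand-in for Azure public DNS records."""
    public: dict
    private_zones: dict = field(default_factory=dict)
    forwarders: dict = field(default_factory=dict)

    def lookup(self, name):
        zone = _zone_of(name, self.private_zones)
        if zone:  # linked private zone is authoritative: no record means NXDOMAIN
            return self.private_zones[zone].get(name, NXDOMAIN)
        fwd = _zone_of(name, self.forwarders)
        if fwd:   # a conditional forwarder hijacks the whole zone
            return self.forwarders[fwd].lookup(name)
        return self.public.get(name, NXDOMAIN)

    def resolve(self, name):
        """Follow CNAMEs to a final A record, or NXDOMAIN."""
        for _ in range(MAX_CHAIN):
            rec = self.lookup(name)
            if not (isinstance(rec, tuple) and rec[0] == "CNAME"):
                return rec
            name = rec[1]
        return NXDOMAIN

class FirewallDnsProxy:
    """Azure Firewall DNS Proxy: forwards to its upstream and caches the reply
    unchanged, NXDOMAIN included."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}
    def query(self, name):
        if name not in self.cache:
            self.cache[name] = self.upstream.resolve(name)
        return self.cache[name]

# Constructed records (hypothetical server "sqlsrv01"; 203.0.113.10 is TEST-NET).
PUBLIC = {
    "sqlsrv01.database.windows.net": ("CNAME", "sqlsrv01.privatelink.database.windows.net"),
    "sqlsrv01.privatelink.database.windows.net": ("CNAME", "cr1.region.control.database.windows.net"),
    "cr1.region.control.database.windows.net": "203.0.113.10",
}
PRIVATELINK = {"privatelink.database.windows.net": {"sqlsrv01.privatelink.database.windows.net": "10.1.2.5"}}

def scenario(zone_linked, broken_forwarder):
    """(first proxy answer, proxy answer after the forwarder is removed, upstream answer after removal)."""
    onprem = Resolver(public={})  # forwarder target that knows nothing about database.windows.net
    fwd = {"database.windows.net": onprem} if broken_forwarder else {}
    upstream = Resolver(PUBLIC, PRIVATELINK if zone_linked else {}, fwd)
    proxy = FirewallDnsProxy(upstream)
    first = proxy.query("sqlsrv01.database.windows.net")
    upstream.forwarders.clear()  # fix the forwarding path
    return first, proxy.query("sqlsrv01.database.windows.net"), upstream.resolve("sqlsrv01.database.windows.net")
```

Running `scenario(True, True)` shows the symptom from the question: the upstream recovers as soon as the forwarder is removed, but the proxy keeps handing out its cached NXDOMAIN until the entry ages out.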
References: