Exam AZ-700 topic 2 question 13 discussion

Requests sent to Azure DNS Private Zones go to the platform address of 168.63.129.16 that is only reachable from inside of Azure. Therefore, if the DNS request originates from on-premises (outside of Azure), there is a requirement to proxy the DNS request via a service inside of a Virtual Network. With this general availability announcement, Azure Firewall DNS proxy is an option to meet this DNS forwarding requirement, applicable with a hub-and-spoke model. To do this, configure your on-premises DNS server to conditionally forward requests to Azure Firewall for the required zone name.

C and D... whilst E looks correct, it isnt a viable answer. Currently that IP address resolves to ns1-02.azure-dns.com - on which your custom domain may not even sit. If the on premise DNS was bind, id probably skip the dns proxy stuff and just put forwarders in but the question and possible answers don't mention that scenario.

C and D

Correct Answer, you need conditional forwarding for the on-prem DNS to the Azure Firewall. In the firewall policy enable DNS Proxy.

Azure Firewall DNS proxy is an option to meet this DNS forwarding requirement, applicable with a hub-and-spoke model. To do this, configure your on-premises DNS server to conditionally forward requests to Azure Firewall for the required zone name. Ensure that your private DNS zone is linked to the Virtual Network within which the Azure Firewall resides. Configure Azure Firewall to use the default Azure DNS for lookups, and enable DNS proxy in Azure Firewall DNS settings. https://azure.microsoft.com/en-us/blog/new-enhanced-dns-features-in-azure-firewall-now-generally-available/

Explanation provided by "Erima21" is best. There are two ways to do it. 1) Create DNS Proxy on Azure Firewall in Hub VNET to foward all external DNS requests (from On-prem) to Azure DNS (168.63.129.16) and configure your on-prem DNS server with forwarder to Azure Firewall DNS Proxy. In this case you can still you Azure DNS in VNETs or configure them with Azure Firewall DNS Proxy IP (Custom DNS server) 1) Provision a VM as custom DNS Server in Hub VNET and configure all your private zones requests and external DNS requests to be forwarded to Azure DNS (168.63.129.16) and conficure your on-prem DNS server with forwarder to Azure DNS VM.

Can someone explain why the answers are CD? I thought E would be one of the answers.

Technically you would need to perform both B and C, but enable DNS proxy is the best exam answer. You need to add the custom server and then turn on Proxy so that the AFW sends DNS to said server. DNS proxy listens for requests on TCP port 53 and forwards them to Azure DNS or the custom DNS specified.

A version of this question appeared on the exam. Make sure you know WHY these are correct

DNS proxy configuration requires three steps: Enable DNS proxy in Azure Firewall DNS settings. Optionally configure your custom DNS server or use the provided default. Finally, you must configure the Azure Firewall’s private IP address as a custom DNS server in your virtual network DNS server settings. This ensures DNS traffic is directed to Azure Firewall.

C and D are correct.

Provided answers are correct. This is similar to private link resolution. https://github.com/adstuart/azure-privatelink-dns-azurefirewall

So it would be A and C, not E as per the link, I would much appreciate it if someone can clarify this question for me, what is the actual answer and why?

A & E would be better options?

ae - the answer

better explanation : https://azure.microsoft.com/en-us/blog/new-enhanced-dns-features-in-azure-firewall-now-generally-available/