DNS traffic excluded from Deny All rule by default in Azure

In the last 2 years of my career, I have worked a lot with Microsoft Azure services, including networking. Because of the constant changes in the Azure fabric, we need to make sure we are familiar with the currently running environment, so we constantly need to develop ourselves and gain the necessary experience with all the related services. During this process I accidentally bumped into one of the interesting features of the Virtual Network and the DNS servers configured on it in Azure.

Scenario

I needed to create a completely isolated subnet in an existing network for server testing purposes. The servers deployed in this subnet should not be able to communicate with anything else, other than accepting incoming RDP connections from a range of IP addresses. Without RDP access, I would not be able to actually test those servers.

Implementation

So, I went and created the required subnet in the existing Virtual Network. I then created a Network Security Group (NSG) for this specific subnet only, which would allow RDP connections (on port TCP/UDP 3389) from computers in the 10.0.0.0/8 address range and deny all other inbound and outbound communication. Because I needed internet access from these servers, I had to relax the configuration a little, so I only denied inbound and outbound connections to and from the 3 well-known RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The deployment also contains a firewall appliance, and all traffic in and out of the Azure Virtual Network is pushed through it.

Eureka

I started to work on my testing, but something was not completely working, and I wanted to check on the firewall appliance that none of the important traffic was being blocked. And that was when the enlightening experience happened. I logged into the firewall and started to check the inbound and outbound traffic to and from that specific server. It was weird to see the server communicating with 3 IP addresses in the 10.0.0.0/8 range, which should have been blocked by the NSG. The only port used was TCP/UDP 53, and when I checked the Virtual Network settings, the 3 IP addresses belonged to the servers registered as DNS servers on the Virtual Network in Azure.

So, it looks like the Azure NSG does not block TCP/UDP port 53 communication to the IP addresses registered as DNS servers on the Virtual Network, even if you create a DENY_ALL rule. So, if you need to block everything but still allow DNS resolution for the servers in your Virtual Network, it is good to know that you do not need to take care of it, because Azure does it for you by default.

Note: This behavior existed when this article was written; I haven't tested the theory since then.
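The practical consequence of the behavior above is that the NSG rules you wrote are not a reliable record of which DNS flows are actually allowed. The following added example (my own code, not from the original post) models the NSG from the Implementation section with priority-ordered matching and lists the VNet DNS servers whose UDP/53 traffic the rules deny "on paper", so you know exactly which flows to cross-check in the firewall or NSG flow logs. Rule names, priorities and all IP addresses are constructed assumptions.

```python
import ipaddress

# Constructed NSG rules modelled on the article's scenario (names, priorities
# and addresses are assumptions, not values from the author's deployment).
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
RULES = [
    {"name": "AllowRdpIn", "priority": 100, "direction": "Inbound", "access": "Allow",
     "src": ["10.0.0.0/8"], "dst": ["*"], "ports": {3389}},
    {"name": "DenyRfc1918In", "priority": 200, "direction": "Inbound", "access": "Deny",
     "src": RFC1918, "dst": ["*"], "ports": "*"},
    {"name": "DenyRfc1918Out", "priority": 200, "direction": "Outbound", "access": "Deny",
     "src": ["*"], "dst": RFC1918, "ports": "*"},
]
# Simplified stand-in for Azure's built-in default rules (priority 65000+):
# inbound falls through to DenyAllInBound, outbound to AllowInternetOutBound.
DEFAULTS = {"Inbound": ("Deny", "DenyAllInBound"), "Outbound": ("Allow", "AllowInternetOutBound")}


def _matches(ip, prefixes):
    """True if ip falls inside any prefix; '*' matches everything."""
    addr = ipaddress.ip_address(ip)
    return any(p == "*" or addr in ipaddress.ip_network(p) for p in prefixes)


def evaluate(rules, direction, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) of the first matching rule in ascending priority."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if not (_matches(src_ip, r["src"]) and _matches(dst_ip, r["dst"])):
            continue
        if r["ports"] != "*" and dst_port not in r["ports"]:
            continue
        return r["access"], r["name"]
    return DEFAULTS[direction]


def dns_flows_denied_on_paper(rules, server_ip, dns_servers):
    """List (dns_server, rule) pairs whose outbound UDP/53 flow the rules deny.
    Per the article, these flows may still appear in firewall logs, so verify each one."""
    denied = []
    for dns in dns_servers:
        access, name = evaluate(rules, "Outbound", server_ip, dns, 53)
        if access == "Deny":
            denied.append((dns, name))
    return denied


if __name__ == "__main__":
    # Constructed: test server 10.50.1.4, three DNS servers registered on the VNet.
    for dns, rule in dns_flows_denied_on_paper(RULES, "10.50.1.4", ["10.1.0.4", "10.1.0.5", "10.1.0.6"]):
        print(f"DNS {dns}:53 denied by {rule} on paper; confirm in firewall / NSG flow logs")
```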
