| Description | This article describes the expected behavior of Azure Virtual Networks with encryption enabled, which can affect FortiGate VM DNS connectivity. |
| Scope | Any supported version of FortiGate, Microsoft Azure. |
| Solution |
If encryption is enabled in the virtual network, Azure blocks UDP port 53 traffic from virtual machines within the virtual network. Virtual machines created using the Azure marketplace can bypass this restriction and make DNS queries against the DNS server configured on the device's virtual NIC. However, Azure is not able to modify the required internal files on a FortiGate virtual machine to enable this bypass.
As a result, if Azure Virtual Network encryption is enabled on a virtual network, FortiGate virtual machines hosted in this network must be configured to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to resolve hostnames. The FortiGate's DNS client uses DoT by default, but if the configuration is changed (for example, to point to an internal DNS server to resolve private DNS names), the DNS client may be affected.
Resolution: To resolve the conflict, either disable Azure Virtual Network encryption or configure the FortiGate DNS client to use DoT and/or DoH for encrypted DNS.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    set protocol dot
    set server-hostname "globalsdns.fortinet.net"
end
Note: If using an encrypted DNS protocol, verify that the configured remote DNS servers support it.
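One way to carry out the check in the note above, as an added example that is not Fortinet's own tooling: a Python probe that opens a certificate-verified TLS session to TCP port 853 and sends one length-prefixed DNS query. The function names are hypothetical, the server values are the ones from the configuration above, and the probe assumes the host's system CA store, which may differ from the certificates the FortiGate trusts.

```python
# Added example: probe whether a DNS server answers DNS-over-TLS (TCP/853).
import socket, ssl, struct

def build_query(name, qid=0x1234):
    """DNS A query in wire format, with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def parse_reply(framed, qid=0x1234):
    """Return (rcode, answer_count) from a length-prefixed reply; raise on a bad frame."""
    if len(framed) < 14:
        raise ValueError("reply shorter than length prefix + DNS header")
    (length,) = struct.unpack("!H", framed[:2])
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", framed[2:14])
    if length != len(framed) - 2 or rid != qid or not flags & 0x8000:
        raise ValueError("length, ID or QR bit does not match the query")
    return flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes, since a TLS record may deliver fewer per recv()."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf

def probe_dot(server_ip, server_hostname, name="example.com", timeout=5.0):
    """True if the server answers NOERROR over verified TLS; raises if TCP or TLS fails."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(build_query(name))
            prefix = recv_exact(tls, 2)
            body = recv_exact(tls, struct.unpack("!H", prefix)[0])
    rcode, _answers = parse_reply(prefix + body)
    return rcode == 0

if __name__ == "__main__":
    # Server IP and hostname taken from the article's configuration.
    print(probe_dot("96.45.45.45", "globalsdns.fortinet.net"))
```

A refused connection or TLS error here means the server does not offer DoT on port 853 or presents a certificate that does not match the configured server hostname.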
This issue does not exclusively affect FortiGate virtual machines. Other devices or services on an Azure virtual network can also be affected in the same way. For example, Azure Private DNS Resolver is not compatible with Azure Virtual Network encryption. See this third-party reference: What is Azure DNS Private Resolver?.
Related document: |
Copyright 2026 Fortinet, Inc. All Rights Reserved.