diff --git a/avm/res/network/azure-firewall/CHANGELOG.md b/avm/res/network/azure-firewall/CHANGELOG.md
index 2c9f6c08d41..bc4224baa53 100644
--- a/avm/res/network/azure-firewall/CHANGELOG.md
+++ b/avm/res/network/azure-firewall/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 The latest version of the changelog can be found [here](https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/network/azure-firewall/CHANGELOG.md).
 
+## 0.8.2
+
+### Changes
+
+- Added `enableDnsProxy` parameter to support DNS proxy functionality on Azure Firewall. When enabled, the firewall acts as a DNS proxy and forwards DNS requests to configured DNS servers, which is required for network rules using FQDN destinations.
+
+### Breaking Changes
+
+- None
+
 ## 0.8.1
 
 ### Changes
diff --git a/avm/res/network/azure-firewall/README.md b/avm/res/network/azure-firewall/README.md
index 28396f4a07e..032cd1eed04 100644
--- a/avm/res/network/azure-firewall/README.md
+++ b/avm/res/network/azure-firewall/README.md
@@ -1919,6 +1919,7 @@ param virtualNetworkResourceId = '<virtualNetworkResourceId>'
 | [`availabilityZones`](#parameter-availabilityzones) | array | The list of Availability zones to use for the zone-redundant resources. |
 | [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
+| [`enableDnsProxy`](#parameter-enablednsproxy) | bool | Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers. |
 | [`enableForcedTunneling`](#parameter-enableforcedtunneling) | bool | Enable/Disable forced tunneling. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
@@ -2393,6 +2394,14 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it
 - Required: No
 - Type: string
 
+### Parameter: `enableDnsProxy`
+
+Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `enableForcedTunneling`
 
 Enable/Disable forced tunneling.
diff --git a/avm/res/network/azure-firewall/main.bicep b/avm/res/network/azure-firewall/main.bicep
index 53d18408e81..4a4f7049aee 100644
--- a/avm/res/network/azure-firewall/main.bicep
+++ b/avm/res/network/azure-firewall/main.bicep
@@ -75,6 +75,9 @@ param availabilityZones int[] = [1, 2, 3]
 @description('Optional. Enable/Disable forced tunneling.')
 param enableForcedTunneling bool = false
 
+@description('Optional. Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.')
+param enableDnsProxy bool = false
+
 import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingFullType[]?
@@ -294,6 +297,13 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
         applicationRuleCollections: applicationRuleCollections ?? []
         natRuleCollections: natRuleCollections ?? []
         networkRuleCollections: networkRuleCollections ?? []
+        ...(enableDnsProxy
+          ? {
+              additionalProperties: {
+                'Network.DNS.EnableProxy': 'true'
+              }
+            }
+          : {})
       }
     : {
         autoscaleConfiguration: {
@@ -315,6 +325,13 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
               id: virtualHubResourceId
             }
           : null
+        ...(enableDnsProxy
+          ? {
+              additionalProperties: {
+                'Network.DNS.EnableProxy': 'true'
+              }
+            }
+          : {})
       }
 }
 
diff --git a/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
index 3440dec8620..f8a91adba02 100644
--- a/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
+++ b/avm/res/network/azure-firewall/tests/e2e/basic/main.test.bicep
@@ -52,6 +52,7 @@ module testDeployment '../../../main.bicep' = [
     params: {
       name: '${namePrefix}${serviceShort}001'
       azureSkuTier: 'Basic'
+      enableDnsProxy: true
       virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
       location: resourceLocation
       threatIntelMode: 'Deny'
diff --git a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
index 9fff8069493..d2661b50b2a 100644
--- a/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
+++ b/avm/res/network/azure-firewall/tests/e2e/max/main.test.bicep
@@ -207,6 +207,7 @@ module testDeployment '../../../main.bicep' = [
           principalType: 'ServicePrincipal'
         }
       ]
+      enableDnsProxy: true
       availabilityZones: [
         1
         2