Azure · Copilot · Aug 29, 2025 · Aug 29, 2025 · Aug 29, 2025 · AlexanderSehr
@@ -2,6 +2,16 @@
 
 The latest version of the changelog can be found [here](https://github.com/Azure/bicep-registry-modules/blob/main/avm/res/network/azure-firewall/CHANGELOG.md).
 
+## 0.8.2
+
+### Changes
+
+- Added `enableDnsProxy` parameter to support DNS proxy functionality on Azure Firewall. When enabled, the firewall acts as a DNS proxy and forwards DNS requests to configured DNS servers, which is required for network rules using FQDN destinations.
+
+### Breaking Changes
+
+- None
+
 ## 0.8.1
 
 ### Changes

@@ -1919,6 +1919,7 @@ param virtualNetworkResourceId = '<virtualNetworkResourceId>'
 | [`availabilityZones`](#parameter-availabilityzones) | array | The list of Availability zones to use for the zone-redundant resources. |
 | [`azureSkuTier`](#parameter-azureskutier) | string | Tier of an Azure Firewall. |
 | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
+| [`enableDnsProxy`](#parameter-enablednsproxy) | bool | Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers. |
 | [`enableForcedTunneling`](#parameter-enableforcedtunneling) | bool | Enable/Disable forced tunneling. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
 | [`firewallPolicyId`](#parameter-firewallpolicyid) | string | Resource ID of the Firewall Policy that should be attached. |
@@ -2393,6 +2394,14 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it
 - Required: No
 - Type: string
 
+### Parameter: `enableDnsProxy`
+
+Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `enableForcedTunneling`
 
 Enable/Disable forced tunneling.

@@ -75,6 +75,9 @@ param availabilityZones int[] = [1, 2, 3]
 @description('Optional. Enable/Disable forced tunneling.')
 param enableForcedTunneling bool = false
 
+@description('Optional. Enable/Disable DNS proxy. When enabled, the firewall will act as a DNS proxy and forward DNS requests to the configured DNS servers.')
+param enableDnsProxy bool = false
+
 import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.5.1'
 @description('Optional. The diagnostic settings of the service.')
 param diagnosticSettings diagnosticSettingFullType[]?
@@ -278,44 +281,62 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
   zones: map(availabilityZones, zone => '${zone}')
   tags: tags
   properties: azureSkuName == 'AZFW_VNet'
-    ? {
-        threatIntelMode: threatIntelMode
-        firewallPolicy: !empty(firewallPolicyId)
-          ? {
-              id: firewallPolicyId
-            }
-          : null
-        ipConfigurations: ipConfigurations
-        managementIpConfiguration: requiresManagementIp ? managementIPConfiguration : null
-        sku: {
-          name: azureSkuName
-          tier: azureSkuTier
-        }
-        applicationRuleCollections: applicationRuleCollections ?? []
-        natRuleCollections: natRuleCollections ?? []
-        networkRuleCollections: networkRuleCollections ?? []
-      }
-    : {
-        autoscaleConfiguration: {
-          maxCapacity: autoscaleMaxCapacity
-          minCapacity: autoscaleMinCapacity
-        }
-        firewallPolicy: !empty(firewallPolicyId)
+    ? union(
+        {
+          threatIntelMode: threatIntelMode
+          firewallPolicy: !empty(firewallPolicyId)
+            ? {
+                id: firewallPolicyId
+              }
+            : null
+          ipConfigurations: ipConfigurations
+          managementIpConfiguration: requiresManagementIp ? managementIPConfiguration : null
+          sku: {
+            name: azureSkuName
+            tier: azureSkuTier
+          }
+          applicationRuleCollections: applicationRuleCollections ?? []
+          natRuleCollections: natRuleCollections ?? []
+          networkRuleCollections: networkRuleCollections ?? []
+        },
+        enableDnsProxy
           ? {
-              id: firewallPolicyId
+              additionalProperties: {
+                'Network.DNS.EnableProxy': 'true'
+              }
             }
-          : null
-        sku: {
-          name: azureSkuName
-          tier: azureSkuTier
-        }
-        hubIPAddresses: !empty(hubIPAddresses) ? hubIPAddresses : null
-        virtualHub: !empty(virtualHubResourceId)
+          : {}
+      )
+    : union(
+        {
+          autoscaleConfiguration: {
+            maxCapacity: autoscaleMaxCapacity
+            minCapacity: autoscaleMinCapacity
+          }
+          firewallPolicy: !empty(firewallPolicyId)
+            ? {
+                id: firewallPolicyId
+              }
+            : null
+          sku: {
+            name: azureSkuName
+            tier: azureSkuTier
+          }
+          hubIPAddresses: !empty(hubIPAddresses) ? hubIPAddresses : null
+          virtualHub: !empty(virtualHubResourceId)
+            ? {
+                id: virtualHubResourceId
+              }
+            : null
+        },
+        enableDnsProxy
           ? {
-              id: virtualHubResourceId
+              additionalProperties: {
+                'Network.DNS.EnableProxy': 'true'
+              }
             }
-          : null
-      }
+          : {}
+      )
 }
 
 resource azureFirewall_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {

@@ -52,6 +52,7 @@ module testDeployment '../../../main.bicep' = [
     params: {
       name: '${namePrefix}${serviceShort}001'
       azureSkuTier: 'Basic'
+      enableDnsProxy: true
       virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId
       location: resourceLocation
       threatIntelMode: 'Deny'

@@ -207,6 +207,7 @@ module testDeployment '../../../main.bicep' = [
           principalType: 'ServicePrincipal'
         }
       ]
+      enableDnsProxy: true
       availabilityZones: [
         1
         2
-Original file line number
+Diff line change
@@ Expand Up / @@ -207,6 +207,7 @@ module testDeployment '../../../main.bicep' = [ @@
               principalType: 'ServicePrincipal'
             }
           ]
+          enableDnsProxy: true
           availabilityZones: [
@@ Expand Down @@