Based on my testing, the Azure Network Security Group (NSG) stateful firewall blocks all (UDP and TCP) reflection DDoS attacks? I did my test by programmatically just creating an NSG incoming TCP port 80, 443 allow rule. Is that all I need to do? (I think the answer is yes).
BTW, here is an example of a reflection DDoS attack. Client 1, part of a botnet, spoofs its source IP address to be that of the victim. Client 1 then sends this crafted malicious packet to an innocent 3rd party, which is, for example, running a UDP port 53 DNS server. The 3rd party server replies, but the reply goes to the victim server (since the source IP address was spoofed).
You don't even need Azure Firewall to block reflection attacks, provided you have the Standard level of DDoS protection enabled on the VNet your resources are connected to, in your example the DNS server.
https://learn.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview
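A simplified model of the stateful evaluation discussed in this thread, added here as an illustration; it is not code from either post and not Azure's implementation. The class, addresses and ports are constructed, and "outbound traffic is always allowed and tracked" and "unmatched inbound traffic is denied" are modelling assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class StatefulFilter:
    """Toy stateful filter: inbound allow rules plus a flow table."""

    def __init__(self, inbound_allow):
        self.inbound_allow = set(inbound_allow)  # {(proto, dst_port)}
        self.flows = set()                       # (proto, initiator, responder)

    def outbound(self, pkt):
        # Assumption: all VM-initiated traffic is allowed and tracked.
        self.flows.add((pkt.proto, pkt.src, pkt.dst))
        return "allow"

    def inbound(self, pkt):
        # A reply is the mirror image of a flow the VM opened itself.
        if (pkt.proto, pkt.dst, pkt.src) in self.flows:
            return "allow-reply"
        # Otherwise the packet needs an explicit inbound allow rule.
        if (pkt.proto, pkt.dst[1]) in self.inbound_allow:
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            return "allow-rule"
        return "deny"

def evaluate():
    vm = "10.0.0.4"                 # constructed addresses throughout
    resolver = ("198.51.100.53", 53)
    fw = StatefulFilter({("tcp", 80), ("tcp", 443)})
    results = {}
    # 1. A web client connects to the published HTTPS port.
    results["https_client"] = fw.inbound(Packet("tcp", ("203.0.113.10", 51000), (vm, 443)))
    # 2. The VM sends its own DNS query; the matching answer comes back.
    fw.outbound(Packet("udp", (vm, 40000), resolver))
    results["solicited_dns"] = fw.inbound(Packet("udp", resolver, (vm, 40000)))
    # 3. A DNS answer the VM never asked for (what a reflector sends the victim).
    results["unsolicited_dns"] = fw.inbound(Packet("udp", resolver, (vm, 40001)))
    return results

if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16} {verdict}")
```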