Azure Private DNS Zone Resolution from On-prem

Shola Lawani 531 Reputation points Microsoft Employee
2020-12-01T13:25:40.943+00:00

Hello experts,

When building an Azure private endpoint infrastructure (with an Azure Private DNS zone) that requires on-prem access, with an Azure VNet that uses a custom DNS server from on-prem, Microsoft's recommendation as stated here https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder is that a conditional forwarder be set up to a DNS forwarder in Azure, which will then query the Azure private DNS with the IP 168.63.129.16.

My question is: is there no way an on-prem AD DNS server can query the Azure Private DNS zone hosted by 168.63.129.16 without an extra hop?


Accepted answer
  1. GitaraniSharma-MSFT 46,266 Reputation points Microsoft Employee
    2020-12-02T12:46:59.287+00:00

    Hello anonymous user ,

    It is correct that for on-premises workloads to resolve an FQDN of a private endpoint into the private IP address, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16.

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:
    [Image: table of name resolution scenarios from on-premises]

    Currently, there is no other way to accomplish this requirement but Azure Private DNS Zone resolution from OnPremise is planned and is on the roadmap. You can vote for this feature in the below forum:
    https://feedback.azure.com/forums/217313-networking/suggestions/36317164-azure-private-dns-zone-resolution-from-onpremise

    Hence, at the moment, you need to configure your on-premises DNS solution to forward DNS traffic to Azure DNS via a conditional forwarder that references the DNS forwarder deployed in Azure.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.

6 additional answers

  1. Anthony Sharpe 11 Reputation points
    2021-03-11T18:41:49.803+00:00

    Okay, so what if you have a domain controller in Azure? Do you still need to forward those requests to the Azure Private DNS Zone?

    2 people found this answer helpful.

  2. Alexis (Wefight) 36 Reputation points
    2022-03-16T14:36:06.287+00:00

    Is there any alternative to setting up a DNS forwarder in the Azure network or using an Azure Firewall to resolve Azure Private DNS Zone records from the on-premises network (when a Site-to-Site connection has already been established)?

    1 person found this answer helpful.

  3. Daniel Schwendeman 6 Reputation points
    2022-05-12T17:29:18.807+00:00

    For anyone happening upon this topic, you can utilize AADDS DNS servers as a DNS Forwarder and not have to spin up a dedicated VM (this is assuming you have AADDS in your environment).

    Requirements:

      1. You must have peering configured from your VM VNet to the VNet that houses your AADDS DCs/DNS.
      2. The private zone configured in your VM resource group that is linked to your VM VNet must also be linked to your AADDS VNet.
      3. You can then add a conditional forwarder on your AADDS DNS for the name of your private zone and point it to the Azure DNS resolver, i.e. example.contoso.com -> 168.63.129.16.
      4. Then configure your on-prem (or across ExpressRoute or Site-to-Site) environment to forward DNS requests for your private zone to the AADDS DNS: example.contoso.com -> [AADDS DC internal IP address]

    1 person found this answer helpful.
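The two-hop forwarder chain from the accepted answer and the AADDS variant above, as an added PowerShell example (not from any poster in this thread). The zone name, the forwarder IP 10.1.0.4 and the storage account name are placeholders; only 168.63.129.16 comes from the thread. It assumes the DnsServer RSAT module and DNS admin rights on both the Azure-side forwarder (or AADDS DC) and the on-prem AD DNS server.

```powershell
# Added example, not code from the thread. All names and IPs except 168.63.129.16
# are assumed placeholders.
$PrivateZone = 'privatelink.blob.core.windows.net'   # assumed private DNS zone name
$AzureFwd    = '10.1.0.4'                            # assumed forwarder VM / AADDS DC IP
$AzureDnsIp  = '168.63.129.16'                       # Azure-provided resolver (from thread)

# Hop 1: on the Azure-side forwarder (AADDS DCs are managed remotely via -ComputerName),
# send queries for the private zone to Azure DNS, which can see the linked private zone.
Add-DnsServerConditionalForwarderZone -ComputerName $AzureFwd -Name $PrivateZone `
    -MasterServers $AzureDnsIp -ForwarderTimeout 3

# Hop 2: on the on-prem AD DNS server (run locally there), forward the same zone to the
# Azure forwarder, not to 168.63.129.16, which is only reachable from inside the VNet.
# 'Forest' replication scope stores the forwarder in AD so every DC/DNS server gets it.
Add-DnsServerConditionalForwarderZone -Name $PrivateZone `
    -MasterServers $AzureFwd -ReplicationScope 'Forest'

# Check: a private endpoint name queried from on-prem must land on an RFC 1918 address.
# A public IP here means the chain is not in effect and traffic would use the public endpoint.
function Test-PrivateEndpointResolution {
    param([string]$Fqdn, [string]$Server)
    # Resolve-DnsName returns the public CNAME chain plus the final A record(s);
    # keep only the A answers and classify each address.
    $records = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'A' }
    foreach ($r in $records) {
        $b = [System.Net.IPAddress]::Parse($r.IPAddress).GetAddressBytes()
        $isPrivate = ($b[0] -eq 10) -or
                     ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                     ($b[0] -eq 192 -and $b[1] -eq 168)
        [pscustomobject]@{ Name = $Fqdn; Address = $r.IPAddress; Private = $isPrivate }
    }
}

# 'mystorageacct' is a placeholder; clients query the public name, which CNAMEs into the
# privatelink zone and is then answered through the conditional forwarder chain.
Test-PrivateEndpointResolution -Fqdn 'mystorageacct.blob.core.windows.net' -Server 'localhost'
```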

  4. Nathaniel Hansen 6 Reputation points
    2022-05-17T09:41:27.793+00:00

    I haven't tried it yet (the date on the article is 1 day ago as of my comment) and it may be in public preview, but:

    https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    The announcement: https://azure.microsoft.com/en-au/updates/public-preview-azure-dns-private-resolver-hybrid-name-resolution-and-conditional-forwarding/

    If it's good.... finally!

    1 person found this answer helpful.