Not resolving private dns zone over point to site VPN connection into Azure

John Fox 21

Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.

My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.

I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:

vnet - depending on a couple of NSGs and the private DNS zone

virtual network gateway - depending on the gateway IP, vnet and the private dns zone

I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.

Anyone any ideas?

Jacob 81 Reputation points

2020-06-24T12:38:31.8+00:00

Usually the VPN client will inherit the DNS servers configured on the VNet. I’m wondering if this doesn’t apply to Private DNS.
Jacob 81 Reputation points

2020-06-24T12:43:55.62+00:00

Are you using SSTP or OpenVPN?
Bas Roovers 1 Reputation point

2021-07-21T20:29:58.187+00:00

I can confirm that this works for me, I changed the DNS server configured on my VNet.

You can confirm it working with this Powershell command: Get-DnsClientNrptPolicy
It should show you your nameservers. Keep in mind that you need to have the client VPN tunnel active while running the command.

14 answers

Umesh 6 Reputation points

2021-09-07T15:54:37.45+00:00

I am having same problem. I have a private dns configured to access azure container registry and I am planning to use the same to access VMS from point-to-site vpn connection. I am able to connect to VMs using IP address, but name resolution doesn't happen. I am using MacOS desktop and using MacOS vpn client and not the Azure VPN client. Any suggestions ?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
The Architect 1 Reputation point

2022-01-28T21:24:53.077+00:00

I love it when I read a trend of posts that programmers and developers trying to do a simple fix by hacking codes and files all over the place for days and at the end they end up with a mess that ain't working.

There is absolutely no such thing as DNS issue for Azure P2S VPN, you just didn't do it right.

All you need to do is this,
On the VNET that you plan to have your VPN's GatewaySubnet, make sure you configure your DNS server IP. If it is on a VM in the same tenancy or OnPrem or internal IP of azure firewall when you use it as DNS proxy.

If you didn't do the previous step before building your azure vpn gateway, then you need to rebuild it after configuring the DNS.

That's it.
Please sign in to rate this answer.
Maksimovic Milos 1 Reputation point

2022-02-11T12:25:04.93+00:00

Rebuild? Delete and create the Virtual Gateway again?

Scott Barclay 1 Reputation point

2022-02-25T17:35:35.427+00:00

Bless you, TheArchitect-1413. I spend half my time undoing hacks like the ones described above and reconfiguring things the right way. Kludges are very rarely justified, and result from people not taking the time to fully wrap their brains around something (which would save themselves and others HUGE amounts of time if they did.

Michael McMaster 11 Reputation points

2022-02-28T01:32:59.907+00:00

@The Architect Any chance you could elaborate on

On the VNET that you plan to have your VPN's GatewaySubnet, make sure you configure your DNS server IP

when using Azure Private DNS linked to that VNET? I added the gateway after the DNS was linked and AzueP2S VPN clients still can not resolve names.

Thank you

Scott Barclay 1 Reputation point

2022-02-28T14:55:00.747+00:00

On the existing VNET associated with the VNGW, under DNS Servers, specify the IP address of the DNS server used for the LAN. In my case, it's the same server running NPAS for the RADIUS function, with the external DNS forwarders specified in DNS management.

Regarding Azure Private DNS, I would think the same steps would work as long as your NPAS server has access to the Azure Private DNS as well.

Michael McMaster 11 Reputation points

2022-02-28T19:54:09.693+00:00

Thanks Scott,

I fully admit this may be my lack of knowledge causing the problems here, as networking is not my forte, but there is no option to enter a DNS server IP address when you select Default (Azure provided).

Leaving it as Default (Azure-provided) works for machines on the VNET just not for the Azure VPN P2S clients.

Mike

Helder Sandrini Mansur 1 Reputation point

2022-04-18T21:27:38.387+00:00

Thanks for the details.
I have a hub-spoke setup using vWan as the main hub.
I cannot change DNS for that subnet - there is no such option.
So I can connect to VPN, will get ips, DNS ips and suffixies names (from the file config), but if I don´t use FQDN, it won´t resolve names (I have 2 VM with DNS running and it has the Azure Private DNS ip as hint root hint configured, so all machines from any VNET will resolve the names).
There is no VNET created for the remote ip addresses, as the VPN GW will ask me what is the remote addressing, that´s all.
Hope you can help me out with some light here.
Thanks.

Helder
Sign in to comment
Scott Barclay 1 Reputation point

2022-02-28T20:37:14.517+00:00

If you have a Domain Controller / DNS server hosted in the environment, change it from Default (Azure-provided) to Custom and specify that DNS server.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Michael McMaster 11 Reputation points

2022-02-28T20:49:56.26+00:00

I don't. I also found the following, that says the only way to do it with Azure Private DNS is to set up a DNS server as a forwarder.

https://github.com/MicrosoftDocs/azure-docs/issues/56217
https://stackoverflow.com/questions/70450341/azure-private-dns-configuration-not-working-with-p2s-vpn

So it seems my scenario is not supported.

Thanks for the replies!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Gal G 1 Reputation point Microsoft Employee

2022-03-08T08:35:17.58+00:00
After long journey of figuring out how to make it work, here is my solution which is based on all previous comments:

You need to add both to the XML file, DNSsuffix and DNS server IP. Suffix will contain all the domains that you would like redirecting to your VPN DNS server.
<clientconfig>
<dnssuffixes>
<dnssuffix>.x.com</dnssuffix>
<dnssuffix>.y.om</dnssuffix>
</dnssuffixes>
<dnsservers>
<dnsserver>DNS_FORWARDER_IP</dnsserver>
</dnsservers>
</clientconfig>

Create DNS server/forwarder in your Azure ENV. I simply used Azure firewall as a forwarder cause I wanted to keep it Azure native.

Add DNS private zone and make sure it is connected to your VPN gateway network. After creating it, CNAME resource records will automatically updated to an alias with the prefix
'privatelink'. So when accessing your resource xxx.azure.com from the VPN, it will redirect you automatically to your private DNS record xxx.privatelink.azure.com.

Reference: https://learn.microsoft.com/en-us/azure/purview/catalog-private-link-name-resolution

Gal
Please sign in to rate this answer.
Jeremy 136 Reputation points

2022-03-29T13:55:24.943+00:00

@Gal G I think I'm tracking down a path similar to yours (only with openVPN), but I'm still stuck on how the forwarder is supposed to look.

How did you create your DNS server? - when I looked at azure firewall, it looked like I still needed to make a DNS server if I wanted to use it.

What does the configuration look like?

How do you get the IP of the Private DNS Zone to forward to,?

Gal G 1 Reputation point Microsoft Employee

2022-03-29T14:05:45.737+00:00

Hi Jeremy,

You don't need to create a DNS server, only a DNS forwarder. For that, you just need to enable DNS proxy under: Firewall Policy->DNS.

After that, you will need to add to the VPN xml file the firewall IP as DNS server, in this way: <dnsserver>FIREWALL_IP</dnsserver>.

The Private DNS Zone doesn't have any IP, you only need to virtual link it to your VPN GW Vnet or to a Vnet which has peering to your GW Vnet.

Cheers,
Gal

Jeremy 136 Reputation points

2022-03-29T15:28:56.713+00:00

Ah, okay, I think I understand your solution now.

By configuring the firewall policy to act as a reverse proxy, you can point at it using your VPN configuration. Also, when configuring the DNS you can just specify to use the Azure DNS services (you don't have to custom DNS). Together, this will allow VPNed in users to use the private DNS zone to resolve the DNS.

For others, here is a link to the DNS settings documentation. You can grab a 'Firewall Policy' from the marketplace, and the DNS Settings are in the second tab.
https://learn.microsoft.com/en-us/azure/firewall-manager/dns-settings#dns-proxy

Curiously the cost for one policy is similar to a whole standard VM.

Thanks!

Jeremy 136 Reputation points

2022-03-29T17:04:51.76+00:00

Also worth noting:

If you update your VNet's DNS on the blade: Virtual Network > DNS Servers

and set the DNS servers to Custom, and set the IP of you DNS forwarder. The next time you export the client config files for your CPN client, the AzureVPN settings file includes the DNS Server for you, so you shouldn't need to manually add it. (Unfortunately it doesn't seem to do that for the Generic and OpenVPN settings)
Sign in to comment

Share via

Not resolving private dns zone over point to site VPN connection into Azure

14 answers