Not resolving private dns zone over point to site VPN connection into Azure

John Fox 21 Reputation points
2020-06-24T08:53:42.657+00:00

Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.

My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.

I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:

vnet - depending on a couple of NSGs and the private DNS zone

virtual network gateway - depending on the gateway IP, vnet and the private DNS zone

I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.

Anyone any ideas?

14 answers
  1. Tariq Mahmood 1 Reputation point
    2022-03-23T14:55:14.347+00:00

    We were also having the same problem: we were able to reach the server through its IP but not its URL. It worked for us by adding custom DNS in the vnet where the GatewaySubnet is deployed. E.g. you have DNS1 20.20.20.1 and DNS2 20.20.20.2. Just go to Vnet (in which the Gateway is deployed) --> DNS servers --> change default to custom, give the DNS IPs and save. It worked for me. Note we didn't have any Azure Firewall etc. and these DNS servers are in Azure.


  2. Jeremy 136 Reputation points
    2022-03-29T19:33:53.9+00:00

    I have got DNS working for users VPNing in with OpenVPN, using an Ubuntu server hosting a DNS forwarder (using bind9) forwarding to the Azure virtual DNS which has the DNS records.

    I am assuming you already have a Virtual Network and Gateway set up so you are able to VPN in with OpenVPN and access VMs via IP.

    Step 1. Create a Private DNS zone. Use an A record to point to one of your VMs in your network. Attach the private zone to the network via the "virtual network link" menu option in the zone menu.
    Step 2. Create an Ubuntu VM. Place it in the VNet. It shouldn't need a public IP.
    Step 3. Install bind9 on Ubuntu:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get dist-upgrade
    sudo apt install bind9
    

    Step 4. Edit the config file '/etc/bind/named.conf.options' as follows:

    acl goodclients {
            10.1.0.0/16;
            10.2.0.0/16;
            localhost;
            localnets;
    };

    options {
            directory "/var/cache/bind";

            recursion yes;
            allow-query { goodclients; };

            forwarders {
                    168.63.129.16;
            };
            forward only;

            dnssec-validation no;

            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
    

    Notes:

    • goodclients should have the address range of your vnet, and maybe the address range of the virtual gateway users (that's what I did)
    • Azure doesn't support DNSSEC, so you have to explicitly set it to no
    • The forwarders IP is Azure's global DNS IP; it's the same for everybody all the time.

    Step 5. Check your settings and restart the service:

    named-checkconf
    sudo service bind9 restart
    

    Step 6. Go to your Virtual Network > DNS Servers, switch to custom and enter the private IP of the Ubuntu server we just made.
    Step 7. Go to your Virtual Network Gateway's Connection and click the 'Download Configuration' button.
    Step 8. Grab the OpenVPN configuration file and place it in your OpenVPN config directory (C:\Program Files\OpenVPN\config).
    Step 9. Copy in your certs following Azure's instructions.
    Step 10. Add the following two lines to the OpenVPN config file before the certs begin. (This tells your VPN connection to use your DNS instead of whatever Azure uses, and YOUR DNS knows to use the Private DNS zone, unlike whatever the default connection is doing.)

    dhcp-option DNS x.x.x.x
    register-dns
    

    Where x.x.x.x is the private IP address of the Ubuntu DNS server we made.

    Step 11. Use PuTTY or ssh and use the custom domain to access your VM!

    Helpful links that got me here:
    https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
    https://learn.microsoft.com/en-us/azure/dns/dns-overview#:~:text=Azure%20DNS%20does%20not%20currently%20support%20DNSSEC.%20In,host%20these%20zones%20with%20third-party%20DNS%20hosting%20providers
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

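The named.conf.options in Jeremy's answer above relies on the goodclients ACL admitting the VPN clients: if the Point-to-Site client address pool is not listed in it, bind answers those clients with REFUSED, which from the client's side looks exactly like "no DNS over the VPN". The following Python script is an added example, not code from the answer or from Microsoft. It parses a BIND options fragment, expands allow-query through named ACLs, checks whether given client ranges are admitted, and flags the recursion-plus-allow-query-any combination that would make the forwarder VM an open resolver. The sample config is modelled on the answer's; the 172.16.201.0/24 client pool is an assumed value, not something from the page.

```python
import ipaddress
import re

# Constructed sample modelled on the named.conf.options from the answer above.
SAMPLE_OPTIONS = """
acl goodclients {
        10.1.0.0/16;
        10.2.0.0/16;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        forwarders { 168.63.129.16; };
        forward only;
        dnssec-validation no;
};
"""

# Constructed variant: same file, but allow-query opened to 'any', which with
# recursion yes turns the forwarder into an open recursive resolver.
OPEN_OPTIONS = SAMPLE_OPTIONS.replace("allow-query { goodclients; };",
                                      "allow-query { any; };")

_ACL_RE = re.compile(r"\bacl\s+(\S+)\s*\{([^}]*)\}")
_ALLOW_QUERY_RE = re.compile(r"\ballow-query\s*\{([^}]*)\}")
_RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;")


def _split_entries(body):
    """Split an address-match list body ('a; b; c;') into its entries."""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    """Return {acl_name: [entries]} for every 'acl name { ... };' block."""
    return {name: _split_entries(body) for name, body in _ACL_RE.findall(text)}


def allowed_networks(text):
    """Expand allow-query into concrete networks, following named ACL references.

    Returns (networks, allows_any). localhost/localnets are skipped because they
    depend on the host's interfaces, not on the config file. Negated entries are
    rejected rather than silently counted as coverage.
    """
    acls = parse_acls(text)
    match = _ALLOW_QUERY_RE.search(text)
    if not match:
        return [], True  # BIND's default for allow-query is 'any'
    networks, allows_any, seen = [], False, set()
    pending = _split_entries(match.group(1))
    while pending:
        entry = pending.pop()
        if entry in ("localhost", "localnets", "none"):
            continue
        if entry == "any":
            allows_any = True
        elif entry.startswith("!"):
            raise ValueError(f"negated ACL entry not supported: {entry}")
        elif entry in acls:
            if entry not in seen:
                seen.add(entry)
                pending.extend(acls[entry])
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks, allows_any


def check_client_coverage(text, client_cidrs):
    """Map each client range (VNet, P2S pool, ...) to whether allow-query admits it.

    A range that is not admitted gets REFUSED answers, i.e. 'DNS does not work
    over the VPN' even though the forwarder itself is healthy.
    """
    networks, allows_any = allowed_networks(text)
    report = {}
    for cidr in client_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        report[cidr] = allows_any or any(
            net.subnet_of(n) for n in networks if n.version == net.version)
    return report


def is_open_recursive(text):
    """True when recursion is on and allow-query admits any client."""
    match = _RECURSION_RE.search(text)
    recursion = (match.group(1) == "yes") if match else True  # BIND default: yes
    _, allows_any = allowed_networks(text)
    return recursion and allows_any


if __name__ == "__main__":
    # VNet range from the sample, then the assumed P2S client address pool.
    ranges = ["10.1.0.0/16", "172.16.201.0/24"]
    for cidr, ok in check_client_coverage(SAMPLE_OPTIONS, ranges).items():
        print(f"{cidr}: {'allowed' if ok else 'REFUSED - add it to goodclients'}")
    print("sample is open recursive resolver:", is_open_recursive(SAMPLE_OPTIONS))
    print("open variant is open recursive resolver:", is_open_recursive(OPEN_OPTIONS))
```

Run it against your own /etc/bind/named.conf.options by reading the file into the text argument; the P2S pool to check is the "Address pool" configured on the gateway's Point-to-site configuration. Only add the pool to the ACL, never widen allow-query to any: with recursion yes that would make the VM an open resolver if it ever receives a public IP.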

  3. James Lux 26 Reputation points
    2022-04-26T17:39:38.78+00:00

    I continue to have problems with the Point to Site VPN DNS despite following the proper MS instructions. I prefer not to use a hack to make this work.

    Here are my details.

    1. VNet is set up correctly with custom DNS servers: 168.63.129.16, 209.244.0.3 and 209.244.0.4
    2. I then added a Virtual Network Gateway linked to this VNet
    3. Next I added a Point to Site configuration with Azure AD Authentication
    4. I downloaded the VPN Client File from the Portal and imported it into my installed Azure VPN Client on my mac
    5. I can connect to the Azure VPN Gateway and the client shows 168.63.129.16, 209.244.0.3 and 209.244.0.4 as the VPN DNS Servers
    6. So, this should be working.

    Here is some information from testing....on my Mac

    Without VPN connected

    1. The output of scutil --dns | grep nameserver | sort -u shows nameserver[0] : 192.168.2.1 as the only DNS server
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 192.168.2.1 and Address: 40.79.153.12
    3. This is correct without the VPN connected

    With VPN connected

    1. The output of scutil --dns | grep nameserver | sort -u shows nameserver[0] : 168.63.129.16, nameserver[0] : 192.168.2., nameserver[1] : 209.244.0.3 & nameserver[2] : 209.244.0.4
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 209.244.0.3 and Address: 40.79.153.12
    3. This is incorrect; for some reason the VPN network is not returning the awh-datawarehouse.database.windows.net answer from the first DNS server

    On a Linux VM on the VNet

    1. The output of cat /etc/resolv.conf shows search reddog.microsoft.com, nameserver 168.63.129.16, nameserver 209.244.0.3 & nameserver 209.244.0.4
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 168.63.129.16 and Address: 10.0.1.6
    3. This is correct

    How do I get the DNS resolver at 168.63.129.16 to properly return the private IP address (10.0.1.6) when the VPN is connected?


  4. Ryan Adler 36 Reputation points
    2022-05-25T11:31:07.227+00:00

    This is now possible with the new Azure DNS Private Resolver: the same idea as setting up an Azure Firewall as forwarder or a VM as forwarder described above, but easier. Keep in mind it's currently in Preview.

    https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview