Not resolving private dns zone over point to site VPN connection into Azure

John Fox 21 Reputation points
2020-06-24T08:53:42.657+00:00

Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.

My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.

I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:

vnet - depending on a couple of NSGs and the private DNS zone

virtual network gateway - depending on the gateway IP, vnet and the private dns zone

I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.

Anyone any ideas?

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
691 questions
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,557 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,505 questions
{count} votes

14 answers

Sort by: Most helpful
  1. Tariq Mahmood 1 Reputation point
    2022-03-23T14:55:14.347+00:00

    We were also having same problem that was, able to reach server through IP but not url. It worked for us by adding custom DNS in vnet where the SubnetGatway is deployed. e.g you have DNS1 20.20.20.1 and DNS2 20.20.20.2. Just goto Vnet(in which Gateway is deployed)-->DNS servers-->change default to custom and give DNS IPs and save. It worked for me. Note we didn't have any azure firewall etc and these DNS are in azure.

    0 comments No comments

  2. Jeremy 136 Reputation points
    2022-03-29T19:33:53.9+00:00

    I have got DNS working for users VPNing in with OpenVPN, using an ubuntu server hosting a DNS forwarder (using bind9) forwarding to the Azure Virtual DNS which has the DNS records.

    I am assuming you already have a Virtual Network and Gateway setup so you are able to vpn in with OpenVPN and access VMs via IP.

    Step 1. Create a Private DNS zone. use an A record to point to one of your VMs in your network. Attach the private zone to the network "virtual network link" menu option in the zone menu.
    Step 2. Create an Ubuntu VM. Place it in the VNet. Shouldn't need a public IP.
    Step 3. Install bind9 on ubuntu:

    sudo apt-get update   
    sudo apt-get upgrade  
    sudo apt-get dist-upgrade  
    sudo apt install bind9  
    

    Step 4. edit the config file: '/etc/bind/named.conf.options' as follows:

    acl goodclients {  
            10.1.0.0/16;  
            10.2.0.0/16;  
            localhost;  
            localnets;  
    };  
      
    options {  
            directory "/var/cache/bind";  
      
            recursion yes;  
            allow-query { goodclients; };  
      
            forwarders {  
                    168.63.129.16;  
            };  
            forward only;  
      
            dnssec-validation no;  
      
            auth-nxdomain no;    # conform to RFC1035  
            listen-on-v6 { any; };  
    };  
    

    notes:

    • goodclients should have your address range of your vnet, and maybe the address range of the virtual gateway users (that's what i did)
    • azure doesn't support dnssec so you have to explicitly set it to no
    • the forwarders IP is Azure's global DNS IP, it's the same for everybody all the time.

    Step 5. Check your settings and restart the service:

    named-checkconf  
    sudo service bind9 restart  
    

    Step 6. Go to your Virtual Network > DNS Servers. and switch to custom and enter the private IP for the Ubuntu Server we just made
    Step 7. Go to your Virtual Network Gateway's Connection and click the 'Download Configuration' button
    Step 8. Grab the openvpn configuration file and place it in your openvpn config directory (C:\Program Files\OpenVPN\config)
    Step 9. Copy in your Certs following Azure's instructions
    Step 10. Add the following two lines to the openvpn config file before the certs begin. (this tells your vpn connection to use your DNS instead of whatever azure uses, and YOUR DNS knows to use the Private DNS zone, unlike whatever the default connection is doing)

    dhcp-option DNS x.x.x.x  
    register-dns  
    

    Where x.x.x.x is the private IP address for the Ubuntu DNS server we made

    Step 11. Use putty or ssh and use the custom domain to access your VM!

    helpful links that got me here:
    https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04
    https://learn.microsoft.com/en-us/azure/dns/dns-overview#:~:text=Azure%20DNS%20does%20not%20currently%20support%20DNSSEC.%20In,host%20these%20zones%20with%20third-party%20DNS%20hosting%20providers
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

    0 comments No comments

  3. James Lux 26 Reputation points
    2022-04-26T17:39:38.78+00:00

    I continue to have problems with the Point to Site VPN DNS despite following the proper MS instructions. I prefer not to use a hack to make this work.

    Here are my details.

    1. VNet is setup correctly with Custom DNS servers: 168.63.129.16, 209.244.0.3 and 209.244.0.4
    2. I then added a a Virtual Network Gateway linked to this VNet
    3. Next I added a Point to Site configuration with Azure AD Authentication
    4. I downloaded the VPN Client File from the Portal and imported it into my installed Azure VPN Client on my mac
    5. I can connect to the Azure VPN Gateway and the client shows 168.63.129.16, 209.244.0.3 and 209.244.0.4 as the VPN DNS Servers
    6. So, this should be working.

    Here is some information from testing....on my Mac

    Without VPN connected

    1. The output of scutil --dns | grep nameserver | sort -u shows nameserver[0] : 192.168.2.1 as the only DNS server
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 192.168.2.1 and Address: 40.79.153.12
    3. This is correct without the VPN connected

    With VPN connected

    1. The output of scutil --dns | grep nameserver | sort -u shows nameserver[0] : 168.63.129.16, nameserver[0] : 192.168.2., nameserver[1] : 209.244.0.3 & nameserver[2] : 209.244.0.4
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 209.244.0.3 and Address: 40.79.153.12
    3. This is incorrect; for some reason the VPN network is not returning the awh-datawarehouse.database.windows.net returned from the first DNS server

    On a Linux VM on the VNet

    1. The output of cat /etc/resolve.conf shows search reddog.microsoft.com, nameserver 168.63.129.16, nameserver 209.244.0.3 & nameserver 209.244.0.4
    2. The result of nslookup awh-datawarehouse.database.windows.net shows Server: 168.63.129.16 and Address: 10.0.1.6
    3. This is correct

    How do I get the DNS resolver at 168.63.129.16 to properly return the Private IP Address (10.0.1.6) when VPN is connected?


  4. Ryan Adler 36 Reputation points
    2022-05-25T11:31:07.227+00:00

    This is now possible with the new Azure DNS Private Resolver - same idea as setting up an Azure Firewall as forwarder or VM as forwarder described above, but easier. Keep in mind it's currently in Preview.

    https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.