For the most part, the Azure DNS Private Resolver seems to be working. However, when I try to set up a conditional forwarder in my on-premise DNS to the inbound endpoint it fails with an "Unknown error" message. Azure VMs are able to query my internal network and get the correct results. When I use nslookup in d2 debugging mode from my on-premise systems and set the DNS server to be the inbound endpoint, I see the response is set and properly retrieved. However, when I query for a DNS name of an Azure VM, the query is sent, but no response returned. It appears as if the private resolver is blocked from sending these responses by some policy or other setting. The same queries in Azure VM's work as expected. The private resolver is located it a vnet that contains nothing else. I have set up peering between this vnet and the one that contains my VPN gateway. Thanks for any help.

@Michael , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. From your verbatim, I see you are unable to "query for a DNS name of an Azure VM " However, May I ask what exactly do you mean by "DNS Name" of a Azure VM? Are you using a Particular/dedicated Private DNS Zone where the VMs are auto registered ? Or you are using the internal name resolution provided for a VNET ? Are you able to do the same resolution from a VM in Azure? If yes, can you share the nslookup <DNS-Of-VM> and share the entire results from the VM? Cheers, Kapil

Azure DNS Private Resolver not answering queries from on-premise network

Accepted answer

KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee

2024-07-10T05:11:45.4666667+00:00
@Michael ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

From your verbatim, I see you are unable to "query for a DNS name of an Azure VM"

However,

May I ask what exactly do you mean by "DNS Name" of a Azure VM?

Are you using a Particular/dedicated Private DNS Zone where the VMs are auto registered?

Or you are using the internal name resolution provided for a VNET?

Are you able to do the same resolution from a VM in Azure?

If yes, can you share the nslookup <DNS-Of-VM> and share the entire results from the VM?

Cheers,

Kapil
Please sign in to rate this answer.
Michael 46 Reputation points

2024-07-10T14:06:59.6566667+00:00

Yes, I have a private DNS zone with auto-registration set up in Azure.

By "DNS name of an Azure VM" I mean I am trying to use nslookup from a system in the on-premise network by setting the name server in nslookup to the IP address of the inbound endpoint of the private resolver. I then query for a name such as hostname.azure.domain.com which has been auto-registered in the private DNS zone in Azure. That query will fail. However, if I perform the same nslookup steps on a VM running in Azure (setting the name server address to the same inbound endpoint IP address as used on-premise), the query returns the correct IP address of the Azure VM. Additionally, if I perform a query to my on-premise network (for example hostname.internal.domain.com) in the same Azure nslookup session, the correct value is returned which means the outbound endpoint must be working with its associated ruleset.

I don't believe it is VPN/gateway/firewall related because the traffic seems to be flowing in both directions for this with other requests.

I can give you the nslookup results if you want. I probably should do that it a private message.

Michael 46 Reputation points

2024-07-10T14:40:28.8466667+00:00

My private zone is linked to the vnet. I originally had auto-registration enabled, but now I have it disabled. The query still fails the same.

Michael 46 Reputation points

2024-07-11T01:47:34.65+00:00

The fact the inbound endpoint was not accessible from the on-premise network was due to a setting in the CheckPoint VPN gateway related to NAT. That communication is now working and the on-premise DNS server shows the conditional zone to be "Validated" after entering the IP address of the inbound endpoint in the dialog. However, it still fails when you click the OK button with the error:

A problem occurred when trying to add the conditional forwarder. A zone configuration problem occurred.

What could cause that?

KapilAnanth-MSFT 46,776 Reputation points Microsoft Employee

2024-07-11T10:34:58.1733333+00:00

@Michael ,

Thanks for sharing the details.

You confirmed the issue is because of a configuration related to your OnPrem VPN Device and DNS Lookup now works.

Wrt the OnPrem DNS Configuration,

I would suggest you create a new thread with the correct tag, "Windows Server" so that the right experts can get a traction.

You can also refer to the answer provided here

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have summarized this into a new answer.

I would highly appreciate if you could Accept the answer and close this thread.

Cheers,

Kapil

Michael 46 Reputation points

2024-07-11T16:09:14.4166667+00:00

I have it fixed. It was due to a stub zone that had the same root as the conditional forwarder. I changed the stub to a conditional forwarder and it is working.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure DNS Private Resolver not answering queries from on-premise network

0 additional answers

Your answer