This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 59%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECT%3C/text%3E%3C/svg%3E)
Hi,
We do have an hybrid environment where several servers / clients computers are either on-prem or in Azure. To be able to reach on-prem resources, we have deployed 2 DNS forwarders in Azure (2 VM's with the DNS Services installed and only conditional forwarders)
Those 2 DNS forwarders are configured on all Azure VNet as 1st and 2nd DNS. We also have added Azure DNS (168.63.129.16) as the 3rd DNS Servers. So all VM's in Azure have 3 DNS Servers
Most of the time, it work well but it happen few times that a client could not connect to a "domain joined" resource either in azure on on-prem.
So i decided to capture network traces using Network Monitor and i found that the client computer is making query to DNS Forwarder-1 as expected but for an unknown reason, it stop using the DNS Forwarder-1 and then jump to DNS Forwarder-2 and then to Azure DNS (168.63. 129.16). Because Azure DNS cannot resolve on-prem resources, the DNS query fail. When this situation is happening, there is nothing to do except wait around 10 minutes to be able to contact DNS Forwarder-1 or DNS Forwarder-2...
Anybody had this issue before... and is there anything to do to prevent this ?
Thanks!
Hi @Anonymous ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that sometimes VMs do not follow the order of DNS servers specified in the VNet.
Ideally, this should not be the case.
This issue would require a deeper investigation, so if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support
Cheers,
Kapil.
Hi @Anonymous
I haven't seen this issue before, and most things I could suggest might seem like teaching you to suck eggs.
One thing I would look for is any ICMP packets in the trace to see if there are route or next hop issues and client has determined the forwarders are no longer reachable.
Gary.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
This behavior exists when one or more DNS server IPs are configured as forwarders or conditional forwarders on a DNS server.
You can check this article which explains what is the default behavior of a DNS server when more than two DNS servers are configured as forwarders https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/forwarders-resolution-timeouts
Please check these discussions for a better understanding of this.
How to get on-prem DNS to resolve the FQDN of Azure Resource to its IP https://learn.microsoft.com/en-us/answers/questions/766816/how-to-get-on-prem-dns-to-have-azure-vm-azure-reso.html
Azure Private DNS Zone Resolution from On-prem https://learn.microsoft.com/en-us/answers/questions/181776/azure-private-dns-zone-resolution-from-on-prem.html
--------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
Update...
We found that by removing the suffix DNS on our DNS forwarders has fixed issues with most VM's but some issues still happening mostly with Windows 2008 / 2008R2 VM's
We have opened a ticket with Microsoft to try to find out the root cause but without success. But we found a workaround by applying only our 2 customs DNS forwarders (DNS Forwarder-1 and DNS Forwarder-2) on the NIC of the Windows 2008 / 2008 R2 VM.
With this configuration, the VM gets only the 2 custom DNS and no more issues.
But we still have this issue with all OS versions... so we will probably remove the Azure DNS IP from the VNet configuration.
Thanks!
