Private DNS vs Custom DNS for one VNET

Question

Private DNS vs Custom DNS for one VNET

Jun Han 31

Context

I have one VNET01, which is already associated with a number of on-prem DNS servers though the "custom DNS server" settings. These on-prem DNS servers have some DNS forwarders, which point to ISP DNS servers.

Task

For a new project, I need to use private endpoints and hence private DNS zone for name solution within the VNET. I hence created a private DNS zone and linked it with VNET01.

Issue
The name resolution always used custom DNS servers, not used private DNS zone. The DNS request was from within VNET01.

Observation

If I disabled the custom DNS servers, the private DNS zone works.

Questions

Does custom DNS server setup work along with private DNS zone implementation?
If it does, what should I do to make it work?
Also, my understanding is that a virtual network can be linked to multiple private DNS zone if the auto registration is not enabled. Can you confirm it? In our case, we need to use private links for SQL DB, Blob Storage and Key Vault etc. Hence we need to use multiple private DNS zones as per Azure recommended private zone names.

Regards,

Jun

Accepted answer

1 additional answer

Your answer

Answer 1

Hi Jun,

The behavior you are seeing in regards to having custom DNS server specified for the VNet is expected. When you set custom DNS servers you are specifying the list of DNS servers to be given to VMs via DHCP, which means they will not be querying the Azure private DNS.

For your scenario I would recommend Azure Private DNS Resolver. How you configure it is up to your specific needs. For example, you could keep current configuration whereby you set custom DNS and have queries sent to your on-premises servers. After you have Private DNS Resolver set up, you would configure you on-premises DNS servers to conditionally forward requests for private endpoints to the Private DNS Resolver's inbound endpoint. In this way VMs in the VNet as well as VMs/machines in your on-premises network would be able to resolve your private endpoints.

Also, my understanding is that a virtual network can be linked to multiple private DNS zone if the auto registration is not enabled. Can you confirm it? In our case, we need to use private links for SQL DB, Blob Storage and Key Vault etc. Hence we need to use multiple private DNS zones as per Azure recommended private zone names.

A: Yes, you can have multiple Private DNS zones linked to your VNet. These would be resolution zones.

Please see article below for more information on Azure DNS Private Resolver:

What is Azure DNS Private Resolver?

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

Thanks.

-TP

Jun Han 31 Reputation points

2023-01-04T03:26:13.883+00:00

Hi TP-MVP,

Thanks for your advice. I have thought about the private DNS resolver as well. That will significantly increase the complexity of the solution because it will require inbound and outbound endpoint subnets, plus conditional forwarding rulesets. Besides, I will need to remove the custom dns servers as I want to use private dns zone to resolve dns queries within the VNET. There is an Azure document describing how to do it. I just want to check with the microsoft community and find out if there is a simpler way. From what I have read so far, it seems using private dns resolver is the only solution because the objective is to use private dns zone for Azure VNETs and on-prem dns for on-prem networks.

Regards,

Jun

Answer 2

Hello @Jun Han ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you have one VNET01, which is already associated with on-prem DNS servers though the "custom DNS server" settings but now for a new project, you need to use private endpoints and hence private DNS zone for name solution within the VNET but the private DNS zone is not working when the custom DNS server setting is enabled. So you have a few questions that you need help with.

Answering your questions below:

Does custom DNS server setup work along with private DNS zone implementation?

Yes, custom DNS server setup works along with private DNS zone implementation.
Refer : https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

If it does, what should I do to make it work?

As explained in the below docs, to configure your Vnet & On-premises workloads using a DNS forwarder properly, you need the following resources:
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder

On-premises network with a custom DNS solution in place
Virtual network connected to on-premises
DNS forwarder deployed in Azure
Private DNS zones privatelink.database.windows.net with type A record
Private endpoint information (FQDN record name and private IP address)

So, you would need to use a DNS forwarder to resolve the Azure service public DNS zone in Azure. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. This is required as the query must be originated from the Virtual Network to Azure DNS.

Conditional forwarder setup on the DNS forwarder in Azure:
Refer : https://github.com/adstuart/azure-privatelink-dns-microhack#task-3--add-conditional-forwarder-to-az-dns-vm-vm-in-azure

Conditional forwarder setup on your on-premise DNS server:
The conditional forwarding must be made to the recommended public DNS zone forwarder of the respective resource.
For example: database.windows.net instead of privatelink.database.windows.net.
Refer: https://github.com/adstuart/azure-privatelink-dns-microhack#task-3---setup-conditional-forwarder

For more clarity on the on-premise private DNS integration, please refer the below doc :
https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#4-on-premises-dns-integration

Or as an alternative to using a DNS forwarder in Azure, you can also use Azure DNS Private Resolver service.
Azure DNS Private Resolver is a new service that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.
Refer : https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

Also, my understanding is that a virtual network can be linked to multiple private DNS zone if the auto registration is not enabled. Can you confirm it? In our case, we need to use private links for SQL DB, Blob Storage and Key Vault etc. Hence we need to use multiple private DNS zones as per Azure recommended private zone names.

Yes, your understanding is correct, A private DNS zone can have multiple registration virtual networks. However, every virtual network can only have one registration zone associated with it, meaning a specific virtual network can be linked to only one private DNS zone when automatic VM DNS registration is enabled.
Refer: https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links
https://learn.microsoft.com/en-us/azure/dns/private-dns-autoregistration

Also, Auto registration works only for virtual machines. For all other resources like internal load balancers, you can create DNS records manually in the private DNS zone linked to the virtual network.

So, if you need need to use multiple private DNS zones for a single Vnet, you should not enable the autoregistration setting and create the DNS records manually for your resources.
A virtual network can get linked to a total of 1000 private DNS zones (without auto-registration enabled).
Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Jun Han 31 Reputation points

2023-01-04T04:42:45.413+00:00

Hi GitaraniSharmaMSFT-4262,

I have read the article (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder), but it does not answer my question. My question is specific about using custom DNS server and Azure private DNS zone with one VNET. That example is about a DNS query from on-prem to the Azure VNET. My situation is different. I have VNET already associated with on-prem DNS servers, but I need to build a new infrastructure using private endpoints and use private DNS zone for the same VNET. In this case, I have to remove custom DNS servers to make private DNS zone work.

You can run a test. Associate a VNET with on-prem DNS servers. Then create a private dns zone and link it with the VNET. Use a VM console to nslookup for a server in the VNET. It can't resolve it as the query goes directly to the on-prem DNS servers. Then to the DNS forwarders configured in the on-prem DNS servers. Probably eventually end up with Azure public DNS. But because the query at this stage is from the Internet, it can't access the private DNS zone for name resolution.

Based on my testing so far, I do not see it will work. But there might be a way you can make it work?

Regards,

Jun
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2023-01-04T06:42:59.34+00:00

Hello @Jun Han ,

The article I provided can also be applied to your setup of using custom DNS server and Azure private DNS zone with one VNET.

You can deploy a DNS forwarder in your VNET01 and set conditional forwarding for the private DNS zones to work.
So, your setup will be something as below:

Custom DNS Servers in Azure pointing to other DNS Server as Forwarders – This scenario is common when customers want to make sure Custom DNS Servers don't have access directly to Internet for Name resolution. They may forward to other dedicated "External DNS Servers" in a dedicated Azure VNET or Root Hints or an On-prem DNS Server.
Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#33-private-dns-resolution-with-custom-dns-inside-the-vnet

You could deploy a custom DNS server in your VNET01 and add this custom DNS to your Vnet settings. And then configure this Azure custom DNS server by creating a conditional forwarder to the original PaaS domain name (example- for Storage, blob.core.windows.net) and point it to Azure Provided DNS 168.63.129.16 and global forward all other requests to your on-prem DNS servers.

This way, your Azure custom DNS Server will forward all unknown requests to your on-prem servers, but will have a more specific condition to forward requests matching blob.core.windows.net to Azure Provided DNS 168.63.129.16.

Regards,
Gita
Jun Han 31 Reputation points

2023-01-04T13:12:09.887+00:00

Hi Gita,

Thank you very much for sharing your thoughts on this. I followed the link you provided and read the document. I think there is a misunderstanding on the term of custom DNS in different context. In the your context, the custom DNS refers to a custom DNS server set up in the VNET, which functions as a forwarder. In my context, the custom DNS servers are on-prem DNS servers. Namely my VNET01 uses the on-prem DNS servers directly. No DNS forwarder is used here. In my scenario the DNS query is initiated inside the VNET01 and goes to the on-prem DNS servers. If no matching is found, the query is forwarded to ISP DNS servers from the on-prem DNS servers. In this case, private DNS zone won't work.

However, using a DNS forwarder in the VNET01 presents an interesting option for accessing Azure PaaS services using private links. It though requires a CNAME in the Azure public DNS zone for the PaaS service in the private DNS zone. It seems to me that this approach is designed for setting up private links for PaaS services. My intention is to use private DNS zone for VNET name resolution if the DNS query is initiated inside the VNET or from the on-prem networks, while resources in the VNET01 can also access on-prem services using the on-prem DNS servers. I feel this approach of using a custom DNS forwarder inside the VNET needs to be expanded to fully cater for my intention.

So I guess using Azure private DNS resolver will address my design challenge, but it will complicate the design.

Again I really appreciate your kind help and prompt response.

Regards,

Jun

Share via

Private DNS vs Custom DNS for one VNET

1 additional answer

Your answer