Azure Virtual Gateway not resolving private DNS Zone

Shiney 25 Reputation points
2023-01-24T13:43:26.12+00:00

Hi all,

I am having an issue whereby clients connecting to a virtual gateway (linked to a VNet) are not resolving the private DNS zone entries that I have set up (A records mostly).

Short description of setup:

  • Virtual network created "Vlan1" (uses the default Azure DNS Servers not custom)
  • VNet has a subnet called VmsSubnet
  • VM1 has been created on the VmsSubnet
  • Private DNS zone created for local.somedomain.com & linked to Vlan1
  • Inside this DNS zone I have created an A record entry pointing vm1(.local.somedomain.com) to the IP for the VM.
  • This is all accessed via a virtual gateway via Azure VPN client.
  • I can successfully connect to the VPN & ping the private IP of the VM, however the DNS name resolution does not work.

Can someone advise what part of the process I am missing that would allow clients who connect with the Azure VPN client to successfully resolve the private DNS hostnames?

Apologies if this has been asked before; I did find multiple topics with this issue but none of the solutions worked for me.


Accepted answer
  1. GitaraniSharma-MSFT 46,261 Reputation points Microsoft Employee
    2023-01-24T14:23:37.4433333+00:00

    Hello @Shiney ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have set up point to site VPN in Azure and are able to connect to the VPN & ping the private IP of the VM, however the private DNS name resolution does not work.

    For on-premises workloads to resolve the FQDN of a private endpoint, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16. A DNS forwarder is a Virtual Machine running on the Virtual Network linked to the Private DNS Zone that can proxy DNS queries coming from other Virtual Networks or from on-premises. A few options for DNS proxies are: Windows running DNS services, Linux running DNS services, Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:

    [Image: table from the "Name resolution for resources in Azure virtual networks" article]

    For P2S VPN clients to be able to resolve Private Endpoint entries hosted on Azure Private DNS Zones, you must leverage an existing DNS Server (Forwarder or Proxy) or deploy one IaaS VM using a DNS Server role. That is required for P2S VPN clients to be able to consume Azure Private DNS Zone which is exposed to 168.63.129.16 via DNS Forwarder/Proxy.

    Once you have a DNS forwarder/proxy deployed on Azure, you can define the DNS server at the VNET level or set DNS Server configuration directly on the client XML profile. Post this, you will be able to resolve Private Endpoint entries from your P2S clients.

    Refer: https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-P2S

    https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-dns-servers

    As an alternative to using a DNS forwarder in Azure, you can also use Azure DNS Private Resolver service.

    Azure DNS Private Resolver is a new service that enables you to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM based DNS servers.

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
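
The second half of the procedure above, pushing the forwarder's address to P2S clients through the Azure VPN client profile, as an added example that is not part of the answer or of any Microsoft tooling. It assumes the `clientconfig`/`dnsservers`/`dnsserver`/`dnssuffixes`/`dnssuffix` element names shown in the linked "Add custom DNS servers" article, a constructed minimal profile, and a constructed forwarder address 10.0.1.4 for a VM in the VNet that itself forwards to 168.63.129.16.

```python
import ipaddress
import xml.etree.ElementTree as ET

AZURE_DNS = "168.63.129.16"  # Azure-provided resolver, reachable only from inside a VNet
DC_NS = "http://schemas.datacontract.org/2004/07/"
XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"
ET.register_namespace("", DC_NS)
ET.register_namespace("i", "http://www.w3.org/2001/XMLSchema-instance")

# Constructed sample: a minimal exported profile whose clientconfig is still nil.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns="{DC_NS}" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <clientconfig i:nil="true" />
  <name>Vlan1-p2s</name>
</AzVpnProfile>"""


def _ns(root):
    """Return the '{uri}' prefix of the root element, or '' if it has none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def add_client_dns(profile_xml, forwarders, suffixes=()):
    """Return the profile with <clientconfig><dnsservers> pointing at the
    forwarder VM(s) in the VNet. Only private addresses are accepted: the
    client reaches the resolver through the tunnel, and 168.63.129.16 itself
    (not private) would never answer a P2S client directly."""
    for ip in forwarders:
        if not ipaddress.ip_address(ip).is_private:
            raise ValueError(f"{ip} is not reachable as a resolver from a P2S client")
    root = ET.fromstring(profile_xml)
    ns = _ns(root)
    cfg = root.find(f"{ns}clientconfig")
    if cfg is None:
        cfg = ET.SubElement(root, f"{ns}clientconfig")
    cfg.attrib.pop(XSI_NIL, None)  # i:nil="true" would make the children meaningless
    for child in list(cfg):        # replace any earlier DNS settings, keep the rest
        if child.tag in (f"{ns}dnsservers", f"{ns}dnssuffixes"):
            cfg.remove(child)
    servers = ET.SubElement(cfg, f"{ns}dnsservers")
    for ip in forwarders:
        ET.SubElement(servers, f"{ns}dnsserver").text = ip
    if suffixes:  # suffixes let a bare "vm1" resolve as vm1.local.somedomain.com
        sfx = ET.SubElement(cfg, f"{ns}dnssuffixes")
        for s in suffixes:
            ET.SubElement(sfx, f"{ns}dnssuffix").text = s if s.startswith(".") else "." + s
    return ET.tostring(root, encoding="unicode")


def client_dns_servers(profile_xml):
    """List the dnsserver entries a profile would push to the Azure VPN client."""
    root = ET.fromstring(profile_xml)
    return [e.text for e in root.iter(f"{_ns(root)}dnsserver")]
```

Re-import the rewritten profile into the Azure VPN client; the forwarder VM still needs its own forwarder set to 168.63.129.16 for the private zone to be answered.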

