Azure DNS Conditional Forwarding is not working

Richard Duane Wolford Jr 206

We have an Azure Storage account and have configured a file share. We've set up Active Directory integration. Under security, we are allowing public access (per client request) but have also set up a private endpoint. We have a VPN gateway from Azure to on-prem using an Azure Gateway. We have set up a DNS resolver. We've set up a conditional forwarder to forward core.windows.net to the inbound IP of the resolver. However, although VMs in Azure obtain the proper IP address, the conditional forwarder is unable to resolve the Azure Private IP, it says it can't find the storage account. Additionally, attempts to use AD credentials from the VMs in Azure always fail. We've followed all of the instructions to the letter, so I was hoping someone might be able to help here.

KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2023-04-13T09:11:30.9+00:00
@Richard Duane Wolford Jr Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you are using Private EndPoints + Azure DNS Private Resolver and is unable to resolve the Storage Account's Private IP for OnPrem resources.

What is the DNS being used for the VMs in Azure VNet?

Can you please share a nslookup <storageaccountFQDN>

nslookup <storageaccountFQDN> <InBoundEndPoint IP>

And nslookup <storageaccountFQDN> 168.63.129.16 from a Azure VM?

Your conditional forwarder, is it located in Azure or a OnPrem server forwarding requests to the InBoundEndPoint IP of the resolver?

It’a a bit confusing when you say “Azure DNS Conditional Forwarding” is not working. AFAIK , conditional forwarders will be in OnPrem only Cheers, Kapil
Richard Duane Wolford Jr 206 Reputation points

2023-04-13T18:51:53.8233333+00:00

Hi, thanks for responding. The conditional forwarders are implemented on-prem on AD controllers. The nslookup on-prem presents with the public IP of the storage account while the nslookup on an Azure VM provides the IP of the private endpoint. If we do a conditional forwarder on-prem, nslookup fails on prem, it is unable to resolve the storage account's fqdn, but you can ping the private endpoint from on-prem to verify the IP.
KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2023-04-14T04:56:27.19+00:00
@Richard Duane Wolford Jr

This looks like an expected behavior only.

Again what do you mean by "we do a conditional forwarder on-prem"?

Are you forwarding the requests to Azure Private DNS Resolver from this conditional forwarder DNS Server located at OnPrem?

If you are using a Azure Private DNS Resolver,

You have to make sure this is properly configured or not

To check this, you have to do, nslookup <storageaccountFQDN> <InBoundEndPoint IP> from a VM in the VNet

If you look at the below architecture,

I want you to do a nslookup from the Hub VNet using the InboundEndPoint VIP as DNS server

This should tell us if there are any configurational issue in the Private DNS Resolver or not

Just doing a nslookup <storageaccountFQDN> will not help (without specifying the InboundEndPoint VIP as DNS server) as by default, the DNS server used here will be 168.63.129.16 (Azure wireserver IP)

Once we are sure that InboundEndPoint is capable of resolving the private DNS Zone records, then we can troubleshoot why doing a conditional forwarding from OnPrem to InboundEndPoint fails

In case you are not using a Azure Private DNS Resolver, please do let me know.

P.S : Being able to ping/connect to the Private EndPoint IP from OnPrem has no inference on DNS failing.

Cheers, Kapil
KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2023-04-18T04:40:08.7666667+00:00

@Richard Duane Wolford Jr Reaching out to check if there are any questions on this. Please let us know if we can be of any further assistance here. Thanks, Kapil
Richard Duane Wolford Jr 206 Reputation points

2023-04-24T15:14:06.5166667+00:00

Okay, I'm not sure where we're getting lost here, the answers aren't making sense to me. We have an Azure Private DNS Resolver. We have a storage account. The storage account has a private endpoint. On-prem, we have AD controllers serving as our DNS servers. When we add a conditional forwarder to forward core.windows.net to the DNS resolver, the FQDN of the storage account resolves from an Azure VM. However, the FQDN cannot be found when trying to resolve the name from any on-prem machine. If we remove the conditional forward from the on-prem machines, the FQDN resolves from on-prem machines but it resolves to the public IP. This is the problem.
Richard Duane Wolford Jr 206 Reputation points

2023-04-24T15:15:24.7633333+00:00

Also, when adding the conditional forwarder, the public endpoint of the DNS resolver times out. We have verified that we can RDP to VMs from on-prem to VMs in Azure, so we do have S2S connectivity.
KapilAnanth-MSFT 36,396 Reputation points Microsoft Employee

2023-04-24T16:41:10.92+00:00
@Richard Duane Wolford Jr

Apologies for the confusion.

There is a resource in Azure that is called "Azure Private DNS Resolver"

Are you using this resource?

Or by "Azure Private DNS Resolver"

Do you mean you have an Azure VM that acts as a DNS server?

Cheers,

Kapil

1 answer

Richard Duane Wolford Jr 206 Reputation points

2023-04-24T21:15:11.64+00:00

I was using the private DNS resolver. However, it turns out that the network engineer didn't know that he had to allow traffic both ways, which is what caused the problem. It's actually been fixed now that he understands, and unfortunately the networking piece there was not in my control. I used WireShark to show that DNS traffic was never making it across. But thanks everyone for the assistance, I hope this will help others.
Please sign in to rate this answer.

1 person found this answer helpful.
Kian 20 Reputation points

2024-01-05T22:37:50.3633333+00:00

Hi Richard,

Been facing this exact problem for quite some time now too. Happy to hear you got the issue resolved. By any chance, would you be able to specify where the network engineer had to configure traffic to be allowed both ways?

Rohit Patel 0 Reputation points

2024-03-12T14:49:43.3633333+00:00

Hello Richard, is it possible to share what the network engineer configured to allow both ways? Like port required. The rule is configured on the on-prem server or router. Thank you in advance.
Sign in to comment

Share via

Azure DNS Conditional Forwarding is not working

1 answer