Unable to create a DNS outbound private resolver

Question

Unable to create a DNS outbound private resolver

Steve Harrison 25

Aug 22, 2023, 8:33 AM

I am attempting to create a private DNS resolver for my cloud services to resolve DNS from my on-premises environment. I can create the resolver, but when I go to create the outbound endpoint, the drop-down to select subnet doesn't function. I cannot select one of the subnets in the network that I have selected.

If I change the network to a different one, for some reason, it then allows me to drop the subnets down. However, I do not want this in that network. I want this in the network I have selected. It does not advise why it cannot select any of the subnets I have created for this service.

Accepted answer

0 additional answers

Your answer

Answer 1

GitaraniSharma-MSFT 49,866 Microsoft Employee

Aug 22, 2023, 1:21 PM

Hello @Steve Harrison ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are trying to create an Azure DNS Private Resolver and when you go to create the outbound endpoint, the drop-down to select subnet doesn't show the required subnet. If you change the network to a different one, it allows you to drop the subnets down.

As mentioned in the Azure DNS Private Resolver doc, the outbound endpoint requires a dedicated subnet in the VNet where it’s provisioned, with no other service running in the subnet, and can only be delegated to Microsoft.Network/dnsResolvers.

https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#outbound-endpoints

A subnet that is in use by another resource cannot be delegated to "Microsoft.Network/dnsResolvers" and won't be available for the Outbound endpoint selection.

There are also a few additional subnet restrictions that can be used for DNS resolver as below:

A subnet must be a minimum of /28 address space or a maximum of /24 address space.
A subnet can't be shared between multiple DNS resolver endpoints. A single subnet can only be used by a single DNS resolver endpoint.
All IP configurations for a DNS resolver inbound endpoint must reference the same subnet. Spanning multiple subnets in the IP configuration for a single DNS resolver inbound endpoint isn't allowed.
The subnet used for a DNS resolver inbound endpoint must be within the virtual network referenced by the parent DNS resolver.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#subnet-restrictions

I would request you to check the subnet that you are trying to select from the drop down and make sure that it meets all the above requirements.

Once it does, you should be able to select the subnet.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Steve Harrison 25 Reputation points

Aug 22, 2023, 2:43 PM

Hi

Thank you for getting back to me

Yes i have reviewed that document and cannot see what is failing.

This is a completely new subnet created solely for this task:

172.19.0.16/28

It is actually 1 of 2 subnets suitable for selection

I have tried leaving it as is and also delegating it to "Microsoft.Network/dnsResolvers" and this seems to make no difference. I have also deleted the subnet and recreated it just in case. It is almost like it refuses to list subnets for this given virtual network

Could there be some other limiting factor preventing me from selecting this subnet?

Thank you
GitaraniSharma-MSFT 49,866 Reputation points Microsoft Employee

Aug 22, 2023, 3:30 PM

Thank you for the update, @Steve Harrison .

Let me check this internally and get back to you with an update.
GitaraniSharma-MSFT 49,866 Reputation points Microsoft Employee

Aug 23, 2023, 10:15 AM
Hello @Steve Harrison ,

I checked internally but couldn't find any similar reported issues.

Could you please let me know if this issue is happening when you try to create the Azure DNS Private Resolver and go to the Outbound endpoint creation tab, or you already have an Azure DNS Private Resolver created and are just trying to add an Outbound endpoint to the existing Resolver?

What is the region where you are trying to deploy the DNS resolver?

The only restrictions that apply to virtual networks for DNS resolver are below:

A DNS resolver can only reference a virtual network in the same region as the DNS resolver.

A virtual network can't be shared between multiple DNS resolvers. A single virtual network can only be referenced by a single DNS resolver.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#virtual-network-restrictions

Could you try to create the Outbound endpoint using the Preview Azure portal and see if it works?

Preview Portal link: https://preview.portal.azure.com

If the preview portal doesn't work, then we can also try to check if it works with Azure PowerShell commands.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-get-started-powershell

If it fails with Azure PowerShell commands, we can get some error message that can help in further investigation.

Also, could you please share some screenshots of the issue, if possible?

Regards,

Gita
Steve Harrison 25 Reputation points

Aug 23, 2023, 12:03 PM

Hi

I have tried creating it as part of the new Private Resolver wizard, and separately having created the resolver first and then trying to create the endpoint. Both methods fail to provide me a drop down of my subnets.

I have just tried the preview portal and this appears to do exactly the same thing.

I will look at getting connected via powershell and see if i can reproduce in some fashion here. Will update shortly
Steve Harrison 25 Reputation points

Aug 23, 2023, 12:34 PM

Hi

Ok have managed to get further.

Installed the Azure PS module - had to remove old PS module first. Also had to install Az.DnsResolver using this command as without the repo it simply did nothing:

Install-Module -Name Az.dnsresolver -Repository PSGallery -Force

Connected and run this command - had to guess on the location format without a space and it seemed to work:

it now appears under the dnsresolver i created. I have now been able to also add a ruleset.

Clearly something in the UI did not allow this to be done then?

I can now continue to test and see if this works as i hope. Many thanks for your support

Perhaps someone else can explain why this didn't work in the portal?

Regards

Steve
Steve Harrison 25 Reputation points

Aug 23, 2023, 12:56 PM

ok I am trying to test this from a Virtual Desktop in a connected network and not able to resolve names. I am using built in DNS from the client. This should still make use of the private resolver yes - I shouldn't need to host a zone in azure as well to get this to work I am hoping (as i dont really need additional cloud name resolution at all)
GitaraniSharma-MSFT 49,866 Reputation points Microsoft Employee

Aug 23, 2023, 3:20 PM

Thank you for the update, @Steve Harrison .

Glad to hear that it worked via Azure PowerShell. Not sure why it didn't work via Azure portal as I've not seen this issue reported by any other users yet. I will keep an eye on this issue and provide an update if I find anything related to the Portal UI.

Now, coming to your issue of not being able to resolve names from a connected network, I believe you are trying to resolve Azure names from your on-premises. Is that correct?

If yes, have you configured the on-premises DNS conditional forwarders to forward queries to the inbound endpoint IP address for your Azure DNS Private Resolver?

Refer: https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns#configure-on-premises-dns-conditional-forwarders

It is mentioned in the Azure DNS Private Resolver inbound endpoints document:

To resolve your Azure private DNS zone from on-premises, enter the IP address of the inbound endpoint into your on-premises DNS conditional forwarder. The on-premises DNS conditional forwarder must have a network connection to the virtual network.

Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview#inbound-endpoints

If you are trying to resolve on-premises names from Azure, then make sure you've configured an Azure DNS forwarding ruleset for your on-premises domain by setting the destination IP address for your rule to be the IP address of your on-premises DNS server. Also make sure that a virtual network link is created to the Vnet where your private resolver is deployed.

Refer: https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns#configure-an-azure-dns-forwarding-ruleset

Regards,

Gita
Steve Harrison 25 Reputation points

Aug 24, 2023, 6:52 AM

Hi

No, I am trying to resolve on-Prem addresses hence setup the outbound endpoint. Now the endpoint is live i have also created a ruleset defining the internal DNS servers it should forward to when requesting a given domain name. The DNS servers are reachable by IP, and if i use NSLookup against it from the Azure VM i can resolve but i cannot resolve when simply trying via default name server.

Is there any clever way of testing these resources other than from a vm, as i am aware a lot of other variable could be coming into play here.

Regards

Steve
Steve Harrison 25 Reputation points

Aug 24, 2023, 8:18 AM

Not to worry - this is all working. Forgot that with all the attempts to get the outbound endpoint setup i hadn't added the outbound endpoint subnet to our VPN inbound firewall policies. All is working as it should now. Thank you for your help
GitaraniSharma-MSFT 49,866 Reputation points Microsoft Employee

Aug 24, 2023, 4:06 PM

Thank you for the update, @Steve Harrison .

Glad to hear that the setup is working now.

Do let us know if you need further assistance on this issue.

AI Skills Fest

Share via

Unable to create a DNS outbound private resolver

0 additional answers

Your answer