We want to use Azure DNS private resolver in our network setup to resolve Azure Private DNS zones.

Mahesh Badgujar
2024-02-09T08:41:18.3+00:00

We want to use Azure DNS private resolver in our hybrid network design to resolve Azure Private DNS zones from the on-premises network, but the MSFT link below states that it is not recommended by MSFT if we have ExpressRoute connectivity from on-premises to Azure.
Please refer to the attached screenshot and link below.

And what does Microsoft recommend to use instead of DNS private resolver for this scenario?
What exactly will be the issue if we opt for this service in our design? https://learn.microsoft.com/en-gb/azure/expressroute/expressroute-about-virtual-network-gateways

Azure DNS

1 answer

  1. GitaraniSharma-MSFT (Microsoft Employee)
    2024-02-09T11:03:40.17+00:00

    Hello @Mahesh Badgujar ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to use Azure DNS private resolver in your network setup to resolve Azure Private DNS zones but are concerned about the recommendation from Microsoft mentioned here about deploying Azure DNS Private Resolver into a virtual network that has an ExpressRoute virtual network gateway and setting wildcard rules.

    The recommendation provided in the doc is not against deploying Azure DNS Private Resolver into a virtual network that has an ExpressRoute virtual network gateway; it is against deploying Azure DNS Private Resolver with wildcard rules that direct all name resolution to a specific DNS server into a VNet that has an ExpressRoute gateway.

    This is because of the rule processing behavior mentioned in the below doc:

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-endpoints-rulesets#rule-processing

    Certain domains are ignored when using a wildcard rule for DNS resolution, because they are reserved for Azure services. See Azure services DNS zone configuration (https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration) for a list of domains that are reserved. The two-label DNS names listed in this article (for example: windows.net, azure.com, azure.net, windowsazure.us) are reserved for Azure services. So, as long as you are not using a wildcard rule for DNS resolution, you can deploy Azure DNS Private Resolver into a virtual network that has an ExpressRoute virtual network gateway without any issues.

    You can see the suggested architecture below:

    [image: suggested architecture diagram]

    Refer: https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

    https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns

    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/azure-dns-private-resolver#use-dns-private-resolver

    https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#4-on-premises-dns-integration

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.

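The answer above comes down to how an outbound endpoint processes forwarding rules: a wildcard rule (".") catches everything except the two-label zones reserved for Azure services, and a rule for a specific zone only catches names under that zone. The following Python script is an added example, not code from the Q&A thread or from Microsoft: it models that rule-processing behaviour so a ruleset can be checked offline before it is deployed next to an ExpressRoute gateway. It assumes that, among matching rules, the longest suffix wins (as in ordinary DNS conditional forwarding), that the reserved zones are exactly the four named in the answer, and that rule dictionaries carry the fields `name`, `domain_name`, `state` and `target_dns_servers`; the ruleset, the on-premises DNS address `10.10.0.4` and the sample query names are all constructed for this example.

```python
# Added example (not from the Q&A above or from Microsoft): models Azure DNS
# Private Resolver forwarding-rule processing as described in the answer, so a
# ruleset can be audited offline. Field names on the rule dicts, the sample
# ruleset, the on-premises DNS address and the query names are constructed.

from typing import Optional

# Two-label names reserved for Azure services (as listed in the answer). A wildcard
# rule never forwards a query under these zones; Azure-provided resolution, which
# includes any private DNS zone linked to the VNet, handles them instead.
AZURE_RESERVED_ZONES = ("windows.net", "azure.com", "azure.net", "windowsazure.us")


def normalize(name: str) -> str:
    """Lower-case an FQDN and drop the trailing dot; the wildcard '.' becomes ''."""
    return name.strip().lower().rstrip(".")


def suffix_match(query: str, zone: str) -> bool:
    """True if `query` is `zone` itself or a name underneath it (both normalized)."""
    return query == zone or query.endswith("." + zone)


def in_reserved_zone(query: str) -> bool:
    return any(suffix_match(query, z) for z in AZURE_RESERVED_ZONES)


def select_rule(query: str, rules: list) -> Optional[dict]:
    """Return the enabled rule that would forward `query`, or None when no rule
    applies and the query stays with Azure-provided resolution.

    Assumption for this example: the longest matching suffix wins, and the
    wildcard rule matches everything except the reserved zones."""
    q = normalize(query)
    best_len, best = -1, None
    for rule in rules:
        if rule.get("state", "Enabled") != "Enabled":
            continue
        zone = normalize(rule["domain_name"])
        if zone == "":
            if in_reserved_zone(q):
                continue  # reserved zones are ignored by a wildcard rule
            candidate_len = 0
        elif suffix_match(q, zone):
            candidate_len = len(zone)
        else:
            continue
        if candidate_len > best_len:
            best_len, best = candidate_len, rule
    return best


def audit_ruleset(rules: list, vnet_has_expressroute_gateway: bool) -> list:
    """Flag the configuration the answer warns about: a wildcard rule in a ruleset
    used from a VNet that hosts an ExpressRoute virtual network gateway."""
    findings = []
    for rule in rules:
        if rule.get("state", "Enabled") != "Enabled":
            continue
        if normalize(rule["domain_name"]) != "":
            continue
        if vnet_has_expressroute_gateway:
            findings.append(
                f"rule '{rule['name']}': wildcard rule forwarding to "
                f"{rule['target_dns_servers']} in a VNet with an ExpressRoute gateway; "
                "replace it with rules for the specific on-premises zones"
            )
        else:
            findings.append(
                f"rule '{rule['name']}': wildcard rule; queries under "
                f"{', '.join(AZURE_RESERVED_ZONES)} will not be forwarded"
            )
    return findings


# Constructed sample: the "forward everything on-premises" pattern next to the
# narrower ruleset that only forwards the on-premises zone.
ONPREM_DNS = ["10.10.0.4"]
WILDCARD_RULESET = [
    {"name": "forward-all", "domain_name": ".", "state": "Enabled",
     "target_dns_servers": ONPREM_DNS},
    {"name": "corp", "domain_name": "corp.contoso.com.", "state": "Enabled",
     "target_dns_servers": ONPREM_DNS},
]
SPECIFIC_RULESET = [r for r in WILDCARD_RULESET if r["name"] != "forward-all"]

SAMPLE_QUERIES = [
    "app01.corp.contoso.com",                       # on-premises zone
    "mystorage.privatelink.blob.core.windows.net",  # private endpoint, reserved zone
    "intranet.fabrikam.com",                        # matches neither specific rule
]


def explain(rules: list) -> dict:
    """Map each sample query to the rule name that forwards it (None = Azure-provided)."""
    result = {}
    for q in SAMPLE_QUERIES:
        rule = select_rule(q, rules)
        result[q] = rule["name"] if rule else None
    return result


if __name__ == "__main__":
    for label, rules in (("wildcard", WILDCARD_RULESET), ("specific", SPECIFIC_RULESET)):
        print(f"[{label}] resolution: {explain(rules)}")
        for finding in audit_ruleset(rules, vnet_has_expressroute_gateway=True):
            print(f"[{label}] finding: {finding}")
```

Run stand-alone, the script shows the point of the answer: with the wildcard ruleset, `app01.corp.contoso.com` goes to the `corp` rule, `intranet.fabrikam.com` is swept up by `forward-all`, and the private endpoint name under `windows.net` is never forwarded because the wildcard ignores reserved zones; with only the specific rule, the ExpressRoute finding disappears and everything outside `corp.contoso.com` stays with Azure-provided resolution. To audit a real ruleset, replace `WILDCARD_RULESET` with the rules exported from your environment (for example the output of `az dns-resolver forwarding-rule list`, mapped onto the same field names).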