Conditional Forwarder to Azure DNS Wire IP not working

Ghulam Abbas 151 Reputation points
2024-03-28T13:05:04.9766667+00:00

Hi, please bear with me while I explain a quick summary of our existing setup:

We have some servers in Azure and some in our on-prem Datacenter. We have S2S VPN connection between Azure and our on-prem DC. We have 4 domain controllers, 2 on-prem and 2 in Azure and they all act as the DNS servers too. For Azure VMs, we have the domain controller (DC) in Azure as our primary DNS and on-prem as secondary, while for on-prem servers, we have on-prem DC as primary and Azure domain controller as secondary. We have some storage accounts in Azure that we have enabled private endpoints. We have also configured a recovery services vault to replicate our Azure servers from our primary region A to the secondary region B. The recovery services vault is in the region B and the public access is not allowed and we have private endpoint configured to access this RSV.

Currently, we are using the forward lookup zones in our DNS servers (all 4) and have these zones for blob.core.windows.net and privatelink.siterecovery.windowsazure.com. For storage accounts, we have manually added the name and IPs of the private endpoints to blob.core.windows.net dns forward lookup zone and for the site recovery private endpoints and their respective IPs to privatelink.siterecovery.windowsazure.com zone. This is working fine for us now except a downside. We have several applications that need to communicate outbound to some vendors specific endpoints and every time we need to enter the name and IP to these forward lookup zones manually to resolve (through private endpoints). We need to use the conditional forwarders so we wont need to enter these manually to our forward lookup zones every time we receive a request for a new IP or endpoint.

As a test, we created the conditional forwarders in our domain controller DNS servers to point to Azure DNS Wire IP (168.63.129.16) and deleted the previously created forward lookup zones (including all records) for both blob.core.windows.net and privatelink.siterecovery.windowsazure.com. This has resulted in breaking our site recovery replication as the storage account failed to resolve the DNS through private endpoints.

We are configuring something like this first time so would like to get some advice as there is something missing that we need to configure (additionally) or anything else that we are missing here. We have also some conditional forwarders setup for some of our other storage accounts with the same setup to point to Azure DNS wire IP and they are working fine. Any advice to get this around would be highly appreciated. Many thanks

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
592 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,130 questions
{count} votes

Accepted answer
  1. TP 74,391 Reputation points
    2024-03-28T16:29:55.22+00:00

    Hi,

    For the on-premises domain controllers, configure them to conditionally forward to your domain controllers that are in Azure, and those DCs will contact 168.63.129.16. In this way the on-premises DCs will be able to properly resolve DNS lookups for your private endpoints.

    Please reference Use a DNS forwarder VM diagram and the Workflow details underneath it. You could use Azure DNS Private Resolver instead, however, based on your description you already have DCs in Azure so it seems using those would make more sense.

    Architecture diagram that shows a solution without DNS Private Resolver. Traffic from an on-premises server to an Azure database is visible.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP


0 additional answers

Sort by: Most helpful