Azure private zone with on prem ADDNS

prasantc 901 Reputation points
2024-07-02T05:59:18.92+00:00

I had a requirement to use the Azure firewall proxy to capture and log DNS traffic comping Azure private link services. My plan was to setup conditional forwarder for all private DNS resources from on prem to Azure firewall using firewall proxy to DNS hosted in Azure.

After reviewing the AD with DNS on prem I found that all private DNS zones are resolved using forward lookup zone for each services instead of conditional forwarder and the DNS server hosted in Azure was setup with AD roles and all DNS zones are replicated across and all server with AD / DNS roles.

Now I see a challenge to meet the ask of using DNS proxy -

One way to achieve is by 1) removing DNS server name from firewall proxy and using conditional forwarder to Azure firewall which will send all Azure services request directly to wired DNS while this seem like easier implementation for the current environment but I will still have to keep the conditional forwarder to resolve private.services.xx along with the conditional forwarder to ensure name resolution does not break. Not sure if is worth using firewall proxy with this method or don't even use the firewall proxy.

2> Another option is create new DNS application partition to replicate only those partition with azure hosted DNS and use forwarder in Azure hosted DNS and use firewall proxy forwarding request to Azure hosted DNS. Now this is a recommended solution but it will require cleanup of all the existing forwad lookup zone and some service interruption.

3> completely remove Azure hosted DNS out of the picture and deploy DNS resolve with inbound resolver for cloud resources and outbound resolver with rule-set for onprem.

Which approach would be better in a environment that is using Azure forward lookup zone full ADDS zone replication between on prem and azure for privatelink name instead of public name of the resource.

Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
634 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
612 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,233 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Jing Zhou 5,210 Reputation points Microsoft Vendor
    2024-07-03T09:35:36.16+00:00

    Hello,

     

    Thank you for posting in Q&A forum.

    It's more recommended to choose resolution 2: New DNS Application Partition.

    By partitioning DNS zones, you can better manage DNS replication and DNS data access which bring better security.

    At the same time, it can be seperated from on-prem zones management and bring lower management cost comparing with other resolutions.

     

    Best regards,

    Jill Zhou

     


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments