Cannot get Private DNS Resolver to work in P2S setup

Udbhav Jain 36 Reputation points
2024-10-21T10:31:35.7366667+00:00

Hello all,

I have set up the private resolver based on the docs and articles online, but I cannot access my VMs using their FQDNs from the client.

Here are the details:

  • Set up using a Hub and Spoke layout. The Hub VNet contains a VPN Gateway (in its own subnet, obviously) and two subnets - one for the inbound endpoint and one for the outbound endpoint.
  • Hub and Spoke VNets are peered and traffic can move between VMs in spokes and the hub without problems.
  • Private DNS has been linked to both spoke VNets and the hub VNet. For the spoke VNets, auto-registration is enabled, but not for the hub VNet (which doesn't have any VMs in it).
  • In the VPN XML config, the inbound endpoint has been set as the DNS server.
      <dnsservers>
      	<dnsserver>10.3.2.4</dnsserver>
      </dnsservers>
    
  • I can ping from my local machine to the VMs in the spokes using their private addresses and get a response without issues.
  • I can also ping from VMs in the spokes to the client machine using its private IP without issues once the VPN is connected.
  • However, trying to ping the VM using its private link tells me that the address cannot be found.
  • I can confirm that the VPN is using the specified private DNS. It shows up in the Azure VPN UI once connected and I can no longer browse the internet since my machine's normal DNS is no longer being queried.
  • Pinging from one VM to another using the FQDN works.
  • I can run nslookup from the VMs, explicitly specifying the inbound endpoint as the DNS address and it works.
      azureuser@VMA1:~$ nslookup vmb1.azureprivatelink.com.au 10.3.2.4
      Server:         10.3.2.4
      Address:        10.3.2.4#53

      Non-authoritative answer:
      Name:   vmb1.azureprivatelink.com.au
      Address: 10.2.0.4

  • Trying to do the same on the local machine connected to VPN just says that the connection timed out and no server could be reached.
  • The subnets that host the VMs have network security groups attached, but there are no custom rules on them.
  • None of the subnets in the hub (VPN Gateway, Inbound Endpoint, Outbound Endpoint) have any network security groups attached.
  • I do not have a firewall or NAT gateway in my setup right now.
  • Probably irrelevant, but I have assigned custom routes to the spoke subnets that contain the VMs, for inter-spoke routing through the hub gateway. The inter-spoke pings work with FQDNs.
  • I haven't tried querying the local machine from the VM using a FQDN, but for this thread, I would like to focus on the inbound endpoint first. Though, even if I can get that working, I strongly suspect the cloud VNet to on-prem DNS lookup will not work next, but let's discuss inbound for now.

Does anyone know what I might have missed? I have gone through all the steps I could find everywhere; it just refuses to work, and I have no idea what to do.


Accepted answer
    Rohith Vinnakota 4,915 Reputation points Microsoft External Staff Moderator
    2024-10-21T23:15:33.8833333+00:00

    Hi Udbhav Jain,

    Good day,

    As an original poster cannot accept their own answer, I am reposting it so that you can accept it as an answer. The accepted answer will help other community members navigate to the appropriate solutions.

    Issue: Cannot get Private DNS Resolver to work in P2S setup

    Solution:

    1. Added a Firewall resource in the hub VNet.
    2. In the Firewall policies, enabled the application of DNS settings to policies, and then enabled DNS proxy. Left the DNS server setting to default.
    3. Changed the DNS address in the VPN XML config file to the private IP address of the Firewall.

    Now I can ping to the VMs in the spokes using their FQDNs. Nothing else was changed in the network setup, the DNS queries from the on-premises client just needed to go through a proxy rather than going directly to the inbound endpoint.


    If you have any further concerns, please do not hesitate to contact us. We are pleased to help you.

    If the information is helpful, please click on "Upvote" and "Accept Answer" so that it would be helpful to other community members.

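As an added diagnostic (not part of the original post or the accepted answer): this Python script reads the DNS server(s) from the `<dnsservers>` element of a constructed P2S profile fragment, sends a raw UDP DNS A query to each one, and returns None on a timeout, which is the "no server could be reached" result the client saw against the inbound endpoint 10.3.2.4. The name and addresses are the ones from the thread; the `<VpnProfile>` wrapper element is an assumption, and after applying the accepted fix the same probe can be pointed at the firewall's private IP.

```python
import socket
import struct
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the <dnsservers> element of the P2S VPN XML profile.
VPN_PROFILE_XML = """<VpnProfile>
  <dnsservers><dnsserver>10.3.2.4</dnsserver></dnsservers>
</VpnProfile>"""


def configured_dns_servers(xml_text: str) -> list:
    """Every <dnsserver> value in the profile, i.e. where P2S clients send queries."""
    return [e.text.strip() for e in ET.fromstring(xml_text).iter("dnsserver") if e.text]


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(resp: bytes, pos: int) -> int:
    # Advance past a domain name; a compression pointer (0xC0..) is 2 bytes and ends the name.
    while resp[pos] != 0:
        if resp[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += resp[pos] + 1
    return pos + 1


def parse_a_answers(resp: bytes) -> list:
    """Return the A-record addresses in a DNS response; [] for NXDOMAIN or empty answers."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:            # TYPE A, IPv4 RDATA
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def probe(server: str, name: str, timeout: float = 2.0):
    """One UDP/53 query; None means no reply within the timeout (the client-side symptom)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_a_query(name), (server, 53))
            return parse_a_answers(s.recvfrom(512)[0])
        except socket.timeout:
            return None
```

Run `probe(server, "vmb1.azureprivatelink.com.au")` for each server from `configured_dns_servers(VPN_PROFILE_XML)` once the VPN is connected; a list of addresses means the path works, None reproduces the timeout.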