Client DNS resolution in Azure Virtual WAN

Question

Client DNS resolution in Azure Virtual WAN

IgorTTG 20

Hi MS crew!

I recently deployed an Azure Virtual Hub and I'm facing with DNS resolution issues?! I deployed storage account with private endpoint with ip address: 10.10.10.4. My DNS resolver is deployed on the same Vnet as my private endpoint and it has the IP address of 10.10.9.4.

When I execute nslookup storagename.blob.core.windows.net 10.10.9.4 I'm able to resolve but not without providing the DNS resolver ip address (nslookup storagename.blob.core.windows.net)

I tried to enter the dns server block into the azurevpnconfig.xml but still without success!

  <clientconfig>

    <dnssuffixes>
          <dnssuffix>.privatelink.blob.core.windows.net</dnssuffix>
    </dnssuffixes>
	
	<dnsservers>
		<dnsserver>10.10.9.4</dnsserver>
    </dnsservers>

  </clientconfig>

Thanks in advance!

Praveen Bandaru 5,215 Reputation points Microsoft External Staff Moderator

2025-03-17T13:52:37.0666667+00:00
Hello IgorTTG

Greetings!

I understand that you are experiencing a resolution issue.

You need to set a conditional forwarder on your on-prem DNS server machine pointing to the private DNS resolver IP

Setting the inbound IP address of the Private Resolver as custom DNS servers on the virtual network helps resolve records in the private DNS zone, including those created from Private Endpoints. Ensure the Private DNS zones are linked with the virtual network that contains the Private Resolver.

By default, DNS servers configured on a virtual network are pushed to point-to-site clients connected via a VPN gateway. Therefore, setting the Private resolver inbound IP address as custom DNS servers on the virtual network will automatically push these IP addresses to clients as the VPN DNS server, allowing seamless resolution of records from private DNS zones (including private endpoints).

check the document for more understanding the issue.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#i-cant-resolve-records-in-private-dns-zones-using-private-resolver-from-point-to-site-clients

And also, please share the below information for further investigation on the issue.

Please share the nslookup screenshot from your source machine and also provide the forced nslookup screenshot as well.

In the meantime, please check the document below for a better understanding of private endpoint scenarios.

https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
IgorTTG 20 Reputation points

2025-03-17T15:17:04.5833333+00:00
Hello @praveen Bandaru and thank you for fast response!

Here are more details below:

In one Azure virtual network with ip range of 10.10.8.0/21 I have following configuration

subnet a 10.10.8.0/24

subnet dns 10.10.9.0/28

subnet private-endpoint 10.10.10.0/24

Dns resolver is deployed into the inbound dns subnet with an ip address of 10.10.9.4 and my storage account private endpoint is deployed in the private-endpoint subnet with an ip 10.10.10.4.

Private DNS zone (privatelink.blob.core.windows.net) has vnet link with the virtual network described above with autoregistration ON and there is already DNS record with an ip address from the private endpoint.

The goal here is to give my remote clients xml configuration so they can access this storage account private endpoint from anywhere where no one actually have private DNS forwarder on their site!

Currently I'm connected with VPN and the only way how I can resolve the storage account is to point out the dns resolver ip address.

Another workaround is to add DNS resolver ip address into my personal NIC dns where also it will work but definitely is not the right approach

But when I remove the DNS from my nic and and make nslookup I'm not able to resolve the private endpoint.

I'm aware from the benefits of conditional forwarder but unfortunately we can not use is in our case. We need to be able to resolve DNS from our point to site clients.

Thanks in advance!
IgorTTG 20 Reputation points

2025-03-18T08:07:26.96+00:00

@praveen Bandaru thank you for providing me the link from documentation and I do understand the logic of dns conditional provider here since my clients are working remotely and doesn't have office where we could have dns conditional provider but in my case is not possible to set dns conditional provider on each client pc!! I though Azure can offer more reasonable solution for this case.

Btw I have set custom dns ip on the vnet and from the azure network I'm able to resolve any dns name but not from any Vpn clients!
Praveen Bandaru 5,215 Reputation points Microsoft External Staff Moderator

2025-03-19T14:30:21.6166667+00:00

Hello IgorTTG

Greetings!

Thank you for your response.

We have provided the Microsoft recommended scenario, and this is the only way you need to configure it.

Accepted answer

0 additional answers

Your answer

Praveen Bandaru 5,215 Reputation points Microsoft External Staff Moderator

2025-03-17T13:52:37.0666667+00:00

Hello IgorTTG

Greetings!

I understand that you are experiencing a resolution issue.

You need to set a conditional forwarder on your on-prem DNS server machine pointing to the private DNS resolver IP

Setting the inbound IP address of the Private Resolver as custom DNS servers on the virtual network helps resolve records in the private DNS zone, including those created from Private Endpoints. Ensure the Private DNS zones are linked with the virtual network that contains the Private Resolver.

By default, DNS servers configured on a virtual network are pushed to point-to-site clients connected via a VPN gateway. Therefore, setting the Private resolver inbound IP address as custom DNS servers on the virtual network will automatically push these IP addresses to clients as the VPN DNS server, allowing seamless resolution of records from private DNS zones (including private endpoints).

check the document for more understanding the issue.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#i-cant-resolve-records-in-private-dns-zones-using-private-resolver-from-point-to-site-clients

And also, please share the below information for further investigation on the issue.

Please share the nslookup screenshot from your source machine and also provide the forced nslookup screenshot as well.

In the meantime, please check the document below for a better understanding of private endpoint scenarios.

https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
IgorTTG 20 Reputation points

2025-03-17T15:17:04.5833333+00:00

Hello @praveen Bandaru and thank you for fast response!

Here are more details below:

In one Azure virtual network with ip range of 10.10.8.0/21 I have following configuration

subnet a 10.10.8.0/24

subnet dns 10.10.9.0/28

subnet private-endpoint 10.10.10.0/24

Dns resolver is deployed into the inbound dns subnet with an ip address of 10.10.9.4 and my storage account private endpoint is deployed in the private-endpoint subnet with an ip 10.10.10.4.

Private DNS zone (privatelink.blob.core.windows.net) has vnet link with the virtual network described above with autoregistration ON and there is already DNS record with an ip address from the private endpoint.

The goal here is to give my remote clients xml configuration so they can access this storage account private endpoint from anywhere where no one actually have private DNS forwarder on their site!

Currently I'm connected with VPN and the only way how I can resolve the storage account is to point out the dns resolver ip address.

Another workaround is to add DNS resolver ip address into my personal NIC dns where also it will work but definitely is not the right approach

But when I remove the DNS from my nic and and make nslookup I'm not able to resolve the private endpoint.

I'm aware from the benefits of conditional forwarder but unfortunately we can not use is in our case. We need to be able to resolve DNS from our point to site clients.

Thanks in advance!
IgorTTG 20 Reputation points

2025-03-18T08:07:26.96+00:00

@praveen Bandaru thank you for providing me the link from documentation and I do understand the logic of dns conditional provider here since my clients are working remotely and doesn't have office where we could have dns conditional provider but in my case is not possible to set dns conditional provider on each client pc!! I though Azure can offer more reasonable solution for this case.

Btw I have set custom dns ip on the vnet and from the azure network I'm able to resolve any dns name but not from any Vpn clients!
Praveen Bandaru 5,215 Reputation points Microsoft External Staff Moderator

2025-03-19T14:30:21.6166667+00:00

Hello IgorTTG

Greetings!

Thank you for your response.

We have provided the Microsoft recommended scenario, and this is the only way you need to configure it.

Answer 1

Hello IgorTTG

Greetings!

Thank you for your response.By default, DNS servers within a virtual network are configured to direct point-to-site clients through a VPN gateway. When you designate the Private resolver incoming IP address as a custom DNS server for the virtual network, these IP addresses will be automatically assigned to clients as the VPN DNS server. This setup facilitates smooth record resolution from private DNS zones, including private endpoints.

For a clearer understanding of the issue, please refer to the document.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems#i-cant-resolve-records-in-private-dns-zones-using-private-resolver-from-point-to-site-clients

With out conditional forwarder it will not work as expected you need to set a conditional forwarder on your on-prem DNS server machine pointing to the private DNS resolver IP this the Microsoft recommended scenario.

User's image

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Client DNS resolution in Azure Virtual WAN

0 additional answers

Your answer