Azure-DNS resolution

Question

Azure-DNS resolution

testuser7 206

Hello,

I have a VNET and one VM in it.
This VNET is using Default Azure-builtin DNS-server for name resolution.
And this VNET is linked with one private-zone named fabrikam.com

if this VM is trying to resolve mybox.fabrikam.com, then there are good chances that the private-zone will have record-set for it.

However, this VM is trying to resolve mybox1.contoso.com
Obviously the DNS-resolver can not resolve privately.
So my question is, will the DNS-resolver automatically look out in internet to resolve mybox1.contoso.com and handover the public-ip address back to VM ??

Thanks.

Answer 1

GitaraniSharma-MSFT 29,976 Microsoft Employee

Hello @testuser7 ,

Apologies for the delay in response.

If your VNET is linked with a private DNS zone named "fabrikam.com" and has an A record for "mybox.fabrikam.com", then it will resolve privately to the IP address listed in the DNS zone. For any other domain which is not in your linked private DNS zone such as "mybox1.contoso.com", yes, the default Azure built-in DNS server will automatically look out in internet to resolve it, if publicly resolvable.

For example, I have a VM with a linked private DNS zone named "fabrikam.com" and a "A" record set named "bing.fabrikam.com" with IP address : 10.10.0.4.
If I login to the VM and do a nslookup for "bing.fabrikam.com", I will get 10.10.0.4
But if I do a nslookup for only bing.com, I will get the public IP for it.

NOTE : "mybox1.contoso.com" should be publicly resolvable for the VM to resolve it directly using default Azure DNS server. If it is in another virtual network or your on-premises, then your VM will not be able to resolve it directly and you need further configuration of your own custom DNS server. For more information on name resolution, please refer the below doc:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

testuser7 206 Reputation points

2022-01-31T18:40:28.913+00:00

Thanks @GitaraniSharma-MSFT for your precise answer.

Before we close this topic, the last requires some clarification. You said that,

"mybox1.contoso.com" should be publicly resolvable for the VM to resolve it directly using default Azure DNS server.
If mybox1.contoso.com is in another vnet , then your VM will not be able to resolve it directly."

So are you trying to tell that,
if I have one another VNET1 linked to private zone contoso.com with a A-record for mybox1 and this VNET1 which is NOT linked with my original VNET
then I can not publicly resolve mybox1.contoso.com from my original VNET ???
GitaraniSharma-MSFT 29,976 Reputation points Microsoft Employee

2022-02-01T11:09:00.73+00:00

Hello @testuser7 ,

Yes, you need to link your original virtual network with the private DNS zone "contoso.com" without autoregistration feature. Your original virtual network will be treated as a resolution virtual network only. DNS records for virtual machines deployed in your original Vnet won't be created automatically in the contoso private zone. However, virtual machines deployed in your original Vnet can successfully query for DNS records in the private zone "contoso.com". These records include manually created and auto registered records from other virtual networks linked to the private DNS zone "contoso.com".
Refer : https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links#resolution-virtual-network

So, if "mybox1.contoso.com" is a record in another private DNS zone named "contoso.com" within Azure, you need your original Vnet linked to it for resolving contoso.com fqdns from your VM.

Hope this helps!

Regards,
Gita
testuser7 206 Reputation points

2022-02-01T12:05:33.097+00:00

Yes, totally agree and thanks for validating how various VNETS can be linked with private-zones to resolve privately.

And also thanks for validating the point that , my VM in my VNET will be blocked to PUBLICLY resolve mybox.constoso.com if some other customer in his subscription has created a private-zone named contoso.com with a A-record for mybox (obviously I can not link that zone with my vnet)

Above is true even if Azure-DNS-server is hosting PUBLIC zone named contoso.com

Am I correct in my understanding ?

Thanks.
GitaraniSharma-MSFT 29,976 Reputation points Microsoft Employee

2022-02-01T12:52:46.46+00:00
No @testuser7 , your VM in your VNET will be able to resolve "mybox.constoso.com" if it is accessible publicly (this has nothing to do with another customer having a private zone named contoso.com).

Private DNS zones are private resources which manages and resolves domain names in a linked virtual network and doesn't affect public resolution in any way. You and another customer can have the same private dns zone named contoso.com in your own respective subscriptions. In fact, you can create more than one private dns zone with the same name "contoso.com" in your own subscription as long as they are in different resource groups.

What I meant to say earlier was - If your VNET is linked with a private DNS zone named "fabrikam.com" and has an A record for "mybox.fabrikam.com", then it will resolve privately to the IP address listed in the DNS zone.
However, if your VM tries to resolve "mybox1.contoso.com", then it will ONLY work in 2 cases:

if this fqdn is publicly resolvable such as bing.com or microsoft.com

or you have a private dns zone contoso,com with an A record for "mybox1.contoso.com" which is linked to your original Vnet.

Hope this helps!

Regards,
Gita
testuser7 206 Reputation points

2022-02-01T13:56:43.167+00:00

Much more clarity now !!!! Thanks @GitaraniSharma-MSFT

I am still studying your answer but will ask one point in-line.

I read in the doc that Azure-DNS server is non-recursive.
So if my VM's DNS query is going to be served by PUBLIC side, then as you said FQDN must be publicly resolvable and the public DNS-zone must be hosted in Azure-DNS
As Azure-DNS is non-recursive, it will NOT go out to other Authoritative Servers.

Am I correct ?

Thanks.
GitaraniSharma-MSFT 29,976 Reputation points Microsoft Employee

2022-02-02T07:04:33.233+00:00

Hello @testuser7 ,

You are referring to Azure Public DNS zone which provides an authoritative DNS service and doesn't provide a recursive DNS service. However, cloud services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure.

So, your VMs will be able to access/resolve any publicly resolvable fqdns as long as they have Internet connectivity.

Regards,
Gita
testuser7 206 Reputation points

2022-02-02T13:17:46.127+00:00

Thanks @GitaraniSharma-MSFT for being with me.

the same statement of doc that you quoted here i..e, "cloud services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure." is really confusing me.

All I know is, what we called "Azure-DNS" is nothing but one global service that is accessible by any VM through 168.63.129.16
And the high level functionality of this service is to first resolve any DNS-query privately and if not possible resolve it publicly.
If going for public resolution then it will look into public-DNS-zones

Are you talking about any other DNS-service that is provided separately as part of Azure's infrastructure ??

Thanks.

Answer 2

Hello @testuser7 ,

It is correct that IP address 168.63.129.16 enables communication with the DNS virtual server to provide filtered name resolution to the resources (such as VM) that do not have a custom DNS server.

But Azure Platform DNS and Azure DNS are 2 different concepts. Below is a comparison:

Azure Platform DNS:
It is the basic infrastructure (default) DNS service.
Azure provided name resolution provides only basic authoritative DNS capabilities. If you use this option the DNS zone names and records will be automatically managed by Azure and you will not be able to control the DNS zone names or the life cycle of DNS records.
Along with resolution of public DNS names, Azure provides internal name resolution for VMs and role instances that reside within the same virtual network or cloud service.
This is configured on the Vnet level as below:

Refer:
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#azure-provided-name-resolution
https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#change-dns-servers

Azure DNS:
It is a resource type that you can create in Azure portal to consume DNS services.
Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records. You can't use Azure DNS to buy a domain name but the domains that you have bought from 3rd party DNS providers can be hosted in Azure DNS for record management by delegating that domain to Azure DNS.
This is created in Azure portal as a DNS zone:

Refer:
https://learn.microsoft.com/en-us/azure/dns/dns-overview
https://learn.microsoft.com/en-us/azure/dns/dns-getstarted-portal

Hope this helps!

Regards,
Gita

testuser7 206 Reputation points

2022-02-06T14:01:48.477+00:00

Thanks @GitaraniSharma-MSFT for a detailed response.
Sorry for taking a little more time as I was studying it.
I think we can close this topic. I understood what you meant by DNS-service in Azure and how public and private DNS work in cohesion.

Just a request to answer following one binary question before we have closure on this thread.

When I am in any VM, and try to resolve mydomain.com
mydomain.com is azure-hosted public-zone with 4 allocated name-servers that I have given out to my registrar. (GoDaddy)
Can we consider this resolver as an Authoritative DNS server for mydomain.com (similar to those 4 Name-servers) ??
In other words, this recursive at resolver at 168.63.129.16 need NOT have to do any recursion.

Contrast to above, when my same VM sends query to resolve oracle.com, this resolver at 168.63.129.16 must go out because oracle.com is not public-hosted domain in Azure.

Am I correct in my understanding.

Thanks.

Answer 3

Hello @testuser7 ,

Apologies for the delay in my response as I was testing this scenario in my lab.

No matter if it is a azure hosted public zone or a domain hosted outside Azure, 168.63.129.16 will recurse and follow the normal DNS resolution process.

I have a Azure public DNS zone named "msazurelabs.tk" whose nameservers have been added to the DNS registrar and is delegated to Azure.
I launched a VM and used dig’s +trace to show, here is the output:

C:\Users\azureuser>dig www.msazurelabs.tk @168.63.129.16 +trace  
  
; <<>> DiG 9.16.25 <<>> www.msazurelabs.tk @168.63.129.16 +trace  
;; global options: +cmd  
.                       517241  IN      NS      j.root-servers.net.  
.                       517241  IN      NS      e.root-servers.net.  
.                       517241  IN      NS      i.root-servers.net.  
.                       517241  IN      NS      b.root-servers.net.  
.                       517241  IN      NS      d.root-servers.net.  
.                       517241  IN      NS      a.root-servers.net.  
.                       517241  IN      NS      f.root-servers.net.  
.                       517241  IN      NS      l.root-servers.net.  
.                       517241  IN      NS      m.root-servers.net.  
.                       517241  IN      NS      c.root-servers.net.  
.                       517241  IN      NS      g.root-servers.net.  
.                       517241  IN      NS      h.root-servers.net.  
.                       517241  IN      NS      k.root-servers.net.  
;; Received 824 bytes from 168.63.129.16#53(168.63.129.16) in 3 ms  
  
tk.                     172800  IN      NS      c.ns.tk.  
tk.                     172800  IN      NS      d.ns.tk.  
tk.                     172800  IN      NS      a.ns.tk.  
tk.                     172800  IN      NS      b.ns.tk.  
tk.                     86400   IN      NSEC    tkmaxx. NS RRSIG NSEC  
tk.                     86400   IN      RRSIG   NSEC 8 1 86400 20220221050000 20220208040000 9799 . ipNC6MxVezjLgvhTQ6ZEbQ+z/PfxApvRXqpKFKQoC/o17B2AqF7m+Rea Ulk6umP7zY5On7y4tA4NJ8SXaEfOU++m7exxpIohFh6TVHLhy4boQXcf G1yFhbe/gsZYAUmiUPB+CeXG2m5V4KrMT9vAi9KdPLe71B2Hk7tkPFBJ vFJdoPeEBj3H7pSyMbOrwTDhNcGVWVhlw+66onWm0DdGfPqVWLTUs1c7 KhPNaEGEMK+bZzyEDzQSjf1dTToAbawEBZG8cvK03BP6AtZbV9xIoFr6 DXUB9zkdJvKdeVphRjQso5olmCfxqaCnTUMaqORTexNrpaenviCHC30/ 0HSBUQ==  
;; Received 605 bytes from 202.12.27.33#53(m.root-servers.net) in 62 ms  
  
msazurelabs.tk.         300     IN      NS      ns1-09.azure-dns.com.  
msazurelabs.tk.         300     IN      NS      ns2-09.azure-dns.net.  
msazurelabs.tk.         300     IN      NS      ns3-09.azure-dns.org.  
msazurelabs.tk.         300     IN      NS      ns4-09.azure-dns.info.  
;; Received 184 bytes from 194.0.38.1#53(a.ns.tk) in 15 ms  
  
www.msazurelabs.tk.     3600    IN      A       20.20.20.20  
;; Received 63 bytes from 64.4.48.9#53(ns2-09.azure-dns.net) in 31 ms

Refer this blog to see how to use dig +trace to understand DNS Resolution: https://ns1.com/blog/using-dig-trace

As mentioned in this doc, Azure DNS provides an authoritative DNS service. It doesn't provide a recursive DNS service. Cloud Services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure. DNS clients in PCs or mobile devices typically call a recursive DNS server to do any DNS queries the client applications need. So, the Azure VM also calls the recursive DNS service that is provided as part of Azure's infrastructure to resolve both Azure public DNS zone and domains hosted outside Azure.

Also, you can find the difference between authoritative & recursive DNS server as below:

An authoritative DNS server hosts DNS zones. It answers DNS queries for records in those zones only.
A recursive DNS server doesn't host DNS zones. It answers all DNS queries by calling authoritative DNS servers to gather the data it needs.

Since, Azure public DNS hosts DNS zones, it is an authoritative DNS server which answers DNS queries for records in those zones only.
But the DNS resolution process doesn't change which means when you are in your Azure VM and try to resolve "mydomain.com" which is a delegated azure-hosted public-zone, 168.63.129.16 (Azure infrastructure recursive DNS service) will answer DNS queries by calling authoritative DNS servers starting from the root server and then eventually will call Azure DNS public zone "mydomain.com" which is hosting the respective domain and here the Azure public DNS will answer the query for the record asked as this is where the zone is hosted.

Hope this helps!

Regards,
Gita

testuser7 206 Reputation points

2022-02-09T15:20:44.807+00:00

Excellent @GitaraniSharma-MSFT !!!!

This clarifies the full spectrum. We can have a closure on this topic.

Once again thanks your patience and being with me.
GitaraniSharma-MSFT 29,976 Reputation points Microsoft Employee

2022-02-09T19:20:26.243+00:00

Thank you for the update, @testuser7 . Happy to help!

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Refer : How to accept an answer in Q&A.

Regards,
Gita

Azure-DNS resolution

3 answers

Activity