Azure-DNS resolution

testuser7 271 Reputation points
2022-01-27T13:23:51.933+00:00

Hello,

I have a VNET and one VM in it.
This VNET is using Default Azure-builtin DNS-server for name resolution.
And this VNET is linked with one private-zone named fabrikam.com

If this VM tries to resolve mybox.fabrikam.com, there is a good chance that the private zone will have a record set for it.

However, this VM is trying to resolve mybox1.contoso.com.
Obviously the DNS resolver cannot resolve that privately.
So my question is: will the DNS resolver automatically look out on the internet to resolve mybox1.contoso.com and hand the public IP address back to the VM?

Thanks.


3 answers

  1. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2022-01-31T07:45:13.477+00:00

    Hello @testuser7 ,

    Apologies for the delay in response.

    If your VNET is linked with a private DNS zone named "fabrikam.com" and has an A record for "mybox.fabrikam.com", then it will resolve privately to the IP address listed in the DNS zone. For any other domain which is not in your linked private DNS zone, such as "mybox1.contoso.com", yes, the default Azure built-in DNS server will automatically look out on the internet to resolve it, if it is publicly resolvable.

    For example, I have a VM with a linked private DNS zone named "fabrikam.com" and an "A" record set named "bing.fabrikam.com" with IP address 10.10.0.4.
    If I log in to the VM and do an nslookup for "bing.fabrikam.com", I get 10.10.0.4.
    But if I do an nslookup for only bing.com, I get its public IP.

    [screenshot]

    NOTE: "mybox1.contoso.com" should be publicly resolvable for the VM to resolve it directly using the default Azure DNS server. If it is in another virtual network or on-premises, then your VM will not be able to resolve it directly and you will need further configuration with your own custom DNS server. For more information on name resolution, please refer to the doc below:
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

    Kindly let us know if the above helps or you need further assistance on this issue.

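A small Python model of the resolution order this answer describes (an added example, not code from the answer or from Azure): a name under a linked private zone is answered from that zone, everything else goes to the public internet. The zone data and the public stub are constructed, and the model assumes Azure's documented default that a linked private zone is authoritative, so a name missing from it gets NXDOMAIN rather than a public lookup.

```python
from typing import Dict, Optional

# Constructed sample data: the private zone linked to the VNet (as in the answer)
# and a stand-in for the public internet so the example runs offline.
LINKED_PRIVATE_ZONES: Dict[str, Dict[str, str]] = {
    "fabrikam.com": {"bing.fabrikam.com": "10.10.0.4"},
}
PUBLIC_DNS_STUB: Dict[str, str] = {"bing.com": "203.0.113.10"}  # RFC 5737 test address

def linked_zone_for(name: str) -> Optional[str]:
    """Longest linked private zone that the name belongs to, matched label by label
    from the right (so 'fabrikam.com.example' does not match 'fabrikam.com')."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LINKED_PRIVATE_ZONES:
            return candidate
    return None

def resolve(name: str) -> str:
    """What the Azure-provided resolver (168.63.129.16) hands back to a VM whose VNet
    is linked to LINKED_PRIVATE_ZONES. Returns an address or 'NXDOMAIN'."""
    fqdn = name.rstrip(".").lower()
    zone = linked_zone_for(fqdn)
    if zone is not None:
        # Assumption (Azure's documented default, not stated in the answer): a linked
        # private zone is answered authoritatively, so a name missing from it is
        # NXDOMAIN and is not retried on the public internet.
        return LINKED_PRIVATE_ZONES[zone].get(fqdn, "NXDOMAIN")
    # Every other name is resolved recursively on the public internet (stubbed here).
    return PUBLIC_DNS_STUB.get(fqdn, "NXDOMAIN")
```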


  2. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2022-02-03T10:09:58.31+00:00

    Hello @testuser7 ,

    It is correct that IP address 168.63.129.16 enables communication with the DNS virtual server to provide filtered name resolution to the resources (such as VM) that do not have a custom DNS server.

    But Azure Platform DNS and Azure DNS are 2 different concepts. Below is a comparison:

    Azure Platform DNS:
    It is the basic infrastructure (default) DNS service.
    Azure-provided name resolution provides only basic authoritative DNS capabilities. If you use this option, the DNS zone names and records will be automatically managed by Azure and you will not be able to control the DNS zone names or the life cycle of DNS records.
    Along with resolution of public DNS names, Azure provides internal name resolution for VMs and role instances that reside within the same virtual network or cloud service.
    This is configured at the VNet level as below:

    [screenshot]

    Refer:
    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances#azure-provided-name-resolution
    https://learn.microsoft.com/en-us/azure/virtual-network/manage-virtual-network#change-dns-servers

    Azure DNS:
    It is a resource type that you can create in Azure portal to consume DNS services.
    Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. By hosting your domains in Azure, you can manage your DNS records. You can't use Azure DNS to buy a domain name, but domains that you have bought from third-party DNS providers can be hosted in Azure DNS for record management by delegating that domain to Azure DNS.
    This is created in Azure portal as a DNS zone:

    [screenshot]

    Refer:
    https://learn.microsoft.com/en-us/azure/dns/dns-overview
    https://learn.microsoft.com/en-us/azure/dns/dns-getstarted-portal

    Hope this helps!

    Regards,
    Gita


  3. GitaraniSharma-MSFT 49,401 Reputation points Microsoft Employee
    2022-02-08T15:20:57.043+00:00

    Hello @testuser7 ,

    Apologies for the delay in my response as I was testing this scenario in my lab.

    No matter whether it is an Azure-hosted public zone or a domain hosted outside Azure, 168.63.129.16 will recurse and follow the normal DNS resolution process.

    I have an Azure public DNS zone named "msazurelabs.tk" whose name servers have been added at the DNS registrar, so the domain is delegated to Azure.
    I launched a VM and used dig's +trace to show this; here is the output:

    C:\Users\azureuser>dig www.msazurelabs.tk @168.63.129.16 +trace  
      
    ; <<>> DiG 9.16.25 <<>> www.msazurelabs.tk @168.63.129.16 +trace  
    ;; global options: +cmd  
    .                       517241  IN      NS      j.root-servers.net.  
    .                       517241  IN      NS      e.root-servers.net.  
    .                       517241  IN      NS      i.root-servers.net.  
    .                       517241  IN      NS      b.root-servers.net.  
    .                       517241  IN      NS      d.root-servers.net.  
    .                       517241  IN      NS      a.root-servers.net.  
    .                       517241  IN      NS      f.root-servers.net.  
    .                       517241  IN      NS      l.root-servers.net.  
    .                       517241  IN      NS      m.root-servers.net.  
    .                       517241  IN      NS      c.root-servers.net.  
    .                       517241  IN      NS      g.root-servers.net.  
    .                       517241  IN      NS      h.root-servers.net.  
    .                       517241  IN      NS      k.root-servers.net.  
    ;; Received 824 bytes from 168.63.129.16#53(168.63.129.16) in 3 ms  
      
    tk.                     172800  IN      NS      c.ns.tk.  
    tk.                     172800  IN      NS      d.ns.tk.  
    tk.                     172800  IN      NS      a.ns.tk.  
    tk.                     172800  IN      NS      b.ns.tk.  
    tk.                     86400   IN      NSEC    tkmaxx. NS RRSIG NSEC  
    tk.                     86400   IN      RRSIG   NSEC 8 1 86400 20220221050000 20220208040000 9799 . ipNC6MxVezjLgvhTQ6ZEbQ+z/PfxApvRXqpKFKQoC/o17B2AqF7m+Rea Ulk6umP7zY5On7y4tA4NJ8SXaEfOU++m7exxpIohFh6TVHLhy4boQXcf G1yFhbe/gsZYAUmiUPB+CeXG2m5V4KrMT9vAi9KdPLe71B2Hk7tkPFBJ vFJdoPeEBj3H7pSyMbOrwTDhNcGVWVhlw+66onWm0DdGfPqVWLTUs1c7 KhPNaEGEMK+bZzyEDzQSjf1dTToAbawEBZG8cvK03BP6AtZbV9xIoFr6 DXUB9zkdJvKdeVphRjQso5olmCfxqaCnTUMaqORTexNrpaenviCHC30/ 0HSBUQ==  
    ;; Received 605 bytes from 202.12.27.33#53(m.root-servers.net) in 62 ms  
      
    msazurelabs.tk.         300     IN      NS      ns1-09.azure-dns.com.  
    msazurelabs.tk.         300     IN      NS      ns2-09.azure-dns.net.  
    msazurelabs.tk.         300     IN      NS      ns3-09.azure-dns.org.  
    msazurelabs.tk.         300     IN      NS      ns4-09.azure-dns.info.  
    ;; Received 184 bytes from 194.0.38.1#53(a.ns.tk) in 15 ms  
      
    www.msazurelabs.tk.     3600    IN      A       20.20.20.20  
    ;; Received 63 bytes from 64.4.48.9#53(ns2-09.azure-dns.net) in 31 ms  
    

    Refer to this blog to see how to use dig +trace to understand DNS resolution: https://ns1.com/blog/using-dig-trace

    As mentioned in this doc, Azure DNS provides an authoritative DNS service. It doesn't provide a recursive DNS service. Cloud Services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure. DNS clients in PCs or mobile devices typically call a recursive DNS server to do any DNS queries the client applications need. So, the Azure VM also calls the recursive DNS service that is provided as part of Azure's infrastructure to resolve both Azure public DNS zone and domains hosted outside Azure.

    Also, you can find the difference between authoritative & recursive DNS server as below:

    • An authoritative DNS server hosts DNS zones. It answers DNS queries for records in those zones only.
    • A recursive DNS server doesn't host DNS zones. It answers all DNS queries by calling authoritative DNS servers to gather the data it needs.

    Since Azure public DNS hosts DNS zones, it is an authoritative DNS server that answers DNS queries for records in those zones only.
    But the DNS resolution process doesn't change, which means that when you are in your Azure VM and try to resolve "mydomain.com", which is a delegated Azure-hosted public zone, 168.63.129.16 (the Azure infrastructure recursive DNS service) will answer DNS queries by calling authoritative DNS servers starting from the root servers and will eventually call the Azure DNS public zone "mydomain.com", which hosts the respective domain; there the Azure public DNS will answer the query for the requested record, because this is where the zone is hosted.

    Hope this helps!

    Regards,
    Gita
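To make the referral chain in the dig +trace output above machine-checkable, here is a small parser (an added example, not part of the answer or of any Azure tooling). It splits the trace into steps, lists the zones the recursive resolver walked, extracts the authoritative answer, and checks that each referral came from a server that the previous step actually delegated to. The embedded trace is a trimmed copy of the output shown in the answer.

```python
import re
from typing import Dict, List

# Trimmed copy of the dig +trace output shown in the answer above (most root and
# .tk name servers plus the NSEC/RRSIG lines are left out to keep it short).
TRACE = """\
.                       517241  IN      NS      m.root-servers.net.
;; Received 824 bytes from 168.63.129.16#53(168.63.129.16) in 3 ms

tk.                     172800  IN      NS      a.ns.tk.
;; Received 605 bytes from 202.12.27.33#53(m.root-servers.net) in 62 ms

msazurelabs.tk.         300     IN      NS      ns1-09.azure-dns.com.
msazurelabs.tk.         300     IN      NS      ns2-09.azure-dns.net.
;; Received 184 bytes from 194.0.38.1#53(a.ns.tk) in 15 ms

www.msazurelabs.tk.     3600    IN      A       20.20.20.20
;; Received 63 bytes from 64.4.48.9#53(ns2-09.azure-dns.net) in 31 ms
"""
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\)")

def parse_trace(text: str) -> List[Dict]:
    """Split dig +trace output into steps: the records returned and who returned them."""
    steps, records = [], []
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            steps.append({"records": records, "ip": m.group(1), "server": m.group(2)})
            records = []
        elif line and not line.startswith(";"):
            name, ttl, cls, rtype, rdata = line.split(None, 4)
            records.append((name, int(ttl), cls, rtype, rdata.strip()))
    return steps

def delegation_chain(steps: List[Dict]) -> List[str]:
    """Zones in the order the recursive resolver walked them: root, TLD, delegated zone."""
    return [s["records"][0][0] for s in steps if s["records"] and s["records"][0][3] == "NS"]

def final_answer(steps: List[Dict]):
    """(name, address) of the A record in the last step, i.e. the authoritative answer."""
    return next(((r[0], r[4]) for r in steps[-1]["records"] if r[3] == "A"), None)

def chain_is_consistent(steps: List[Dict]) -> bool:
    """Each referral after the first must come from a server named as NS one step earlier."""
    for prev, cur in zip(steps, steps[1:]):
        ns_names = {r[4].rstrip(".") for r in prev["records"] if r[3] == "NS"}
        if cur["server"].rstrip(".") not in ns_names:
            return False
    return True
```

The first step is answered by 168.63.129.16 itself, which is the recursive service and not an NS of any zone, so the consistency check deliberately starts with the root referral.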