Private DNS zone and public (internet) domains

Eugene Romero 1 Reputation point MVP
2022-03-17T16:00:21.8+00:00

Hi!

I am facing some issues with Azure Private DNS Zones and would like to know if this is expected behavior or if I am missing a setting somewhere.

We've used Private DNS Zones in our project for a while successfully. However, these have always been for internal domains, say for example, microsoft.local. This works well.

Now, we wanted to have a record for an internal address which uses the company's public domain, say microsoft.com.

We add a new Private DNS Zone called "microsoft.com" and create a single record, "internalservice.microsoft.com".

Once this Private DNS Zone is in place, all microsoft.com DNS calls from inside that VNet no longer resolve (except for the internalservice one). So, this works:

internal-server$ nslookup internalservice.microsoft.com
Non-authoritative answer:
Name: internalservice.microsoft.com
Address: 1.2.3.4

but this doesn't:

internal-server$ nslookup www.microsoft.com
** server can't find www.microsoft.com: NXDOMAIN

internal-server$ nslookup microsoft.com
** server can't find microsoft.com: NXDOMAIN

This means that the Private DNS Zone is hijacking all calls to microsoft.com, instead of returning the records it knows about, and forwarding the rest upstream.

Is this expected behavior? Can public (internet facing) domains not be used for Private DNS Zones without hijacking the entire domain? Or is there some way to tell the zone to send a request upstream if it can't resolve it?

Some extra information, we do not use Azure DNS for managing our public DNS records. I read about split-horizon with Azure DNS but I don't believe that is the answer to our issue.

Thanks for your help!

  1. ChaitanyaNaykodi-MSFT 27,486 Reputation points Microsoft Employee Moderator
    2022-03-23T00:43:08.587+00:00

    Hello @Eugene Romero , Thank you for your patience throughout this process. I got a response back from the team.

    This is an expected behavior. In order to resolve this issue, you will have to add an apex record of type @ which points to your domain's public IP and a CNAME record of type www that points to your apex domain so that it can resolve microsoft.com and www.microsoft.com from your example above. As shown below.

    [image: 185836-image.png]

    Hope this helps! Please let me know if you have any additional questions. Thank you!

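The behaviour in the question and the fix in the answer can be checked before touching a real VNet. The script below is an added example, not code from the thread or from Microsoft: it models how the Azure-provided resolver treats a linked Private DNS zone (authoritative for every name under the zone, so a miss inside the zone is NXDOMAIN and is never forwarded upstream), lists the public names that the private zone will shadow, and emits the `az network private-dns record-set` commands that backfill them. It goes beyond the answer by also covering MX and TXT records at the apex, which are shadowed in exactly the same way and bite anything inside the VNet that sends mail or checks SPF. Every record and IP address is constructed for illustration (TEST-NET addresses), the thread's placeholder domain microsoft.com is reused, and the resource group name `rg-dns` is an assumption.

```python
"""Added example, not code from the Q&A thread or from Microsoft.

Models how an Azure Private DNS zone linked to a VNet shadows the public zone
of the same name, lists the public names it turns into NXDOMAIN, and generates
the `az network private-dns` commands that backfill them.  All records and IPs
are constructed for illustration; the resource group "rg-dns" is an assumption.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified, no trailing dot, e.g. "www.microsoft.com"
    rtype: str   # "A", "CNAME", "MX" (value "<preference> <exchange>") or "TXT"
    value: str


def in_zone(name, zone):
    """True if name is the zone apex or lies under it (label-aware: notmicrosoft.com
    is not inside microsoft.com)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def relative_name(name, zone):
    """Record-set name as the az CLI wants it: '@' for the apex, else the labels below the zone."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return "@" if name == zone else name[: -(len(zone) + 1)]


def resolve(name, private_zones, public_records, _depth=0):
    """Mimic the Azure-provided resolver for a VNet with linked private zones.
    A linked private zone is authoritative for every name under it: a hit answers
    from the private zone, a miss inside the zone is NXDOMAIN and is never forwarded.
    Only names outside every linked private zone reach public DNS. CNAMEs are followed."""
    if _depth > 8:
        raise RuntimeError(f"CNAME chain too long while resolving {name}")
    name = name.rstrip(".").lower()
    for zone, records in private_zones.items():
        if in_zone(name, zone):
            source, pool = "private", records
            break
    else:
        source, pool = "public", public_records
    same_name = [r for r in pool if r.name.lower() == name]
    if not same_name:
        return ("NXDOMAIN", None)
    addr = [r for r in same_name if r.rtype in ("A", "CNAME")]
    if not addr:
        return ("NODATA", None)   # name exists but holds only MX/TXT/... records
    rec = addr[0]
    if rec.rtype == "CNAME":
        return resolve(rec.value, private_zones, public_records, _depth + 1)
    return (source, rec.value)


def shadowed(zone, private_records, public_records):
    """Public names under zone that the private zone will answer with NXDOMAIN."""
    have = {r.name.lower() for r in private_records}
    return sorted({r.name.lower() for r in public_records
                   if in_zone(r.name, zone) and r.name.lower() not in have})


def backfill_commands(zone, resource_group, private_records, public_records):
    """az CLI commands that copy every shadowed public record into the private zone."""
    have = {r.name.lower() for r in private_records}
    base = "az network private-dns record-set"
    cmds = []
    for r in public_records:
        if not in_zone(r.name, zone) or r.name.lower() in have:
            continue
        common = f"-g {resource_group} -z {zone} -n {relative_name(r.name, zone)}"
        if r.rtype == "A":
            cmds.append(f"{base} a add-record {common} -a {r.value}")
        elif r.rtype == "CNAME":
            cmds.append(f"{base} cname set-record {common} -c {r.value}")
        elif r.rtype == "MX":
            pref, exchange = r.value.split(maxsplit=1)
            cmds.append(f"{base} mx add-record {common} -e {exchange} -p {pref}")
        elif r.rtype == "TXT":
            cmds.append(f"{base} txt add-record {common} -v {shlex.quote(r.value)}")
        else:
            cmds.append(f"# TODO: {r.rtype} record for {r.name} must be added by hand")
    return cmds


def with_backfill(zone, private_records, public_records):
    """The private zone's record list once the backfill has been applied."""
    have = {r.name.lower() for r in private_records}
    return list(private_records) + [r for r in public_records
                                    if in_zone(r.name, zone) and r.name.lower() not in have]


ZONE = "microsoft.com"      # placeholder domain reused from the thread
RESOURCE_GROUP = "rg-dns"   # assumed resource group name

# What the private zone holds at first: the single record from the question.
PRIVATE = [Record("internalservice.microsoft.com", "A", "1.2.3.4")]

# Constructed stand-in for the public zone (TEST-NET addresses, not real records).
PUBLIC = [
    Record("microsoft.com", "A", "203.0.113.10"),
    Record("www.microsoft.com", "CNAME", "microsoft.com"),
    Record("microsoft.com", "MX", "10 mail.microsoft.com"),
    Record("mail.microsoft.com", "A", "203.0.113.25"),
    Record("microsoft.com", "TXT", "v=spf1 -all"),
    Record("notmicrosoft.com", "A", "203.0.113.99"),   # outside the zone: unaffected
]

if __name__ == "__main__":
    zones = {ZONE: PRIVATE}
    for q in ("internalservice.microsoft.com", "www.microsoft.com", "microsoft.com", "notmicrosoft.com"):
        print(f"{q:32} -> {resolve(q, zones, PUBLIC)}")
    print("shadowed:", shadowed(ZONE, PRIVATE, PUBLIC))
    print("\n".join(backfill_commands(ZONE, RESOURCE_GROUP, PRIVATE, PUBLIC)))
    fixed = {ZONE: with_backfill(ZONE, PRIVATE, PUBLIC)}
    print("after backfill, www ->", resolve("www.microsoft.com", fixed, PUBLIC))
```

The generated commands assume the private zone already exists and is linked to the VNet (`az network private-dns zone create` and `az network private-dns link vnet create`). Two caveats a practitioner should keep in mind: the backfilled records are a static copy, so every later change to the public zone (a moved web front end, a new mail exchanger) has to be replayed into the private zone or resolution inside the VNet silently goes stale; and the real resolver also returns NXDOMAIN for names that exist publicly but were never copied, so run the `shadowed` check against a full export of the public zone, not just the handful of names you happen to know about.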

