Private DNS Zone

James Lux 31 Reputation points
2022-04-25T22:19:15.03+00:00

I have an Azure SQL Database, a Windows 10 VM and a CentOS VM all on the same VNet. I added a private endpoint to the SQL DB and linked it to the VNet. It correctly obtained an IP address from the VNet DHCP scope. So far so good.

I created a Private DNS Zone and the SQL IP Address was automatically added with an A Name of DBname.privatelink.database.windows.net.

Everything seems to be aligned.

However, from the Windows10 or CentOS VM, I cannot correctly resolve the private VNet address.

We also have Azure AD DS tied to this Azure VNet.


4 answers

  1. Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator
    2022-04-26T00:06:06.093+00:00

    Hi @James Lux

    Thank you for asking this question on the **Microsoft Q&A Platform.**

    I understand that you need to resolve DBname.privatelink.database.windows.net from your network, right?

    In your DNS you need to set a conditional forwarder for database.windows.net to 168.63.129.16.

    The conditional forwarding must be made to the recommended public DNS zone forwarder. For example: database.windows.net instead of privatelink.database.windows.net.

    You have more information in https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns and https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

    Hope this helps,
    Carlos Solís Salazar

    ----------

    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.



  2. Alberto Morillo 34,676 Reputation points MVP Volunteer Moderator
    2022-04-26T00:09:54.073+00:00

  3. James Lux 31 Reputation points
    2022-04-26T17:46:39.29+00:00

    I continue to have problems with the Point to Site VPN DNS despite following the proper MS instructions. I prefer not to use a hack to make this work.

    Here are my details.

    1. VNet is set up correctly with Custom DNS servers: 168.63.129.16, 209.244.0.3 and 209.244.0.4
    2. I then added a Virtual Network Gateway linked to this VNet
    3. Next I added a Point to Site configuration with Azure AD Authentication
    4. I downloaded the VPN Client File from the Portal and imported it into my installed Azure VPN Client on my mac
    5. I can connect to the Azure VPN Gateway and the client shows 168.63.129.16, 209.244.0.3 and 209.244.0.4 as the VPN DNS Servers

    So, this should be working.

    Here is some information from testing....on my Mac

    Without VPN connected

    1. The output of `scutil --dns | grep nameserver | sort -u` shows `nameserver[0] : 192.168.2.1` as the only DNS server
    2. The result of `nslookup awh-datawarehouse.database.windows.net` shows `Server: 192.168.2.1` and `Address: 40.79.153.12`
    3. This is correct without the VPN connected

    With VPN connected

    1. The output of `scutil --dns | grep nameserver | sort -u` shows `nameserver[0] : 168.63.129.16`, `nameserver[0] : 192.168.2.`, `nameserver[1] : 209.244.0.3` & `nameserver[2] : 209.244.0.4`
    2. The result of `nslookup awh-datawarehouse.database.windows.net` shows `Server: 209.244.0.3` and `Address: 40.79.153.12`
    3. This is incorrect; for some reason the VPN network is not returning the awh-datawarehouse.database.windows.net answer returned from the first DNS server

    On a Linux VM on the VNet

    1. The output of `cat /etc/resolv.conf` shows `search reddog.microsoft.com`, `nameserver 168.63.129.16`, `nameserver 209.244.0.3` & `nameserver 209.244.0.4`
    2. The result of `nslookup awh-datawarehouse.database.windows.net` shows `Server: 168.63.129.16` and `Address: 10.0.1.6`
    3. This is correct

    How do I get the DNS resolver at 168.63.129.16 to properly return the Private IP Address (10.0.1.6) when VPN is connected? DNS is working when on a VM (windows or linux) on the VNet and the configuration appears to be correct. What can I do next?


  4. Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator
    2022-04-27T09:18:38.12+00:00

    @James Lux

    About this:

    > This is incorrect; for some reason the VPN network is not returning the awh-datawarehouse.database.windows.net returned from the first DNS server

    I think that could be because when you are on a VPN you have a split connection

    Try to use the private link name (DBname.privatelink.database.windows.net)

    Also, from a host in the VPN, run these commands:

    ```shell
    nslookup awh-datawarehouse.database.windows.net 168.63.129.16
    nslookup DBname.privatelink.database.windows.net 168.63.129.16
    ```

    With those commands we force the DNS query to go to that specific DNS server instead of whichever resolver the client picks.

    Hope this helps,
    Carlos Solís Salazar

    ----------

    Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.
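The test procedure in James Lux's reply above (comparing what each configured resolver returns) and the per-server `nslookup` check suggested in this answer can be combined into one script. The following is an added example, not code from either poster or from Microsoft: it runs `nslookup` against each resolver in turn, parses the answer address, and reports whether that resolver handed back a private (RFC 1918) address, which is what a working private endpoint should produce. The hostname and resolver addresses are taken from the thread; the two embedded sample outputs are constructed to match `nslookup`'s output format and are not real captures, so the script can also be run offline.

```shell
#!/bin/sh
# Added example: check which DNS resolver returns the private-endpoint
# address for an Azure SQL hostname. Not code from the thread or from Azure.
# Assumptions: hostname and resolver IPs are the ones quoted in the thread;
# the SAMPLE_* outputs below are constructed, not captured from a real host.

# Return 0 if the IPv4 address is in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[0-1].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read nslookup output on stdin and print the answer address only.
# nslookup prints the resolver's own address first ("Address: x.x.x.x#53"),
# so skip everything until the "Name:" line, then take the next "Address:".
parse_nslookup_answer() {
  awk '/^Name:/ {seen=1; next} seen && /^Address:/ {print $2; exit}'
}

# Classify nslookup output on stdin: prints "private", "public" or "none".
classify_answer() {
  addr="$(parse_nslookup_answer)"
  if [ -z "$addr" ]; then
    echo none
  elif is_private_ipv4 "$addr"; then
    echo private
  else
    echo public
  fi
}

# Live check: query each resolver directly, as the answer above suggests,
# so the client's own resolver ordering cannot hide the difference.
check_resolvers() {
  host="$1"; shift
  for ns in "$@"; do
    result="$(nslookup "$host" "$ns" 2>/dev/null | classify_answer)"
    echo "$ns -> $result"
  done
}

# Constructed sample outputs in nslookup's format (not real captures).
# The first mirrors the thread's "correct" case: the Azure resolver follows the
# CNAME into the privatelink zone and returns the private endpoint IP.
SAMPLE_PRIVATE='Server:   168.63.129.16
Address:  168.63.129.16#53

Non-authoritative answer:
awh-datawarehouse.database.windows.net canonical name = awh-datawarehouse.privatelink.database.windows.net.
Name: awh-datawarehouse.privatelink.database.windows.net
Address: 10.0.1.6'

# The second mirrors the "incorrect" VPN case: a public resolver answers.
SAMPLE_PUBLIC='Server:   209.244.0.3
Address:  209.244.0.3#53

Non-authoritative answer:
Name: awh-datawarehouse.database.windows.net
Address: 40.79.153.12'

if [ "${1:-}" = "--live" ]; then
  # Usage: sh check_private_dns.sh --live
  check_resolvers awh-datawarehouse.database.windows.net 168.63.129.16 209.244.0.3 209.244.0.4
else
  # Offline demonstration on the constructed samples.
  printf '%s\n' "$SAMPLE_PRIVATE" | classify_answer
  printf '%s\n' "$SAMPLE_PUBLIC" | classify_answer
fi
```

Run it with `--live` from the VPN client and from a VM on the VNet: if 168.63.129.16 reports `private` from the VM but the VPN client still gets `public`, the problem is which resolver the client actually uses (or split-tunnel routing to 168.63.129.16), not the Private DNS Zone itself.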


