Azure Private DNS Conditional forwarders from on-prem/different cloud AD/DNS Server.

Question

Azure Private DNS Conditional forwarders from on-prem/different cloud AD/DNS Server.

Reinis Tropiņš 1

Hello.

We have a very simple setup with ADDS/DNS VM in Azure & for redundancy a ADDS/DNS in an on-premises environment.
Both sites are linked via site-to-site VPN. All traffic is allowed.

So following the basic guidelines, we have a Virtual Network Link set up with Private DNS zone - privatelink.1.azurestaticapps.net
And a conditional forwarder in the VNET that is linked with the Private Zone - azurestaticapps.net, that points to 168.63.129.16 (as per instructions to use the Public domain name)

Resolution when querying the specific Azure based DNS server works with no issues whatsoever.

However the issue shows up when trying to set up a Conditional forwarder in the other DNS server.
As described in the article we have a DNS conditional forwarder for the zone - azurestaticapps.net, that points to the Azure DNS virtual machine.

However when trying to query the non-azure DNS Server, query always responds with public IP address, as if the Conditional Forwarder is ignored completely.

At the same time we have a non-cname based Private DNS zone e.g., contoso.lan, which is populated in Azure Private DNS with A records, and it works flawlessly from both DNS servers, which means that Conditional forwarding works with no issues.

Maybe it's something to do with Azure Static Web Apps and custom domain names.
We have an Azure Static Web app with enabled Private Endpoint, that has the FQDN passed from the Static Web App. And the setup is as per the Instructions.

PNE has FQDN - mango-field-9c2719f03.1.azurestaticapps.net
Private Zone (privatelink.1.azurestaticapps.net), has A record - mango-field-9c2719f03 that corresponds to the IP address of the PNE
And abovementioned DNS Conditional Forwarders are configured correctly.

Is there a mistake in the setup somewhere?

We've verified all traffic is passing through, DNS resolution works, AD Replication between both ADDS servers has no issues.

Any help would be appriciated.

2 answers

Your answer

Answer 1

GitaraniSharma-MSFT 50,096 Microsoft Employee Moderator

Hello @Reinis Tropiņš ,

Apologies for the delay in response.

I understand that you have a conditional forwarder in your Azure VNET that is linked with the Private Zone - azurestaticapps.net, that points to 168.63.129.16, however, when trying to query the non-azure DNS Server, query always responds with public IP address and the Conditional Forwarder is ignored completely.

You can find all the details regarding conditional forwarding & the recommended config by Azure in the below doc:
https://github.com/dmauser/PrivateLink/tree/master/DNS-Integration-Scenarios#41-which-conditional-forwarder-zone-should-be-used

"There are reports that BIND-based DNS Servers (including Infoblox) work using conditional forwarders towards the privatelink.PaaS-domain zone (example: privatelink.blob.core.windows.net for storage accounts) without any issues. Therefore, please validate in your environment before deciding between adding the privatelink .PaaS-domain zone (privatelink.blob.core.windows.net as an example for storage accounts) or the default/Public PaaS zone (blob.core.windows.net)."

Most of On-premises DNS servers fall into the category where they will have a forwarder setup to point to another DNS server in customer's DMZ or point to ISP DNS Servers. Hence, conditional forwarding to the Public DNS forwarder is recommended because it is easy to implement.
Please check how your OnPrem DNS is configured and you may have an option to configure conditional forwarders to the PaaS domain zone or subdomain zone private link returned by the CNAME.

In your case, for Static webapps, the recommended Public DNS zone forwarder is either azurestaticapps.net or {partitionId}.azurestaticapps.net.
Refer : https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration

Since, your Static webapp has a FQDN "mango-field-9c2719f03.1.azurestaticapps.net" which has a partition ID "1", I would advise you to setup the on-prem conditional forwarding to "1.azurestaticapps.net" and check again.

Could you please try the below setup:
Azure VM - 10.1.0.5 - Conditional forwarder pointing to - 168.63.129.16 for the zone 1.azurestaticapps.net
On-prem VM - 10.1.1.5 - Conditional forwarder pointing to - 10.1.0.5 for the zone 1.azurestaticapps.net

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Reinis Tropiņš 1 Reputation point

2022-06-21T14:14:53.503+00:00

Hello,

I've tried the scenario as requested

Could you please try the below setup:
Azure VM - 10.1.0.5 - Conditional forwarder pointing to - 168.63.129.16 for the zone 1.azurestaticapps.net
On-prem VM - 10.1.1.5 - Conditional forwarder pointing to - 10.1.0.5 for the zone 1.azurestaticapps.net

And the same issue appears.
Azure VM resolves everything flawlessly, whereas On-prem VM just disregards conditional forwarder fully.
Custom domain name - demo.contoso.com (attached to the Static Web App), nor the FQDN of the Static Web App "mango-field-9c2719f03.1.azurestaticapps.net" gets passed towards the Azure VM for further resolution.

Which is strange, since there's a direct conditional forwarder for the zone 1.azurestaticapps.net

At this point this leaves me baffled, as mentioned before the configured "contoso.lan" private DNS zone resolves from both DNS servers, and the Conditional Forwarder settings are 1:1 copy (aside from the domain name that is).
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-06-24T11:29:58.21+00:00

Hello @Reinis Tropiņš ,

Thank you for the update.

May I know how the custom domain for your Static web app is configured?
Where the DNS record configuration for custom name resides - Azure or external?

Did you follow the below doc and all the configuration is done accordingly?
https://learn.microsoft.com/en-us/azure/static-web-apps/custom-domain-azure-dns

Regards,
Gita
Reinis Tropiņš 1 Reputation point

2022-06-28T09:07:30.527+00:00

Hello.

DNS record configuration in Azure hosted DNS Zone (Nameservers pointing to Azure DNS)
And DNS settings are exactly like in the documentation.
Here's an example from a slightly different web app, but with working config.

Static Web app default assigned FQDN - thankful-glacier-01d9e0d03.1.azurestaticapps.net
custom domain mapped to the resource - demo.mogo.ee

which then resolves in the following way from the Azure ADDS / DNS server linked to the Private DNS zone - privatelink.1.azurestaticapps.net

demo.mogo.ee CNAME 18 Answer thankful-glacier-01d9e0d03.1.azurestaticapps.net
thankful-glacier-01d9e0d03.1.azurestaticapps.net CNAME 18 Answer thankful-glacier-01d9e0d03.privatelink.1.azurestaticapps.net

Name : thankful-glacier-01d9e0d03.privatelink.1.azurestaticapps.net
IP4Address : 10.xxx.xxx.xxx (IP address of the Private Network Endpoint)

So the DNS Conditional forwarder works.

When trying to resolve-dns against the on-premises ADDS / DNS server, which has a conditional forwarder for zone - 1.azurestaticapps.net
Pointing towards the Azure ADDS / DNS Server

It results in the Public Resolution.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-07-04T13:38:42.787+00:00

Hello @Reinis Tropiņš ,

Thank you for the update.

So, you have a working setup with Azure Static webapp (i.e. thankful-glacier-01d9e0d03.1.azurestaticapps.net)?
And only the static webapp with FQDN - mango-field-9c2719f03.1.azurestaticapps.net is not working?

Or both the static websites are not getting resolved privately from your on-premises?

Regards,
Gita
Reinis Tropiņš 1 Reputation point

2022-07-05T06:37:24.723+00:00

Hello @GitaraniSharma-MSFT ,

None of the static Apps with custom domain name get resolved from on-premises.
Only when querying via Azure ADDS DNS Server which has the direct network link with the private zone.

We have around 15 Static Web Apps with Private endpoint connection, and custom domain name.
And none of them get forwarded to the Azure ADDS DNS server for resolution.

Regards,
Reinis.
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-07-05T14:16:55.603+00:00

Hello @Reinis Tropiņš ,

Thank you for the update.

Please allow me some time to discuss this issue with the backend team and get back to you with an update.

Regards,
Gita
GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator

2022-08-05T10:42:25.51+00:00

Hello @Reinis Tropiņš ,

Apologies for the delay in my response.

I discussed this case with the Azure Private endpoint PG team & Azure DNS PG team but looks like they are not aware of any known issues that could be causing this.

I checked internally and found that you also have a support case raised for this issue. I will track the case and also try to discuss it a bit further with the PG team to find the root cause of the issue. Will update this post once I have some inputs to share.

Regards,
Gita

Answer 2

Carlos Solís Salazar 18,196 MVP Volunteer Moderator

Hi @Reinis Tropiņš

Thank you for asking this question on the **Microsoft Q&A Platform. **

I have kind of an analogous situation in my environment.

I fix it by doing the conditional forward in my On-premises to my ADDS/DNS VM in Azure not to 168.63.129.16

If you already have the conditional forward in your ADDS/DNS VM in Azure to 168.63.129.16 you won't have any issue.

Hope this helps,
Carlos Solís Salazar

----------

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.

Reinis Tropiņš 1 Reputation point

2022-06-10T05:49:54.027+00:00

Hi,

Thanks for the answer, this is the setup we do have.
As I wrote in the initial post

However the issue shows up when trying to set up a Conditional forwarder in the other DNS server.

As described in the article we have a DNS conditional forwarder for the zone - azurestaticapps.net, that points to the Azure DNS virtual machine.

So the configuration is how it should work, but it doesn't work.

e.g.
Azure VM - 10.1.0.5 has Conditional forwarder pointing to - 168.63.129.16 for the zone azurestaticapps.net
On-prem VM - 10.1.1.5 has Conditional forwarder pointing to - 10.1.0.5 for the zone azurestaticapps.net

And it doesn't work.
As mentioned above, we have a private zone in Azure, let's say - contoso.lan, with all the A records, and for that zone, the conditional forwarders work with no issues whatsoever.
And the on-prem DNS server can resolve them.

So this is quite frustrating.
We have Private Network Endpoints marked down in the contoso.lan zone, and it all works as expected.

The big issue seems to be specifically with Azure Static Web Apps, with a Private Network Endpoint + Custom Domain added.

Share via

Azure Private DNS Conditional forwarders from on-prem/different cloud AD/DNS Server.

2 answers

Your answer