Hi, I am trying to resolve to custom DNS name for virtual machines and SQL on VMs in my tenant; the structure is as follows: We have 2 subscriptions i.e. sub1 and sub2, the private DNS zone and VPN gateway are in sub1 whereas the VMs are in sub2. The VNet of sub1 is VNet 1 and of sub2 is VNet 2. The VNet 2 is peered with VNet1 (and some other VNets as well), the VPN gateway is point-to-site and connected to AWS VPC using site-to-site as well. Both VNet1 and VNet2 are added as virtual network links in the private DNS zone. Now when I connect to the VPN gateway using point-to-site connection, I am able to RDP to the machine using its private IP but when I try using the DNS name (whose A record is configured in the recordsets of private dns zone), it fails. I have tested from within VM in sub2 and I can perform nslookup on the DNS names and they resolve fine, but it no longer works when I am trying to resolve via VPN. Can someone explain what's wrong here? I am happy to share more details.

@Najam ul Saqib , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you are unable to resolve Private DNS Zone records from a remote device connected via P2S. This is an expected behavior. P2S and S2S Connected devices would not have the knowledge of Private DNS Zone records, and thus the resolution would fail. If you would like to provide DNS resolution for records contained in Private DNS Zone, Consider using Azure DNS Private Resolver or a VM acting as DNS Server in the Hub VNET (for both S2S and P2S) Refer to the highlighted section from the above diagram You should take care of your OnPrem (in your case, AWS VPC) forwarding the DNS requests to the Inbound EndPoint of Private DNS Resolver in case of S2S For P2S , you can consider adding DNS suffixes and custom DNS servers into the P2S Configuration file. The DNS Suffix should be the private DNS Zone name And custom DNS Server should be the InBound EndPoint. You can find a similar environment here : Azure Private Resolver with on-premises DNS forwarder While this architecture highlights private endPoints and their Private DNS Zones The same configuration can be applies for any Private DNS Zone that needs to be resolved from OnPrem via S2S or P2S. Please let us know if we can be of any further assistance here. Thanks, Kapil Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

Hello Even though you have virtual network links, the DNS servers in VNet1 need to know how to forward queries for the custom domain to the DNS servers in VNet2. This is typically done with conditional forwarding rules. so you can check the following links that may help you solve your problem https://learn.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview

Unable to resolve custom DNS name for virtual machines via VPN

Accepted answer

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-11-05T06:52:41.3466667+00:00
@Najam ul Saqib ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are unable to resolve Private DNS Zone records from a remote device connected via P2S.

This is an expected behavior.

P2S and S2S Connected devices would not have the knowledge of Private DNS Zone records, and thus the resolution would fail.

If you would like to provide DNS resolution for records contained in Private DNS Zone,

Consider using Azure DNS Private Resolver or a VM acting as DNS Server in the Hub VNET (for both S2S and P2S)

Refer to the highlighted section from the above diagram

You should take care of your OnPrem (in your case, AWS VPC) forwarding the DNS requests to the Inbound EndPoint of Private DNS Resolver in case of S2S

For P2S , you can consider adding DNS suffixes and custom DNS servers into the P2S Configuration file.

The DNS Suffix should be the private DNS Zone name

And custom DNS Server should be the InBound EndPoint.

You can find a similar environment here : Azure Private Resolver with on-premises DNS forwarder

While this architecture highlights private endPoints and their Private DNS Zones

The same configuration can be applies for any Private DNS Zone that needs to be resolved from OnPrem via S2S or P2S.

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.
Najam ul Saqib 340 Reputation points

2024-11-06T04:51:53.38+00:00

Thank you @KapilAnanth-MSFT for your suggestion.

I dont want to go with VM as DNS Server option if the same can be achieved using Private DNS Resolver because of maintenance and cost overhead associated to a VM.

The link you've shared talks about the situation when you've a DNS solution on-premise which is not the case here. We don't have any DNS solution on-premise, and only Azure Private DNS zones in the subscriptions. Anyone can connect using P2S VPN and there's no DNS forwarder on-premise.

As you mentioned P2S have no knowledge of Private DNS zones (is this mentioned somewhere in the official docs?) so I need some more specific help in configuring the DNS resolution system as I have spent so much time on this and now I am exhausted :/

You can assume that DNS requests are not coming in from AWS, and I have created a Private DNS resolver in the sub1;

What do I need to add in the inbound and outbound addresses? (remember the end goal is just to be able to resolve DNS over P2S VPN)

Do I need to make any changes to the VNet's DNS?

If I have to set it to private DNS zone how will it entertain Azure DNS queries? I hope those services won't stop working

Exactly what changes do I need to make to the VPN configuration file?

Do I need to make some changes on Azure portal as well?

If I want VPN file to be generated using the domain suffixes, how can that be achieved?

Thank you!

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-11-06T05:46:28.4566667+00:00

@Najam ul Saqib , You are welcome :)

Wrt, "The link you've shared talks about the situation when you've a DNS solution on-premise which is not the case here. We don't have any DNS solution on-premise, and only Azure Private DNS zones in the subscriptions."

This is why I mentioned "You should take care of your OnPrem (in your case, AWS VPC) forwarding the DNS requests to the Inbound EndPoint of Private DNS Resolver in case of S2S"

You should use a DNS forwarder to forward the requests specific to the Private DNS Zones

Alternatively, you can instead forward any and all DNS requests to the Inbound EndPoint

This does not need you to deploy a DNS forwarded at the OnPrem (everything as in "www.google.com" , "www.example.com")

However, in case of an issue with the S2S, you should make sure there is a local back up DNS Server

Wrt, "As you mentioned P2S have no knowledge of Private DNS zones (is this mentioned somewhere in the official docs?)"

Private DNS Zones are only linked to the Virtual Network, they are not extended to the S2S or P2S

See : What is an Azure Private DNS zone?

Remote Networks are not part of the Virtual Network itself

Remote Networks are an extension of the VNET and they always have their own DNS, Gateway etc.

To address your other queries,

1.What do I need to add in the inbound and outbound addresses? (remember the end goal is just to be able to resolve DNS over P2S VPN)

They are auto configured.

When you create the Private DNS Resolver, you can either set them as dynamic (any IP from the subnet) or static (you can pick a IP of your choice from the subnet)

2.Do I need to make any changes to the VNet's DNS? If I have to set it to private DNS zone how will it entertain Azure DNS queries? I hope those services won't stop working

Azure DNS queries are handled by Wireserver IP (Default)

Please note the Order of DNS Query here

The Default (Azure-provided) DNS server takes precedence over Private DNS Resolver.

So existing VMs in the VNET will not face any problems (provided the VNET is using Default DNS Server)

3.Exactly what changes do I need to make to the VPN configuration file?

Do I need to make some changes on Azure portal as well? - NO

If I want VPN file to be generated using the domain suffixes, how can that be achieved? - It's not supported as of now

You can instead modify a file and distribute it at scale instead of requesting users to download from the VPN Gateway directly.

A step by step instruction on how to set this up is provided in Resolve Azure and on-premises domains

Here, the Zone "azure.contoso.com." is used as an example against your scenario.

You can skip the steps with "OutboundEndPoint" and "RuleSet" creation.

You only have to

Create a Private DNS Resolver (this will need a subnet for InBoundEndPoint) in your HubVNET

Note the IP Address of the InBoundEndPoint

Use it as the DNS Server for OnPrem (S2S) - forward all requests to this IP.

For P2S,

Add it to the custom DNS servers of the P2S Configuration file.

Add the domain "azure.contoso.com." in DNS suffixes

Hope this helps

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Najam ul Saqib 340 Reputation points

2024-11-06T07:58:17.2066667+00:00

@KapilAnanth-MSFT

Thanks a bunch, I was able to resolve DNS locally using this, I have a couple more questions before I can proceed with accepting the answer and closing the question:

Even though via P2S I was able to RDP using DNS name which meant it was getting resolved, but when I ran nslookup on the DNS name it still returned the output of non-existent domain. Why so? I was able to run the nslookup and check private IP address from within the VM.

If we assign the dynamic IP to the inbound endpoint, do we need to update the VPN configuration file with the IP as it changes? How often the IP changes on a private DNS resolver?

What is the best practice to assign the subnet to private DNS resolver, how many IP addresses should be vacant in the subnet?

If I try to create a new subnet, and then assign a fixed IP from it, it throws error that its in reserved range, and if I use other subnet it complains that subnet is already connected to some other service.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-11-06T08:21:11.06+00:00

@Najam ul Saqib , glad we could be of service.

1 . Even though via P2S I was able to RDP using DNS name which meant it was getting resolved, but when I ran nslookup on the DNS name it still returned the output of non-existent domain. Why so? I was able to run the nslookup and check private IP address from within the VM.

I believe this behavior is expected and is similar to "nslookup" not respecting host file entry

What do you see as the DNS Server when you perform nslookup?

Is it the local/ISP's DNS server or the Inbound EndPoint's IP?

I believe, this is more related to the working of "nslookup" as a command than Azure or remote OS.

If you notice, the results of (from Powershell)

ping <VM'sFQDN>

Test-NetConnection -ComputerName <VM'sFQDN> -Port 3389

will give you the Private IP but nslookup may not

2 . a. If we assign the dynamic IP to the inbound endpoint, do we need to update the VPN configuration file with the IP as it changes?

Yes.

2 . b. How often the IP changes on a private DNS resolver?

See : Static and dynamic endpoint IP addresses

"reprovisioned" here indicates updating the InboundEndpoint, not Route Server as a whole

3 . What is the best practice to assign the subnet to private DNS resolver, how many IP addresses should be vacant in the subnet?

A subnet must be a minimum of /28 address space or a maximum of /24 address space.

See : Subnet restrictions

4 . a. If I try to create a new subnet, and then assign a fixed IP from it, it throws error that its in reserved range,

This is a restriction for any Azure subnet.

See : Create the inbound endpoint | If the endpoint IP address is static, it can be specified and reused if the endpoint is reprovisioned. The IP address that you choose can't be a reserved IP address in the subnet.

4 . b. and if I use other subnet it complains that subnet is already connected to some other service.

See : Subnet restrictions

The subnet can only be delegated to Microsoft.Network/dnsResolvers and can't be used for other services.

This means, the subnet should be exclusive to Inbound endpoint and cannot contain any other service such as VMs or VMSS

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Najam ul Saqib 340 Reputation points

2024-11-06T08:41:00.1066667+00:00

@KapilAnanth-MSFT

Accepting the answer, you can answer the following questions at your ease as the case is resolved:

If we dont update the inbound endpoint, it won't change the dynamic IP? If we just set one inbound endpoint and dont touch dns resolver again the IP wont change automatically right?

The nslookup in cmd prompt is showing the local DNS server, can it be configured to consider the VPN's DNS server?

The ping command does resolve to the private IP but then it returns timed out, why so? How can this be fixed?

Appreciation Note: Kapil, you're a super-hero on this platform. You understand the problem perfectly and suggest solutions in such an easy format. Kudos to you and to your dedication to help the community.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-11-06T10:02:09.1433333+00:00

@Najam ul Saqib - Thank you for your kind words. This means a lot to me :)

1 . If we dont update the inbound endpoint, it won't change the dynamic IP? If we just set one inbound endpoint and dont touch dns resolver again the IP wont change automatically right?

Correct

2 . The nslookup in cmd prompt is showing the local DNS server, can it be configured to consider the VPN's DNS server?

This is not a good idea

If you update the local DNS server to be the inbound endpoint, once P2S VPN gets disconnected - your remote servers would be unable to reach the inbound endpoint and every DNS queries to sites such as "github.com" and "linkedin.com" would fail

In my opinion, you can just let this be

3 . The ping command does resolve to the private IP but then it returns timed out, why so? How can this be fixed?

Do you want it to be allowed?

By default, ICMP Pings are blocked at OS level (in Windows) for security reasons

My intention was only to check the name resolution, not to check if ICMP Pings are allowed

For better security reasons, it's better to keep ICMP blocked.

If you still want to allow this for troubleshooting purposes, you can add an Allow rule in Windows Defender to allow ICMP explicitly

See : Create an inbound ICMP rule

Or use the command

netsh advfirewall firewall add rule name="ICMP Allow incoming V4" protocol=icmpv4:8,any dir=in action=allow

Make sure you do this in both the source and destination windows servers.

Hope this helps.

Cheers,

Kapil

Najam ul Saqib 340 Reputation points

2024-11-08T12:29:57.28+00:00

@KapilAnanth-MSFT Can you tell what changes do we need to make to access storage accounts over private endpoint in the same setup using P2S? I want that once connected to VPN I become able to access storage account access on portal/storage explorer but not without it. Currently, I cant access it with P2S having private resolver configured.

KapilAnanth-MSFT 47,046 Reputation points Microsoft Employee

2024-11-08T13:12:28.4866667+00:00

@Najam ul Saqib , sure.

Same configuration as you did for VMs.

In the P2S Configuration file,

Add the Inbound Endpoint to the custom DNS servers of the P2S Configuration file.

Add the domain ".blob.core.windows.net." in DNS suffixes

This for accessing the blobs within the storage account

For other services, you can refer to the Azure services DNS zone configuration

NOTE : Do you include "privatelink"

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.