Configuring DNS with Azure VPN Client and Private DNS Resolver to Resolve Private Endpoint DNS

Rémi Céraline 20

Hi,

I am attempting to configure a VPN client to resolve Azure DNS queries automatically.

The infrastructure is illustrated in the attached diagram.

diagrams-VPN

My goal is to run the following command on my laptop:

nslookup stvpn20250120.blob.core.windows.net

and retrieve the private IP address of the storage account.

Here is the setup I currently have:

A VPN Gateway
A Private DNS Resolver with an inbound endpoint
A storage account with a private endpoint

However, I consistently receive the public IP address when performing the nslookup query.

When I explicitly specify the DNS server IP address in the command, as shown below, I can successfully retrieve the private IP address:

nslookup stvpn20250120.blob.core.windows.net 10.0.3.4

I have modified my VPN profile with the configuration below. The VPN Gateway is set up to use OpenVPN, and everything functions as expected except for DNS resolution.


<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.datacontract.org/2004/07/">
...
  <clientconfig>
    <dnssuffixes>
        <dnssuffix>.azurecr.io</dnssuffix>
        <dnssuffix>.azuredatabricks.net</dnssuffix>
        <dnssuffix>.azurestaticapps.net</dnssuffix>
        <dnssuffix>.1.azurestaticapps.net</dnssuffix>
        <dnssuffix>.2.azurestaticapps.net</dnssuffix>
        <dnssuffix>.azurewebsites.net</dnssuffix>
        <dnssuffix>.scm.azurewebsites.net</dnssuffix>
        <dnssuffix>.blob.core.windows.net</dnssuffix>
        <dnssuffix>.database.windows.net</dnssuffix>
        <dnssuffix>.datafactory.azure.net</dnssuffix>
        <dnssuffix>.dfs.core.windows.net</dnssuffix>
        <dnssuffix>.file.core.windows.net</dnssuffix>
        <dnssuffix>.postgres.database.azure.com</dnssuffix>
        <dnssuffix>.vault.azure.net</dnssuffix>
        <dnssuffix>.vaultcore.azure.net</dnssuffix>
        <dnssuffix>.wvd.microsoft.com</dnssuffix>
        <dnssuffix>.azurecontainerapps.io</dnssuffix>
    </dnssuffixes>
    <dnsservers>
      <dnsserver>10.0.3.4</dnsserver>
    </dnsservers>
  </clientconfig>
...
</AzVpnProfile>

What am I missing? Is it possible to configure automatic DNS resolution to the Private DNS Resolver with a Point-to-Site VPN setup?

Thank you for your help.

89737969 0 Reputation points

2025-01-21T20:32:38.1433333+00:00
To configure DNS with Azure VPN Client and Private DNS Resolver to resolve Private Endpoint DNS, follow these steps:

Step 1: Create a Private DNS Zone

Go to the Azure portal and navigate to Private DNS zones.

Click + Create private DNS zone.

Enter the name of your private DNS zone (e.g., privatelink.azurewebsites.net).

Click Create.

Step 2: Create a Private Endpoint

Go to the Azure portal and navigate to Private endpoints.

Click + Create private endpoint.

Select the resource type (e.g., Azure Web App).

Select the resource (e.g., your web app).

Select the private DNS zone created in Step 1.

Click Create.

Step 3: Configure Private DNS Resolver

Go to the Azure portal and navigate to Private DNS resolvers.

Click + Create private DNS resolver.

Enter the name of your private DNS resolver.

Select the virtual network where your Azure VPN Client is deployed.

Click Create.

Step 4: Configure Azure VPN Client

Install the Azure VPN Client on your device.

Connect to your Azure VPN gateway.

Go to the Azure portal and navigate to Virtual networks.

Select the virtual network where your Azure VPN Client is deployed.

Click Subnets and select the subnet where your Azure VPN Client is deployed.

Click Edit and add the private DNS resolver IP address to the DNS servers field.

Step 5: Test DNS Resolution

Open a command prompt or terminal on your device.

Run the command nslookup <private-endpoint-name>.<private-dns-zone-name> (e.g., nslookup mywebapp.privatelink.azurewebsites.net).

Verify that the private endpoint IP address is resolved correctly.

Additional Configuration Options

Conditional forwarding: Configure conditional forwarding to forward DNS queries for specific domains to the private DNS resolver.

DNS caching: Enable DNS caching on the private DNS resolver to improve DNS query performance.

Security: Configure security settings, such as access control lists (ACLs), to restrict access to the private DNS resolver.

By following these steps, you should be able to configure DNS with Azure VPN Client and Private DNS Resolver to resolve Private Endpoint DNS.
Praveen Bandaru 75 Reputation points Microsoft Vendor

2025-01-22T08:17:20.21+00:00
Hello Rémi Céraline

Greetings!

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Adding additional information for above response.

Thank you for bringing the DNS resolution issue to our attention. To assist further, could you please provide the following information:

Are the Private DNS resolver and private endpoint in the same VNET?

If they are in the same VNET, which DNS are you using (custom DNS or Azure provided DNS)?

Could you share a screenshot of the nslookup results?

Please verify whether the private endpoint VNET is linked in the private DNS zone. If the Private DNS resolver and private endpoint are in different VNETs, ensure both VNETs are linked in the private DNS zone.

For further understanding how to configure a private endpoint kindly check the reference doc:
https://github.com/msrini-MSFT/Troubleshooting-Private-Link-DNS-Scenarios?tab=readme-ov-file#scenario-2---if-your-source-machine-is-deployed-on-premises-other-cloud

Regards,

Praveen
Rémi Céraline 20 Reputation points

2025-01-22T14:53:02.76+00:00
Hello @Praveen Bandaru

Thank you for your response.

Please refer to the attached diagram to better understand the infrastructure. I have included it again for reference and will address your questions below:

Yes, to keep things simple, this setup includes only one VNET.

I performed tests with both Azure-provided DNS and custom DNS using the DNS inbound endpoint IP: 10.0.3.4.

The primary difference is that when I used custom DNS, the DNS server was automatically specified in the VPN profile upon download.

I tested the solution both with the profile as-is and after updating it to specify the DNS suffixes, but the results remained the same.

Here nslookup with default DNS and with 10.0.3.4.

Yes, the VNET is correctly linked to the private DNS zone.

After conducting multiple tests, I am confident that the Azure configuration is correct. I suspect the issue lies on the client side. Specifically, I am unclear about how Windows determines which DNS server to use.

Here’s why I believe the Azure setup is correct:

When I manually specify the DNS server in the nslookup command, it correctly resolves the private IP address (see previous screenshot).

From my research, the issue might be related to the Name Resolution Policy Table (NRPT) in Windows. When I run the command Get-DnsClientNrptPolicy, it displays the list of domain names with the correct DNS server assigned, but the resolution still doesn’t work as expected. This concept is new to me, so I’m not entirely sure how it is supposed to function or if it’s being applied correctly.

I also came across information about the InterfaceMetric value, which determines the priority of network interfaces in Windows. This concept is also new to me, but I adjusted the VPN interface to have the highest priority by assigning it a value of 1 for the InterfaceMetric. Unfortunately, this change did not resolve the issue either.

Finally, the only solution that worked was updating the DNS setting on my default network interface to 10.0.3.4. Unfortunately, this is not an ideal solution because as soon as I disconnect from the VPN, DNS resolution stops working entirely.

What are your thoughts on this?

Rémi

Rémi Céraline 20

I figured it out! It turns out nslookup was ignoring the NRPT, and everything was already working as expected.

I switched to using Resolve-DnsName instead of nslookup, and I was able to retrieve the correct IP address.

User's image In summary, the key is to configure the VPN profile with the necessary values, and it will work as expected. In my case, I only needed the .blob.core.windows.net suffix, but I included all of them to account for the possibility of deploying additional private endpoints in the future.


<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.datacontract.org/2004/07/">
...
<clientconfig>
    <dnssuffixes>
      <dnssuffix>.azurecr.io</dnssuffix>
      <dnssuffix>.azuredatabricks.net</dnssuffix>
      <dnssuffix>.azurestaticapps.net</dnssuffix>
      <dnssuffix>.1.azurestaticapps.net</dnssuffix>
      <dnssuffix>.2.azurestaticapps.net</dnssuffix>
      <dnssuffix>.azurewebsites.net</dnssuffix>
      <dnssuffix>.scm.azurewebsites.net</dnssuffix>
      <dnssuffix>.blob.core.windows.net</dnssuffix>
      <dnssuffix>.database.windows.net</dnssuffix>
      <dnssuffix>.datafactory.azure.net</dnssuffix>
      <dnssuffix>.dfs.core.windows.net</dnssuffix>
      <dnssuffix>.file.core.windows.net</dnssuffix>
      <dnssuffix>.postgres.database.azure.com</dnssuffix>
      <dnssuffix>.vault.azure.net</dnssuffix>
      <dnssuffix>.vaultcore.azure.net</dnssuffix>
      <dnssuffix>.wvd.microsoft.com</dnssuffix>
      <dnssuffix>.azurecontainerapps.io</dnssuffix>
    </dnssuffixes>
    <dnsservers>
      <DnsServerEntry>
        <dnsserver>10.0.3.4</dnsserver>
      </DnsServerEntry>
    </dnsservers>
    <excluderoutes i:nil="true" />
    <includeroutes i:nil="true" />
  </clientconfig>
...
</AzVpnProfile>

Accepted answer

Praveen Bandaru 75 Reputation points Microsoft Vendor

2025-01-24T10:33:55.8533333+00:00

Hello Rémi Céraline

Greetings!

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

Please click "Accept" the answer as original posters help the community find answers faster by identifying the correct answer.

Issue: Configuring DNS with Azure VPN Client and Private DNS Resolver to Resolve Private Endpoint DNS

Resolution:

From your research, the issue might be related to the Name Resolution Policy Table (NRPT) in Windows. When you run the command Get-DnsClientNrptPolicy, it displays the list of domain names with the correct DNS server assigned, but the resolution still doesn’t work as expected.

You adjusted the VPN interface to have the highest priority by assigning it a value of 1 for the InterfaceMetric.

It appears that your machine is using the DNS from the default network interface, which is 192.168.2.1. As a result, the default networking interface resolution is directing traffic to the public network. Additionally, it seems that nslookup was ignoring the NRPT.

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Thanks,

Praveen
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Configuring DNS with Azure VPN Client and Private DNS Resolver to Resolve Private Endpoint DNS

0 additional answers

Your answer