Is there any solution for this scenario?
Not resolving private dns zone over point to site VPN connection into Azure
Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.
My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.
I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:
vnet - depending on a couple of NSGs and the private DNS zone
virtual network gateway - depending on the gateway IP, vnet and the private dns zone
I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.
Anyone any ideas?
14 answers
Rob H 61 Reputation points
2021-08-28T12:55:33.717+00:00 I had this issue and spent 3 days trying to find an answer.
Setup was:
- The virtual network in Azure is assigned a local VM DNS server (internal IP)
- Azure VPN client showed the DNS server when connected, and ipconfig did NOT show the DNS server
- PowerShell Get-DnsClientNrptPolicy showed the correct local DNS server was assigned
- Could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution
- Followed every step for setting up DNS forwarders for file shares and privatelink
- Still could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution
The answer turns out to be ridiculously simple but took me 3 days to finally resolve. Modify the XML file that you download from the Azure portal for the VPN client to add the dnssuffixes you want resolved via the VPN (make sure to put the (.) before typing out the domain name):
<dnssuffixes>
<dnssuffix>.XXXXX.org</dnssuffix>
<dnssuffix>.core.windows.net</dnssuffix>
</dnssuffixes>
Nslookup immediately returned the correct internal IPs for every query. Since I had also set up an Azure file share and had set up the forwarders for it in the DNS server, I added the DNS suffix ".core.windows.net" and now mapping drives resolves to the internal IP. Anyway, I hope this helps, because this was a ridiculous problem I spent HOURS and HOURS trying to find an answer to.
Reference
https://zcusa.951200.xyz/en-us/azure/vpn-gateway/openvpn-azure-ad-client
How do I add DNS suffixes to the VPN client?
You can modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix> </dnssuffix></dnssuffixes> tags.
<azvpnprofile>
<clientconfig>
<dnssuffixes>
<dnssuffix>.mycorp.com</dnssuffix>
<dnssuffix>.xyz.com</dnssuffix>
<dnssuffix>.etc.net</dnssuffix>
</dnssuffixes>
</clientconfig>
</azvpnprofile>
Jose Armando Porto 11 Reputation points
2021-09-24T18:57:14.17+00:00 I'm having this problem when I try to access a Postgres DB via VPN. I already created a Private Link between Postgres and my VPN and I can access the DB using the IP assigned by the private link. However, can't access using the generated FQDN.
Any idea?
BR's
Pasquale De Vita 21 Reputation points
2022-02-28T21:09:58.647+00:00 From an earlier answer: https://zcusa.951200.xyz/answers/comments/602906/view.html
Virtual Network gateway actually does not work with private DNS zones and Azure DNS 168.63.129.16; you need to configure your own DNS proxy/forwarder.
We actually solved it with this workaround:
- Create a container instance called dns-forwarder with the CoreDNS Docker image that forwards all DNS requests to the internal Azure DNS 168.63.129.16
- Download the VPN configuration from the Azure portal and add a clientconfig section pointing to the DNS forwarder IP:
<clientconfig>
<dnsservers>
<dnsserver>DNS_FORWARDER_IP</dnsserver>
</dnsservers>
</clientconfig>
Here you can find our Terraform configuration https://github.com/pagopa/selfcare-infra/blob/main/src/core/vpn.tf and module https://github.com/pagopa/azurerm/tree/main/dns_forwarder
tested with:
- aks
- postgresql
- mysql
- storage account
- cosmos-db
- event-hub
- redis
PS: we hate virtual machines, so a container instance is the best choice for our workload, with isolated and fully self-contained products.
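As an added example (not code from any of the posters), the Python helper below applies both of the profile edits described in this thread to the XML downloaded from the portal: it adds the <dnssuffix> entries (forcing the leading dot Rob H points out) and, optionally, a <dnsserver> entry for a forwarder, creating <clientconfig> when it is missing and skipping entries already present. The sample profile, suffixes and forwarder address are constructed values.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the shape of an Azure VPN Client profile
# (hypothetical content, not a real portal download).
SAMPLE_PROFILE = """<azvpnprofile>
  <name>example-vpn</name>
  <clientconfig>
    <dnssuffixes>
      <dnssuffix>.core.windows.net</dnssuffix>
    </dnssuffixes>
  </clientconfig>
</azvpnprofile>"""


def _ensure_entries(parent, container, child, values):
    """Add <child>value</child> under <parent><container>, creating the
    container when needed and skipping values that are already present."""
    if not values:
        return
    node = parent.find(container)
    if node is None:
        node = ET.SubElement(parent, container)
    present = {e.text.strip() for e in node.findall(child) if e.text}
    for value in values:
        if value not in present:
            ET.SubElement(node, child).text = value
            present.add(value)


def add_dns_config(profile_xml, suffixes=(), dns_servers=()):
    """Return the profile XML with DNS suffixes and optional DNS server
    (forwarder) entries added under <clientconfig>."""
    root = ET.fromstring(profile_xml)
    if root.tag != "azvpnprofile":
        raise ValueError("not an Azure VPN client profile")
    cfg = root.find("clientconfig")
    if cfg is None:
        cfg = ET.SubElement(root, "clientconfig")
    # The client matches suffixes literally, so each one must start with a dot.
    normalized = [s if s.startswith(".") else "." + s for s in suffixes]
    _ensure_entries(cfg, "dnssuffixes", "dnssuffix", normalized)
    _ensure_entries(cfg, "dnsservers", "dnsserver", list(dns_servers))
    return ET.tostring(root, encoding="unicode")


def list_dns_suffixes(profile_xml):
    return [e.text for e in ET.fromstring(profile_xml).iter("dnssuffix")]


def list_dns_servers(profile_xml):
    return [e.text for e in ET.fromstring(profile_xml).iter("dnsserver")]
```

Running the function twice with the same values leaves the profile unchanged, so it is safe to re-apply after downloading a fresh profile.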
msrini-MSFT 9,286 Reputation points Microsoft Employee
2020-06-24T14:00:04.113+00:00 Hi @foxj77,
You cannot resolve DNS queries from P2S using Private DNS Zones. Here is the cheat sheet for DNS resolution in different scenarios and how you can achieve them: https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances
Let me know if you have any questions.
Regards,
Msrini