Not resolving private dns zone over point to site VPN connection into Azure

John Fox 21 Reputation points
2020-06-24T08:53:42.657+00:00

Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.

My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.

I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:

vnet - depending on a couple of NSGs and the private DNS zone

virtual network gateway - depending on the gateway IP, vnet and the private dns zone

I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.

Anyone any ideas?


14 answers

  1. Alexis (Wefight) 36 Reputation points
    2021-02-15T18:22:18.3+00:00

    Is there any solution for this scenario?

    5 people found this answer helpful.

  2. Rob H 61 Reputation points
    2021-08-28T12:55:33.717+00:00

    I had this issue and spent 3 days trying to find an answer.
    Setup was:

    1. The virtual network in Azure is assigned a local VM DNS server (internal IP)
    2. Azure VPN client showed the DNS server when connected and ipconfig did NOT show the DNS server
    3. PowerShell Get-DnsClientNrptPolicy showed the correct local DNS server was assigned
    4. Could not resolve any internal IP addresses in the Azure network as nslookup always used the LAN/WLAN DNS server for resolution
    5. Followed every step for setting up DNS forwarders for file shares and privatelink
    6. Still could not resolve any internal IP addresses in the Azure network as nslookup always used the LAN/WLAN DNS server for resolution

    The answer turns out to be ridiculously simple but took me 3 days to finally resolve. Modify the XML file that you download from the Azure portal for the VPN client to add the dnssuffixes you want resolved via the VPN (make sure to put the (.) before typing out the domain name):
    <dnssuffixes>
        <dnssuffix>.XXXXX.org</dnssuffix>
        <dnssuffix>.core.windows.net</dnssuffix>
    </dnssuffixes>

    Nslookup immediately returned the correct internal IPs for every query. Since I had also set up an Azure file share and had set up the forwarders for it in the DNS server, I added the DNS suffix ".core.windows.net" and now mapping drives resolves to the internal IP. Anyway, I hope this helps, because this was a ridiculous problem that I spent HOURS and HOURS trying to find an answer to.

    Reference
    https://zcusa.951200.xyz/en-us/azure/vpn-gateway/openvpn-azure-ad-client

    How do I add DNS suffixes to the VPN client?
    You can modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix> </dnssuffix></dnssuffixes> tags.

    <azvpnprofile>
      <clientconfig>
        <dnssuffixes>
          <dnssuffix>.mycorp.com</dnssuffix>
          <dnssuffix>.xyz.com</dnssuffix>
          <dnssuffix>.etc.net</dnssuffix>
        </dnssuffixes>
      </clientconfig>
    </azvpnprofile>

    5 people found this answer helpful.

  3. Jose Armando Porto 11 Reputation points
    2021-09-24T18:57:14.17+00:00

    I'm having this problem when I try to access a Postgres DB via VPN. I already created a Private Link between Postgres and my VPN and I can access the DB using the IP assigned by the Private Link. However, I can't access it using the generated FQDN.

    Any idea?

    BR's

    2 people found this answer helpful.

  4. Pasquale De Vita 21 Reputation points
    2022-02-28T21:09:58.647+00:00

    From an earlier answer: https://zcusa.951200.xyz/answers/comments/602906/view.html

    The virtual network gateway actually does not work with private DNS zones and Azure DNS 168.63.129.16; you need to configure your own DNS proxy/forwarder.

    We actually solved it with this workaround:

    1. create a container instance called dns-forwarder with the coredns docker image that forwards all DNS requests to the internal Azure DNS 168.63.129.16
    2. download the VPN configuration from the Azure portal and add a clientconfig section pointing to the DNS forwarder IP:
       <clientconfig>
         <dnsservers>
           <dnsserver>DNS_FORWARDER_IP</dnsserver>
         </dnsservers>
       </clientconfig>

    Here you can find our Terraform configuration https://github.com/pagopa/selfcare-infra/blob/main/src/core/vpn.tf and the module https://github.com/pagopa/azurerm/tree/main/dns_forwarder

    Tested with:

    1. aks
    2. postgresql
    3. mysql
    4. storage account
    5. cosmos-db
    6. event-hub
    7. storage account
    8. redis

    PS: we hate virtual machines, so a container instance is the best choice for our workload with isolated and fully self-contained products.

    2 people found this answer helpful.
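    Both Rob H's <dnssuffixes> edit above and Pasquale's <dnsservers> edit are hand-edits to the same downloaded profile XML. The following is an added example (not code from either answer, from Microsoft, or from the linked Terraform module) that makes that edit repeatable: it creates <clientconfig> if the profile lacks it, forces the leading dot on every suffix, and rejects any <dnsserver> value that is not an IP address, so a typo cannot silently point the client's name resolution somewhere else. The profile string is a constructed minimal sample, not a real download.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for a downloaded azvpnprofile.xml (real files carry more).
SAMPLE_PROFILE = """<azvpnprofile>
  <name>example-p2s</name>
  <serverlist>
    <ServerEntry><fqdn>example-gateway.vpn.azure.com</fqdn></ServerEntry>
  </serverlist>
</azvpnprofile>"""

def _child(parent, tag):
    """Return child <tag>, creating it when the profile lacks it."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node

def add_client_dns(profile_xml, suffixes=(), servers=()):
    """Add <dnssuffix>/<dnsserver> entries under <clientconfig> without duplicates."""
    root = ET.fromstring(profile_xml)
    if root.tag != "azvpnprofile":
        raise ValueError("not an Azure VPN client profile")
    cfg = _child(root, "clientconfig")
    if suffixes:
        box = _child(cfg, "dnssuffixes")
        seen = {e.text for e in box.findall("dnssuffix")}
        for raw in suffixes:
            name = raw.strip().strip(".")
            if not name:
                raise ValueError("empty DNS suffix")
            sfx = "." + name  # leading dot, as the answer above says the client expects
            if sfx not in seen:
                ET.SubElement(box, "dnssuffix").text = sfx
                seen.add(sfx)
    if servers:
        box = _child(cfg, "dnsservers")
        seen = {e.text for e in box.findall("dnsserver")}
        for raw in servers:
            ip = str(ipaddress.ip_address(raw.strip()))  # ValueError on anything but an IP
            if ip not in seen:
                ET.SubElement(box, "dnsserver").text = ip
                seen.add(ip)
    return ET.tostring(root, encoding="unicode")

def client_dns_settings(profile_xml):
    """Read back (suffixes, servers) from a profile, e.g. to verify an edit."""
    root = ET.fromstring(profile_xml)
    return ([e.text for e in root.iterfind("clientconfig/dnssuffixes/dnssuffix")],
            [e.text for e in root.iterfind("clientconfig/dnsservers/dnsserver")])
```

    Run add_client_dns on the profile you downloaded, write the returned string back to the file, and re-import it in the Azure VPN client; client_dns_settings lets you confirm what the file now carries before distributing it.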

  5. msrini-MSFT 9,286 Reputation points Microsoft Employee
    2020-06-24T14:00:04.113+00:00

    Hi @foxj77 ,

    You cannot resolve DNS queries from P2S using Private DNS Zones. Here is the cheat sheet for DNS resolution in different scenarios and how you can achieve them: https://zcusa.951200.xyz/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

    Let me know if you have any questions.

    Regards,
    Msrini
