Private DNS with P2S VPN Client

Hi. I have three VMs set up in Azure, and a private DNS zone set up. DNS works great between all the VMs. But when I use my P2S VPN client from my laptop to get into the Azure environment, the DNS doesn’t work. I can access the VMs by IP but not hostname. I was reading that it’s expected this won’t work, and I should use a DNS private resolver (or other), but I’m not quite sure how to configure it with the inbound/outbound endpoints. Anyone able to help me get going? Thanks!!

Try adding a manual DNS entry to your local machine.

e.g.
Windows - https://4it.com.au/kb/article/how-to-add-a-dns-entry-manually-to-a-windows-computer/

Azure DNS Resolver is expensive. I made a Docker container you can run on your VNet and set your VPN DNS to it. It will forward all requests to the Azure VNet DNS so you can resolve your internal DNS IPs like private endpoints and such. It’s fairly lean; cheap Azure Container Instances will do.

https://hub.docker.com/r/barrybahrami/azurednsforwarder

All you need is a single inbound private DNS resolver, take that IP that will be assigned or statically assign it, and use it as DNS server IP on your P2S VPN server config.

All DNS requests will now go to the inbound resolver IP. I suggest adding Azure’s public DNS IP, 168.63.129.16, as secondary unless you have a preferred vendor.

Watch out for costs ^

Private DNS Resolver (the managed service) is too expensive in most cases. We deployed a single Linux VM with CoreDNS on it to forward DNS requests to Azure DNS. All Private DNS Zones are linked to the VNet where the CoreDNS machine sits.

It’s also possible to use a Container Instance for that.
https://github.com/nielsams/azure-dns-forwarder

Hoping you see this (I know this post is 2 months old).

We currently push out scripts to update people’s hosts files, but it’s getting pretty old pretty fast.

We have deployed private endpoints to our storage accounts to private DNS zones. These zones all have a link to a virtual network that is peered to others.

I deployed your container in ACI and updated our Azure VPN config to include the dnsservers block.

An nslookup initially appears to be successful and returns the privatelink.blob.core.windows.net name, but if I try to access the blobs in Storage Explorer it returns as no known host.

nslookup output:

    nslookup xxx.blob.core.windows.net
    Server:   172.16.196.132   <- this is the ACI IP address
    Address:  172.16.196.132#53

    Non-authoritative answer:
    xxx.blob.core.windows.net canonical name = xxx.privatelink.blob.core.windows.net.

Any ideas what we might be missing?

Did you expose TCP or UDP 53 in ACI? That’s a big drawback in ACI: you can’t expose both TCP and UDP of the same port number for some stupid reason. Your nslookup is probably using TCP, so I am thinking you exposed that. But lookups *usually* use UDP. Guessing your Storage Explorer is using that.

Try spinning up a small VM, install Docker and then the DNS forwarder so you can expose both TCP and UDP.
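To make the point in the reply above concrete, here is an added example (not code from this thread, and not the code behind either of the linked forwarder images) of the kind of DNS forwarder the earlier Docker/ACI and CoreDNS replies describe: it binds the same port on UDP *and* TCP, relays every query unchanged to one upstream over UDP, and frames TCP answers with the 2-byte length prefix DNS over TCP requires. The upstream address 168.63.129.16 and the hostname xxx.blob.core.windows.net come from the thread; `EchoUpstream` is a constructed stand-in for the Azure resolver so the demo runs offline and answers with no records, and all function and class names are this example's own.

```python
import socket
import struct
import threading

AZURE_VNET_DNS = ("168.63.129.16", 53)  # Azure-provided resolver; reachable only from inside a VNet

def build_query(name, qtype=1, txid=0x1234):
    """Minimal wire-format query: 12-byte header (RD=1, QDCOUNT=1) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def tcp_frame(msg):
    """DNS over TCP (RFC 1035 4.2.2) prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def tcp_read_message(conn):
    # One length-prefixed DNS message from a TCP connection.
    (length,) = struct.unpack("!H", recv_exact(conn, 2))
    return recv_exact(conn, length)

def forward(query, upstream, timeout=3.0):
    """Send one query to the upstream over UDP; return the reply carrying the same transaction ID."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        while True:
            data, _ = s.recvfrom(4096)
            if data[:2] == query[:2]:  # drop stray or spoofed datagrams with the wrong ID
                return data

class Forwarder:
    # Same port on both transports, so UDP-first clients and TCP fallbacks both work.
    def __init__(self, host="0.0.0.0", port=53, upstream=AZURE_VNET_DNS):
        self.upstream = upstream
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind((host, port))
        self.port = self.udp.getsockname()[1]  # real port, also when 0 was requested
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.tcp.bind((host, self.port))
        self.tcp.listen(16)

    def start(self):
        for loop in (self._serve_udp, self._serve_tcp):
            threading.Thread(target=loop, daemon=True).start()

    def _serve_udp(self):
        while True:
            query, client = self.udp.recvfrom(4096)
            try:
                self.udp.sendto(forward(query, self.upstream), client)
            except OSError:
                pass  # upstream silent: let the client time out and retry

    def _serve_tcp(self):
        while True:
            conn, _ = self.tcp.accept()
            threading.Thread(target=self._handle_tcp, args=(conn,), daemon=True).start()

    def _handle_tcp(self, conn):
        with conn:
            try:
                conn.sendall(tcp_frame(forward(tcp_read_message(conn), self.upstream)))
            except OSError:
                pass

class EchoUpstream:
    """Constructed stand-in for 168.63.129.16 so the demo runs offline: echoes each query with QR set."""
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))
        self.address = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            q, client = self.sock.recvfrom(4096)
            self.sock.sendto(q[:2] + bytes([q[2] | 0x80]) + q[3:], client)

def query_tcp(server, name):
    # Client-side TCP lookup, used after a truncated UDP answer or by TCP-only clients.
    with socket.create_connection(server, timeout=3.0) as c:
        c.sendall(tcp_frame(build_query(name)))
        return tcp_read_message(c)

def run_offline_demo(name="xxx.blob.core.windows.net"):
    # Forwarder on loopback in front of the fake upstream, queried over UDP and then TCP.
    fwd = Forwarder("127.0.0.1", 0, upstream=EchoUpstream().address)
    fwd.start()
    server = ("127.0.0.1", fwd.port)
    return forward(build_query(name), server), query_tcp(server, name)

if __name__ == "__main__":
    # Real deployment: Forwarder().start() on a VNet host (root for port 53), then that host's private IP as the P2S DNS server.
    udp_ans, tcp_ans = run_offline_demo()
    print("UDP and TCP answers match:", udp_ans == tcp_ans)
```

The forwarder itself adds nothing the Azure resolver does not already do; its only job is to sit on an IP the VPN client address pool can reach, inside a VNet that is linked to the private DNS zones, and to be reachable on both transports. If you run it in ACI and can only publish one of UDP/53 or TCP/53, you reproduce exactly the split seen above: one client path works, the other fails. A quick check from the VPN client is to run the same lookup once over UDP and once forced onto TCP and confirm both return the privatelink CNAME.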

Thanks for the response. I have set it to UDP but happy to spin up a VM and test it in there instead. Will let you know!

Sorry it’s been a while. Got this working fine on a B1 Linux VM. Thank you!