Azure Private DNS allows DNS resolution across Azure virtual networks and hybrid scenarios. It provides name resolution for private domains within and between Azure virtual networks. The solution demonstrated used Azure Private DNS zones to enable name resolution across multiple virtual networks in a hub-spoke topology, including resolution between an on-premises network and Azure virtual networks. DNS forwarders were used to resolve names from on-premises to the Azure DNS system. While the solution addressed many scenarios, Azure Private DNS has limitations including supporting a single registration network per zone and conditional forwarding.
6. 6
Recall – DNS
• DNS (Domain Name System) resolves the names
of internet sites with their underlying IP
addresses
• Public DNS / Private DNS
EX: www.example.com => 12.34.56.78 (IPv4)
• DNS Servers :
• (Recursive) Resolver /
• Root Domain /
• Top Level Domain (TLD) /
• Authoritative nameserver
A DNS workflow (figure)
Credit: cloudflare.com
7. 7
Recall – DNS (2)
• IP vs FQDN
• Registrar
• DNS Zone
• DNS Records
• A
• AAAA
• CNAME
• PTR
• NS
• MX
• SRV
• TXT
• …
>nslookup www.google.com
Serveur : UnKnown
Address: fe80::a63e:51ff:fe7a:6dc6
Non authoritative answer:
Name: www.google.com
Addresses: 2a00:1450:4007:80c::2004
216.58.209.228
8. 8
Azure DNS
• Azure DNS: hosting service for DNS domains that provides name
resolution by using Microsoft Azure infrastructure.
• Manage your DNS records by using the same credentials, APIs, tools, and billing as other Azure services
Benefits
• Managed service
• RBAC
• Activity logging
• Resource locking
• Azure DNS supports all common DNS record types:
A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT
9. 9
Azure DNS Delegation
• Delegate the DNS resolution
responsibility to specific name
servers
• In the registrar's DNS
management page, edit the NS
records and replace the NS
records with the Azure DNS
name servers
10. 10
Azure DNS for private domains
• Use your own custom domain names rather than the
Azure-provided names, in private network space
• Service in public preview today
Benefits
• Managed service
• Automatic hostname record management
• Hostname resolution between virtual networks
• Split-horizon DNS support
11. 11
Azure DNS for private domains
Concepts
• Resolution virtual networks: VNETs that are allowed to resolve records within
the zone
• Registration virtual network: a VNET for which Azure DNS maintains hostname
records whenever a VM is created, changes IP, or is deleted
Other capabilities
• Reverse DNS lookup is supported within the virtual-network scope
12. 12
Azure DNS Private Zones scenarios
• Scenario: Name Resolution scoped to a single virtual network
13. 13
Azure DNS Private Zones scenarios
• Scenario: Name Resolution across virtual networks
16. 16
Context and Scenario
Enterprise context:
• Existing (legacy) IT infrastructure (on-premises)
• Additional (new) infrastructure in the Azure cloud
• Hybrid cloud connection, via VPN or ExpressRoute
• Multiple applications in the Cloud
• Multiple VNETs
• Hub & Spoke network topology
• DNS resolution necessary across VNETs
• DNS resolution necessary between on-prem
and cloud
Hub & Spoke VNET topology
18. 18
Solution - Architecture
(architecture diagram; labels: Azure, Hub vnet, Front VM, Forwarder DNS, Hub DNS zone, App 1 vnet, App DNS zone, App 2 DNS zone, App n DNS zone, Local LAN, Client VM, Local IS, ExpressRoute)
21. 21
Solution configuration
• Azure resources
• VNETs + peerings
• 3 vnets
• Hub-vnet
• Local-vnet
• App-vnet
• Spoke vnets are connected to the hub
vnet
• Azure DNS Private zones
• Each vnet hosts an Azure private DNS
zone
• Forwarder DNS servers (IaaS)
• 2 DNS forwarders in 1 availability set (avset)
• Test / Demo VMs
• 1 client Windows VM on the local-vnet
• 1 Linux Apache server on the app-vnet
• DNS Forwarder
• Bind server
• Forward all requests to Azure main
DNS service (168.63.129.16)
• Custom DNS Zones
• hub.gab2019.local
• local.gab2019.local
• app.gab2019.local
• www.app.gab2019.local
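As an added example (not the deck's own configuration), a BIND fragment for the forwarder VMs in the hub vnet, followed by the matching conditional-forward stanza an on-premises BIND server would carry so that on-prem clients can resolve the Azure zones. Address ranges, forwarder VM addresses and the choice of BIND on-premises are assumptions.

```conf
// --- Forwarder VM in the hub vnet (e.g. /etc/bind/named.conf.options) ---
// Assumed (not from the deck): on-prem range 10.0.0.0/8, Azure vnets 172.16.0.0/12.
acl "trusted" { 10.0.0.0/8; 172.16.0.0/12; localhost; };

options {
    directory "/var/cache/bind";

    // Send every query to the Azure-provided resolver. It answers for each private
    // zone linked to the hub vnet as a resolution vnet (hub/local/app.gab2019.local),
    // so the hub vnet must be a resolution vnet of every zone the forwarder serves.
    forwarders { 168.63.129.16; };
    forward only;          // never walk the public root servers from this VM

    // Recursion only for the enterprise ranges: the VM must not become an open resolver.
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
};

// --- On-premises BIND server: conditional forwarding for the Azure zones ---
// One parent stanza covers hub., local. and app.gab2019.local.
// Assumed addresses of the two forwarder VMs of the availability set: 172.16.0.4, 172.16.0.5.
zone "gab2019.local" {
    type forward;
    forward only;
    forwarders { 172.16.0.4; 172.16.0.5; };
};
```

Queries for 168.63.129.16 only succeed from inside an Azure vnet, which is why the forwarder VMs are required for the hybrid path.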
23. 23
Service limitations (as of today)
• Only one registration virtual network is
allowed per private zone
• Up to 10 resolution VNETs allowed per
private zone (preview limit)
• Reverse DNS works only for private IP
space in the registration VNET.
• Reverse DNS for a private IP that isn't
registered in the private zone returns
internal.cloudapp.net as the DNS suffix.
However, this suffix isn't resolvable.
• The VNET must be completely empty the first time
you link it
• However, the virtual network can then be non-empty for
future linking as a registration or resolution virtual
network, to other private zones.
• VM records are not viewable or retrievable from the
Azure PowerShell and Azure CLI APIs.
• They are indeed registered and will resolve successfully.
• Currently, conditional forwarding is not supported
• DNS delegation is not supported (in private DNS)
• Creation only via scripts
• DNSSEC not supported
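The registration/resolution concepts of slide 11 and the "creation only via scripts" constraint of slides 21 and 23, as an added example that is not the deck's own script: the preview-era Az.Dns cmdlets (New-AzDnsZone -ZoneType Private) create app.gab2019.local with app-vnet as its single registration vnet and the other two vnets as resolution vnets. Resource group name, vnet names, the Apache server address and the modelling of www.app.gab2019.local as an A record rather than a separate zone are assumptions.

```powershell
# Added example (not from the deck). Assumed: resource group "rg-gab2019",
# vnets hub-vnet / local-vnet / app-vnet already exist, Apache VM at 10.3.0.4.
$rg = "rg-gab2019"

# The three vnets of the hub-and-spoke topology.
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "hub-vnet"
$local = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "local-vnet"
$app   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "app-vnet"

# app.gab2019.local: app-vnet is the one registration vnet allowed per zone
# (Azure maintains A records for its VMs automatically); hub-vnet and local-vnet
# are resolution vnets. The hub vnet must be a resolution vnet of every zone so
# that the forwarder VMs in it can answer on-prem clients for all three zones.
# Preview limit: a vnet must be empty the first time it is linked to any private zone.
New-AzDnsZone -ResourceGroupName $rg -Name "app.gab2019.local" -ZoneType Private `
    -RegistrationVirtualNetworkId @($app.Id) `
    -ResolutionVirtualNetworkId  @($hub.Id, $local.Id)

# Static record for the web front end, next to the auto-registered VM records
# (which the PowerShell/CLI APIs cannot list, although they resolve).
New-AzDnsRecordSet -ResourceGroupName $rg -ZoneName "app.gab2019.local" -Name "www" `
    -RecordType A -Ttl 300 `
    -DnsRecords (New-AzDnsRecordConfig -IPv4Address "10.3.0.4")

# Check from the Windows client VM on local-vnet: resolution goes through the
# Azure-provided resolver 168.63.129.16, with no custom DNS setting on the vnet.
Resolve-DnsName -Name "www.app.gab2019.local" -Server 168.63.129.16
```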
24. 24
Our feedback
• For a full Azure environment the solution does not need any VM
• Records management via the portal makes management easier
• Create records using the Azure API: allows for more industrialized management
• No zone file to manage
• Today the service is not hyper scalable
• DNS Forwarder VM needed in hybrid scenarios
• Flat zone model only
26. 26
Conclusion
PROS
• Very good time-to-market, as a fully managed service
• Azure DNS addresses a large number of simple DNS scenarios
• Specific features like VM autoregistration augment productivity
CONS
• Service not completely mature as of today
• Hybrid complex scenarios require more investment