A discussion of DNS private resolver architecture, how it is leveraged for private resolution for Azure <-> Azure and Azure <-> On-Prem and other things including private DNS zones and conditional forwarding rules.
As presented to the Brisbane Azure Group by Rachel Calleia (https://www.linkedin.com/in/rachel-calleia-669439144/)
2. DNS is the phonebook of the internet and your private network.
3. Private DNS / DNS Private Resolver / Public DNS
Azure Private DNS / Private DNS Zones
Private DNS records support custom domains for the organization and private endpoints. You link virtual networks to these zones so records can be read.
Azure DNS Private Resolver
Allows you to extend your on-prem DNS infrastructure into Azure.
Allows you to query records in private DNS zones from an on-prem environment, and vice versa.
Azure DNS / DNS Zones
Used for public DNS records, e.g. we have a public record for api.org.edu.au pointing to the public IP of the application gateway which fronts the APIM.
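The "Private DNS" column above describes linking a private DNS zone to a virtual network and using it for private endpoints. The Bicep below is an added example (not from the deck) that does exactly that for a Key Vault: it creates the zone, links it to the hub VNet with registration disabled, and adds a private endpoint with a zone group so the endpoint's A record lands in the zone. `hubVnetId`, `keyVaultId` and `peSubnetId` are assumed parameters for resources that already exist; all names are placeholders.

```bicep
// Added example, not the deck's own code. hubVnetId, keyVaultId and peSubnetId are assumed to be
// resource ids of an existing hub VNet, Key Vault and spoke subnet.
param location string = resourceGroup().location
param hubVnetId string
param keyVaultId string
param peSubnetId string

// Azure's published private link zone name for Key Vault
resource kvZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.vaultcore.azure.net'
  location: 'global'
}

// The link is what makes the zone's records readable from the VNet. On-prem clients cannot link,
// which is why they resolve these records through the DNS Private Resolver's inbound endpoint.
resource kvZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: kvZone
  name: 'link-hub'
  location: 'global'
  properties: {
    registrationEnabled: false   // resolution only; auto-registration is for VM hostnames, not private link zones
    virtualNetwork: { id: hubVnetId }
  }
}

// Private endpoint for the Key Vault in a spoke subnet (placeholder names)
resource kvPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-kv-app'
  location: location
  properties: {
    subnet: { id: peSubnetId }
    privateLinkServiceConnections: [
      { name: 'kv', properties: { privateLinkServiceId: keyVaultId, groupIds: [ 'vault' ] } }
    ]
  }
}

// The zone group writes the endpoint's A record into the zone, so anything resolving through a
// linked VNet gets the private IP rather than the vault's public address.
resource kvPeZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = {
  parent: kvPe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'vault', properties: { privateDnsZoneId: kvZone.id } }
    ]
  }
}
```

Keeping the `privatelink.*` zones in the hub (as the deck's architecture slide suggests) and linking spokes only where they need resolution keeps the set of networks that can read private endpoint records small; a zone linked to a VNet that has no business reaching the endpoint leaks the private IP for no benefit.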
4. How to extend your on-prem DNS into Azure
IaaS supported
• Operational management: requires OS support such as patching etc.
PaaS supported
• Fully managed: built-in high availability, zone redundancy.
• Scalability: high performance per endpoint.
• Cost reduction: reduce operating costs and run at a fraction of the price of traditional IaaS solutions.
6. DNS Private Resolver Configuration - PaaS
A virtual network with dedicated inbound and outbound subnets, each a /28 CIDR range.
• 1 or more inbound endpoints are supported (each gets a dedicated, visible IP from the inbound subnet)
• 1 or more outbound endpoints are supported
DNS server configuration on your virtual network (hub and all spokes)
• For each inbound endpoint you have, you list its IP as a DNS server in your VNET config
Each outbound endpoint has a DNS forwarding rule set associated with it
• Multiple rules can exist within one rule set, i.e. multiple domains can be forwarded from the same outbound endpoint
7. DNS Forwarding Rule Sets
Rules
The individual rules in a ruleset determine how DNS names are resolved. Each rule has:
• A domain name
• A target IP address
• A target port and protocol (UDP or TCP)
Virtual Network Links
Virtual network links for DNS forwarding rulesets enable resources in other VNets to use the forwarding rules when resolving DNS names.
You link virtual networks to these rulesets so that the rules are considered when a query is evaluated.
For Hub-Spoke Topology (less management)
Only the VNET the DNS resolver is deployed into needs a link, because spokes send their queries to the hub's inbound endpoint; this is the central DNS approach.
For Non Hub-Spoke Topology e.g. legacy network infrastructure (more management)
Requires more admin of VNETs, forwarding ruleset links and private DNS zones, because each network that needs the rules must be linked individually.
DNS forwarding rulesets enable you to specify one or more custom DNS servers to answer queries for specific DNS namespaces.
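Slides 6 and 7 together describe one deployment: the two delegated /28 subnets, the resolver with an inbound and an outbound endpoint, a ruleset hanging off the outbound endpoint with one rule per forwarded domain, a ruleset link to the hub VNet only (hub-spoke), and spokes pointing their DNS server setting at the inbound endpoint IP. The Bicep below is an added example (not from the deck) that builds that arrangement end to end. All names, address ranges and the on-prem DNS server IPs are placeholders; peering between spoke and hub, and the ExpressRoute/VPN path to the on-prem servers, are assumed to exist already.

```bicep
// Added example, not the deck's own code. Names, CIDRs and on-prem DNS IPs are placeholders.
param location string = resourceGroup().location
param onPremDomain string = 'corp.example.internal.'   // forwarding rule domain names carry a trailing dot
param onPremDnsServers array = [ '10.200.0.10', '10.200.0.11' ]   // placeholder on-prem DNS server IPs

// Both resolver subnets must be delegated to Microsoft.Network/dnsResolvers
var resolverDelegation = [ { name: 'dnsResolvers', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]

// Hub VNet with the two dedicated /28 subnets from slide 6
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.100.0.0/24' ] }
    subnets: [
      { name: 'snet-dns-inbound', properties: { addressPrefix: '10.100.0.0/28', delegations: resolverDelegation } }
      { name: 'snet-dns-outbound', properties: { addressPrefix: '10.100.0.16/28', delegations: resolverDelegation } }
    ]
  }
}

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: { virtualNetwork: { id: hubVnet.id } }
}

// Inbound endpoint: the IP that on-prem conditional forwarders and spoke VNets send queries to
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'in-hub'
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Dynamic'   // allocated once from the subnet, then stays fixed
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'snet-dns-inbound') }
      }
    ]
  }
}

// Outbound endpoint: where forwarded queries leave from; the ruleset below is bound to it
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'out-hub'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'snet-dns-outbound') }
  }
}

resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'rs-onprem'
  location: location
  properties: { dnsResolverOutboundEndpoints: [ { id: outbound.id } ] }
}

// One rule per forwarded domain: name, target servers and port (slide 7); add more rules for more domains
resource onPremRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp-to-onprem'
  properties: {
    domainName: onPremDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [for ip in onPremDnsServers: { ipAddress: ip, port: 53 }]
  }
}

// Hub-spoke: only the hub VNet is linked, since spokes resolve through the hub's inbound endpoint
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-hub'
  properties: { virtualNetwork: { id: hubVnet.id } }
}

// Spoke VNet whose DNS server setting is the inbound endpoint IP (hub peering assumed, not shown)
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.101.0.0/24' ] }
    dhcpOptions: { dnsServers: [ inbound.properties.ipConfigurations[0].privateIpAddress ] }
  }
}

// Give this IP to the on-prem DNS team for their conditional forwarders (Azure private zones -> here)
output inboundEndpointIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

Two things worth checking in review before this goes live: every `targetDnsServers` entry should be one of the organization's own DNS servers (a forwarding rule is effectively a trust decision about who answers for that namespace), and a rule whose `domainName` is just `.` forwards every query the resolver cannot answer locally, so only add one if that catch-all behaviour is intended.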
Organization's on-prem network
Holds: on-prem DNS servers, other on-prem source DBs etc.
Hub Virtual Network
Holds: DNS Private Resolver, ExpressRoute, gateways, firewalls etc. Also the shared private link zones that many workloads across the enterprise would leverage for private resolution.
Spoke Virtual Network
Holds: spoke / application workload resources, e.g. app services and key vaults with private endpoints, and workload-specific managed DNS zones for both public resolution and private resolution.