I'm trying to get a clearer picture of how DNS works in my Azure hub-spoke network setup. Specifically, I'm unsure about the relationship between various DNS configurations and which one is actually used for name resolution. Here's what I have: I have custom DNS services running on my domain controller, DNS forwarders in Active Directory, private DNS zones, and a private resolver. The hub and spoke virtual networks (VNets) are linked to private DNS zones as needed, and they utilize custom DNS servers (the DCs in Azure). The hub has an Azure private resolver configured. I've been told that when a private endpoint is created, the private DNS zone comes into play. However, I've also read that in my architecture, the Azure private DNS zone isn't used directly by VMs, and name resolutions must go through the domain controller. This has left me confused since I assumed the private DNS zones would handle resolutions for endpoints like *.blob.core.windows.net. Can someone clarify how these DNS elements work together?
3 Answers
You're right that the linked private DNS zones are only effective if you're actively using Azure DNS. In your case, all DNS requests are being processed by the custom DNS server (your domain controller) you set up. It's necessary to ensure that you have the right forwarding rules configured there to allow it to query Azure DNS for things like private endpoints. Ultimately, the proper flow should follow the path of your VM to the Domain Controller, then through the DNS resolver, and then to Azure DNS.
When you set a custom DNS on your VNet or VM, that DNS resolver is what will handle queries, not the linked private DNS zones. Basically, if you're using custom DNS that points to your domain controller, it takes charge of DNS resolution. The private DNS zones depend on Azure DNS, and if you're not using Azure DNS directly, then those private zones won't be utilized. For a spoke VM to resolve private endpoints correctly, you need to have a conditional forwarder set up to point to the DNS private resolver inbound IP, along with the appropriate private DNS records.
It's a bit confusing, but you're not wrong. The linked private DNS zones are stored and active in Azure, but since you've configured custom DNS, your VMs will use the domain controller to resolve queries instead. So when a DNS query happens, it flows from the VM to the Domain Controller, then, if configured correctly, through your forwarding setup to reach Azure DNS and retrieve records from the private DNS zones. Just keep in mind that the DC needs to know how to reach those Azure records for them to be resolved.
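The conditional forwarder and query path described in the answers above, as an added example (not code from the original thread): a PowerShell snippet for the Windows DNS role on the domain controller that creates forwarders for the privatelink zones pointing at the private resolver's inbound endpoint, then checks that a private endpoint name resolves to a private IP. The inbound IP, zone list and storage account name are placeholders you would replace with your own.

```powershell
# Added example, not from the original thread. Run on the domain controller /
# Windows DNS server that the hub and spoke VNets use as their custom DNS.
# Placeholder assumptions, replace with your own values:
#   $ResolverInbound  = inbound endpoint IP of the Azure DNS Private Resolver in the hub
#   $PrivateLinkZones = the privatelink private DNS zones linked to the hub VNet
$ResolverInbound  = "10.0.0.4"
$PrivateLinkZones = @(
    "privatelink.blob.core.windows.net",
    "privatelink.database.windows.net"
)

foreach ($zone in $PrivateLinkZones) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Host "Conditional forwarder for $zone already exists, skipping"
        continue
    }
    # Queries for the privatelink zone go to the resolver inbound endpoint, which
    # answers from the private DNS zones linked to the VNet it sits in (the hub).
    # ReplicationScope Forest stores the forwarder in AD so every DC gets it.
    Add-DnsServerConditionalForwarderZone -Name $zone `
        -MasterServers $ResolverInbound `
        -ReplicationScope "Forest"
}

# Verification, run on the DC itself. The public name is resolved through the
# DC's normal forwarders and comes back as a CNAME to
# <account>.privatelink.blob.core.windows.net; that name then hits the conditional
# forwarder above. Expected result: an A record with the private endpoint's VNet
# IP, not a public Azure IP. A public IP here means the forwarder, the zone link
# or the A record in the private DNS zone is missing.
$StorageAccount = "mystorageacct"   # placeholder
Resolve-DnsName -Name "$StorageAccount.blob.core.windows.net" -Server "127.0.0.1" -Type A |
    Select-Object Name, Type, NameHost, IPAddress
```

Repeat the Resolve-DnsName check from a spoke VM (without -Server) to confirm the spoke's VNet DNS setting really points at the DC and the full VM to DC to resolver to Azure DNS path works.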
