I have an existing VWAN and single VHUb. The Existing setup. All that is shown here in Subscription A works great. The sub A hub does not have a Firewall at this time. The VNets that are peered with the existing Hub, all have their Vnet DNS set to 10.2.0.4 which is the lP of the Private DNS Resolver. The VNet of the Private DNS Resolver has our Private DNS zones linked and doesn't have any issues resolving private DNS. Now I am creating a second subscription with a new hub. The second subscription is to track costs for this new infrastructure. The new Hub (B) is attached to the existing VWAN. The new B Hub does have a Firewall attached. The firewall is a standard firewall, and has a policy with the DNS Proxy Enabled. The DNS proxy IP points to the Private DNS resolver peered with HUB A. The Vnet that is in Sub B and is peered with Hub B has its DNS pointing to the Firewall attached to the HUB B. The VM that is in Sub B is accessible via its private IP. I can run nslookup and resolve IPs if I add the server IP of the Private DNS Resolver. Works Great using the IP of the Private DNS Resolver The problem is when I'm using the FIREWALL as the DNS Proxy. Some of the Firewall Logs... There are time outs in the firewall logs when it tries to forward DNS queries to the DNS private resolver I know the two hubs are properly swapping and auto discovering routes. The VM can directly query the private resolver in the other hub, and I can connect to the VM from the other hub. I know the default route tables are working... And that's where I think this is failing. Looking at the default route table the CIDR of the Hub's B Network or IP of the Firewall is not automatically propagated via the hub which I think is causing my failure ? What are my options on resolving this ? Simple network diagram

DNS Resolution Issues across Hubs

Greg Bonk 41

I have an existing VWAN and single VHUb. The Existing setup. All that is shown here in Subscription A works great. The sub A hub does not have a Firewall at this time. The VNets that are peered with the existing Hub, all have their Vnet DNS set to 10.2.0.4 which is the lP of the Private DNS Resolver. The VNet of the Private DNS Resolver has our Private DNS zones linked and doesn't have any issues resolving private DNS.

Now I am creating a second subscription with a new hub. The second subscription is to track costs for this new infrastructure. The new Hub (B) is attached to the existing VWAN.
The new B Hub does have a Firewall attached. The firewall is a standard firewall, and has a policy with the DNS Proxy Enabled. The DNS proxy IP points to the Private DNS resolver peered with HUB A. User's image

The Vnet that is in Sub B and is peered with Hub B has its DNS pointing to the Firewall attached to the HUB B. User's image

The VM that is in Sub B is accessible via its private IP. I can run nslookup and resolve IPs if I add the server IP of the Private DNS Resolver.

Works Great using the IP of the Private DNS Resolver User's image

The problem is when I'm using the FIREWALL as the DNS Proxy. User's image

Some of the Firewall Logs...

User's image

There are time outs in the firewall logs when it tries to forward DNS queries to the DNS private resolver I know the two hubs are properly swapping and auto discovering routes. The VM can directly query the private resolver in the other hub, and I can connect to the VM from the other hub. I know the default route tables are working... And that's where I think this is failing. Looking at the default route table the CIDR of the Hub's B Network or IP of the Firewall is not automatically propagated via the hub which I think is causing my failure ? What are my options on resolving this ? Simple network diagram

KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2024-01-17T09:55:53.82+00:00
@Greg Bonk

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Your Environment:

Hub A and Private DNS Resolver are in Subscription A.

Hub B and Azure Firewall (Standard with DNS Proxy enabled and custom DNS as Private DNS Resolver) are in Subscription B.

Hub A and Hub B are created in same vWAN resource.

You are trying to do DNS Lookup from a VM connected to Hub B via Azure Firewall as Proxy - this fails.

However, when you directly query the Private DNS Resolver, this works.

Action Plan:

For testing, please add a Network Rule with
DestinationType as FQDN
Destination as <FQDN of the service you are trying to resolve>

Check if the above helps.

Can you specify the custom DNS server as 168.63.129.16 and check if that works or not?

Cheers,

Kapil
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2024-01-18T05:59:56.2733333+00:00

@Greg Bonk

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Greg Bonk 41 Reputation points

2024-01-18T21:40:14.7533333+00:00

Looks like my diagram didn't get uploaded. I'll take a look at the comment. But it sounds like you understand
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2024-01-22T06:54:22.7966667+00:00

@Greg Bonk

Could you please provide an update on this post?

Thanks,

Kapil
KapilAnanth-MSFT 39,366 Reputation points Microsoft Employee

2024-01-24T06:48:00.9366667+00:00

@Greg Bonk

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks, Kapil

Share via

DNS Resolution Issues across Hubs