Azure Private DNS Zone Resolution from On-prem

Shola Lawani 531 Reputation points Microsoft Employee
2020-12-01T13:25:40.943+00:00

Hello experts,

When building an Azure private endpoint infrastructure (with an Azure Private DNS zone) that requires on-prem access, where the Azure VNet uses a custom DNS server from on-prem, Microsoft's recommendation as stated here https://video2.skills-academy.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder is that a conditional forwarder be set up to a DNS forwarder in Azure, which will then query the Azure private DNS via the IP 168.63.129.16.

My question is: is there no way an on-prem AD-DNS server can query the Azure Private DNS zone hosted by 168.63.129.16 without an extra hop?


Accepted answer
  1. GitaraniSharma-MSFT 49,006 Reputation points Microsoft Employee
    2020-12-02T12:46:59.287+00:00

    Hello anonymous user,

    It is correct that for on-premises workloads to resolve an FQDN of a private endpoint into the private IP address, you must use a DNS forwarder in Azure, which in turn is responsible for resolving all the DNS queries via a server-level forwarder to the Azure-provided DNS 168.63.129.16.

    If you check the table in Name resolution for resources in Azure virtual networks article, you can find the below:
    [image: table from the Name resolution article, nameresolutionfromonprem.jpg]

    Currently, there is no other way to accomplish this requirement but Azure Private DNS Zone resolution from OnPremise is planned and is on the roadmap. You can vote for this feature in the below forum:
    https://feedback.azure.com/forums/217313-networking/suggestions/36317164-azure-private-dns-zone-resolution-from-onpremise

    Hence, at the moment, you need to configure your on-premises DNS solution to forward DNS traffic to Azure DNS via a conditional forwarder that references the DNS forwarder deployed in Azure.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    3 people found this answer helpful.
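The two-hop setup described in the accepted answer, as an added example that is not part of the original thread: the Azure DNS forwarder VM gets a server-level forwarder to 168.63.129.16, and the on-prem AD-integrated DNS server gets a conditional forwarder for the privatelink zone only, followed by a resolution check from on-prem. The forwarder VM address 10.1.0.4, the zone privatelink.blob.core.windows.net, the storage account FQDN and the 10.* private range are assumptions for illustration; the cmdlets are the standard DnsServer and DnsClient module cmdlets on Windows Server.

```powershell
# Added example, not from the original thread. Assumed values:
#   $AzureForwarderIP  - private IP of the DNS forwarder VM inside the Azure VNet
#   $PrivateLinkZone   - the Azure Private DNS zone that is linked to that VNet
#   $TestFqdn          - FQDN of a private endpoint used to verify the chain
$AzureForwarderIP = '10.1.0.4'
$PrivateLinkZone  = 'privatelink.blob.core.windows.net'
$TestFqdn         = 'mystorageacct.blob.core.windows.net'

# --- Step 1: on the DNS forwarder VM in Azure (Windows DNS Server role) ---
# 168.63.129.16 is only reachable from inside the VNet, which is why the
# extra hop exists. A server-level forwarder is enough: the Azure-provided
# resolver applies the Private DNS zone's VNet link itself, so no conditional
# forwarder for the privatelink zone is needed on this VM.
# Run on the Azure VM, not on-prem:
#   Set-DnsServerForwarder -IPAddress 168.63.129.16 -UseRootHint $false

# --- Step 2: on the on-prem AD-integrated DNS server ---
# Forward only the privatelink zone; all other names keep using the existing
# forwarders, so public Azure names still resolve over the Internet.
if (-not (Get-DnsServerZone -Name $PrivateLinkZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $PrivateLinkZone `
        -MasterServers $AzureForwarderIP `
        -ReplicationScope 'Forest'   # AD-integrated, so every DC/DNS server gets it
}

# --- Step 3: verify from on-prem, through the local server ---
# The public name CNAMEs to the privatelink name; via the conditional
# forwarder that privatelink name must come back as the endpoint's private
# VNet address, not the public one.
$records = Resolve-DnsName -Name $TestFqdn -Type A -Server 127.0.0.1
$a = $records | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if ($a -and $a.IPAddress -like '10.*') {      # assumed VNet address space
    "OK: $TestFqdn -> $($a.IPAddress) (private endpoint via $AzureForwarderIP)"
} else {
    "FAIL: $TestFqdn did not resolve to a private address (got: $($a.IPAddress))"
}
```

Run Step 1 on the forwarder VM and Steps 2 and 3 on the on-prem DNS server. A common reason Step 3 returns the public IP is that the Private DNS zone is linked to the private endpoint's VNet but not to the VNet where the forwarder VM lives; the forwarder VM's VNet must carry the link, because 168.63.129.16 answers from the zones linked to the VNet of the querying VM.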

6 additional answers

Sort by: Most helpful
  1. Paul Finol 171 Reputation points
    2021-05-25T19:49:16.683+00:00

    I think the limitation is here:

    [screenshot: screenshot-2021-05-25-124519.jpg]


  2. Malloy, Cody 1 Reputation point
    2021-09-16T18:10:05.923+00:00

    @GitaraniSharma-MSFT do you have any update on the following?:

    "Currently, there is no other way to accomplish this requirement but Azure Private DNS Zone resolution from On-Premise is planned and is on the roadmap."

    We are trying to solve for this now, and wanted to know if this is still on the roadmap, and how near term we expect preview or private preview.

    Thanks!