How to resolve Private DNS Zone names while using Point to Site VPN

Sam Yande 1

I understand P2S VPN doesnt resolve private dns zone names by default but we need to resolve them as there is no corporate network or private dns server.

I heard the VPN client XML profile can include DNS zone configuration. Can you share a sample XML with such DNS config?

Greg Bonk 41

Edit: MacOS Azure VPN Client exported dnsssuffix and not dnssuffix

    <clientconfig>
        <dnssuffixes>
            <dnssuffix>.azurecr.io</dnssuffix>
            <dnssuffix>.azuredatabricks.net</dnssuffix>
            <dnssuffix>.azurestaticapps.net</dnssuffix>
            <dnssuffix>.1.azurestaticapps.net</dnssuffix>
            <dnssuffix>.2.azurestaticapps.net</dnssuffix>
            <dnssuffix>.azurewebsites.net</dnssuffix>
            <dnssuffix>.scm.azurewebsites.net</dnssuffix>
            <dnssuffix>.blob.core.windows.net</dnssuffix>
            <dnssuffix>.database.windows.net</dnssuffix>
            <dnssuffix>.datafactory.azure.net</dnssuffix>
            <dnssuffix>.dfs.core.windows.net</dnssuffix>
            <dnssuffix>.file.core.windows.net</dnssuffix>
            <dnssuffix>.postgres.database.azure.com</dnssuffix>
            <dnssuffix>.vault.azure.net</dnssuffix>
            <dnssuffix>.vaultcore.azure.net</dnssuffix>
            <dnssuffix>.wvd.microsoft.com</dnssuffix>
            <dnssuffix>.azurecontainerapps.io</dnssuffix>
        </dnssuffixes>
        <dnsservers>
            <dnsserver>10.2.0.4</dnsserver>
        </dnsservers>
    </clientconfig>
    ```

2 answers

Alan Kinane 16,806 Reputation points MVP

2022-07-22T16:06:23.82+00:00

Here's how to configure the DNS servers in the config file.

https://video2.skills-academy.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client#how-do-i-add-custom-dns-servers-to-the-vpn-client

Up to recently I believe you had to configure a DNS forwarder (VM in Azure acting as a DNS server) that is like to the private DNS zone. Azure DNS Server IP address is: 168.63.129.16

However, there is a new server (currently still in public preview) which may give you another option.

Have a look at Azure DNS private resolver - https://video2.skills-academy.com/en-us/azure/dns/dns-private-resolver-overview
Please sign in to rate this answer.
Sam Yande 1 Reputation point

2022-07-22T17:59:20.527+00:00

Tried option 1 and it's not working.

If I modify the profile xml and import it, it doesn't work. Perhaps I'm doing this wrong but I tried adding the dnssuffix snippet in variety of different ways, it doesnt work and cannot import the profile. Also after importing the profile if you make changes, does the VPN client read the xml file every time? Can you post a sample XML with the correct placement?

Need to explore private resolver, does it work in case of P2S VPN? I have currently no DNS server setup, once VPN is connected, does it not use DNS config of the VNET which is default (Azure Provided)

Alan Kinane 16,806 Reputation points MVP

2022-07-25T12:47:45.627+00:00

Hi Sam, I've just tested the DNS private resolver and yes it does with with P2S. You will need to deploy an inbound endpoint for your DNS private resolver.

Then in the XML file you specify the IP address of the inbound endpoint as your DNS server. You can also specify DNS suffixes if required. These must be in the 'clientconfig' section.

XML config example below:

<clientconfig> <dnsservers> <dnsserver>10.1.2.4</dnsserver> </dnsservers> <dnssuffixes> <dnssuffix>.alanco.com</dnssuffix> </dnssuffixes> </clientconfig>

Edit: Just published a new blog post to cover this exact scenario, hope it helps!
https://azurealan.ie/2022/07/26/how-to-query-a-private-dns-zone-over-point-to-site-connection-with-azure-dns-private-resolver/

Sam Yande 1 Reputation point

2022-08-04T17:33:06.3+00:00

Hi, my apologies for not getting back all this while.

I tried this but it's not working:

My setup.

Azure Private DNS zone created in VNet1 for abc.com with A record mypc.abc.com

Private resolver inbound and outbound endpoints created from VNet1 subnet

Azure DNS Forwarding Ruleset created for abc.com pointing to inbound endpoint IP of the resolver (10.0.17.4)

With VPN connected tried this:

nslookup mypc.abc.com 10.0.17.4
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.0.17.4

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

PS: I've not modified the azurevpnconfig.xml yet because I first thought of trying this manaually. Hope that is not a requirement?

Rodrigo Nogueira 11 Reputation points

2022-12-11T19:23:11.59+00:00

Thank you for you blog post. Helped me a lot. Works fine.
Sign in to comment

Raffaele Fanizzi 0 Microsoft Employee

Please, double check your XML. <dnsssuffix> nodes are wrong. Is dnssuffix and not dnsssuffix

Try the followings:

<dnssuffix>.azurecr.io</dnssuffix>
<dnssuffix>.azuredatabricks.net</dnssuffix>
<dnssuffix>.azurestaticapps.net</dnssuffix>
<dnssuffix>.1.azurestaticapps.net</dnssuffix>
<dnssuffix>.2.azurestaticapps.net</dnssuffix>
<dnssuffix>.azurewebsites.net</dnssuffix>
<dnssuffix>.scm.azurewebsites.net</dnssuffix>
<dnssuffix>.blob.core.windows.net</dnssuffix>
<dnssuffix>.database.windows.net</dnssuffix>
<dnssuffix>.datafactory.azure.net</dnssuffix>
<dnssuffix>.dfs.core.windows.net</dnssuffix>
<dnssuffix>.file.core.windows.net</dnssuffix>
<dnssuffix>.postgres.database.azure.com</dnssuffix>
<dnssuffix>.cognitiveservices.azure.com</dnssuffix>
<dnssuffix>.vault.azure.net</dnssuffix>
<dnssuffix>.vaultcore.azure.net</dnssuffix>
<dnssuffix>.wvd.microsoft.com</dnssuffix>
<dnssuffix>.azurecontainerapps.io</dnssuffix>
<dnssuffix>.notebooks.azure.net</dnssuffix>
<dnssuffix>.api.azureml.ms</dnssuffix>

Greg Bonk 41 Reputation points

2023-09-18T15:33:28.91+00:00
Wow, that's really weird. I checked my config file and it's correct, but I had used an export from the MacOS Azure Virtual Desktop and the tags are with and extra 's'

Import file is ok, but export is not. Thank you for the better eyes.

<dnsssuffix>

Share via

How to resolve Private DNS Zone names while using Point to Site VPN

2 answers