Hey folks, I have Private DNS Zones for Blob and DFS resources in Azure and have an Azure policy which automates the integration of PEs with DNS zone. But what happening is that whenever I am creating a new PE of the same resource type (let's say blob) the existing entry in DNS zone is getting overridden by the IP address of the newly integrated PE. Is this an expected behavior? Shouldn't it be ' Appending ' the zone if they already exist rather than overriding it because Private DNS Zones support 20 records per record set for private DNS zones as specified here . I have tested it through GUI as well as Terraform but same in both of the cases. Any help with this will be helpful. Cheers! Apurva Pathak

@Apurva Pathak Thank you for reaching out. Based on your question above. I understand that you have an existing Azure Private DNS zone for Blob and DFS services and you have an Azure policy which automates the integration of PEs with DNS zone. But whenever you are creating a new PE of the same resource type (let's say blob) the existing entry in DNS zone is getting overridden by the IP address of the newly integrated PE. This actually expected behavior and it is currently documented here . Hope this helps. Please let me know if you have any question. Thank you!

Azure Private DNS Zone A record sets are getting overridden

Accepted answer

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-04-29T23:46:42.43+00:00

@Apurva Pathak

Thank you for reaching out.

Based on your question above. I understand that you have an existing Azure Private DNS zone for Blob and DFS services and you have an Azure policy which automates the integration of PEs with DNS zone. But whenever you are creating a new PE of the same resource type (let's say blob) the existing entry in DNS zone is getting overridden by the IP address of the newly integrated PE.

This actually expected behavior and it is currently documented here.

Hope this helps. Please let me know if you have any question. Thank you!
Please sign in to rate this answer.

1 person found this answer helpful.
Apurva Pathak 315 Reputation points

2024-04-30T06:38:30.12+00:00

Hi @ChaitanyaNaykodi-MSFT ,

Thanks a lot for helping!

Is there any way to overcome this limitation please?

Thanks a lot!

Apurva Pathak 315 Reputation points

2024-04-30T07:27:17.8866667+00:00

Hi @ChaitanyaNaykodi-MSFT ,

Thanks a lot for helping!

Is there any way to overcome this limitation please?

Thanks a lot!

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-04-30T19:46:14.18+00:00

@Apurva Pathak

Thank you for getting back. This is actually a limitation by design, currently there is no way to overcome the limitation.It will definitely help if you could log feedback regarding this on Azure feedback portal

Thanks

Apurva Pathak 315 Reputation points

2024-05-01T11:35:21.81+00:00

Thanks @ChaitanyaNaykodi-MSFT ,

One last thing, if we have more than 1 one IPs in the Private DNS Zone, and one of them is unreachable from the source host, will DNS zone resolution automatically failover the resolution to the IP(s) which are connectable.

Thanks in advance!

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-05-03T19:26:41.4933333+00:00

@Apurva Pathak

Thank you for getting back.Based on your question above

One last thing, if we have more than 1 one IPs in the Private DNS Zone, and one of them is unreachable from the source host, will DNS zone resolution automatically failover the resolution to the IP(s) which are connectable.

As per my understanding from your question. There can be multiple reasons due to which a service can be unreachable from source host eg. A Firewall can be blocking the connection etc. So, I do not think DNS can help in such scenario where the service is unreachable from the host.

Please let me know if I miss-understood your question, we will gladly continue with our discussion.

Apurva Pathak 315 Reputation points

2024-05-06T08:00:13.78+00:00

@ChaitanyaNaykodi-MSFT

Apologies but what I meant was, if I have two IPs configured in a DNS zone and if one of them is unreachable for any reason, but the other one is reachable from client. So, I try to query the zone will the I resolution of the DNS failover to the reachable IP automatically.

Thanks,

Apurva Pathak

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-05-08T23:59:22.11+00:00

@Apurva Pathak

Thank you for the clarification above.

No in the scenario above the resolution of the DNS will not failover to the reachable IP.

Although if for some reason the private endpoint gets deleted then all the DNS records within the DNS zone group are deleted. In this scenario the other IP will be used for DNS resolution. This statement is currently documented here

Hope this helps! Thank you!

Apurva Pathak 315 Reputation points

2024-05-09T07:35:25.84+00:00

Hi @ChaitanyaNaykodi-MSFT ,

Thanks for the response, but isn't it a bit weird? Because, if the resolution cannot failover, then what is the benefit of having more than one IP in the record.
Moreover, is there any concept of precedence in place for DNS resolution. For e.g. if I have two IPs in zone and both are reachable which IP will DNS resolve to.

Thanks

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-05-10T03:01:41.3466667+00:00

@Apurva Pathak

Thank you for getting back. I am checking the internally regarding this issue and will get back to you soon.

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-05-15T14:51:43.1933333+00:00

@Apurva Pathak

Thank you for your patience here.

Because, if the resolution cannot failover, then what is the benefit of having more than one IP in the record. Moreover, is there any concept of precedence in place for DNS resolution. For e.g. if I have two IPs in zone and both are reachable which IP will DNS resolve to.

The benefit of having multiple IP is that when the client request the DNS resolution the client will receive all the IPs from the A record of the DNS zone. Client usually picks up the first IP address but depending on how the client is designed to behave if the this first IP address results is not reachable the Client can use the other IPs for DNS resolution.

Hope this helps! Thank you!

Apurva Pathak 315 Reputation points

2024-05-15T14:55:42.59+00:00

Hi @ChaitanyaNaykodi-MSFT ,

Thank you so much for your the clarification!

Which means that if there are multiple IP addresses in the A record, and the very first IP is not reachable then the resolution will failover to the reachable IP addresses?

Is my understanding correct please? If yes, could you please share any doc pertaining to the same.

Thanks a ton!

ChaitanyaNaykodi-MSFT 23,341 Reputation points Microsoft Employee

2024-05-16T01:33:16.8766667+00:00

@Apurva Pathak Thank you for getting back.

Which means that if there are multiple IP addresses in the A record, and the very first IP is not reachable then the resolution will failover to the reachable IP addresses?

Yes, but this will happen at the client side and DNS server will provide all the IP address. I checked but as this is client-side behavior, I do not think we have a documentation for this specific scenario.

Hope this helps! Thank you!

Apurva Pathak 315 Reputation points

2024-05-16T07:39:34.54+00:00

Thanks a lot! @ChaitanyaNaykodi-MSFT
Sign in to comment

Share via

Azure Private DNS Zone A record sets are getting overridden

0 additional answers