question

3 Votes
foxj77 asked · PeterBursky-9133 commented

Not resolving private dns zone over point to site VPN connection into Azure

Having issues getting a private DNS setup, attached to a vnet, to resolve over a point to site VPN connection.

My point to site VPN connection is working and I am able to ping the IP and get to IIS on the server. I've set the private DNS up and it's attached to the vnet with the machines automatically registering in the DNS fine. The domain resolves fine from within the vnet/vm but not from across the point to site VPN.

I'm deploying the setup using an ARM template and have the following dependencies to see if that makes a difference:

vnet - depending on a couple of NSGs and the private DNS zone

virtual network gateway - depending on the gateway IP, vnet and the private dns zone

I've waited for everything to deploy and then downloaded, installed and connected the VPN. Connects fine but just no DNS resolution from the private zone.

Anyone any ideas?

azure-virtual-network · azure-vpn-gateway · azure-dns

Usually the VPN client will inherit the DNS servers configured on the VNet. I’m wondering if this doesn’t apply to Private DNS.

1 Vote 1 ·

I can confirm that this works for me, I changed the DNS server configured on my VNet.

You can confirm it working with this PowerShell command: Get-DnsClientNrptPolicy
It should show you your nameservers. Keep in mind that you need to have the client VPN tunnel active while running the command.

0 Votes 0 ·

Are you using SSTP or OpenVPN?

0 Votes 0 ·
0 Votes
msrini-MSFT answered · PaweSokoowski-2452 commented

Hi @foxj77 ,

You cannot resolve DNS queries from P2S using Private DNS Zones. Here is the cheat sheet for DNS resolution in different scenarios and how you can achieve them: https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances

Let me know if you have any questions.

Regards,
Msrini


Can you provide any tips on how to configure DNS in such a scenario?

1 Vote 1 ·
5 Votes
AlexisBel answered · Umesh-2358 commented

Is there any solution for this scenario?


^I'd like to get on this request also.

1 Vote 1 ·

I'm here with the same problem.
Does anybody have a good solution?
It's very strange that no VPN client (OpenVPN, IKEv2) sets up a DNS server for the VPN...

1 Vote 1 ·

Gave up and deployed an OpenVPN appliance in the same subscription. It allows you to pass through DNS exactly as you'd expect/need. I don't think the Azure VPN Client Point to Site solution is purpose built like we need it to be. An even bigger issue is the inability to force MFA per launch (the Azure VPN client holds a token) and despite some crafty hacks it's clear we should be using something a little bit more....robust. Sorry that's probably not the answer you wanted to hear.

2 Votes 2 ·

Can you share your OpenVPN configuration for pass through DNS ? What would be the IP address of the DNS server I need to configure on my desktop ?

0 Votes 0 ·
2 Votes
RobH-8309 answered · Seanyao-4164 commented

I had this issue and spent 3 days trying to find an answer.
Setup was:
1. The virtual network in Azure is assigned a local VM DNS server (internal IP)
2. Azure VPN client showed the DNS server when connected, and ipconfig did NOT show the DNS server
3. PowerShell Get-DnsClientNrptPolicy showed the correct local DNS server was assigned
4. Could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution
5. Followed every step for setting up DNS forwarders for file shares and Private Link
6. Still could not resolve any internal IP addresses in the Azure network, as nslookup always used the LAN/WLAN DNS server for resolution

The answer turns out to be ridiculously simple but took me 3 days to finally resolve. Modify the XML file that you download from the Azure portal for the VPN client to add the dnssuffixes you want resolved via the VPN (make sure to put the (.) before typing out the domain name):

<dnssuffixes>
    <dnssuffix>.XXXXX.org</dnssuffix>
    <dnssuffix>.core.windows.net</dnssuffix>
</dnssuffixes>

Nslookup immediately returned the correct internal IPs for every query. Since I had also set up an Azure file share and had set up the forwarders for it in the DNS server, I added the DNS suffix ".core.windows.net" and now mapping drives resolves to the internal IP. Anyway, I hope this helps, because this was a ridiculous problem I spent HOURS and HOURS trying to find an answer to.

Reference
https://docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client

How do I add DNS suffixes to the VPN client?
You can modify the downloaded profile XML file and add the <dnssuffixes><dnssuffix> </dnssuffix></dnssuffixes> tags.

<azvpnprofile>
  <clientconfig>
    <dnssuffixes>
      <dnssuffix>.mycorp.com</dnssuffix>
      <dnssuffix>.xyz.com</dnssuffix>
      <dnssuffix>.etc.net</dnssuffix>
    </dnssuffixes>
  </clientconfig>
</azvpnprofile>


I'm trying here to confirm the work done by @RobH-8309 above.

Context & status before trying:

What I deployed:
- I deployed a private AKS cluster to a subscription
- Kubernetes API Server DNS address is: "<myClusterName>-dns-<someGUID>.privatelink.northeurope.azmk8s.io"
- AKS creates a private endpoint for the API Server which refers to a private IP in the k8s subnet. This is the API Server endpoint of my k8s cluster (IP=10.1.0.4)
- AKS also creates a private DNS zone that links the cluster's DNS address to the IP given above
- I also deployed a Virtual Network gateway supporting P2S VPN.

What I want to achieve:
- using kubectl/Lens on my local workstation to access the API Server of the cluster

Problem:
- az aks get-credentials creates the required credentials on my local laptop BUT it references the DNS name of the API Server, not the IP address
- And since this is not propagated via the VPN client, I'm stuck

Let me note that point:
- My problem is related to AKS/Kubernetes, but the underlying problem is always the same: DNS name in private DNS zone not propagated via VPN client

Now trying to reproduce:
- Downloaded VPN client from Azure portal and unzipped
- Opened VpnSettings.xml from the ./Generic folder
- File did not contain any <dnssuffixes> tags but a <CustomDnsServers>

Summary so far: the approach of @RobH-8309 does not work when the VPN client is downloaded via the Azure portal. Will investigate more options.

1 Vote 1 ·

I had the same issue. Adding the dnssuffixes in the XML doesn't fix the issue. The private endpoint names are still resolved to the public addresses. :(

0 Votes 0 ·
0 Votes
Umesh-2358 answered

I am having the same problem. I have a private DNS configured to access Azure Container Registry and I am planning to use the same to access VMs from a point-to-site VPN connection. I am able to connect to VMs using the IP address, but name resolution doesn't happen. I am using a macOS desktop and the macOS VPN client, not the Azure VPN client. Any suggestions?

2 Votes
JoseArmandoPorto-0117 answered · PeterBursky-9133 commented

I'm having this problem when I try to access a Postgres DB via VPN. I already created a Private Link between Postgres and my VPN and I can access the DB using the IP assigned by the private link. However, I can't access it using the generated FQDN.

Any idea?

BR's


The Virtual Network gateway actually does not work with private DNS zones (somewhere there is a feature request, but I lost the link).

Actually we solved the issue with this workaround:
1. create a container instance called dns-forwarder with the CoreDNS Docker image that forwards all DNS requests to the internal Azure DNS 168.63.129.16
2. download the VPN configuration from the Azure portal and add a clientconfig section pointing to the DNS forwarder IP

     <clientconfig>
         <dnsservers>
             <dnsserver>DNS_FORWARDER_IP</dnsserver>
         </dnsservers>
     </clientconfig>

Here you can find our Terraform configuration: https://github.com/pagopa/io-infra/blob/main/src/core/vpn.tf

Tested with:
1. AKS
2. PostgreSQL
3. MySQL
4. Storage account
5. Cosmos DB


1 Vote 1 ·
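Both RobH-8309's answer (adding <dnssuffixes>) and pasqualedevita's comment (adding <dnsservers> with an in-VNet forwarder) edit the same <clientconfig> section of the Azure VPN Client profile. The script below is an added example, not code from the thread or from Microsoft: it patches an azvpnprofile XML in one pass, enforces the leading dot on suffixes and validates the forwarder IP, and reads the result back so you can check the file before importing it. The sample profile and the forwarder address 10.1.0.250 are constructed placeholders.

```python
# Added example (not from the thread): patch an Azure VPN Client profile
# (azvpnprofile.xml, the format quoted above) so the client sends queries for
# the listed suffixes to an in-VNet DNS forwarder that reaches Private DNS zones.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal profile standing in for the one downloaded from the portal.
SAMPLE_PROFILE = """<azvpnprofile>
  <clientconfig>
    <dnssuffixes>
      <dnssuffix>.old.example</dnssuffix>
    </dnssuffixes>
  </clientconfig>
</azvpnprofile>"""


def _ensure(parent, tag):
    """Return the direct child <tag> of parent, creating it if absent."""
    child = parent.find(tag)
    if child is None:
        child = ET.SubElement(parent, tag)
    return child


def patch_profile(xml_text, suffixes, dns_servers):
    """Return profile XML with <dnssuffixes>/<dnsservers> set under <clientconfig>.

    Suffixes get the leading dot the thread says the client needs; DNS servers
    must be valid IP literals (ValueError otherwise). Existing entries are
    replaced rather than duplicated, so the function is safe to re-run.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "azvpnprofile":
        raise ValueError("not an azvpnprofile document")
    cfg = _ensure(root, "clientconfig")
    sfx = _ensure(cfg, "dnssuffixes")
    for old in list(sfx):
        sfx.remove(old)
    for s in suffixes:
        s = s.strip().lower()
        ET.SubElement(sfx, "dnssuffix").text = s if s.startswith(".") else "." + s
    srv = _ensure(cfg, "dnsservers")
    for old in list(srv):
        srv.remove(old)
    for ip in dns_servers:
        ET.SubElement(srv, "dnsserver").text = str(ipaddress.ip_address(ip))
    return ET.tostring(root, encoding="unicode")


def configured_dns(xml_text):
    """Read back (suffixes, servers) from a profile for a quick post-edit check."""
    root = ET.fromstring(xml_text)
    return ([e.text for e in root.iter("dnssuffix")],
            [e.text for e in root.iter("dnsserver")])
```

Run it against your downloaded profile, then connect and confirm with Get-DnsClientNrptPolicy that the suffixes and forwarder appear, as the thread describes.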

Thanks @pasqualedevita - your solution did the trick.
If you have Azure Firewall deployed, and the DNS Proxy feature enabled in the Azure Firewall Policy, you can use the Azure Firewall's internal IP as the DNS forwarder.

After you customize the XML file as described, the DNS server shows up in the VPN connection properties, and I can resolve the resources by their records in Private DNS zones from my laptop.

1 Vote 1 ·