Name resolution for resources in Azure virtual networks

Depending on how you use Azure to host IaaS, PaaS, and hybrid solutions, you might need to allow the virtual machines (VMs) and other resources deployed in a virtual network to communicate with each other. Although you can enable communication by using IP addresses, it is much simpler to use names that are easy to remember and do not change.

When resources deployed in virtual networks need to resolve domain names to internal IP addresses, they can use one of three methods:

The type of name resolution you use depends on how your resources need to communicate with each other. The following table illustrates scenarios and the corresponding name resolution solutions:

Note

Azure DNS private zones is the preferred solution and gives you flexibility in managing your DNS zones and records. For more information, see Using Azure DNS for private domains.

Note

If you use Azure-provided DNS, the appropriate DNS suffix is applied to your virtual machines automatically. For all other options, you must either use fully qualified domain names (FQDNs) or manually apply the appropriate DNS suffix to your virtual machines.

| Scenario | Solution | DNS suffix |
|---|---|---|
| Name resolution between VMs located in the same virtual network, or Azure Cloud Services role instances in the same cloud service. | Azure DNS private zones or Azure-provided name resolution. | Hostname or FQDN |
| Name resolution between VMs in different virtual networks or role instances in different cloud services. | Azure DNS private zones, or customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server. | FQDN only |
| Name resolution from an Azure App Service (Web App, Function, or Bot) using virtual network integration to role instances or VMs in the same virtual network. | Customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server. | FQDN only |
| Name resolution from App Service Web Apps to VMs in the same virtual network. | Customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server. | FQDN only |
| Name resolution from App Service Web Apps in one virtual network to VMs in a different virtual network. | Customer-managed DNS servers forwarding queries between virtual networks for resolution by Azure (DNS proxy). See Name resolution using your own DNS server. | FQDN only |
| Resolution of on-premises computer and service names from VMs or role instances in Azure. | Customer-managed DNS servers (for example, an on-premises domain controller, a local read-only domain controller, or a DNS secondary synced using zone transfers). See Name resolution using your own DNS server. | FQDN only |
| Resolution of Azure hostnames from on-premises computers. | Forward queries to a customer-managed DNS proxy server in the corresponding virtual network; the proxy server forwards queries to Azure for resolution. See Name resolution using your own DNS server. | FQDN only |
| Reverse DNS for internal IPs. | Azure DNS private zones, Azure-provided name resolution, or name resolution using your own DNS server. | Not applicable |
| Name resolution between VMs or role instances located in different cloud services, not in a virtual network. | Not applicable. Connectivity between VMs and role instances in different cloud services is not supported outside a virtual network. | Not applicable |

Azure-provided name resolution

Azure-provided name resolution offers only basic authoritative DNS capabilities. If you use this option, the DNS zone names and records are managed automatically by Azure, and you cannot control the DNS zone names or the life cycle of DNS records. If you need a fully featured DNS solution for your virtual networks, you must use Azure DNS private zones or customer-managed DNS servers.

Along with resolution of public DNS names, Azure provides internal name resolution for VMs and role instances that reside within the same virtual network or cloud service. VMs and instances in a cloud service share the same DNS suffix, so the host name alone is sufficient. But in virtual networks deployed using the classic deployment model, different cloud services have different DNS suffixes. In this situation, you need the FQDN to resolve names between different cloud services. In virtual networks deployed using the Azure Resource Manager deployment model, the DNS suffix is consistent across all virtual machines within a virtual network, so the FQDN is not needed. DNS names can be assigned to both VMs and network interfaces. Although Azure-provided name resolution does not require any configuration, it is not the appropriate choice for all deployment scenarios, as detailed in the previous table.

Note

When using cloud services web and worker roles, you can also access the internal IP addresses of role instances by using the Azure Service Management REST API. For more information, see the Service Management REST API Reference. The address is based on the role name and instance number.

Features

Azure-provided name resolution includes the following features:

  • Ease of use. No configuration is required.
  • High availability. You don't need to create and manage clusters of your own DNS servers.
  • You can use the service in conjunction with your own DNS servers, to resolve both on-premises and Azure host names.
  • You can use name resolution between VMs and role instances within the same cloud service, without the need for an FQDN.
  • You can use name resolution between VMs in virtual networks that use the Azure Resource Manager deployment model, without the need for an FQDN. Virtual networks in the classic deployment model require an FQDN when you are resolving names in different cloud services.
  • You can use host names that best describe your deployments, rather than working with auto-generated names.

Considerations

Points to consider when you are using Azure-provided name resolution:

  • The Azure-created DNS suffix cannot be modified.
  • DNS lookup is scoped to a virtual network. DNS names created for one virtual network can't be resolved from other virtual networks.
  • You cannot manually register your own records.
  • WINS and NetBIOS are not supported. You cannot see your VMs in Windows Explorer.
  • Host names must be DNS-compatible. Names must use only 0-9, a-z, and '-', and cannot start or end with a '-'.
  • DNS query traffic is throttled for each VM. Throttling shouldn't impact most applications. If request throttling is observed, ensure that client-side caching is enabled. For more information, see DNS client configuration.
  • Only VMs in the first 180 cloud services are registered for each virtual network in the classic deployment model. This limit does not apply to virtual networks in Azure Resource Manager.
  • The Azure DNS IP address is 168.63.129.16. This is a static IP address and will not change.

Reverse DNS considerations

Reverse DNS is supported in all ARM-based virtual networks. You can issue reverse DNS queries (PTR queries) to map IP addresses of virtual machines to FQDNs of virtual machines.

  • All PTR queries for IP addresses of virtual machines return FQDNs of the form [vmname].internal.cloudapp.net.
  • A forward lookup on an FQDN of the form [vmname].internal.cloudapp.net resolves to the IP address assigned to the virtual machine.
  • If the virtual network is linked to an Azure DNS private zone as a registration virtual network, reverse DNS queries return two records. One record is of the form [vmname].[privatednszonename] and the other is of the form [vmname].internal.cloudapp.net.
  • Reverse DNS lookup is scoped to a given virtual network even if it is peered to other virtual networks. Reverse DNS queries (PTR queries) for IP addresses of virtual machines located in peered virtual networks return NXDOMAIN.
  • If you want to turn off the reverse DNS function in a virtual network, you can do so by creating a reverse lookup zone using Azure DNS private zones and linking this zone to your virtual network. For example, if the IP address space of your virtual network is 10.20.0.0/16, you can create an empty private DNS zone 20.10.in-addr.arpa and link it to the virtual network. While linking the zone to your virtual network, disable auto registration on the link. This zone overrides the default reverse lookup zones for the virtual network, and because the zone is empty, you get NXDOMAIN for your reverse DNS queries. See our Quickstart guide for details on how to create a private DNS zone and link it to a virtual network.
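The naming rules from Considerations and the PTR behaviour above, as an added example that is not part of this article or of any Azure tooling: it validates an Azure host name, builds the internal.cloudapp.net FQDN, lists the PTR answers to expect, computes the PTR owner name for an address, and derives the in-addr.arpa zone(s) that cover an address space (the article's 10.20.0.0/16 case, generalized to prefixes that are not octet-aligned, which need several zones). Host and zone names used in the test are constructed.

```python
"""Naming helpers for Azure-provided DNS inside a virtual network (added example)."""
import ipaddress
import re

INTERNAL_SUFFIX = "internal.cloudapp.net"   # suffix Azure-provided DNS registers VMs under

# Only 0-9, a-z and '-', and the name must not start or end with '-'.
_HOSTNAME_RE = re.compile(r"[0-9a-z]([0-9a-z-]*[0-9a-z])?")


def is_valid_hostname(name: str) -> bool:
    """True if NAME satisfies the host name rules listed under Considerations."""
    return _HOSTNAME_RE.fullmatch(name) is not None


def internal_fqdn(hostname: str) -> str:
    """The [vmname].internal.cloudapp.net name that a forward lookup resolves."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"not a DNS-compatible Azure host name: {hostname!r}")
    return f"{hostname}.{INTERNAL_SUFFIX}"


def expected_ptr_answers(hostname: str, registration_zone: str = None) -> list:
    """Names a PTR query for the VM's address returns. With the vnet linked to
    REGISTRATION_ZONE as a registration vnet there are two; otherwise only the
    internal.cloudapp.net name (order on the wire is not guaranteed)."""
    answers = [internal_fqdn(hostname)]
    if registration_zone:
        answers.insert(0, f"{hostname}.{registration_zone.rstrip('.')}")
    return answers


def ptr_name(ip: str) -> str:
    """Owner name a PTR query for IP is sent to: reversed octets under in-addr.arpa."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zones(cidr: str) -> list:
    """Octet-aligned in-addr.arpa zones that exactly cover CIDR.

    10.20.0.0/16 gives the single zone 20.10.in-addr.arpa from the article's example.
    A prefix that is not a multiple of 8 bits needs several zones at the next octet
    boundary (a /22 needs four /24 zones); longer than /24 cannot be expressed this way.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    aligned = -(-net.prefixlen // 8) * 8            # round up to 8, 16 or 24
    if aligned == 0 or aligned > 24:
        raise ValueError("prefix must be between /1 and /24 to form octet-aligned zones")
    labels = aligned // 8
    subnets = [net] if aligned == net.prefixlen else net.subnets(new_prefix=aligned)
    zones = []
    for sub in subnets:
        octets = sub.network_address.exploded.split(".")[:labels]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


if __name__ == "__main__":
    print(internal_fqdn("web-01"), ptr_name("10.20.1.4"))
    print(reverse_zones("10.20.0.0/16"), reverse_zones("10.20.0.0/22"))
```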

Note

If you want reverse DNS lookup to span virtual networks, you can create a reverse lookup zone (in-addr.arpa) in Azure DNS private zones and link it to multiple virtual networks. You will, however, have to manually manage the reverse DNS records for the virtual machines.

DNS client configuration

This section covers client-side caching and client-side retries.

Client-side caching

Not every DNS query needs to be sent across the network. Client-side caching helps reduce latency and improve resilience to network blips by resolving recurring DNS queries from a local cache. DNS records carry a time-to-live (TTL), which allows the cache to store a record for as long as possible without affecting its freshness. Thus, client-side caching is suitable for most situations.

The default Windows DNS client has a DNS cache built in. Some Linux distributions do not include caching by default. If you find that there isn't a local cache already, add a DNS cache to each Linux VM.

There are a number of different DNS caching packages available (such as dnsmasq). Here's how to install dnsmasq on the most common distributions:

  • **Ubuntu (uses resolvconf)**:
    • Install the dnsmasq package with sudo apt-get install dnsmasq.
  • **SUSE (uses netconf)**:
    • Install the dnsmasq package with sudo zypper install dnsmasq.
    • Enable the dnsmasq service with systemctl enable dnsmasq.service.
    • Start the dnsmasq service with systemctl start dnsmasq.service.
    • Edit /etc/sysconfig/network/config, and change NETCONFIG_DNS_FORWARDER="" to NETCONFIG_DNS_FORWARDER="dnsmasq".
    • Update resolv.conf with netconfig update, to set the cache as the local DNS resolver.
  • **CentOS (uses NetworkManager)**:
    • Install the dnsmasq package with sudo yum install dnsmasq.
    • Enable the dnsmasq service with systemctl enable dnsmasq.service.
    • Start the dnsmasq service with systemctl start dnsmasq.service.
    • Add the line prepend domain-name-servers 127.0.0.1; to /etc/dhclient-eth0.conf.
    • Restart the network service with service network restart, to set the cache as the local DNS resolver.

Note

The dnsmasq package is only one of many DNS caches available for Linux. Before using it, check its suitability for your particular needs, and check that no other cache is installed.

Client-side retries

DNS is primarily a UDP protocol. Because UDP doesn't guarantee message delivery, retry logic is handled in the DNS protocol itself. Each DNS client (operating system) can exhibit different retry logic, depending on the creator's preference:

  • Windows operating systems retry after one second, and then again after another two seconds, four seconds, and another four seconds.
  • The default Linux setup retries after five seconds. We recommend changing the retry specification to five attempts at one-second intervals.

Check the current settings on a Linux VM with cat /etc/resolv.conf. Look at the options line, for example:

options timeout:1 attempts:5

The resolv.conf file is usually auto-generated and should not be edited by hand. The specific steps for adding the options line vary by distribution:

  • Ubuntu (uses resolvconf):
    1. Add the options line to /etc/resolvconf/resolv.conf.d/tail.
    2. Run resolvconf -u to update.
  • SUSE (uses netconf):
    1. Add timeout:1 attempts:5 to the NETCONFIG_DNS_RESOLVER_OPTIONS="" parameter in /etc/sysconfig/network/config.
    2. Run netconfig update to update.
  • CentOS (uses NetworkManager):
    1. Add echo "options timeout:1 attempts:5" to /etc/NetworkManager/dispatcher.d/11-dhclient.
    2. Update with service network restart.
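A way to check whether a Linux VM already follows the caching and retry guidance from the two subsections above, as an added example that is not part of this article: it parses resolv.conf, reports whether a loopback cache is queried first, whether the recommended timeout:1 attempts:5 options are set, and whether the Azure-provided suffix or the reddog.microsoft.com placeholder is present. The two resolv.conf samples and the 10.0.0.4 forwarder address are constructed.

```python
"""Audit a Linux resolv.conf against the caching and retry guidance above (added example)."""
AZURE_DNS_IP = "168.63.129.16"                 # Azure-provided resolver (from the article)
RECOMMENDED_OPTIONS = {"timeout": 1, "attempts": 5}
AZURE_SUFFIX = "internal.cloudapp.net"         # suffix handed out with Azure-provided DNS
PLACEHOLDER_SUFFIX = "reddog.microsoft.com"    # non-functioning suffix handed out with custom DNS


def parse_resolv_conf(text: str) -> dict:
    """Return nameservers, search list and options from resolv.conf TEXT (comments stripped)."""
    conf = {"nameservers": [], "search": [], "options": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key in ("search", "domain"):
            conf["search"].extend(args)
        elif key == "options":
            for opt in args:                       # "timeout:1" -> 1, bare "rotate" -> True
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value.isdigit() else True
    return conf


def audit_resolv_conf(text: str) -> dict:
    """Check the points the article recommends and return findings plus plain-text advice."""
    conf = parse_resolv_conf(text)
    ns = conf["nameservers"]
    first = ns[0] if ns else ""
    findings = {
        # a local cache such as dnsmasq should be the first resolver the stub library asks
        "local_cache_first": first.startswith("127.") or first == "::1",
        "uses_azure_resolver": AZURE_DNS_IP in ns,
        "retry_options_ok": all(conf["options"].get(k) == v
                                for k, v in RECOMMENDED_OPTIONS.items()),
        "azure_suffix_present": any(d.endswith(AZURE_SUFFIX) for d in conf["search"]),
        "placeholder_suffix": PLACEHOLDER_SUFFIX in conf["search"],
        "advice": [],
    }
    if not ns:
        findings["advice"].append("no nameserver configured")
    if not findings["local_cache_first"]:
        findings["advice"].append("add a local DNS cache (for example dnsmasq) and list 127.0.0.1 first")
    if not findings["retry_options_ok"]:
        findings["advice"].append("set 'options timeout:1 attempts:5' through "
                                  "resolvconf/netconfig/NetworkManager, not by editing resolv.conf")
    if findings["placeholder_suffix"]:
        findings["advice"].append("custom DNS in use: query Azure host names by FQDN, "
                                  "the suffix is only a placeholder")
    return findings


# Constructed samples: a VM on Azure-provided DNS before any tuning, and a VM that uses a
# customer-managed forwarder after a dnsmasq cache and the retry options were applied.
SAMPLE_DEFAULT = """\
nameserver 168.63.129.16
search example.internal.cloudapp.net
"""
SAMPLE_HARDENED = """\
nameserver 127.0.0.1   # dnsmasq cache
nameserver 10.0.0.4    # customer-managed forwarder in the vnet (constructed address)
search reddog.microsoft.com
options timeout:1 attempts:5
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_resolv_conf(sample))
```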

Name resolution that uses your own DNS server

This section covers VMs, role instances, and web apps.

VMs and role instances

Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows Server Active Directory domains, or resolve DNS names between virtual networks. To cover these scenarios, Azure lets you use your own DNS servers.

DNS servers within a virtual network can forward DNS queries to the recursive resolvers in Azure. This enables you to resolve host names within that virtual network. For example, a domain controller (DC) running in Azure can respond to DNS queries for its domains, and forward all other queries to Azure. Forwarding queries allows VMs to see both your on-premises resources (via the DC) and Azure-provided host names (via the forwarder). Access to the recursive resolvers in Azure is provided via the virtual IP 168.63.129.16.

DNS forwarding also enables DNS resolution between virtual networks, and allows your on-premises machines to resolve Azure-provided host names. In order to resolve a VM's host name, the DNS server VM must reside in the same virtual network, and be configured to forward host name queries to Azure. Because the DNS suffix is different in each virtual network, you can use conditional forwarding rules to send DNS queries to the correct virtual network for resolution. The following image shows two virtual networks and an on-premises network doing DNS resolution between virtual networks by using this method. An example DNS forwarder is available in the Azure Quickstart Templates gallery and on GitHub.

Note

A role instance can perform name resolution of VMs within the same virtual network. It does so by using the FQDN, which consists of the VM's host name and the internal.cloudapp.net DNS suffix. However, in this case, name resolution is only successful if the role instance has the VM name defined in the Role Schema (.cscfg file): <Role name="<role-name>" vmName="<vm-name>">

Role instances that need to perform name resolution of VMs in another virtual network (FQDN by using the internal.cloudapp.net suffix) have to do so by using the method described in this section (custom DNS servers forwarding between the two virtual networks).

[Diagram: DNS between virtual networks]

When you are using Azure-provided name resolution, Azure Dynamic Host Configuration Protocol (DHCP) provides an internal DNS suffix (.internal.cloudapp.net) to each VM. This suffix enables host name resolution because the host name records are in the internal.cloudapp.net zone. When you are using your own name resolution solution, this suffix is not supplied to VMs, because it interferes with other DNS architectures (like domain-joined scenarios). Instead, Azure provides a non-functioning placeholder (reddog.microsoft.com).

If necessary, you can determine the internal DNS suffix by using PowerShell or the API:

If forwarding queries to Azure doesn't suit your needs, you should provide your own DNS solution. Your DNS solution needs to:

  • Provide appropriate host name resolution, via DDNS, for example. If you are using DDNS, you might need to disable DNS record scavenging. Azure DHCP leases are long, and scavenging might remove DNS records prematurely.
  • Provide appropriate recursive resolution to allow resolution of external domain names.
  • Be accessible (TCP and UDP on port 53) from the clients it serves, and be able to access the internet.
  • Be secured against access from the internet, to mitigate threats posed by external agents.
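The conditional forwarding described above and the DNS server requirements just listed, as an added example that is not part of this article or of the Quickstart forwarder template: a longest-suffix-match decision (which upstream a forwarder picks for a given name) and a dnsmasq configuration rendered from the same rule table, bound only to the vnet-facing address so port 53 is not exposed elsewhere. The rule table, suffixes and addresses (corp.contoso.test, vnet2.contoso.test as a stand-in for the other vnet's suffix, 10.10.0.4, 10.2.0.4, 10.1.0.4) are constructed.

```python
"""Conditional forwarding decisions for a customer-managed DNS forwarder (added example)."""
AZURE_RESOLVER = "168.63.129.16"   # Azure recursive resolver virtual IP (from the article)


def choose_upstream(rules: dict, query_name: str) -> str:
    """Pick the upstream for QUERY_NAME by longest matching suffix in RULES.

    RULES maps a DNS suffix to the server that answers it or forwards it onward;
    the empty suffix "" is the default for everything else. Matching is on whole
    labels, so "notcorp.contoso.test" does not match the "corp.contoso.test" rule.
    """
    name = query_name.rstrip(".").lower()
    best_suffix, best_server = None, None
    for suffix, server in rules.items():
        s = suffix.rstrip(".").lower()
        if s == "" or name == s or name.endswith("." + s):
            if best_suffix is None or len(s) > len(best_suffix):
                best_suffix, best_server = s, server
    if best_server is None:
        raise LookupError(f"no forwarding rule covers {query_name!r}")
    return best_server


def dnsmasq_forwarder_config(rules: dict, listen_ip: str) -> str:
    """Render RULES as a dnsmasq forwarder that listens only on LISTEN_IP.

    server=/suffix/ip is dnsmasq's conditional-forwarding syntax and a bare
    server=ip is the default upstream; no-resolv stops dnsmasq from also using
    the VM's own resolv.conf; bind-interfaces plus listen-address keep port 53
    off every address except the vnet-facing one (the network security group
    still has to allow TCP/UDP 53 only from the clients the server serves).
    """
    lines = ["no-resolv", "bind-interfaces", f"listen-address={listen_ip}"]
    for suffix, server in rules.items():
        s = suffix.rstrip(".")
        lines.append(f"server={server}" if s == "" else f"server=/{s}/{server}")
    return "\n".join(lines) + "\n"


# Constructed rule table for a forwarder VM in vnet1 (10.1.0.4). The Azure resolver
# only answers for the vnet the query comes from, so names in vnet2 must go to a
# forwarder inside vnet2, which in turn asks 168.63.129.16 there.
VNET1_RULES = {
    "": AZURE_RESOLVER,                    # public names and vnet1's own Azure host names
    "corp.contoso.test": "10.10.0.4",      # on-premises domain controller
    "vnet2.contoso.test": "10.2.0.4",      # forwarder living in vnet2 (stand-in suffix)
}

if __name__ == "__main__":
    for q in ("dc01.corp.contoso.test", "web01.vnet2.contoso.test", "www.microsoft.com"):
        print(q, "->", choose_upstream(VNET1_RULES, q))
    print(dnsmasq_forwarder_config(VNET1_RULES, "10.1.0.4"))
```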

Note

For best performance, when you are using Azure VMs as DNS servers, IPv6 should be disabled.

Web apps

Suppose you need to perform name resolution from your web app built by using App Service, linked to a virtual network, to VMs in the same virtual network. In addition to setting up a custom DNS server that has a DNS forwarder that forwards queries to Azure (virtual IP 168.63.129.16), perform the following steps:

  1. Enable virtual network integration for your web app, if not done already, as described in Integrate your app with a virtual network.

  2. In the Azure portal, for the App Service plan hosting the web app, select Sync Network under Networking, Virtual Network Integration.

    [Screenshot: virtual network name resolution]

If you need to perform name resolution from your web app built by using App Service, linked to a virtual network, to VMs in a different virtual network, you have to use custom DNS servers on both virtual networks, as follows:

  • Set up a DNS server in your target virtual network, on a VM that can also forward queries to the recursive resolver in Azure (virtual IP 168.63.129.16). An example DNS forwarder is available in the Azure Quickstart Templates gallery and on GitHub.
  • Set up a DNS forwarder in the source virtual network on a VM. Configure this DNS forwarder to forward queries to the DNS server in your target virtual network.
  • Configure your source DNS server in your source virtual network's settings.
  • Enable virtual network integration for your web app to link to the source virtual network, following the instructions in Integrate your app with a virtual network.
  • In the Azure portal, for the App Service plan hosting the web app, select Sync Network under Networking, Virtual Network Integration.

Specify DNS servers

When you are using your own DNS servers, Azure lets you specify multiple DNS servers per virtual network. You can also specify multiple DNS servers per network interface (for Azure Resource Manager) or per cloud service (for the classic deployment model). DNS servers specified for a network interface or cloud service take precedence over DNS servers specified for the virtual network.

Note

Network connection properties, such as DNS server IPs, should not be edited directly within VMs, because they might get erased during service heal when the virtual network adapter gets replaced. This applies to both Windows and Linux VMs.

When you are using the Azure Resource Manager deployment model, you can specify DNS servers for a virtual network and for a network interface. For details, see Manage a virtual network and Manage a network interface.

Note

If you opt for custom DNS servers for your virtual network, you must specify at least one DNS server IP address; otherwise, the virtual network ignores the configuration and uses Azure-provided DNS instead.

When you are using the classic deployment model, you can specify DNS servers for the virtual network in the Azure portal or in the Network Configuration file. For cloud services, you can specify DNS servers via the Service Configuration file or by using PowerShell, with New-AzureVM.

Note

If you change the DNS settings for a virtual network or virtual machine that is already deployed, you must perform a DHCP lease renewal on all affected VMs in the virtual network for the new DNS settings to take effect. For VMs running Windows, you can do this by typing ipconfig /renew directly in the VM. The steps vary depending on the OS; see the relevant documentation for your OS type.

Next steps

Azure Resource Manager deployment model:

Classic deployment model: