Azure DNS Private Resolver vs Ubuntu VM with dnsdist

by

In this post we will take a look at two hybrid solutions to forward DNS requests from your on-premises Windows environment to Azure. I’m using Azure DNS Private Resolver and 1 Ubuntu VM with dnsdist for this test setup. The goal is to disable public network access for Azure Arc and start using internal DNS forwarders.

Existing setup for this test (required):

  • On-prem Windows Server 2022 Lab
  • VPN Gateway (VpnGw1)
  • VPN IPsec connection between your on-premises and Azure environment
  • Virtual Network (10.0.0.0/16), Frontend Subnet (10.0.0.0/24)
  • On-premises Network (192.168.1.0/24)
  • Azure Arc Private Link Scope

Ubuntu VM with dnsdist

It is sufficient to create a small VM with Ubuntu 20.04 or 22.04 minimal to test the functionality. I used the following parameters in the template:

  • VM Size: Standard_B1s
  • Disk type: Standard_LRS
  • publicIpAddressSku: Basic

I used the following commands (Replace MyVnet, RGname and CW-DNS-01 with your values):

## Place virtual network configuration into a variable. ##
$net = @{
    Name = 'MyVnet'
    ResourceGroupName = 'RGname'
}
$vnet = Get-AzVirtualNetwork @net

## Place subnet configuration into a variable. ##
$sub = @{
    Name = 'Frontend'
    VirtualNetwork = $vnet
}
$subnet = Get-AzVirtualNetworkSubnetConfig @sub

## Get name of network interface and place into a variable ##
$int1 = @{
    Name = 'CW-DNS-01'
    ResourceGroupName = 'RGname'
}
$vm = Get-AzVM @int1

## Place network interface configuration into a variable. ##
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces.Id

## Set interface configuration. ##
$config =@{
    Name = 'ipconfig1'
    PrivateIpAddress = '10.0.0.10'
    Subnet = $subnet
}
$nic | Set-AzNetworkInterfaceIpConfig @config -Primary

## Save interface configuration. ##
$nic | Set-AzNetworkInterface

Copy the following config and paste it in a new text file: C:/Azure-VM/config.sh

#!/bin/sh 
echo "setACL('10.0.0.0/16')
setACL('192.168.1.0/24')
setLocal('10.0.0.10:53')
newServer('168.63.129.16')" >> /etc/dnsdist/dnsdist.conf

service dnsdist restart

Run the following commands (replace RGname and CW-DNS-01 with your values):

Start-AzVM -Name 'CW-DNS-01' -ResourceGroupName RGname

Invoke-AzVMRunCommand `
   -ResourceGroupName 'RGname' `
   -Name 'CW-DNS-01' `
   -CommandId 'RunShellScript' `
   -ScriptString 'sudo apt-get update && sudo apt-get upgrade -y'
   
Invoke-AzVMRunCommand `
   -ResourceGroupName 'RGname' `
   -Name 'CW-DNS-01' `
   -CommandId 'RunShellScript' `
   -ScriptString 'apt-get install -y dnsdist && systemctl enable dnsdist'

Invoke-AzVMRunCommand `
   -ResourceGroupName 'RGname' `
   -Name 'CW-DNS-01' `
   -CommandId 'RunShellScript' `
   -ScriptPath 'C:/Azure-VM/config.sh'

   Invoke-AzVMRunCommand `
   -ResourceGroupName 'RGname' `
   -Name 'CW-DNS-01' `
   -CommandId 'RunShellScript' `
   -ScriptString 'cat /etc/dnsdist/dnsdist.conf && reboot'

Go to your on-premises DNS server and point the forwarder to 10.0.0.10.

Test the following records from your on-premises Windows server:

  • gbl.his.arc.azure.com
  • weu.his.arc.azure.com
  • agentserviceapi.guestconfiguration.azure.com
  • westeurope-gas.guestconfiguration.azure.com
  • westeurope.dp.kubernetesconfiguration.azure.com

Output:

PS C:\Windows\system32> nslookup gbl.his.arc.azure.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: gbl.privatelink.his.arc.azure.com
Address: 10.0.0.4
Aliases: gbl.his.arc.azure.com

If you don’t have a Private DNS Zone yet, you can create one by creating a Private Link Scope:

Azure DNS Private Resolver

Go to portal.azure.com and open your vnet (10.0.0.0/16 in my case). Go to subnets & add 2 subnets.
Note: Endpoint creation with subnet of address space overlapping 10.0.0.0/24 through 10.0.16.0/24 might fail.

Subnets:
10.0.20.0/24 Name: InboundEndpointPrivateDnsResolver
10.0.21.0/24 Name: OutboundEndpointPrivateDnsResolver

Open DNS private resolvers > Create a DNS private resolver.

Select your subscription, resource group and virtual network.

Click next and select your subnets for inbound and outbound. Add a ruleset and select your endpoint.

Add your first rule. Enter your domainname and point the destination to the PrivateEndpoint.nic IP address.

Go to the network interface to check the IP address and confirm that it is correct.

Click Review + Create and apply the configuration. Once created, open the Private DNS Resolver.

Go to inbound endpoints and copy the IP address.

Go to your on-premises DNS server and point the forwarder to 10.0.20.4.

Test the following records from your on-premises Windows server:

  • gbl.his.arc.azure.com
  • weu.his.arc.azure.com
  • agentserviceapi.guestconfiguration.azure.com
  • westeurope-gas.guestconfiguration.azure.com
  • westeurope.dp.kubernetesconfiguration.azure.com

Output:

PS C:\Windows\system32> nslookup gbl.his.arc.azure.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: gbl.privatelink.his.arc.azure.com
Address: 10.0.0.4
Aliases: gbl.his.arc.azure.com

You can now test both DNS resolvers.

Links:
Azure DNS Private Resolver:
https://learn.microsoft.com/en-us/azure/dns/dns-private-resolver-overview
Azure DNS Pricing:
https://azure.microsoft.com/en-us/pricing/details/dns/
Azure Pricing Calculator:
https://azure.microsoft.com/en-us/pricing/calculator/

FacebookXRedditLinkedInWhatsAppEmail

Leave a Comment