Microsoft AZ-700: Design Name Resolution for your Virtual Network


Notes from MS Learn AZ-700 Module 1: Introduction to Azure Virtual Networks – Unit 5: Design Name Resolution for your Virtual Network

DNS Services accessible from your own internal networks:

  • Public DNS resolves names and IPs for resources and services accessible over the internet, e.g. web servers.
    • Azure DNS is a hosting service for DNS domains that provides name resolution using Azure infrastructure.
    • Hosted on Azure's global network of DNS servers.
    • Uses anycast networking, so each query is sent to the closest DNS server.
  • Create address records manually in relevant zones. Examples:
    • Host record – A/AAAA (IPv4/IPv6)
    • Alias record – CNAME
  • Azure DNS provides resolution in a VNet without the need for a custom DNS solution.
  • A DNS zone hosts the DNS records for a domain: create a zone for the domain, then create that domain's records inside the zone.
  • Considerations:
    • Zone name must be unique within the resource group and must not already exist
    • Same zone name can be reused in different resource group or subscription
    • When multiple zones share same name, each is assigned different name server address
    • Root/parent domain is registered at the registrar and points to the Azure name servers.
    • Child domains are registered in Azure DNS directly.
  • Delegate DNS Domains:
    • To delegate a domain to Azure DNS you must know the name server names for your zone.
    • Each DNS zone created is allocated Azure DNS name servers from a pool.
    • Once the name servers are assigned, Azure DNS creates authoritative NS records in the zone.
    • Once the DNS zone is created and has name servers, update the parent domain.
    • Each registrar has its own DNS management tools to change name server records – edit the NS records and replace them with the ones Azure DNS created.
    • Always use all four name servers when delegating
  • Child Domains E.g. partners.contoso.com (taken from MS Learn):
    • Same process as typical delegations
    • Can be in same or different resource group as parent domain
    • Record set is collection of records in a zone that have same name and type
    • Record set can’t contain two identical records.
    • Empty record sets can be created but don’t appear on Azure DNS name servers
    • CNAME Record sets can only have one record
    • A records require TTL and IP address
  • Private DNS services resolve names and IP addresses for internal resources and services.
    • When resources deployed in a VNet need to resolve names to internal IPs, they use:
      • Azure DNS Private Zones
      • Azure-provided name resolution
      • Your own DNS server
  • Can use recursion, where a DC in Azure answers DNS queries for its own domain and forwards all other queries to Azure.
    • VMs can see both private DC and Azure forwarder
    • Access to recursive resolvers in Azure via 168.63.129.16
  • Forwarding also enables DNS resolution between VNets and allows on-prem machines to resolve Azure host names.
    • The DNS server VM must reside in the same VNet and be configured to forward host name queries to Azure.
    • Where the DNS suffix differs per VNet, use conditional forwarding rules to send each query to the correct VNet for resolution.
  • Azure provided DNS
    • Azure provides free default internal DNS
    • Only basic authoritative DNS capabilities
    • If used, DNS zone names and records automatically managed by Azure. No control over zone names or life cycle of records
    • Internal DNS namespace: .internal.cloudapp.net
    • A VM created in a VNet is registered in the internal DNS zone with a name similar to myVM.internal.cloudapp.net (taken from MS Learn).
    • It is the Azure resource name that is registered, not the guest OS name of the VM.
    • Limitations of Internal DNS
      • No resolution across VNets
      • Resource names, not guest OS names, are registered
      • No manual records
  • Azure Private DNS Zones
    • Available only to internal resources
    • Global in scope = access from any region, subscription, VNet, tenant
    • With permission to read the zone, it can be used for DNS resolution
    • Highly resilient, replicated to regions throughout the world
    • Not available to internet resources
  • Custom Private DNS Zones can:
    • Configure specific DNS name for zone
    • Create records manually
    • Resolve names and IPs across zones
    • Resolve names and IPs across VNets
    • Can also use autoregistration, which creates records based on the Azure resource name
  • Link VNets to Private DNS Zone
    • At the VNet level the default DNS server is handed out in Azure's DHCP assignments, specifying 168.63.129.16 for Azure DNS
    • Override at VM NIC
    • Linking VNets options:
      • Registration – each VNet can link to one private DNS zone for registration; up to 100 VNets can be linked to the same zone
      • Resolution – Other private DNS zones for different namespaces
        • Link VNet to each for name resolution
        • VNet can link up to 1000 private Zones for resolution
  • Integration to on-prem DNS with VNets
    • External DNS (On-prem) can run any DNS Server e.g. BIND, AD DNS
    • Often an Azure private DNS zone is used for autoregistration, with custom configuration forwarding queries for external zones to the external DNS server
    • Forwarding:
      • Forwarding specifies another DNS server (the SOA for the zone) to resolve queries the initial server can't
      • Conditional forwarding specifies a DNS server for a named zone, so all queries for that zone are sent to that specific DNS server
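As an added example (not from the MS Learn module or from the post), a Bicep template that puts the above pieces together: a public zone whose Azure-assigned name servers are output for the registrar delegation, and a private zone linked to a hub VNet with autoregistration and to a spoke VNet for resolution only. The zone names, the VNet names 'vnet-hub' and 'vnet-spoke', and a resource-group-scoped deployment are assumptions.

```bicep
// DNS zones are global resources; 'global' is the only valid location
param location string = 'global'

// Public zone: hosted on Azure DNS and delegated to it from the registrar
resource publicZone 'Microsoft.Network/dnsZones@2018-05-01' = {
  name: 'contoso.com' // must be unique within the resource group
  location: location
}

// Private zone: resolvable only from linked VNets, never from the internet
resource privateZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'contoso.internal'
  location: location
}

// Existing VNets in the same resource group (assumed names)
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-hub' }
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'vnet-spoke' }

// Registration link: VM records are auto-created from the Azure resource name.
// A VNet can hold only one registration link (up to 100 VNets per zone).
resource hubLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateZone
  name: 'link-hub'
  location: location
  properties: {
    virtualNetwork: { id: hubVnet.id }
    registrationEnabled: true
  }
}

// Resolution-only link: the spoke resolves the zone but does not register into it
resource spokeLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: privateZone
  name: 'link-spoke'
  location: location
  properties: {
    virtualNetwork: { id: spokeVnet.id }
    registrationEnabled: false
  }
}

// Hand all four of these to the registrar as the parent domain's NS records
output azureNameServers array = publicZone.properties.nameServers
```

After deployment, compare the registrar's NS records for contoso.com against the output list: the delegation is only correct when all four Azure name servers are present.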

Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-design-name-resolution-for-your-virtual-network/
