Notes from MS Learn AZ-700 Module 1: Introduction to Azure Virtual Networks – Unit 5: Design Name Resolution for your Virtual Network
DNS Services accessible from your own internal networks:
- Public DNS resolves names and IPs for resources and services accessible over the internet, e.g. web servers.
- Azure DNS is a hosting service for DNS domains that provides name resolution using Azure infrastructure.
- Hosted on Azure's global network of DNS servers.
- Uses anycast networking, so each query is answered by the closest available DNS server.
- Create address records manually in relevant zones. Examples:
- Host record – A/AAAA (IPv4/IPv6)
- Alias record – CNAME
- Azure DNS provides name resolution for a VNet without the need for a custom DNS solution
- A DNS zone hosts the DNS records for a domain. Create a DNS zone for the domain first; the records for that domain are then created inside the zone
- Considerations:
- Zone name must be unique within the resource group and must not already exist there
- The same zone name can be reused in a different resource group or subscription
- When multiple zones share the same name, each is assigned a different set of name server addresses
- Root/parent domain is registered at the registrar and delegated (via NS records) to the Azure DNS name servers
- Child domains are registered in Azure DNS directly
- Delegate DNS Domains:
- To delegate a domain to Azure DNS you must know the name server names for your zone
- Each DNS zone created is allocated name servers from the Azure DNS pool
- Once the name servers are assigned, Azure DNS creates the authoritative NS records in the zone
- Once the DNS zone is created and the name servers are known, update the parent domain
- Each registrar has its own DNS management tools to change name server records: edit the NS records and replace them with the ones Azure DNS created
- Always use all four name servers when delegating, not just one or two, so the delegation keeps the resilience of the full name server set
- Child Domains E.g. partners.contoso.com (taken from MS Learn):
- Delegating a child zone follows the same process as a typical delegation: create the child zone, then add NS records for it in the parent zone pointing at the child zone's name servers
- Child zone can be in the same or a different resource group as the parent zone
- A record set is a collection of records in a zone that have the same name and type
- A record set can't contain two identical records
- Empty record sets can be created but don't appear on the Azure DNS name servers
- CNAME record sets can only contain one record
- A records require a TTL and an IPv4 address
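The delegation and record-set rules above are easy to get wrong by hand (a registrar left pointing at two of the four name servers, a second record in a CNAME set). The following is an added example, not MS Learn or Azure SDK code: an in-memory model of an Azure DNS public zone that enforces the record-set rules from these notes and checks a parent delegation against the zone's assigned name servers. The zone name, name server names (in the format Azure DNS assigns) and IPs are constructed sample data.

```python
"""Zone-model checks for Azure DNS delegation and record sets.

Added example (not MS Learn or Azure SDK code): a small in-memory model of an
Azure DNS public zone that enforces the record-set rules from the notes and
checks that the parent domain delegates to all four assigned name servers.
The zone name, name server names and IPs used here are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Record:
    rtype: str   # "A", "AAAA", "CNAME", "NS", ...
    value: str   # IP address for A/AAAA, target name for CNAME/NS


@dataclass
class RecordSet:
    name: str            # relative name within the zone, "@" for the apex
    rtype: str
    ttl: int | None = None
    records: list[Record] = field(default_factory=list)

    def add(self, value: str) -> None:
        rec = Record(self.rtype, value.lower())
        if rec in self.records:                       # no two identical records in a set
            raise ValueError(f"duplicate {self.rtype} record {value!r} in {self.name}")
        if self.rtype == "CNAME" and self.records:    # CNAME sets hold exactly one record
            raise ValueError(f"CNAME record set {self.name} already has a record")
        if self.rtype in ("A", "AAAA"):               # address records need a TTL and a valid IP
            if self.ttl is None:
                raise ValueError(f"{self.rtype} record set {self.name} needs a TTL")
            want = 4 if self.rtype == "A" else 6
            if ipaddress.ip_address(value).version != want:
                raise ValueError(f"{value} is not an IPv{want} address")
        self.records.append(rec)

    @property
    def published(self) -> bool:
        return bool(self.records)   # empty sets exist in the zone but never appear on the name servers


class Zone:
    def __init__(self, name: str, name_servers: list[str]):
        self.name = name.rstrip(".").lower()
        # Azure allocates four name servers from its pool and creates the apex NS set itself.
        self.name_servers = [ns.rstrip(".").lower() for ns in name_servers]
        self.sets: dict[tuple[str, str], RecordSet] = {}
        apex_ns = self.record_set("@", "NS", ttl=172800)
        for ns in self.name_servers:
            apex_ns.add(ns)

    def record_set(self, name: str, rtype: str, ttl: int | None = None) -> RecordSet:
        """Return the (name, type) record set, creating it empty if it does not exist."""
        key = (name.lower(), rtype.upper())
        if key not in self.sets:
            self.sets[key] = RecordSet(key[0], key[1], ttl)
        return self.sets[key]

    def published_sets(self) -> list[RecordSet]:
        return [rs for rs in self.sets.values() if rs.published]


def check_delegation(zone: Zone, parent_ns: list[str]) -> list[str]:
    """Compare the NS records the registrar/parent publishes for the zone with the
    zone's Azure-assigned name servers; returns the problems found (empty list = OK)."""
    parent = {ns.rstrip(".").lower() for ns in parent_ns}
    assigned = set(zone.name_servers)
    problems = []
    if len(assigned) != 4:
        problems.append(f"expected 4 Azure name servers, zone has {len(assigned)}")
    for ns in sorted(assigned - parent):      # delegation must list all four
        problems.append(f"parent is missing NS {ns}")
    for ns in sorted(parent - assigned):      # stale records from the previous host
        problems.append(f"parent points at stale/foreign NS {ns}")
    return problems


if __name__ == "__main__":
    # Constructed sample: name servers in the format Azure DNS assigns.
    zone = Zone("contoso.com", ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net",
                                "ns3-01.azure-dns.org", "ns4-01.azure-dns.info"])
    zone.record_set("www", "A", ttl=3600).add("203.0.113.10")
    zone.record_set("mail", "CNAME", ttl=3600).add("www.contoso.com")
    print([f"{rs.name} {rs.rtype}" for rs in zone.published_sets()])
    # Registrar still lists two of the four Azure name servers plus the old host.
    print(check_delegation(zone, ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net", "ns.oldhost.example"]))
```

In practice the `parent_ns` list comes from querying the parent (for example `dig NS contoso.com @<registrar or parent name server>`) and the zone's name servers from the zone's apex NS set; the check flags both missing Azure name servers and leftover records from the previous DNS host.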
- Private DNS services resolve names and IP addresses for internal resources and services
- When a resource is deployed in a VNet and needs to resolve names to internal IPs, it can use:
- Azure DNS Private Zones
- Azure-provided name resolution
- Your own DNS server
- Using your own DNS server in a VNet:
- Can use recursion: a domain controller (DC) in Azure answers queries for its own domain and forwards all other queries to Azure
- VMs can then resolve both the DC's private domain and, via the forwarder, Azure-provided names
- The recursive resolver in Azure is reached via 168.63.129.16 (a virtual IP that is only reachable from inside Azure)
- Forwarding also enables DNS resolution between VNets and allows on-premises machines to resolve Azure host names
- To resolve a VM's Azure-provided host name, the DNS server VM must reside in the same VNet and be configured to forward host name queries to Azure
- When the DNS suffix differs in each VNet, use conditional forwarding rules to send each DNS query to the correct VNet for resolution
- Azure-provided DNS
- Azure provides a free default internal DNS
- Only basic authoritative DNS capabilities
- If used, DNS zone names and records are managed automatically by Azure; no control over zone names or the life cycle of records
- Internal DNS namespace: .internal.cloudapp.net
- A VM created in a VNet is registered in the internal DNS zone with a name similar to myVM.internal.cloudapp.net (taken from MS Learn)
- It is the Azure resource name that is registered, not the guest OS host name of the VM
- Limitations of internal DNS:
- No resolution across VNets
- Azure resource names are registered, not guest OS names
- No manual records
- Azure Private DNS Zones
- Available only to internal resources
- Global in scope: accessible from any region, subscription, VNet or tenant
- Anyone with permission to read the zone can use it for DNS resolution
- Highly resilient; replicated to regions throughout the world
- Not available to internet resources
- Custom Private DNS Zones can:
- Configure specific DNS name for zone
- Create records manually
- Resolve names and IPs across zones
- Resolve names and IPs across VNets
- Can also use auto-registration, which creates records based on the Azure resource name
- Link VNets to Private DNS Zone
- At the VNet level, the default DNS server is handed out by Azure DHCP as 168.63.129.16 (Azure DNS)
- Can be overridden per VM NIC
- Linking VNet options:
- Registration: a VNet can link to only one private DNS zone for registration; up to 100 VNets can be linked to the same zone for registration
- Resolution: other private DNS zones for different namespaces
- Link the VNet to each zone it needs for name resolution
- A VNet can be linked to up to 1000 private DNS zones for resolution
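The link limits and the auto-registration behaviour in the notes above (one registration link per VNet, 100 registration links per zone, 1000 resolution links per VNet, records keyed on the Azure resource name rather than the guest OS host name) are what usually explain "it resolves from one VNet but not the other". The following is an added example, not MS Learn or Azure SDK code: an in-memory model that enforces those rules and shows the resulting resolution from each VNet. Zone, VNet and VM names and IPs are constructed sample data.

```python
"""Private DNS zone links and auto-registration.

Added example (not MS Learn or Azure SDK code): an in-memory model of the link rules
in the notes. A VNet has at most one registration link, a zone accepts at most 100
registration links, a VNet can be linked to at most 1000 zones for resolution, and
auto-registration keys records on the Azure resource name, never the guest OS host
name. The zone, VNet, VM names and IPs below are constructed sample data.
"""
from __future__ import annotations

MAX_REGISTRATION_LINKS_PER_ZONE = 100
MAX_RESOLUTION_LINKS_PER_VNET = 1000


class PrivateDnsZone:
    def __init__(self, name: str):
        self.name = name.lower().rstrip(".")
        self.records: dict[str, str] = {}            # fqdn -> private IPv4
        self.registration_vnets: set[str] = set()
        self.linked_vnets: set[str] = set()          # every link (registration links also resolve)


class VNet:
    def __init__(self, name: str):
        self.name = name
        self.registration_zone: PrivateDnsZone | None = None
        self.linked_zones: dict[str, PrivateDnsZone] = {}
        self.vms: dict[str, str] = {}                # Azure resource name -> private IP


def link(vnet: VNet, zone: PrivateDnsZone, registration: bool = False) -> None:
    """Create a virtual network link, enforcing the limits from the notes."""
    if registration:
        if vnet.registration_zone is not None and vnet.registration_zone is not zone:
            raise ValueError(f"{vnet.name} already has a registration link to {vnet.registration_zone.name}")
        if vnet.name not in zone.registration_vnets and len(zone.registration_vnets) >= MAX_REGISTRATION_LINKS_PER_ZONE:
            raise ValueError(f"{zone.name} already has {MAX_REGISTRATION_LINKS_PER_ZONE} registration links")
    if zone.name not in vnet.linked_zones and len(vnet.linked_zones) >= MAX_RESOLUTION_LINKS_PER_VNET:
        raise ValueError(f"{vnet.name} is already linked to {MAX_RESOLUTION_LINKS_PER_VNET} zones")
    vnet.linked_zones[zone.name] = zone
    zone.linked_vnets.add(vnet.name)
    if registration:
        vnet.registration_zone = zone
        zone.registration_vnets.add(vnet.name)
        for resource_name, ip in vnet.vms.items():   # VMs already in the VNet register now
            zone.records[f"{resource_name}.{zone.name}"] = ip


def create_vm(vnet: VNet, resource_name: str, private_ip: str, guest_hostname: str) -> str:
    """Deploy a VM and auto-register it if the VNet has a registration link.
    Returns the registered FQDN, or "" when the VNet has no registration link."""
    del guest_hostname   # deliberately ignored: the guest OS name plays no part in the record
    resource_name = resource_name.lower()
    vnet.vms[resource_name] = private_ip
    zone = vnet.registration_zone
    if zone is None:
        return ""
    fqdn = f"{resource_name}.{zone.name}"
    zone.records[fqdn] = private_ip
    return fqdn


def resolve(vnet: VNet, fqdn: str) -> str | None:
    """Name resolution as seen from a VM in `vnet` (via 168.63.129.16): only zones linked
    to that VNet are consulted, and the longest matching zone name wins."""
    fqdn = fqdn.lower().rstrip(".")
    matches = [z for z in vnet.linked_zones.values() if fqdn.endswith("." + z.name)]
    for zone in sorted(matches, key=lambda z: len(z.name), reverse=True):
        if fqdn in zone.records:
            return zone.records[fqdn]
    return None


if __name__ == "__main__":
    corp, shared = PrivateDnsZone("corp.contoso.internal"), PrivateDnsZone("shared.contoso.internal")
    hub, spoke = VNet("hub"), VNet("spoke")
    link(hub, corp, registration=True)       # hub VMs auto-register into corp
    link(spoke, corp)                        # spoke can resolve corp, but does not register there
    link(spoke, shared, registration=True)
    print(create_vm(hub, "AppVM01", "10.0.1.4", guest_hostname="APP-SERVER-01"))
    print(resolve(spoke, "appvm01.corp.contoso.internal"))       # cross-VNet via the resolution link
    print(resolve(hub, "app-server-01.corp.contoso.internal"))   # guest OS name: not registered
```

The model keeps validation before mutation, so a rejected link (a second registration link on a VNet, or the 101st registration link on a zone) leaves both sides unchanged, which is the behaviour you want when scripting link creation across many VNets.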
- Integration to on-prem DNS with VNets
- External (on-premises) DNS can run any DNS server, e.g. BIND or AD DNS
- Common pattern: use an Azure private DNS zone for auto-registration, plus custom configuration to forward queries for external zones to the external DNS server
- Forwarding:
- Forwarding specifies another DNS server (the SOA for the zone) to resolve queries the initial server can't answer itself
- Conditional forwarding specifies a DNS server for a named zone, so that all queries for that zone are sent to that specific DNS server
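The forwarding notes here and the "own DNS server" notes earlier (a DC in Azure answering its own domain and forwarding the rest to 168.63.129.16, conditional forwarders per VNet suffix, on-premises machines resolving Azure host names) describe one forwarding chain. The following is an added example, not MS Learn code: a simulation of that chain in which each server answers authoritatively for its own zones, forwards named zones to a conditional forwarder, and sends everything else to its default forwarder. Every server, zone, host name and IP in `build_lab()` is constructed sample data, and the two "Azure resolver" objects stand in for Azure-provided DNS in one VNet each (same internal.cloudapp.net suffix, different records), with a constructed `contoso.com` answer standing in for public recursion.

```python
"""Conditional forwarding between a DNS server VM, another VNet and on-premises DNS.

Added example (not MS Learn code): a simulation of the forwarding chain described in the
notes. Each DnsServer answers authoritatively for its own zones, sends queries for named
zones to a conditional forwarder, and forwards everything else to its default forwarder,
which for a server in Azure is the recursive resolver at 168.63.129.16. Every server,
zone, host name and IP in build_lab() is constructed sample data, and the "Azure
resolver" objects only stand in for Azure-provided DNS in one VNet each.
"""
from __future__ import annotations

AZURE_RESOLVER = "168.63.129.16"


def _longest_zone(fqdn: str, zones) -> str | None:
    """Pick the most specific zone (longest suffix) that contains fqdn, or None."""
    hits = [z for z in zones if fqdn == z or fqdn.endswith("." + z)]
    return max(hits, key=len) if hits else None


class DnsServer:
    def __init__(self, name: str, ip: str, authoritative: dict[str, dict[str, str]]):
        self.name, self.ip = name, ip
        self.authoritative = {z.lower(): {n.lower(): v for n, v in recs.items()}
                              for z, recs in authoritative.items()}
        self.conditional: dict[str, DnsServer] = {}   # zone -> server to forward that zone to
        self.default_forwarder: DnsServer | None = None

    def add_conditional_forwarder(self, zone: str, server: DnsServer) -> None:
        self.conditional[zone.lower().rstrip(".")] = server

    def resolve(self, fqdn: str, trace: list[str] | None = None) -> str | None:
        """Return the IP for fqdn, appending each server consulted to `trace`."""
        fqdn = fqdn.lower().rstrip(".")
        if trace is not None:
            trace.append(self.name)
        zone = _longest_zone(fqdn, self.authoritative)
        if zone is not None:                      # authoritative: a miss is NXDOMAIN, never forwarded
            return self.authoritative[zone].get(fqdn)
        zone = _longest_zone(fqdn, self.conditional)
        if zone is not None:                      # conditional forwarder for this zone
            return self.conditional[zone].resolve(fqdn, trace)
        if self.default_forwarder is not None:    # everything else
            return self.default_forwarder.resolve(fqdn, trace)
        return None


def build_lab() -> dict[str, DnsServer]:
    """Constructed topology: DC in VNet1, DNS server VM in VNet2, on-prem AD DNS."""
    # Azure-provided DNS is per VNet: same internal.cloudapp.net suffix, different records,
    # so a VNet1 query for a VNet2 VM name gets nothing (no resolution across VNets).
    azure1 = DnsServer("azure-dns-vnet1", AZURE_RESOLVER, {
        "internal.cloudapp.net": {"vm1.internal.cloudapp.net": "10.1.0.5"},
        "contoso.com": {"www.contoso.com": "203.0.113.10"}})   # stands in for public recursion
    azure2 = DnsServer("azure-dns-vnet2", AZURE_RESOLVER, {
        "internal.cloudapp.net": {"vm2.internal.cloudapp.net": "10.2.0.5"}})

    dc1 = DnsServer("dc01-vnet1", "10.1.0.4",
                    {"azure.contoso.com": {"dc01.azure.contoso.com": "10.1.0.4"}})
    dns2 = DnsServer("dns-vnet2", "10.2.0.4",
                     {"vnet2.contoso.com": {"web01.vnet2.contoso.com": "10.2.0.6"}})
    onprem = DnsServer("ad-dns-onprem", "192.168.1.10",
                       {"corp.contoso.com": {"fileserver.corp.contoso.com": "192.168.1.20"}})

    dc1.default_forwarder = azure1            # DC answers its domain, forwards the rest to Azure
    dns2.default_forwarder = azure2           # must sit in VNet2 to reach VNet2's host names
    dc1.add_conditional_forwarder("corp.contoso.com", onprem)    # on-prem domain -> on-prem DNS
    dc1.add_conditional_forwarder("vnet2.contoso.com", dns2)     # other VNet's suffix -> its DNS VM
    onprem.add_conditional_forwarder("azure.contoso.com", dc1)   # on-prem clients resolve Azure names
    return {"dc1": dc1, "dns2": dns2, "onprem": onprem, "azure1": azure1, "azure2": azure2}


if __name__ == "__main__":
    lab = build_lab()
    for name in ("dc01.azure.contoso.com", "fileserver.corp.contoso.com",
                 "web01.vnet2.contoso.com", "vm1.internal.cloudapp.net",
                 "vm2.internal.cloudapp.net", "www.contoso.com"):
        trace: list[str] = []
        print(f"{name:32} -> {lab['dc1'].resolve(name, trace)}  via {' > '.join(trace)}")
```

Two behaviours worth noticing in the trace output: a name under a zone the server is authoritative for is never forwarded, so a typo in the zone returns nothing rather than leaking to Azure or on-premises; and `vm2.internal.cloudapp.net` is unresolvable from VNet1 even though VNet2's own DNS VM can resolve it, which is exactly why the notes say the DNS server VM must be in the same VNet and why per-VNet suffixes plus conditional forwarders are used for cross-VNet resolution.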