Azure Private DNS

This little fella can get quite confusing when looking at all the posts and articles, but it really doesn't have to be that difficult.

The private DNS thing in Azure is just basically the same as a DNS zone just like you have in your normal DNS servers.  You create the zone with a specific name, tell your azure resource to use this as their private DNS zone and then tell your other DNS servers to ask Microsoft for name resolutions for that domain.  A good point to note here is that the Azure resources you tell to use the private DNS zone just register their addresses to it.  They don't do lookups against it. It is not their DNS lookup server.

Now as with almost everything there are caveats.  The big one here is that to do lookups against these zones and return the private IP address of each resource, the lookup has to come from a DNS server that is connected to an Azure VNET.  If you try and get an on-premise DNS server to lookup the name it will always return the public IP address. So how do we put this into practice.


Create the Azure DNS Servers.

Prerequisites

  • A VNET that is routable from your on-premises environment.
  • A resource group.

Tasks

  1. Build out at least one server in Azure and connect it to the vnet. Preferably build two for redundancy. They do not need to be domain joined but I recommend they are so they maintain the same management and settings as the rest of the environment.
  2. Add the DNS role.
  3. Create DNS forwarders for each zone you plan on doing lookups for. The destination of the forwarder should be 168.63.129.16.

It should look something like this when complete.


Create the Private DNS Zones.

Prerequisites

  • A VNET that is routable from your on-premises environment.
  • A resource group to house all the Private DNS Zones.

Tasks

  1. https://portal.azure.com and search for Private DNS Zones.
  2. Click ‘Create’.
  3. Enter the details.
    1. Pick your subscription.
    2. Pick the resource group.
    3. Enter the name of the zone.  This should be domain suffix.
      1. Example: privatelink.file.core.windows.net.
      2. The above example will host any private IP addresses for Azure Files instances.
    4. The region will default to the resource group location.
  4. Add any tags. I recommend at least three.
    1. App – What it is. Useful for cost analysis grouping.
    2. Owner – Person responsible for it.
    3. Env – Prod\Dev\Test\QA
  5. Click ‘Create’.
  6. Open up the zone.
  7. On the left pane menu, select ‘Virtual network links’.
  8. Click ‘Add’.
  9. Enter the details.
    1. Link name – Can be anything. Stick with something like the name of the Azure network.
    2. Subscription – The subscription that has the VNET in it.
    3. Virtual network – The VNET from the prerequisites.
  10. Click ‘OK’.
  11. You can now link any private links to this DNS zone and they will register their addresses. The Azure based DNS servers will be able to resolve any addresses added to this zone.

Forward the on-premise queries.

Prerequisites

  • Access to the on-premise DNS server(s)
  • Port 53 open between on-premise DNS servers and Azure DNS servers.

Tasks

  1. Access the DNS management console on your on-premise servers.
  2. Create forwarders for each zone you want to resolve.
    1. This should be a one to one match for the zones created in the Azure DNS servers.
  3. Set the forwarder for each zone to the IP addresses of the Azure DNS servers you created.
  4. You should now be able to nslookup the name of a resource and the private IP should be returned.


Comments

Post a Comment

Popular posts from this blog

Local Administrator Password Solution(LAPS)

Image
We have all come across it.  It's a problem as old as the computer itself.  Ever since those first few engineers sat around the PC and said, "Hey Frank, I can'y log in.  What's the password?"  I am of course talking about local admin passwords.  For what ever reason your local admin password will eventually leak out and when it does, it spreads quicker than rumors of free donuts in the break room. You may have combated this with a script that you run once a year that changes the local admin password.  The problem with this solution is that if a machine is turned off or remote then it won't get the script run against it.  You could put the script into a logon script but then your sticking a clear text version of the script onto your network somewhere. "Well, I just use GPO to deploy my passwords using Group Policy Preferences." I hear you say.  This I will agree was an excellent solution until https://technet.microsoft.com/en-us/library/se...
Read more

Error Connecting to Hyper-V Host

Image
Got yourself a Hyper-V host on a nice HP server and can't connect to it remotely from the Hyper-V manager?  You are not alone.  Assuming your error is something like the error below then I may be able to help. The WS-Management service cannot process the request.  The class Msvm_RegisteredProfile does not exist in the root/interop namespace. This has something to do with the HP tools messing with the registration of the MOF's.  All we need to do to fix it is register the MOF files.  To do this, open an administrative command prompt on the server and run the following command. MOFCOMP %SYSTEMROOT%\System32\WindowsVirtualization.V2.mof That will parse through the MOF file and register it on the system leaving you with the nice screenshot below. You should now be able to use your local Hyper-V console to connect to the server and manage away. As with anything you find on the Internet use this at your own risk.  Just because it...
Read more

MBAM Not BitLocking

Image
MBAM is installed,  group policies are set.  You install the MBAM client and nothing happens. First place to start is the Eventlog.  Open eventvwr.msc and browse through to ' Applications and Services Logs\Microsoft\Windows\MBAM' .  In my case I had 'TPM hardware is missing error' This was an easy one to sort out.  Just reboot, enter the BIOS and enable the TPM module.  Some manufacturers do offer tools to do this remotely so might be worth checking with your vendors on this one if you have a bunch of machines to do. Once the machine came back up it still wasn't encrypting the disk so back to the eventlog we go. This time I was presented with 'Unable to connect to the MBAM Recovery and Hardware service.  Access was denied by the remote endpoint.' For this one I started with checking access to the endpoint.  To do this open up regedit and browse to 'HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement' .  Copy...
Read more