Troubleshoot hybrid Azure DNS private resolver with on prem Windows server
Private DNS names can be resolved between Azure VMs and on prem through a dedicated VM for DNS resolution, Azure Firewall with DNS proxy, or Azure DNS Private Resolver. Each of these also requires a dedicated connection between on prem and Azure via VPN or ExpressRoute.
The private DNS zone on prem and the private DNS zone in Azure cannot share the same domain name. As a workaround, the Azure private DNS zone can be a subdomain of the on-prem private DNS zone. By default Azure resources use Azure-provided DNS, so you may see 'internal.cloudapp.net' as the DNS suffix.
Create a DNS private zone. Make sure to choose Private DNS zone and not DNS zone. Use a unique subdomain that differs from the on-prem DNS zone.
Link the virtual network used for DNS resolution. I've enabled auto registration so any VM connected to this VNet automatically gets a DNS record in the private DNS zone.
Create a DNS private resolver. Make sure the inbound and outbound subnets are at least a /28 and no larger than a /24. These subnets are dedicated to the inbound and outbound endpoints; other resources cannot be deployed in them.
*** For the inbound and outbound subnets, the third octet MUST be greater than .16. The inbound endpoint is for on prem to forward queries to Azure, and the outbound endpoint is for Azure to forward queries to on prem.
Add a ruleset. Configure it for the outbound endpoint and the VNet the private resolver resources are deployed in. This acts as the Azure equivalent of a conditional forwarder. Give the ruleset a name, add a rule with the on-prem domain name as the domain, and add the private IP of the on-prem DNS server as the destination.
On prem, azure.dnszone.com cannot be configured as a conditional forwarder, since the on-prem DNS server is authoritative for dnszone.com.
Since I do not have Active Directory and DNS configured within the Azure VM, but resolve DNS through the Azure private DNS zone, the DNS suffix will still show the Azure DNS suffix. To change it, go to the IPv4 advanced network settings and change the DNS suffix. With Azure private resolver it is not necessary to change it, since resolution is not going through the VM but through the resolver service.
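The design rules above (the Azure zone must be a subdomain of the on-prem zone and not the same name, the endpoint subnets must be /28 to /24 and dedicated, and the on-prem server refuses a conditional forwarder under a zone it is authoritative for) are easy to check before clicking through the portal. The following preflight checker is an added example, not code from the original post or from Azure; the zone names and subnet prefixes in it are constructed sample values.

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 24, 28  # resolver endpoint subnets: no larger than /24, at least /28


def _norm(zone: str) -> str:
    """Lower-case a zone name and drop any trailing dot for comparison."""
    return zone.strip().lower().rstrip(".")


def is_strict_subdomain(child: str, parent: str) -> bool:
    """True when child sits below parent (and is not the same name)."""
    c, p = _norm(child), _norm(parent)
    return c != p and c.endswith("." + p)


def subnet_problems(label: str, cidr: str) -> list:
    """Size rules for a DNS Private Resolver inbound/outbound subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    out = []
    if net.prefixlen < MIN_PREFIX:
        out.append(f"{label} {cidr}: larger than /{MIN_PREFIX}")
    if net.prefixlen > MAX_PREFIX:
        out.append(f"{label} {cidr}: smaller than /{MAX_PREFIX}")
    return out


def onprem_forwarder_allowed(forwarder_zone: str, authoritative_zones: list) -> bool:
    """Windows DNS will not accept a conditional forwarder for a name it is authoritative for
    (the zone itself or anything under it), which is why azure.dnszone.com fails on prem."""
    return not any(
        _norm(forwarder_zone) == _norm(z) or is_strict_subdomain(forwarder_zone, z)
        for z in authoritative_zones
    )


def check_design(onprem_zone: str, azure_zone: str, inbound_cidr: str, outbound_cidr: str) -> list:
    """Return a list of findings; an empty list means the design passes these checks."""
    findings = []
    if _norm(azure_zone) == _norm(onprem_zone):
        findings.append("Azure private zone must not share the on-prem zone name")
    elif not is_strict_subdomain(azure_zone, onprem_zone):
        findings.append("Azure private zone should be a subdomain of the on-prem zone")
    findings += subnet_problems("inbound", inbound_cidr)
    findings += subnet_problems("outbound", outbound_cidr)
    if ipaddress.ip_network(inbound_cidr).overlaps(ipaddress.ip_network(outbound_cidr)):
        findings.append("inbound and outbound subnets overlap; each endpoint needs its own dedicated subnet")
    return findings


if __name__ == "__main__":
    # Constructed sample design: on-prem dnszone.com, Azure child zone azure.dnszone.com.
    print(check_design("dnszone.com", "azure.dnszone.com", "10.1.16.0/28", "10.1.17.0/28"))
    print(onprem_forwarder_allowed("azure.dnszone.com", ["dnszone.com"]))
```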