Using DNS in Azure IaaS
/September has come so it’s time for Azure Back to School. I want to take this opportunity to talk a little bit about DNS in Azure. The Domain Name System is a system which is used a lot in the public cloud and has a lot of possibilities but often it’s seen as a black box or something not to touch because it will break if you look at it for to long.
To get a bit better idea of how the Azure DNS works let’s create a simple lab in Azure. This lab will consist of the following things:
One Virtual Machine running Windows 11
One Virtual Machine running Windows Server 2022 azure edition
These two Virtual Machines are both connected to the same subnet.
The next step is to make the server a domain controller and join the windows 11 machine to the domain. When trying to join the windows 11 machines to the domain our first issue will arise. The windows 11 machine can’t find the name of the domain.
We made the Server also a DNS server when we made it a domain controller. This is needed because AD DS is build to use the DNS protocol. To fix this problem we will need to set the DNS server on the Windows 11 machine to the IP address of the server (in the network properties). After this is done we should be able to join the machine to the domain.
Now that we’ve set this up let’s dive a bit deeper into the Azure DNS. To really see what is happening let’s install the tool WireShark on both machines. After the installation is done you can open the tool and it will give a overview of the current available network adapters.
On both machines open the tool and select the ethernet adapter. You will now start to see screens where all the network packages are shown in real time. This can go quite fast and be overwhelming. Luckily there are filters to limit the amount of traffic we see. In the top bar enter the word “dns” and press enter. now you should only see the DNS traffic.
It’s quite possible that there still is some DNS traffic going on. Windows does a lot of things on the background and many of these things require DNS to be used.
Now let’s see how this DNS actually works. You can press the red square in WireShark to stop capturing and then press the sharkfin to start again, this will empty your captures. After we’ve done this on both machines let’s run a powershell command on the windows 11 machine.
Resolve-DnsName <Name of your domain>
This will trigger a DNS query to your domain DNS server.
In the screenshot above you see two DNS requests and two responses. There is a response for an A and AAAA record. We can limit this by also requesting a specific type when doing the request. When looking at the server we see the following:
Here we see also four captures. The requests are received on the server and the server responds back.
Now this is all well and good but we haven’t really used the Azure DNS yet. When a normal Virtual Machines is connected to a vnet it will use the Azure DNS servers but when we joined the VM to the domain we changed the DNS server. So until now we haven’t used any of the Azure DNS yet.
We can start by seeing what will happen if we query something outside the zones set in the DNS server.
From the client side nothing really seems different. This time I’ve queried only for the A record to reduce the amount of queries being done. We see a request and response back. But if we look at the server something else is happening:
Here now we see four DNS queries while at the client we only saw two. This is because our DNS server doesn’t know anything about example.com so it has to forward these queries. The IP address it forwards it too looks to be a normal public IP address but here is the catch.
The IP address 168.63.129.16 is a very special IP address in Azure. This address is where you can find the Azure DNS. But if you look at the network settings for the server you won’t find this IP address listed there. This is why I used the “azure edition” of the windows server installation. One of the special features of the “azure edition” is that they preconfigured a couple of things to make the server work better in Azure. One of these things is the configuration of the DNS forwarders.
In the properties of the DNS server you can see this value being set already. This allows the server to forward the queries. Once the query reaches the Azure DNS it can be resolved there and if needed be send to the internet to resolve the query.
For example if you create a storage account and use the private link a private DNS zone will be created. If your queries are send to the Azure DNS it will be able to resolve the values in the private DNS zone (if this zone is linked to the VNET where the DNS server is a part of). This way you can connect to a private link resource.
Often when working with infrastructure in Azure the solution I see being used it as described here above. In Azure there are one or several DNS servers which have forwarders setup to make sure the DNS queries end up at the right places. Especially in a hybrid environment this can become quite complex very soon. So in a future blog post I will explain how you can utilize tools like a private DNS resolver in Azure to simplify your environment. For now I hope the DNS in Azure is a little bit more clear. This is still only the top of the iceberg of DNS in Azure but by understanding how this works in my experience 90% of the DNS problems can be fixed already when concerning Azure.
Thanks for reading this and enjoy the rest of September with all these wonderful contributions from the community!