Azure Private DNS and VPN Gateway

December 13, 2022 

What is Azure Private DNS?

Azure Private DNS is a DNS service for Azure virtual networks. You can register a private DNS zone to Azure Private DNS and then link that zone with one or more virtual networks. If you enable DNS auto-registration for a virtual network, a new resource (e.g. virtual machines and VPN Gateways) will automatically add its IP address to Azure Private DNS. Resources in the linked virtual networks can use entries in Azure Private DNS to locate each other, instead of relying on IP addresses or the default Azure DNS domain. You can make Azure Private DNS and Azure VPN Gateway work together in several ways, some of which this article will describe.

For example, suppose you register a DNS zone called private.example.org in Azure Private DNS. You then create two virtual machines, server_a and server_b which will automatically add their private IPs to Azure Private DNS as A records. For example:

  • server_a.private.example.org -> 10.129.20.10
  • server_b.private.example.org -> 10.129.20.11

Now both VMs are able to resolve each other's IP address using their private DNS names. As Azure Private DNS uses the default Azure DNS server (168.63.129.16) transparently, you don't need to modify the virtual network's or virtual machine's DNS settings at all.

What is Azure VPN Gateway

Azure VPN Gateway is designed for encrypting traffic between on-premise resources and Azure. It is basically Azure's multi-protocol VPN server with various high-availability options. We outline some other VPN server options in this blog post.

For the purposes of this blog post we assume that Azure VPN Gateway uses a point-to-site ("P2S") configuration to provide remote users with access to Azure resources through a secure VPN connection. We also assume that VPN Gateway uses the OpenVPN protocol.

Azure Private DNS can also work with OpenVPN and Wireguard. The former is able to push DNS settings to VPN clients, but the latter requires manual client configuration.

Limitations in private DNS

Azure Private DNS and Azure VPN Gateway do not, by default, work together. As we mentioned above, Azure Private DNS uses the default Azure DNS transparently. This has the poorly documented side-effect that Azure VPN Gateway can't route DNS requests from VPN clients to Azure.

VPN Gateway that uses the OpenVPN protocol can push DNS server settings as DHCP options down to VPN clients. It gets the DNS server information from its virtual network's DNS server settings. With default DNS settings the VPN Gateway pushes nothing to the VPN clients.

With vanilla Azure Private DNS you don't have any dedicated DNS servers you could add to the virtual network's DNS settings. Due to this reason VPN clients can't resolve any names from Azure Private DNS without extra services.

Allowing VPN clients to use Azure Private DNS

Azure Private DNS resolver

Azure Private DNS and Azure VPN Gateway require additional services to work together. Azure's solution is called Azure Private DNS Resolver - a managed DNS server cluster. You can add the cluster member IP addresses to the virtual network's DNS server settings. VPN Gateway will (in case of OpenVPN) push those DNS servers to VPN clients. While this approach is decent, it has a pretty high price tag, about $173/month at the time of writing this article.

Custom DNS server cluster with DNS records in Azure Private DNS

You can also to set up two custom DNS servers inside the virtual network. You can then configure those as the virtual network's DNS servers. As they are inside the virtual network, they are able to resolve Azure Private DNS zones. This allows the VPN Gateway to push DNS servers to VPN clients. You do not need to host any DNS records on these instances as the backend would be Azure Private DNS. Essentially your DNS server would be a simple DNS forwarder. A decent Linux-based DNS server cluster you would cost you about $30/month, but has a higher up-front and maintenance cost compared to Azure Private DNS resolver.

Setting up Bind as DNS forwarder is rather easy. This tutorial, though written for Ubuntu 14.04, still works at least on Red Hat Enterprise Linux 8.

Custom DNS server cluster with DNS records

Alternatively you could also skip Azure Private DNS altogether and manage private DNS records on your own DNS servers. The up-front cost is probably highest among all these options, but you'd get maximum flexibility. This option costs about $30/month.

Single DNS server

If you want to save more money you can add two private IP addresses to a single DNS server VM. You can then add those two IPs to the virtual network's DNS server settings. With this approach you could squeeze the price to maybe $25/month. You could have the DNS records in Azure Private DNS or stored inside the DNS server itself.

Publishing VPN client IPs in Azure Private DNS

Azure Private DNS does not support static IPs for OpenVPN (P2S) VPN clients. Vanilla OpenVPN 2.x does a pretty good job at maintaining static client IP addresses even if you don't do anything special on the server-side. Azure VPN Gateway is a different beast: it seems very keen on changing the VPN client IPs on reconnect. This means that you can't add VPN client IP addresses into Azure Private DNS and expect them not to break very quickly.

The only way to update Azure Private DNS with VPN client IPs is to run an OpenVPN "up" script (e.g. Bash or Powershell) to push the DNS change to Azure Private DNS. This is actually what we do in our openvpn-update-azure-private-dns up/down script.

Related articles

Samuli Seppänen
Samuli Seppänen
Author archive
menucross-circle