Lesson Learned #506: Why Custom DNS Returns the Public IP Instead of the Private IP with Azure Private Endpoints
Published Jul 06 2024 02:49 AM

Recently, I was working on a simulation to understand why custom DNS servers resolve the public IP instead of the private IP when using Azure Private Endpoints.

Here, I would like to share some lessons learned about this topic.

There are many ways to configure DNS servers (forward zones, conditional forwarders, forwarders, and so on) so that names under database.windows.net resolve to the private IP of the Azure SQL Server Private Endpoint.

Lessons Learned

During several tests, I found that when we define the Private Endpoint configuration for Azure SQL Server, it is crucial to include the Azure Private DNS Zone.

  1. DNS server without a forward zone for database.windows.net:

    • If my DNS server has no forward zone defined for database.windows.net, it automatically queries other DNS servers. Depending on the situation, these external DNS servers could reply with the public IP.

  2. Busy DNS server or timeout issues:

    • If my DNS server has a forward zone for database.windows.net but is very busy or times out, it might still query other DNS servers. Disabling recursion on the custom DNS server could prevent this, but it might break other resolutions that are needed, such as those used for redirection. Again, depending on the situation, these external servers could reply with the public IP.

  3. Using the Azure DNS IP (168.63.129.16) as the last DNS server:

    • In some scenarios, I included the Azure DNS IP 168.63.129.16 as the last DNS server. Depending on how DNS requests are processed, the client machine sometimes uses 168.63.129.16 to resolve the name. If the Azure Private DNS Zone is not defined, it returns the public IP.

Recommendations

Given these scenarios, I would suggest configuring the Azure Private DNS Zone even when conditional forwarders and custom DNS configurations are in place.

When the DNS server that processes the request is 168.63.129.16, it first checks whether an Azure Private DNS Zone exists for the name. If one is defined, it returns the private IP instead of the public IP. Without the Azure Private DNS Zone, the IP returned will always be the public IP.
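The quickest way to tell which of the three scenarios above you are in is to look at the answer itself: a correctly working Private Endpoint resolves through a CNAME under the privatelink zone and ends in an RFC 1918 address inside your VNet, while a fallback to public DNS ends in a public address. The following script is an added example and is not part of the original post or of any Microsoft tooling. It assumes that an Azure SQL Private Endpoint name is aliased into the privatelink.database.windows.net zone (the zone the Azure Private DNS Zone for SQL is normally created as); the server name, gateway name and IP addresses in the sample answers are constructed, not real records.

```python
"""Classify a DNS answer for an Azure SQL Private Endpoint name as private or public.

Added example, not part of the original post. A DNS answer is modelled as a list of
(name, record type, value) tuples so the check runs offline on constructed data; the
live lookup at the bottom uses the OS resolver, i.e. whatever DNS servers this
machine is configured with, and therefore shows what a client on that path gets back.
"""
import ipaddress
import socket
import sys

# Assumption: Private Endpoint names for Azure SQL are aliased into this zone.
PRIVATELINK_SUFFIX = ".privatelink.database.windows.net"

# Private Endpoint NICs get an address from the VNet, so only RFC 1918 space counts
# as "private" here (ipaddress.is_private would also accept documentation ranges).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def follow_chain(fqdn, records):
    """Walk CNAME records starting at fqdn; return (names visited, final A-record IPs)."""
    visited = []
    name = fqdn.rstrip(".").lower()
    for _ in range(10):  # guard against CNAME loops
        visited.append(name)
        cnames = [v for n, t, v in records if n.lower() == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0].rstrip(".").lower()
    ips = [v for n, t, v in records if n.lower() == name and t == "A"]
    return visited, ips


def classify(fqdn, records, vnet_prefix=None):
    """Return a dict with the CNAME chain, the A records and a status:
    private-endpoint      chain passed through privatelink and the IP is RFC 1918
    private-other         RFC 1918 answer that did not come via privatelink (e.g. a static record)
    private-outside-vnet  RFC 1918 answer, but not inside the given vnet_prefix
    public                public address: resolution fell through to public DNS
    no-answer             no A record reached
    """
    visited, ips = follow_chain(fqdn, records)
    via_privatelink = any(n.endswith(PRIVATELINK_SUFFIX) for n in visited)
    result = {"chain": visited, "ips": ips, "via_privatelink": via_privatelink}
    if not ips:
        result["status"] = "no-answer"
        return result
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    if not all(is_rfc1918(a) for a in addrs):
        result["status"] = "public"
    elif vnet_prefix and not all(a in ipaddress.ip_network(vnet_prefix) for a in addrs):
        result["status"] = "private-outside-vnet"
    elif via_privatelink:
        result["status"] = "private-endpoint"
    else:
        result["status"] = "private-other"
    return result


def live_lookup(fqdn):
    """Resolve fqdn with the OS resolver and classify the A records. getaddrinfo does
    not expose the CNAME chain, so only the private/public split is reported."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror as exc:
        return {"status": "no-answer", "chain": [fqdn], "ips": [], "error": str(exc)}
    ips = sorted({info[4][0] for info in infos})
    return classify(fqdn, [(fqdn, "A", ip) for ip in ips])


# Constructed sample answers (server name, gateway name and IPs are made up).
SERVER = "contoso-sql.database.windows.net"
PRIVATELINK_NAME = "contoso-sql.privatelink.database.windows.net"

# Resolver went via 168.63.129.16 with the Azure Private DNS Zone in place.
ANSWER_PRIVATE = [
    (SERVER, "CNAME", PRIVATELINK_NAME),
    (PRIVATELINK_NAME, "A", "10.1.2.5"),
]

# Scenarios 1-3 from the post: the query ended up at a public resolver, which knows
# the privatelink alias but not the private zone, so it hands back the public gateway.
ANSWER_PUBLIC = [
    (SERVER, "CNAME", PRIVATELINK_NAME),
    (PRIVATELINK_NAME, "CNAME", "contoso-sql-gateway.example.net"),
    ("contoso-sql-gateway.example.net", "A", "198.51.100.7"),
]

if __name__ == "__main__":
    for label, answer in (("private zone present", ANSWER_PRIVATE), ("fell through to public DNS", ANSWER_PUBLIC)):
        print(label, "->", classify(SERVER, answer, vnet_prefix="10.1.0.0/16"))
    if len(sys.argv) > 1:  # optional: classify a real name using this host's resolvers
        print(live_lookup(sys.argv[1]))
```

Run it with a server name as the argument from a VM inside the VNet and then again from a VM that uses the custom DNS servers; a "public" result on the second run means one of the three fallbacks in the post is in play, and a "private-outside-vnet" result usually means the record came from a stale or hand-maintained zone rather than the Private Endpoint's own NIC.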