Azure private DNS zones provide name resolution for virtual machines (VMs) within a virtual network or between virtual networks. One of the limitations that Azure DNS has is that it does not support conditional forwarding. This means that you cannot send DNS queries from an on-premise network for resolution within Azure virtual networks.
Since a private zone is only accessible from within a virtual network or from virtual networks to which this zone is shared between, the DNS queries from on-premise clients cannot resolve to applications hosted in Azure.
This blog explains how customers can leverage an Infoblox appliance running in Azure to conditionally forward the DNS queries that are originating from on-premise networks to an Azure DNS resolver for query resolution.
Scenario: Conditionally forward on-prem DNS queries for resolution in Azure DNS private zones
Consider that for any application deployed in Azure, the DNS records for these applications are created in an Azure private zone that is linked to a virtual network.
To handle the DNS queries from the on-premise clients for resolution within the Azure private zone, Infoblox appliances can be deployed as a forwarder in the Azure virtual network. The Infoblox appliance will receive the DNS queries for the application and then with conditional forwarding, send these to the Azure DNS servers for resolution before providing the response back to the on-premise client.
Let’s assume that you have the Azure DNS private zone named contoso.com and multiple applications are hosted in it (vm1.contoso.com, vm2.contoso.com etc.).These are the applications that your on-premise clients need to access.
1. You have an Infoblox appliance running in the on-premise network (IP: 10.34.34.115)
To enable conditional forwarding between Azure and on-prem networks, perform the below steps:
1. Create a private zone and deploy an Infoblox appliance in an Azure virtual network
a. Log on to the Azure portal. Create a resource group (infoblox-resgrp1) and a virtual network (infoblox- vnet1).
b. Next, create a private zone (com) linked to the virtual network (infoblox-vnet1) by running the below command from the CLI:
az network dns zone create -g infoblox-resgrp1 -n contoso.com –zone-type Private –registration-vnets infoblox-vnet1
Note: The Azure private DNS zones feature is in public preview and Azure currently does not provide an option to create private zones from the UI. You will need to create the private zone using the Azure the CLI and in an empty virtual network.
c. Create a few DNS records. For example: contoso.com (IP: 172.29.140.55) and vm2.contoso.com (IP: 172.29.140.56)
d. Deploy an Infoblox vNIOS appliance on Azure in the same virtual network. Let’s say the IP address of it is 29.140.21. Please refer to the Infoblox deployment guide for Azure for instructions.
Note: This appliance does not need to be a member of an Infoblox Grid.
2. Configure a Forward-Mapping Zone in the on-premise Infoblox appliance
a. Log on to the on-premise vNIOS appliance (IP: 10.34.34.115) and create a forward-mapping zone (contosocom).
b. Add the forwarder IP as 29.140.21 (this should match with the IP address of the vNIOS appliance on Azure). The detailed steps on how to configure a forward zone and add a forwarder can be found here.
3. Add Azure Recursive/DNS Resolver as the Forwarder in the Azure Infoblox Appliance
a. Now log on to the vNIOS appliance in Azure.
b. Navigate to Data Management-> Grid DNS Properties -> Forwarders and add the forwarder IP as 188.8.131.52. This is the static IP address of the Azure Recursive Resolver and is not routable from on-prem networks.
c. Restart services on each Infoblox appliance (if not already done).
You are set now. From an on-prem client, if you query against the on-prem Infoblox appliance (IP: 10.34.34.115) for the records that are hosted in Azure, the queries are forwarded to the Azure recursive/DNS resolver (IP: 184.108.40.206) for resolution.