Understanding Azure DNS Private Resolver

Azure DNS (Domain Name System) Private Resolver is another new Microsoft service introduced this year: a cloud-native, DevOps-friendly and highly available managed DNS resolution service. 

Its purpose is to let Azure DNS private zones be queried from an on-premises environment, and on-premises DNS names be resolved from Azure, without deploying and maintaining virtual machine (VM) based DNS servers. 

Supporting hybrid networking  

Previously, querying a private DNS zone from outside Azure meant building and supporting a custom DNS solution, typically forwarder VMs. Azure DNS Private Resolver provides a simple, managed and private way to conditionally forward and resolve DNS queries from an on-premises environment or a virtual network to any target DNS server, which is what makes hybrid name resolution practical. 

The processes behind DNS Private Resolver

To use Azure DNS Private Resolver, you first need an Azure Virtual Network in which the resolver will live. Inside it you create one or more inbound endpoints, each of which receives a private IP address from the virtual network; on-premises DNS servers (or any other client) send their queries for Azure names to that address. The resolver also has outbound endpoints, which forward queries out of Azure according to a configurable DNS forwarding ruleset.  

Each inbound and outbound endpoint needs its own subnet within the virtual network that hosts the resolver. These subnets must not contain any other resources and must be delegated to Microsoft.Network/dnsResolvers. Note also that DNS resolution between on-premises networks and virtual networks still requires private connectivity, via a VPN gateway or Azure ExpressRoute; the inbound endpoint only has a private IP address and is not reachable from the internet. 

The DNS query process for a client in a virtual network looks like this: 

  • A client in the virtual network issues a DNS query.  
  • If custom DNS servers are configured for that virtual network, the query is sent to those IP addresses and the remaining steps do not apply. 
  • If the virtual network uses Azure's default DNS and has Private DNS Zones linked to it, those zones are checked first. 
  • If the query does not match any linked private DNS zone, the resolver looks for DNS forwarding rulesets linked to the virtual network. 
  • If there are no ruleset links, Azure DNS resolves the query as normal. 
  • If there are ruleset links, the forwarding rules in those rulesets are evaluated against the query name. 
  • If a rule's domain name is a suffix of the query name, the query is forwarded to the target DNS server(s) configured in that rule. 
  • If more than one rule matches, the rule with the longest matching suffix wins. 
  • If no rule matches, Azure DNS resolves the query and no forwarding takes place. 
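The endpoint and subnet requirements above and the forwarding rules in the list map directly onto the resource model, so here is an added Bicep example of a complete hybrid setup: a virtual network with two delegated subnets, a resolver, an inbound endpoint for on-premises clients, an outbound endpoint, a ruleset with one conditional-forwarding rule, and a link of the ruleset to the virtual network. This is illustrative code written for this article, not Microsoft's own sample. The resource names, the address ranges, the on-premises domain corp.contoso.com and the on-premises DNS server IP 10.100.0.10 are all assumptions, as is the 2022-07-01 API version; if you deploy against the public preview you may need the preview API version instead.

```bicep
// Added example for this article (not Microsoft sample code).
// All names, address ranges and IPs below are assumptions; adjust for your environment.
param location string = resourceGroup().location
param onPremDnsServerIp string = '10.100.0.10'   // assumed on-premises DNS server
param onPremDomain string = 'corp.contoso.com.'  // assumed on-prem zone; trailing dot is required

// One dedicated, delegated subnet per endpoint; nothing else may live in them.
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-resolver'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'snet-inbound'
        properties: {
          addressPrefix: '10.0.0.0/28'
          delegations: [ { name: 'dnsResolvers', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]
        }
      }
      {
        name: 'snet-outbound'
        properties: {
          addressPrefix: '10.0.0.16/28'
          delegations: [ { name: 'dnsResolvers', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]
        }
      }
    ]
  }
}

// The resolver itself is bound to the virtual network that hosts its endpoints.
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: { virtualNetwork: { id: vnet.id } }
}

// Inbound endpoint: receives a private IP in snet-inbound. On-premises DNS servers
// conditionally forward Azure names (e.g. private zones) to this IP over VPN/ExpressRoute.
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      {
        privateIpAllocationMethod: 'Dynamic'
        subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-inbound') }
      }
    ]
  }
}

// Outbound endpoint: the source of queries forwarded out of Azure by the ruleset.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'
  location: location
  properties: {
    subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, 'snet-outbound') }
  }
}

// Ruleset attached to the outbound endpoint. Rules are matched by longest suffix.
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'ruleset-onprem'
  location: location
  properties: { dnsResolverOutboundEndpoints: [ { id: outbound.id } ] }
}

// Conditional forwarding rule: anything under corp.contoso.com. goes to the on-prem server.
resource rule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp-contoso'
  properties: {
    domainName: onPremDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [ { ipAddress: onPremDnsServerIp, port: 53 } ]
  }
}

// Linking the ruleset to a virtual network is what makes its rules apply to
// clients in that network (the "ruleset links" step in the query process above).
resource link 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-vnet-resolver'
  properties: { virtualNetwork: { id: vnet.id } }
}

// The private IP your on-premises DNS servers should forward Azure names to.
output inboundEndpointIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

After deployment, configure a conditional forwarder on your on-premises DNS servers that sends the Azure private zone names to the inboundEndpointIp output, and check both directions: from on-premises, query an Azure private zone record against that IP (for example with dig or nslookup pointed at it), and from a VM in the linked virtual network, resolve a name under corp.contoso.com and confirm it is answered by the on-premises server rather than by Azure DNS. If the second check fails, verify the ruleset is actually linked to the VM's virtual network and that the rule's domain name ends with a trailing dot.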

Benefits of Azure DNS Private Resolver

Azure DNS Private Resolver is highly available and zone redundant, and it runs at a fraction of the cost of typical IaaS (Infrastructure as a Service) solutions. You'll also be able to conditionally forward to and from on-premises environments privately and securely, which is ideal for hybrid cloud setups. 

Some other benefits include: 

  • High scalability, with endpoints that offer high performance. 
  • Support for DevOps workflows: you can deploy it from pipelines using Terraform, Bicep, or Azure Resource Manager (ARM) templates.  

The current limitations of DNS Private Resolver 

Currently, Azure DNS Private Resolver is in public preview, which brings restrictions that may not apply once it is generally available. A ruleset can contain no more than 25 rules, rulesets can't be linked to virtual networks in other subscriptions, and IPv6-enabled subnets aren't supported for the endpoint subnets. 

Nonetheless, this is a very beneficial new service, especially for hybrid companies. Getting your organisation familiar with the processes associated with using this new service can help prepare for when it’s generally available.