Azure DNS Private Resolver
Azure DNS Private Resolver is a feature within Azure DNS that allows you to host and resolve domain names privately within your virtual network. By creating a private DNS zone and associating it with your virtual network, you can manage DNS records and use fully qualified domain names (FQDNs) to access resources within the network. The Azure DNS Private Resolver ensures secure and internal name resolution without relying on the public internet, providing privacy and security for your virtual network resources.

Have you ever created a network in Azure? Have you ever gone so far that you need to connect to your resources from your on-premises network? You have probably created a VPN connection (for example using a Point-to-Site connection) to your VNet and run into some trouble because you are not able to resolve the hostnames of resources in your network.

To overcome this problem, you have to run your own DNS server that resolves the hostnames in your VNet, or that forwards the DNS requests to Azure's default DNS. And now you have yet another VM and service (the VM for the DNS, and the DNS service itself) to maintain. Luckily, there is a new service called the Azure DNS Private Resolver.

What is the Azure DNS Private Resolver?

Well, in fact, this private resolver does exactly what's described above. It tries to resolve hostnames in the networks it is attached to, and forwards the DNS request to a different DNS service when it cannot resolve the hostname itself. You create inbound endpoints as child resources of your DNS resolver. These inbound endpoints are deployed in a subnet of your VNet and act as 'tentacles' of the DNS Private Resolver to reach into your network.

Let’s assume you have already deployed a VNet in Azure, and this VNet contains a subnet dedicated to the inbound endpoint:

// Parameters used by the snippets below (declare them once at the top of the Bicep file)
param vnetName string
param vnetResourceGroup string
param subnetName string

// Reference the existing VNet (possibly in another resource group) and its dedicated inbound subnet
resource VNet 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
  name: vnetName
  scope: resourceGroup(vnetResourceGroup)
  resource inboundEndpointSubnet 'subnets' existing = {
    name: subnetName
  }
}

An inbound endpoint must be assigned to a subnet that is reserved specifically for that inbound endpoint. No other resource can exist in the same subnet as the inbound endpoint, and the subnet must be delegated to Microsoft.Network/dnsResolvers, otherwise the deployment fails.

Now let’s create the DNS Private resolver:

param location string = resourceGroup().location

// The resolver itself is bound to exactly one VNet
resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'my-dns-private-resolver'
  location: location
  properties: {
    virtualNetwork: {
      id: VNet.id
    }
  }
}

Once the resolver is in place, you can now go ahead and deploy the inbound endpoint:

// The inbound endpoint receives a private IP from the dedicated subnet; that IP is your DNS server address
resource dnsResolverInbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  name: 'my-dns-private-resolver-inb001'
  location: location
  parent: dnsResolver
  properties: {
    ipConfigurations: [
      {
        subnet: {
          id: VNet::inboundEndpointSubnet.id
        }
        privateIpAllocationMethod: 'Dynamic'
      }
    ]
  }
}

That's all there is to it. The inbound endpoint can now resolve names in your VNet. The inbound endpoint will be assigned a private IP address. If you configure your VNet to use that IP address as its DNS server and then create the Point-to-Site connection using an Azure Virtual Network Gateway, you will see that the clients are configured to use the same IP address as their DNS server. This means you can now resolve resources to internal network IP addresses through your VPN connection.
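The post covers the inbound direction only. As an added example (not code from the original post), here is the outbound half the text alludes to: an outbound endpoint, a forwarding ruleset that sends queries for an on-premises domain to an on-premises DNS server over the VPN, and an output of the inbound endpoint's IP to configure as the VNet's DNS server. It assumes it is appended to the same Bicep file as the `VNet`, `dnsResolver` and `dnsResolverInbound` resources above (and the `vnetName`, `vnetResourceGroup` and `location` parameters); `snet-dns-outbound`, `corp.example.com.` and `10.0.0.4` are placeholders.

```bicep
// Added example (not from the original post): outbound forwarding for the resolver declared above.
param outboundSubnetName string = 'snet-dns-outbound' // placeholder; must also be delegated to Microsoft.Network/dnsResolvers
param onPremDomain string = 'corp.example.com.' // placeholder; the trailing dot is required
param onPremDnsServerIp string = '10.0.0.4' // placeholder on-premises DNS server reachable over the VPN
// Outbound endpoint: the path the resolver uses to send queries out of the VNet
resource dnsResolverOutbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  name: 'my-dns-private-resolver-out001'
  location: location
  parent: dnsResolver
  properties: {
    subnet: {
      id: resourceId(vnetResourceGroup, 'Microsoft.Network/virtualNetworks/subnets', vnetName, outboundSubnetName)
    }
  }
}
// Ruleset attached to the outbound endpoint; its rules decide which domains are forwarded
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'my-dns-forwarding-ruleset'
  location: location
  properties: {
    dnsResolverOutboundEndpoints: [
      { id: dnsResolverOutbound.id }
    ]
  }
}

// Only the on-premises domain is forwarded; everything else is still answered by Azure DNS
resource onPremRule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  name: 'onprem'
  parent: ruleset
  properties: {
    domainName: onPremDomain
    forwardingRuleState: 'Enabled'
    targetDnsServers: [
      { ipAddress: onPremDnsServerIp, port: 53 }
    ]
  }
}

// Link the ruleset to the VNet so resolution from the VNet (including via the inbound endpoint) applies the rules
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  name: 'vnet-link'
  parent: ruleset
  properties: {
    virtualNetwork: { id: VNet.id }
  }
}
// The address to configure as the VNet's DNS server; Point-to-Site clients inherit it
output inboundEndpointIp string = dnsResolverInbound.properties.ipConfigurations[0].privateIpAddress
```

Keep the rule list as narrow as the domains you actually need forwarded, so that a misconfigured or compromised on-premises DNS server only influences answers for its own zone.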


Last modified on 2023-05-22

Hi, my name is Eduard Keilholz. I'm a Microsoft developer working at 4DotNet in The Netherlands. I like to speak at conferences about all and nothing, mostly Azure (or other cloud) related topics.