In this series of posts I’m going to talk about a technology, that while old, still provides a critical foundational service. Yes folks, we’re going to cover Domain Naming System (DNS). Specifically, we’re going to look at the options for private DNS in Microsoft Azure and what the positives and negatives are of each pattern. I’m going to go into this assuming you have a basic knowledge of DNS and understand the namespaces, various record types, forward and reverse lookup zones, recursive and iterative queries, DNS forwarding and conditional forwarding, and other core DNS concepts. If any of those are unfamiliar to you, take some time to review the basics then come back to this post.
Before we jump into the DNS options in Azure, I first want to cover the 22.214.171.124 address. If you’ve ever done anything even basic in Azure, you’ve probably run into this address or used it without knowing it. This public IP address is owned by Microsoft and is presented as a virtual IP address serving as a communication channel to the host node for a number of platform resources. It provides functionality such as virtual machine (VM) agent communication of the VM’s ready state, health state, enables the VM to obtain an IP address via DHCP, and you guessed it, enables the VM to leverage Azure DNS services. The address is static and is the same for any VNet you create in every Azure region. Fun fact, some geolocation services will report this IP as being based out of Hong Kong and I’m sure you can imagine how that works when something like a WAF is in place with regional IP restrictions. Fun times. 🙂
Traffic is routed to and from this virtual IP address through the subnet gateway. If you run a route print on a Windows machine, you can see this route defined in the routing table of the VM.
The IP address is also defined in the VirtualNetwork service tag meaning the default rules within a network security group (NSG) allow this traffic to and from the VM. Given the criticality of the functions the IP plays, Microsoft recommends you allow inbound and outbound communication with it (it’s a requirement for using any of the Azure DNS services we’ll discuss in these posts).
Now that you understand what the 126.96.36.199 virtual IP address is, let’s first cover the very basics of DNS in Azure. You can configure Azure’s DHCP service to push a custom set of DNS servers to Azure VMs or optionally leave the default which is for VMs to use Azure’s DNS services (through the 188.8.131.52 virtual IP address). This can be configured at the VNet level and then inherited by all virtual network interfaces (VNIs) associated with the VNet, or optionally configured directly on the VNI associated with the VM.
This brings us to the first option for DNS resolution in Azure, Azure-provided name resolution. Each time you spin up a virtual network Azure assigns it a unique private DNS namespace using the format <randomly generated>.internal.cloudapp.net. This namespace is pushed to the machine via DHCP Option 15 thus each VM has an fully qualified domain name of <vm_host_name>.<randomly generated>.internal.cloudapp.net and each VM in the VNet can resolve IP addresses of one another.
Let’s look at an example with a single VNet. I’ve created a single VNet named vnet1. I’ve assigned the CIDR block of 10.101.0.0/16 and created a single subnet assigned the 10.101.0.0/24 block. Two Windows Server 2016 VMs have been created named azuredns and azuredns1 with the IP addresses 10.101.0.4 and 10.101.0.5. Azure has assigned the a namespace of r0b5mqxog0hu5nbrf150v3iuuh.bx.internal.cloudapp.net to the VNet. Notes the DHCP Server and DNS Server settings in the ipconfig output of the azuredns vm shown below.
If we ping azuredns1 from azuredns we can see the in below Wireshark capture that prior to executing the ping, azuredns performs a DNS query to the 184.108.40.206 VIP and gets back a query response with the IP address of azuredns1.
The resolution process is very simple as seen in the diagram below.
Well that’s all well and good for very basic DNS resolution, but who the heck has a single VNet in anything but a test environment? So can we expand Azure-provided DNS to multiple VNets? The answer is yes, but it’s ugly. Recall that each VNet has its own private DNS namespace. The only way to resolve names contained within that namespace is for a VM in that VNet to send the query to the 220.127.116.11 address. Yes folks, this means you would need to drop a DNS server in each VNet in order to resolve the Azure-provided DNS host names assigned to VMs within that VNet by another VMs in another VNet as illustrated in the diagram below.
You can see as the number of VNets increases the scalability of this solution quickly breaks down. Take note that if you wanted to resolve these host names from on-premises you could use a similar conditional forwarder pattern.
Let’s sum up the positives and negatives of Azure-provided DNS.
- No need to provision your own DNS servers and worry about high availability or scalability
- DNS service provided by Azure automatically scales
- VMs within a VNet can resolve each other’s IP addresses out of the box
- Solution doesn’t scale with multiple VNets
- You’re stuck with the namespace assigned to the VNet
- WINS and NetBIOS are not supported
- Only A records that are automatically registered by the service are supported (no manual registration of records)
- No reverse DNS support
- No query logging
As you can see from the above the negatives far outweigh the positives. Personally, I see Azure-provided DNS only being useful for bare bones test environments with a single VNet. If anyone has any other scenarios where it comes in handy, I’d love to hear them.
In the next post l cover Azure’s new offering in the DNS space, Azure Private DNS Zones. I’ll walk through how it works and how we can combine it with BYO DNS to create some pretty neat patterns.
See you then!
thanks …this just saved my life literally after domain transfer
Ha! Glad it helped!
Is there a reason not to let the P2S clients to have access to the 18.104.22.168 address once they are connected to the VNet?
The only risk I can think of off the top of my head is users could potentially use it to resolve DNS queries and bypass your existing DNS query logging.