Understanding DNS in Azure

Captions
Hey everyone, welcome to another video. In this video I want to do a 360 around DNS in Azure. It's a topic a lot of people have asked about; I think there's some confusion about custom DNS and Azure Private DNS and public DNS, so I want to really quickly go through those things. But first, as always, if this is useful please like, subscribe, comment and share.

So when we think about DNS, the whole point of DNS is that computer systems deal in IP addresses. This could be IPv4, 10.20.30.4, or it could be IPv6, much, much bigger, and as humans we're not really good at that. So we want to give it a friendly name like a host name, and the point of DNS is that it provides that lookup from a host name to an IP address. And there's a whole hierarchy; it's not just a DNS server. There are the root domain servers (we have root hints), we have top-level domains like com and net, and then we have authoritative domain servers for parts of the zone. For example, savilltech.com would be a DNS zone; there is a set of servers that host the records for that.

So when we think about Azure, it has capabilities around really two key types of DNS we want. If I think about DNS services, there are DNS services that are public: these are hosting records that we want to resolve over the internet. If I go to www.savilltech.com, there's a DNS server for savilltech.com that has an alias for www that resolves to some server actually hosting that. For the public type of service in Azure (I'm going to go into more detail on this), we can manually create records within the zones that we create, and it supports really the host records, the A or the AAAA for IPv6, and aliases, CNAME records. So I'm going to manually create those things, and it's a limited set of records that are actually supported.

Then there's private, and we use private a lot, because if we think about our internal systems, it could be my SQL servers, my regular computers; I don't want those records available to the internet, I don't want people to see the servers I have, I don't want them to know my internal IP scheme. So when we think about the private DNS zone, it's really binding it around virtual networks (v-nets) to utilize those. Once again I can manually create records in these private zones that we're going to create, but also one of the nice things we can have is auto registration. With auto registration, based on the Azure resource name, it will automatically go and create a record in the private DNS zone. And we do have a full range of records supported, so while it's limited with the public (host and aliases), here I have the host, I have the aliases, I have pointers, I have start of authority, I have MX, service, text; I can have all those different types of records actually available to me.

So we have two types. I'm going to focus on the private first, and at the end I'll quickly talk about the public. Public's really not that exciting: we can create zones and we can put records in them.

When we think about private, we're really focusing around a virtual network. So I can think about, OK, I have a v-net. If we remember, a v-net is essentially one or more CIDR ranges, groups of IP addresses, and then what we're going to do is break up that v-net into multiple subnets and put resources into the subnets. So we can have subnet one, two, three, four, etc., and what we create inside them are really NICs; we create these network interfaces, and sure, we attach a VM to that as well. So we have our virtual network. Now, at the virtual network level I can configure what the DNS configuration is. Remember, all resources inside a virtual network use DHCP; I never manually set up the IP configuration. They're going to use DHCP to go and get their configuration, and that includes the DNS. So if I think about at the v-net level, what is my DNS configuration? There's a default, and the default is Azure DNS, or I can do custom. I'm going to come back to custom a bit later. Really, that Azure DNS is personified as a special IP address, and it's 168 (I'm going to double check this) 168.63.129.16. That IP address is always the same no matter which v-net; it's always that IP address, and it represents using the Azure DNS services. It is not routable: if I had a virtual network peered to on-premises, from on-premises I would not be able to get to and use 168.63.129.16. It's also used for guest extension usage, health probing, things like that, but anything within a virtual network can talk to this IP for DNS and it will use the Azure DNS services. So that's the default, but I could change it.

So I have a DNS config at the virtual network level. I can also override it if I wanted to at the NIC level, so I could also do a DNS config here. By default it's going to use the virtual network's configuration, but I could say, hey, I want to do custom: maybe it's a special type of virtual machine, maybe it's doing its own services, maybe it's a domain controller and I need to control how they point to each other. I never change the config within the guest; if I need to do something special for a particular virtual machine, I can set it at the NIC level. So there are the two places I can configure it: at the virtual network, and at an actual NIC itself.

Now, if I do nothing else, if I just use the default, there is actually a special type of private zone created for me. It's talked about as iDNS, this internal DNS, and it's always there. If I go and do custom DNS, if I go and add private DNS zones, it doesn't matter what I do, this always exists. So this is automatic, it is free (I'm not paying for this thing), there is no manual record creation, I can't do anything like that, and again it's created when the v-net is created, and it's a set namespace. So what's happening is this is internal.cloudapp.net. Anything that is created, any VM that is created within the virtual network, will get registered to this internal DNS and get something.internal.cloudapp.net. Doesn't matter what I do. And that's addressable through that default Azure DNS, that 168.63.129.16. I can show you this. If I jump over to a virtual machine, this VM is actually using custom DNS, it's not using the Azure DNS, but even so, if I force it, you can see here I'm doing an nslookup but I'm specifying 168.63.129.16 as the DNS server to actually go and make this request against. I'm looking up the name of the VM .internal.cloudapp.net and it resolves. I could change this to other records that are within the same virtual network; again it's not going to span virtual networks, but here I can go and resolve records. So even though I'm using a custom DNS in my setup, which we'll talk about, this always exists. So there's always this internal.cloudapp.net that is based on the Azure resource name. Now, if in the guest OS I change the guest OS name, it doesn't know that; it's registering the Azure Resource Manager resource name. That's a key important point there.

So we have this, I can resolve that, but what if I want some more flexibility? Hey, I don't want to use internal.cloudapp.net, I want to be able to manually create other records as well, I need to resolve different zones, I want to resolve across different virtual networks. So this is where we come to private DNS zones. What I can absolutely do (let's go to orange) is create a private DNS zone. I give it a particular zone name, could be like savilltech.net, doesn't matter, and I create that private DNS zone. Now, with that private DNS zone, remember I can create many different types of records; I have a full range: service, text, etc. Now, the way I use this zone is I connect virtual networks to it in one of two ways. Remember all of the VMs automatically registered to that internal.cloudapp.net; I can do that with a private DNS zone. So I could take my virtual network and I could actually go ahead and link it to this private DNS zone, and I could link it for registration, so that's the type of link I'm going to add. Now, a virtual network can only connect to one private DNS zone for registration purposes, i.e. the resources created in that v-net can only auto register to a single DNS zone. I cannot auto register to multiple private DNS zones; that's a key point.

Now there might be many other DNS zones. I can create lots and lots of private DNS zones; these are all other private DNS zones. Well, I can also connect a v-net to those for resolution purposes. So there'd be different DNS zones: maybe that's savilltech.net, maybe that's savtech.org, something widgets dot whatever. They're just other zones, but they have records in, and I'm going to be able to resolve records in that DNS zone as well. So my virtual network: I can connect to one DNS zone to create records based on the VMs in my v-net, only one, but I can actually connect to, well, actually it's up to a thousand private DNS zones as well just for resolution, i.e. there are other records in there I want to be able to resolve. Now I might have other v-nets. I have another v-net over here, we'll say v-net 2; absolutely that could go to the same private DNS zone and it could use it for registration as well. I can actually have up to a hundred. So a certain DNS zone can have up to 100 v-nets for registration, where they're automatically registering, and up to a thousand v-nets for just resolution purposes, i.e. they just want to go and be able to look up a record and resolve it. So I could have many v-nets going to the same zone for registration; I can have other v-nets that are connecting to that zone, this is v-net 3, where it's only using it for resolution. You get the point with what I can do. So there might be multiple private DNS zones, each of them is one DNS zone: savilltech.net, savtech.net, widgets.org, whatever that may be. To one of those I can register the VMs in that v-net.

And let's be super clear when I'm saying VMs (I'll do a different color). When I'm talking about my VMs for that auto registration, it's anything that uses VMs. So I'm saying VM; that would also include VMs that are in a VM scale set, that would include AKS worker nodes, it would include SQL Managed Instance. If it is a VM it will get registered into that. That's the key point, but again only to one; I can use others for resolution purposes. That's that key point, so it's all or none, and I should make that a big point: it's all of them. Big important stuff. I cannot say, hey, I want these 10 VMs to register but not these other 10; it's everything. I cannot have some go to one zone, one to another. It's one private DNS zone for the registration of every VM in the v-net, that's it, cannot do anything else; lots of others for resolution purposes. So that's how I can use these private DNS zones. So I'm still configured to just use Azure DNS, I've done nothing else at the v-net or the NIC level, but then I go and create these DNS zones, and then it's a configuration on the virtual network to now connect it to these DNS zones for either auto registration or for resolution, many of them.

Now these private DNS zones, they are global. It can be any region, can use it; it can be any sub, it can be any v-net, it can even be any tenant. It is not bound to any particular tenant; as long as I have the right permissions I can use it. So these things are highly resilient, they're replicated around regions all throughout the world, I don't have to worry about that, and I can have lots of different v-nets from all over the place using the same DNS zones. They get consistent resolution, unlike that iDNS which is per v-net; I couldn't resolve things across different virtual networks.

OK, what about custom? What do we do here? Now custom could be many things, and I should have pointed out, when I said any v-net, any tenant, I still need permissions on it. I have to have the permissions to go and connect that; anyone can't just go and bind to my private DNS. So you have to have rights to actually use that. So custom could be many things: there are huge numbers of different types of DNS server out there. Custom could be BIND, for example, Linux; there's many others. It could be Active Directory Domain Services DNS, it could be Azure AD Domain Services DNS, that's really the same thing, it's just managed. If I use Azure AD Domain Services DNS I can go into it, I can add records, I can add forwarding, etc. However, if I'm going to do custom, now it's not using the Azure DNS, it's going to use whatever IP addresses I put in. So when I do custom, I put in the IP addresses of the DNS servers. OK, that's great, but what if I want to actually still use Azure DNS for certain things? Private Link is a great example. If I use Private Link, one of the options is it can go and create the special records in the privatelink.blob.core.windows.net, whatever the variant of the DNS zone is, with the IP address it creates, rather than me having to ordinarily manually create the zone and then manually add the records in my DNS service. I want to use Azure DNS for the Private Link zones. So how would I do that if I'm using a custom DNS?

Now remember, ordinarily with DNS we have authoritative servers for different zones, and what I could do on my DNS server is, well, imagine I've got my DNS server, let's say it's on premises. I can do forwarding, and forwarding says, hey look, if you're not authoritative for this zone, if you don't know the answer, rather than doing a recursive lookup where I go and look at the root hints and the root domain servers and the top-level domain servers and I go and find the right server, if you don't know, just go and forward it to this other person. So maybe I'd say, hey, I'll go and forward the request if I don't know it to someone else. Or I can do something called conditional forwarding, which is really the same thing except that rather than "if I don't know the answer go here", it's "if it's for this zone go and ask here". So I might say, hey, conditional forward privatelink.blob.core.windows.net, go to Azure DNS. Now remember, Azure DNS is personified as this 168.63.129.16. If this DNS service was running in Azure, in an Azure VM, I could absolutely just set the forwarding or the conditional forwarding to 168.63.129.16, and again, if that was in Azure, that could be an Azure VM, that could be Azure AD Domain Services DNS, because it will be able to get to this IP address, and it would then go and resolve and everything would be happy in the world. But this is on-prem. Remember I said this is an IP address only available within the virtual network, so it has no way to forward to that; I can't do that. So what I would have to do is I would have to stand up, within a virtual network, a DNS resolver. It could be a Linux VM, Windows VM, whatever. It would forward to this, and because this is inside the virtual network, it can forward to the 168.63.129.16, which is Azure DNS. So that's how I could do it. If I wanted to be able to forward to Azure DNS, like those private zones via Private Link or just anything else, from an on-premises DNS, I would stand up a little resolver within a virtual network that would take the request; it can then go and query the Azure DNS because it's in the virtual network, and it would resolve. So that's how I can think about forwarding. Again, because ordinarily this is not routable, I cannot just get to that from on-premises; I can only get to it from a v-net. Again, if my domain controllers were just sitting in an Azure v-net, for example, they could absolutely just forward straight to the Azure DNS and all would be happy and well in the world. So I can absolutely do that. So I can think about joining those things together. This is a very common pattern: if I want to be able to get to those Private Link records or other Azure private DNS zones, I just stand up a box that can do that resolution; if it's hosted in Azure I can just go to it directly.

So this was all private, this is all within my virtual network. Now of course there's public as well, so I can have public DNS zones. I just go and create these public DNS zones; again I manually create the records. If I do this I have to actually set Azure as the authoritative server for that zone. Just creating a zone doesn't mean the internet will use it; I can create whatever zone I want, but I have to be the owner of that domain and go to the registration body and say, hey, the authoritative DNS servers for this zone are now Azure. And when you create a public DNS zone it will show you in the properties what the actual DNS servers are that you should configure as authority for the zone, so requests on the internet will get recursively forwarded to here so they can get resolved. So that exists, and these are separate: I cannot auto register to the public DNS, they're completely different. Now you may have split-brain DNS. Split-brain DNS is where I have the same zone existing in a private and a public, like I have a savilltech.net public and I have a savilltech.net private, because it may be, hey, I want a public presence for that zone hosted up here that resolves on the internet, and then I also use that zone for internal things, but I don't want to expose those records to the internet. If you have the same zone public and private, and I'm on a virtual network that is linked to that private version, well, private trumps public. It's like the old card game you play, Top Trumps; trump means it wins. So if there is a zone for private and a zone for public and the record exists in private, that's the one that's going to get used. So private will always trump public. It's just a key point to understand.

Something I should as well point out is, as a completely separate service, of course there is Azure Traffic Manager, and I talked about this in other videos, but think of Azure Traffic Manager as a global balancer. I can have this name in the Traffic Manager namespace that I could alias to in a vanity domain. It can have multiple endpoints, i.e. different services around the world, and then based on the client doing the request, it can resolve maybe to one that's closest to me, maybe round robin. This is a completely separate service, but it gives me that ability to have services distributed around the world, and based on DNS it will resolve to different possible targets based on information about the requesting DNS server.

So that's it. Most of you are probably going to be doing things in the private DNS zones. Just a really important point to realize that, hey, I can only auto register to one, and it is everything; anything that's a VM will register to it. But I can link to many, many others just for resolution purposes. The great thing about these zones is I can link to multiple v-nets so they can have a common set of resolution across them. One of the things I can't do today from Azure Private DNS is forward to other DNS servers; that's something that's being worked on. So the whole idea about forwarding from Azure Private DNS and conditional forwarding, those things are being worked on by Microsoft; we expect to see that kind of functionality in the future. So today, if I need a mix of custom DNS and Azure private DNS zones, I have to use custom DNS as the primary, and then from the custom DNS, from within a resource within Azure, it can then forward or conditionally forward to the 168.63.129.16 that personifies Azure DNS within the v-net to go and then use the private DNS zones. So that was it. There's our picture. I hope this was useful. Until next time, take care.
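An added example, not from the video or from Microsoft, that models the linking rules and resolution order the talk describes: a plan check for private DNS zone links (one registration zone per v-net, 100 registration and 1000 resolution links per zone) and a resolver that returns what a VM in a given v-net would get back from 168.63.129.16, covering the per-v-net iDNS names and private-trumps-public for a split-brain zone. The v-net names, zone names and addresses are constructed sample values.

```python
from collections import defaultdict

# Limits as stated in the talk: one registration zone per v-net, at most 100
# registration links and 1000 resolution links per private zone.
MAX_REGISTRATION_LINKS_PER_ZONE = 100
MAX_RESOLUTION_LINKS_PER_ZONE = 1000
IDNS_SUFFIX = ".internal.cloudapp.net"  # the always-present, per-v-net iDNS zone

def check_links(links):
    """links: list of (vnet, zone, registration_enabled). Returns a list of violations."""
    problems, seen = [], set()
    reg_zones, reg_count, res_count = defaultdict(set), defaultdict(int), defaultdict(int)
    for vnet, zone, registration in links:
        if (vnet, zone) in seen:
            problems.append(f"{vnet} is linked to {zone} more than once")
        seen.add((vnet, zone))
        if registration:
            reg_zones[vnet].add(zone)
            reg_count[zone] += 1
        else:
            res_count[zone] += 1
    for vnet, zones in reg_zones.items():
        if len(zones) > 1:  # auto registration is all-or-nothing into ONE zone per v-net
            problems.append(f"{vnet} auto-registers into {len(zones)} zones: {sorted(zones)}")
    for zone, n in reg_count.items():
        if n > MAX_REGISTRATION_LINKS_PER_ZONE:
            problems.append(f"{zone}: {n} registration links (max {MAX_REGISTRATION_LINKS_PER_ZONE})")
    for zone, n in res_count.items():
        if n > MAX_RESOLUTION_LINKS_PER_ZONE:
            problems.append(f"{zone}: {n} resolution links (max {MAX_RESOLUTION_LINKS_PER_ZONE})")
    return problems

def resolve(name, vnet, links, idns, private_zones, public_zones):
    """Answer a VM in `vnet` gets from Azure DNS (168.63.129.16) for `name`, or None.
    idns: {vnet: {resource_name: ip}}; zones: {zone: {host or '@': ip}}."""
    name = name.lower().rstrip(".")
    if name.endswith(IDNS_SUFFIX):
        # iDNS is scoped to the v-net: another v-net's VM names do not resolve here
        return idns.get(vnet, {}).get(name[: -len(IDNS_SUFFIX)])
    linked = {z for v, z, _ in links if v == vnet}
    for zones, needs_link in ((private_zones, True), (public_zones, False)):
        for zone, records in zones.items():
            if needs_link and zone not in linked:
                continue  # an unlinked private zone is invisible to this v-net
            if name == zone or name.endswith("." + zone):
                # private trumps public: a linked private zone answers, and we stop here
                # even when the record is missing (no fallback to the public copy)
                return records.get("@" if name == zone else name[: -len(zone) - 1])
    return None

# Constructed sample: two v-nets registering into one shared private zone, a third
# zone linked for resolution only, a split-brain public copy, and per-v-net iDNS names.
LINKS = [("vnet1", "corp.example.net", True), ("vnet2", "corp.example.net", True),
         ("vnet1", "widgets.example.org", False)]
IDNS = {"vnet1": {"web01": "10.1.0.4"}, "vnet2": {"sql01": "10.2.0.4"}}
PRIVATE = {"corp.example.net": {"web01": "10.1.0.4", "sql01": "10.2.0.4"},
           "widgets.example.org": {"api": "10.9.0.8"}}
PUBLIC = {"corp.example.net": {"www": "203.0.113.10", "web01": "203.0.113.10"}}
```

Run `check_links` over a proposed link plan before creating the links, and `resolve` to predict what a VM in a given v-net will see for a name.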
Info
Channel: John Savill's Technical Training
Views: 84,951
Keywords: azure, azure dns, azure private dns, dns, networking, azure networking, virtual network
Id: Hiohn35DIqA
Length: 26min 59sec (1619 seconds)
Published: Wed Sep 02 2020