MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Uncovered corner case of potential VPN GW malfunction due to custom DNS configuration #124667

Open juyamagu opened 2 days ago

juyamagu commented 2 days ago

Issue

As stated below, VPN Gateway needs to be able to resolve certain domains for its control-plane traffic, and to avoid related issues, it's required to make sure VPN Gateway can send DNS queries to the default DNS infrastructure hosted as 168.63.129.16.

vpn-gateway-vpn-faq.md [public doc]

When you're implementing a custom DNS within a VNet, it's crucial to configure a DNS forwarder that points to Azure DNS (168.63.129.16). This configuration helps maintain uninterrupted communication between the VPN gateway and the control plane. Failure to set up a DNS forwarder to Azure DNS can prevent Microsoft from performing operations and maintenance on the VPN gateway, which poses a security risk.

To help ensure proper functionality and healthy state for your VPN gateway, consider one of the following DNS configurations in the VNet:

  • Revert to the Azure DNS default by removing the custom DNS within the VNet settings (recommended configuration).
  • Add in your custom DNS configuration a DNS forwarder that points to Azure DNS (168.63.129.16). Depending on the specific rules and nature of your custom DNS, this setup might not resolve the issue as expected.

However, there's an edge case that the doc doesn't point out, which may lead to DNS resolution failures. It's the case involving DNS Private Resolver where 1) the resolver is linked to the VPNGW VNet and 2) has a forwarding rule with the wildcard domain (i.e. zero labels). In this scenario, even if the gateway sets 168.63.129.16 as its DNS server, the query traffic will be trapped by the Private Resolver ruleset and forwarded to custom DNS servers, potentially resulting in lookup errors.

Solution

I'd suggest adding enlightening messages at the end of this section, something along the lines of:

If you configure the DNS Private Resolver’s forwarding rule on your gateway VNet, ensure that no wildcard domain rules are applied. Such configurations may result in unintended lookup errors for control plane traffic.


author: @cherylmc ms.service: azure-vpn-gateway ms.topic: conceptual ms.author: @cherylmc
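The resolver behaviour the issue describes, as an added example (not part of the issue or of the Azure docs): it models a forwarding ruleset linked to the gateway VNet that contains a zero-label ('.') rule and shows that longest-suffix matching sends every otherwise-unmatched query, including the gateway's control-plane lookups, to the custom DNS servers instead of 168.63.129.16. The sample rules are constructed in the shape of `az dns-resolver forwarding-rule list` output; the field names are assumed to match that output, and the hostname checked is a made-up placeholder.

```python
import json

# Constructed sample shaped like `az dns-resolver forwarding-rule list` output;
# names and addresses are made up for this example.
SAMPLE_RULES_JSON = """
[
 {"name": "corp", "domainName": "corp.contoso.com.", "forwardingRuleState": "Enabled",
  "targetDnsServers": [{"ipAddress": "10.0.0.4", "port": 53}]},
 {"name": "catchall", "domainName": ".", "forwardingRuleState": "Enabled",
  "targetDnsServers": [{"ipAddress": "10.0.0.4", "port": 53}]},
 {"name": "legacy", "domainName": "legacy.local.", "forwardingRuleState": "Disabled",
  "targetDnsServers": [{"ipAddress": "10.0.0.5", "port": 53}]}
]
"""
RULES = json.loads(SAMPLE_RULES_JSON)

def labels(name):
    """Split a DNS name into labels; the wildcard rule '.' yields zero labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def matching_rule(rules, query_name):
    """Enabled rule whose domain is the longest suffix of query_name, or None."""
    q = labels(query_name)
    best = None
    for rule in rules:
        if rule["forwardingRuleState"] != "Enabled":
            continue
        d = labels(rule["domainName"])
        # zero-label rule: d == [] is a suffix of every name
        if len(d) <= len(q) and q[len(q) - len(d):] == d:
            if best is None or len(d) > len(labels(best["domainName"])):
                best = rule
    return best

def wildcard_rules(rules):
    """Enabled zero-label rules: they trap every query no longer rule matches."""
    return [r["name"] for r in rules
            if r["forwardingRuleState"] == "Enabled" and not labels(r["domainName"])]

def destination(rules, query_name):
    """Where a query from a VNet linked to this ruleset is sent.
    No match means the resolver falls through to Azure DNS (168.63.129.16)."""
    rule = matching_rule(rules, query_name)
    return "168.63.129.16" if rule is None else rule["targetDnsServers"][0]["ipAddress"]

if __name__ == "__main__":
    # constructed stand-in for a gateway control-plane name
    print(wildcard_rules(RULES), destination(RULES, "gateway-control.example.com"))
```

Removing or disabling the '.' rule makes the same lookup fall through to 168.63.129.16, which is the state the FAQ's forwarder guidance assumes.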

TPavanBalaji commented 1 day ago

@juyamagu Thanks for your feedback! We will investigate and update as appropriate.