MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

private endpoint for backup service doesn't work with custom dns #69061

Closed Herman5006 closed 3 years ago

Herman5006 commented 3 years ago

I set up a private endpoint for an Azure Recovery Services vault, then I followed the link below to set up my own DNS server, but I can't resolve the private endpoint FQDN from a VM in the same VNET. Link: https://docs.microsoft.com/en-us/azure/backup/private-endpoints#dns-changes-for-custom-dns-servers

Setup: the client VM and the DNS server VM (Windows Server 2016) are in the same VNET as the private endpoint. For the backup service, the DNS zone created on the DNS server is: privatelink.krc.backup.windowsazure.com

DNS records are also added under this zone.

But when I attempted to nslookup the private endpoint FQDN, it told me the domain doesn't exist.

It looks to me like some config may be missing from the doc; please help with this issue (it can be reproduced easily). Thanks. (I also tried endpoints for blob and queue with the same DNS server, and they work fine.)


SwathiDhanwada-MSFT commented 3 years ago

@Herman5006 Thanks for your comment. We will review the issue and get back to you shortly.

dcurwin commented 3 years ago

reassign:utraghuv

utraghuv commented 3 years ago

@Herman5006 Can you confirm if the nslookup is hitting your DNS server and not the global DNS?

dcurwin commented 3 years ago

@herman5006 - We haven't heard back from you, so we will now close this issue. If this remains an issue, please reply and we will gladly continue the discussion.

please-close

computingbee commented 3 years ago

I have the same issue. Just created a new RSV w/ private endpoint with custom DNS. None of the CNAMEs below were created in the eus.backup.windowsazure.com zone as described in https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#azure-services-dns-zone-configuration

    3299XXXXXXXXXXXXXXX-ab-pod01-prot1i.eus.backup.windowsazure.com,10.1xx.1xx.5
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1h.eus.backup.windowsazure.com,10.1xx.1xx.6
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1g.eus.backup.windowsazure.com,10.1xx.1xx.7
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1f.eus.backup.windowsazure.com,10.1xx.1xx.8
    3299XXXXXXXXXXXXXXX-ab-pod01-id1.eus.backup.windowsazure.com,10.1xx.1xx.9
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1.eus.backup.windowsazure.com,10.1xx.1xx.10
    3299XXXXXXXXXXXXXXX-ab-pod01-wbcm1.eus.backup.windowsazure.com,10.1xx.1xx.11
    3299XXXXXXXXXXXXXXX-ab-pod01-tel1.eus.backup.windowsazure.com,10.1xx.1xx.12
    3299XXXXXXXXXXXXXXX-ab-pod01-ecs1.eus.backup.windowsazure.com,10.1xx.1xx.13
    3299XXXXXXXXXXXXXXX-ab-pod01-fab1.eus.backup.windowsazure.com,10.1xx.1xx.14
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1j.eus.backup.windowsazure.com,10.1xx.1xx.15
    3299XXXXXXXXXXXXXXX-ab-pod01-fc1.eus.backup.windowsazure.com,10.1xx.1xx.16
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1d.eus.backup.windowsazure.com,10.1xx.1xx.17
    3299XXXXXXXXXXXXXXX-ab-pod01-rec2.eus.backup.windowsazure.com,10.1xx.1xx.18
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1e.eus.backup.windowsazure.com,10.1xx.1xx.19
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1b.eus.backup.windowsazure.com,10.1xx.1xx.20

I have created a private zone for the following:

    3299XXXXXXXXXXXXXXX-ab-pod01-prot1i.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.5
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1h.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.6
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1g.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.7
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1f.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.8
    3299XXXXXXXXXXXXXXX-ab-pod01-id1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.9
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.10
    3299XXXXXXXXXXXXXXX-ab-pod01-wbcm1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.11
    3299XXXXXXXXXXXXXXX-ab-pod01-tel1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.12
    3299XXXXXXXXXXXXXXX-ab-pod01-ecs1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.13
    3299XXXXXXXXXXXXXXX-ab-pod01-fab1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.14
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1j.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.15
    3299XXXXXXXXXXXXXXX-ab-pod01-fc1.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.16
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1d.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.17
    3299XXXXXXXXXXXXXXX-ab-pod01-rec2.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.18
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1e.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.19
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1b.privatelink.eus.backup.windowsazure.com,10.1xx.1xx.20

The DNS forwarder for public zones points to 168.63.129.16 as described in https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#virtual-network-and-on-premises-workloads-using-a-dns-forwarder

The alternative is to use the hosts file or to create the public zone on the private DNS server, which is not desirable.

Other private endpoints for Azure storage accounts work w/o any issues.

computingbee commented 3 years ago

Here is the result from nslookup.

    nslookup
    Default Server:  dns.google
    Address:  8.8.8.8

    set debug
    set type=cname
    3299XXXXXXXXXXXXXXX-ab-pod01-prot1i.eus.backup.windowsazure.com.
    Server:  dns.google
    Address:  8.8.8.8

    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            3299XXXXXXXXXXXXXXX-ab-pod01-prot1i.eus.backup.windowsazure.com, type = CNAME, class = IN
        AUTHORITY RECORDS:
->  windowsazure.com
    ttl = 299 (4 mins 59 secs)
    primary name server = ns1-205.azure-dns.com
    responsible mail addr = azuredns-hostmaster.microsoft.com
    serial  = 1
    refresh = 3600 (1 hour)
    retry   = 300 (5 mins)
    expire  = 2419200 (28 days)
    default TTL = 300 (5 mins)

*** dns.google can't find 3299XXXXXXXXXXXXXXX-ab-pod01-prot1i.eus.backup.windowsazure.com.: Non-existent domain

computingbee commented 3 years ago

So I guess for Azure Backup it won't create public DNS records, per https://docs.microsoft.com/en-us/azure/backup/private-endpoints#create-dns-zones-for-custom-dns-servers.

However, the screenshot at https://docs.microsoft.com/en-us/azure/backup/private-endpoints#create-dns-zones-for-custom-dns-servers references .privatelink. in the DNS A record, but the DNS records do not match the new A records created in the portal. See attached. AzureBackupPrivateEndpontBadARecords

Please fix the documentation and/or the portal. I will test MARS tomorrow and see if it works as advertised :-)

utraghuv commented 3 years ago

Yes, Backup won't create entries if you are using custom DNS servers. The entries for the Backup service should indeed contain '.privatelink.' and the region code. The documentation was updated last week. Can you please recheck whether you are still seeing unexpected entries? Thanks!
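The naming rule stated above (a `privatelink.<region>.backup.windowsazure.com` zone hosting one A record per endpoint host label) applied to the "fqdn,ip" list computingbee posted, as an added helper that is not part of the thread or of azure-docs: it accepts both the bare and the `.privatelink.` forms, groups records by region zone, and renders Windows DnsServer cmdlets for the custom DNS server. The cmdlet names are real; the zone file name, the placeholder IDs and the sample IPs are assumptions.

```python
from collections import defaultdict

BACKUP_SUFFIX = ".backup.windowsazure.com"


def privatelink_record(fqdn: str) -> tuple[str, str]:
    """Map a Backup private endpoint FQDN to (privatelink zone, host label).

    Accepts <host>.<region>.backup.windowsazure.com and the form that
    already carries ".privatelink." after the host label.
    """
    name = fqdn.rstrip(".").lower()
    if not name.endswith(BACKUP_SUFFIX):
        raise ValueError(f"not an Azure Backup endpoint: {fqdn}")
    labels = name[: -len(BACKUP_SUFFIX)].split(".")
    if len(labels) == 3 and labels[1] == "privatelink":
        host, _, region = labels
    elif len(labels) == 2:
        host, region = labels
    else:
        raise ValueError(f"unexpected label layout: {fqdn}")
    return f"privatelink.{region}{BACKUP_SUFFIX}", host


def plan_zones(csv_lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Group 'fqdn,ip' lines into {zone: [(host, ip), ...]}, one zone per region."""
    zones: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in csv_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fqdn, ip = (part.strip() for part in line.split(",", 1))
        zone, host = privatelink_record(fqdn)
        zones[zone].append((host, ip))
    return dict(zones)


def to_powershell(zones: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Render DnsServer cmdlets for a Windows DNS server (zone file name assumed)."""
    cmds = []
    for zone, records in zones.items():
        cmds.append(f'Add-DnsServerPrimaryZone -Name "{zone}" -ZoneFile "{zone}.dns"')
        for host, ip in records:
            cmds.append(f'Add-DnsServerResourceRecordA -ZoneName "{zone}" '
                        f'-Name "{host}" -IPv4Address "{ip}"')
    return cmds


# Constructed sample in the portal's "fqdn,ip" format; IDs and IPs are placeholders.
SAMPLE = [
    "3299PLACEHOLDER-ab-pod01-prot1i.eus.backup.windowsazure.com,10.100.100.5",
    "3299PLACEHOLDER-ab-pod01-id1.privatelink.eus.backup.windowsazure.com,10.100.100.9",
    "3299PLACEHOLDER-ab-pod01-tel1.krc.backup.windowsazure.com,10.100.101.12",
]

if __name__ == "__main__":
    print("\n".join(to_powershell(plan_zones(SAMPLE))))
```

A storage endpoint such as a blob FQDN is rejected on purpose, since its privatelink zone follows a different pattern and the thread notes those already work.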