I’m having an issue with a conditional forwarder to Azure that has me tearing my hair out… Any ideas appreciated.

I have a site-to-site VPN set up from Site A to Azure. Within Azure I have a private DNS resolver and a private DNS zone; the zone is linked to the vnet that is routable over the VPN.

On Domain A’s DNS server at Site A, I have a conditional forwarder set up for the Azure private DNS zone, pointing to the DNS resolver’s inbound endpoint, and DNS resolves correctly. Everything here seems fine.

I also have a site-to-site VPN set up from Site B to the same vnet in Azure. Within Domain B at Site B, I have a conditional forwarder set up for the Azure private DNS zone, pointing to the DNS resolver’s inbound endpoint, and DNS does not resolve.

The conditional forwarders are identical at both locations.

Site A and Site B are also connected via VPN, and I can set up conditional forwarders to work across that link, so the functionality of conditional forwarders generally seems fine.

The odd thing is, occasionally DNS will resolve for Site B, either if I do an nslookup and specify the Azure DNS endpoint IP explicitly, or just sometimes normally.

I thought maybe it was a VPN issue, but we have no filters on any of the site-to-site connections, and if it was DNS inspection (Cisco ASA) I would expect it to affect both site-to-site links.

I’ve tried restarting the DNS service, clearing cache, restarting the servers, recreating the conditional forwarder, making it replicated or standalone on each DNS server.

It *feels* like something is sporadically blocking or incorrectly routing the connection, but I can’t figure out what would be doing that. The fact that it works fine from the other location suggests everything in Azure is configured correctly.

I have run dcdiag /test:dns and see no issues there. I have also tried using DNS logging but can’t see anything too helpful, although it looks like there is no entry for the forwarding on the times it fails.

Has anyone come across a situation like this before, or have any instant “ah, maybe it’s this…” thoughts?

Thanks!

Posted by matt0883 on 2023-06-08T14:37:40Z (https://community.spiceworks.com/t/conditional-forwarder-to-azure-failing/953367/1), 6 upvotes, 4 answers.

Reply from matt0883, 2023-06-08T16:58:14Z (https://community.spiceworks.com/t/conditional-forwarder-to-azure-failing/953367/2):

I just realized I never actually stated the errors.

When it fails—either a regular client nslookup or stating the IP of the Azure DNS resolver—it gives a timeout error, or a non-existent domain error.

Sometimes it will work first time, other times it will show a 2 second timeout then work, and yet others will just time out multiple times and error.

This was an identical request made a few seconds apart:

C:\WINDOWS\system32>nslookup <<domain>> 192.168.150.148
Server: UnKnown
Address: 192.168.150.148

Non-authoritative answer:
Name: <<domain>>
Address: 192.168.150.101

C:\WINDOWS\system32>nslookup <<domain>> 192.168.150.148
DNS request timed out.
 timeout was 2 seconds.
Server: UnKnown
Address: 192.168.150.148

DNS request timed out.
 timeout was 2 seconds.
DNS request timed out.
 timeout was 2 seconds.
DNS request timed out.
 timeout was 2 seconds.
DNS request timed out.
 timeout was 2 seconds.
*** Request to UnKnown timed-out

Reply from matt0883, 2023-06-08T17:40:54Z (https://community.spiceworks.com/t/conditional-forwarder-to-azure-failing/953367/3):

I’ve done some testing using dig on Linux to try and get more details, and I get the following:

; <<>> DiG 9.18.12-0ubuntu0.22.04.1-Ubuntu <<>> @<<local DNS>> <<subdomain.domain.com>>
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58266
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;<<subdomain.domain.com>>. IN A

;; AUTHORITY SECTION:
<<domain.com>>. 594 IN SOA <<nameserver>>. 1686152437 3600 600 604800 600

;; Query time: 132 msec
;; SERVER: 192.168.2.150#53(192.168.2.150) (UDP)
;; WHEN: Thu Jun 08 19:36:22 UTC 2023
;; MSG SIZE rcvd: 106

From this it looks like the conditional forwarder isn’t being used, and instead it is going out to the public DNS for the root domain.

The conditional forwarder is for subdomain.domain.com, and we have a public DNS zone for domain.com. I assumed this was supported, and it works in the other location. Has anyone had—or do you see—issues with this?

Reply from matt0883, 2023-06-09T11:26:48Z (https://community.spiceworks.com/t/conditional-forwarder-to-azure-failing/953367/4):

Ok, one more update for those following along at home…

To summarize: nslookup from a Site A client direct to Azure over VPN works fine. nslookup from a Site B client direct to Azure over VPN is sporadic at best, and regularly times out.

In my most recent test: nslookup from a Site B client to the Site A DNS server works consistently.

So a) it looks like there is a workaround for now, if I set the conditional forwarder at Site B to point to Site A’s DNS server, and b) it looks like the issue is related to the connection between Site B and Azure.

As I mentioned before, all connections at Site B use the same DNS inspection, and the group policies for the VPNs look almost identical, so I am lost for now as to why one site-to-site seems to be causing problems.
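The thread reads dig and nslookup output by hand to work out whether the conditional forwarder was consulted; this added Python example (not code from the thread, Spiceworks or Microsoft) automates that reading over constructed sample captures, using the thread's placeholder names subdomain.domain.com and domain.com, and classifies each result as a timeout, a resolved answer, an NXDOMAIN from the forwarded zone, or an NXDOMAIN authored by the public parent zone, which is the "forwarder not used" signature the poster inferred from the SOA in the authority section.

```python
import re

# Zone covered by the conditional forwarder in the thread. Names and addresses
# below are placeholders modelled on the thread's captures (constructed data).
FORWARDED_ZONE = "subdomain.domain.com"

# Constructed sample captures in the shape of the thread's dig and nslookup output.
DIG_PARENT_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58266
;; QUESTION SECTION:
;host.subdomain.domain.com.\t\tIN\tA

;; AUTHORITY SECTION:
domain.com.\t\t594\tIN\tSOA\tns1.domain.com. hostmaster.domain.com. 1686152437 3600 600 604800 600
"""
# Same shape, but the SOA comes from the private zone itself.
DIG_PRIVATE_NXDOMAIN = DIG_PARENT_NXDOMAIN.replace(
    "domain.com.\t\t594", "subdomain.domain.com.\t\t600")
DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58267
;; QUESTION SECTION:
;host.subdomain.domain.com.\t\tIN\tA

;; ANSWER SECTION:
host.subdomain.domain.com.\t300\tIN\tA\t192.168.150.101
"""
NSLOOKUP_TIMEOUT = "DNS request timed out.\n    timeout was 2 seconds.\n*** Request to UnKnown timed-out\n"

STATUS_RE = re.compile(r"status: (\w+)")
SOA_OWNER_RE = re.compile(r"^([^\s;]+)\.\s+\d+\s+IN\s+SOA", re.M)

def is_ancestor(zone, name):
    """True when `zone` is a strict ancestor of `name` in the DNS tree."""
    return name.lower().endswith("." + zone.lower())

def classify(output):
    """Say who answered one resolver test, or that nobody did."""
    if "timed out" in output or "timed-out" in output:
        return "timeout"  # no answer at all: look at the path to the inbound endpoint
    m = STATUS_RE.search(output)
    status = m.group(1) if m else None
    if status == "NOERROR" and ";; ANSWER SECTION:" in output:
        return "resolved"
    soa = SOA_OWNER_RE.search(output)
    if status == "NXDOMAIN" and soa:
        owner = soa.group(1).lower()
        if owner == FORWARDED_ZONE:
            return "nxdomain-from-forwarded-zone"  # the private zone itself says the name is absent
        if is_ancestor(owner, FORWARDED_ZONE):
            return "forwarder-bypassed"  # the public parent zone answered: forwarder not used
    return "unknown"
```

An NXDOMAIN whose authority section carries the parent zone's SOA was authored by domain.com's public servers, so for that query the forwarder was not the source of the answer; a bare timeout says nothing about zone configuration and points at the path to the inbound endpoint instead.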