DNS Private Zones

🎯 Lab Objective

In this hands-on lab, you will learn how to:

Create and configure Azure Private DNS Zones for internal name resolution
Link Private DNS Zones to Virtual Networks with auto-registration
Add custom DNS records (A and CNAME) for application access
Validate DNS resolution from client VMs within the network
Troubleshoot common DNS issues and implement fixes

Goal: Make http://app.corp.local and http://www.corp.local accessible from the Client VM using Azure Private DNS.

🏗️ Pre-Provisioned Environment

The following Azure resources have been pre-deployed in your environment:

Resource Overview

Resource Type	Resource Name	Configuration	Purpose
Resource Group	`rg-privdns-lab`	Contains all lab resources	Logical container
Virtual Network	`privdns-lab-vnet`	Private network segment	Network foundation
VM-App	Ubuntu Server	NGINX on port 80 (internal)	Web application server
VM-Client	Ubuntu Server	`dnsutils` & `curl` installed	DNS testing client

Network Architecture

privdns-lab-vnet
├── VM-App (Ubuntu + NGINX)
│   └── Internal web server on port 80
└── VM-Client (Ubuntu + DNS tools)
    └── DNS resolution testing

Platform Outputs

The deployment provides these values for your use:

vmAppPrivateIp - Private IP of the app server
vmClientPrivateIp - Private IP of the client VM
vmAppPublicIp - Public IP for SSH access (if enabled)
vmClientPublicIp - Public IP for SSH access (if enabled)
vmAppName - Application VM hostname
vmClientName - Client VM hostname

🚀 Lab Exercises

Task 1: Create a Private DNS Zone

Create a private DNS zone named corp.local for internal name resolution.

Using Azure CLI (Recommended)

# Set variables (replace with your actual values)
RG="rg-privdns-lab"
ZONE="corp.local"

# Create the private DNS zone
az network private-dns zone create \
  --resource-group "$RG" \
  --name "$ZONE"

Verification

# List private DNS zones to confirm creation
az network private-dns zone list \
  --resource-group "$RG" \
  --output table

💡 Key Learning: Private DNS zones are not resolvable from the internet—they only work within linked virtual networks.

Task 2: Link the Zone to Virtual Network

Link the private DNS zone to your VNet and enable auto-registration for VM hostnames.

Configure VNet Link

VNET_NAME="privdns-lab-vnet"
LINK_NAME="corp-local-link"
SUB_ID="<your-subscription-id>"

# Create VNet link with auto-registration enabled
az network private-dns link vnet create \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$LINK_NAME" \
  --virtual-network "/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/$VNET_NAME" \
  --registration-enabled true

Auto-Registration Check

After approximately 1-2 minutes, verify that VM hostnames are automatically registered:

# List all A records in the zone
az network private-dns record-set a list \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --output table

Expected Result: You should see A records for your VMs (e.g., privdns-lab-vm-app.corp.local)

🔍 What Happened: Auto-registration automatically creates DNS records for VMs in the linked VNet.

Task 3: Add Custom DNS Records

Create user-friendly DNS records for easier application access.

Create A Record for Application

APP_NAME="app"
APP_IP="<vmAppPrivateIp>"  # Use the value from deployment outputs

# Create A record: app.corp.local -> VM-App private IP
az network private-dns record-set a add-record \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --record-set-name "$APP_NAME" \
  --ipv4-address "$APP_IP"

Create CNAME Alias

WWW_NAME="www"

# Create CNAME record: www.corp.local -> app.corp.local
az network private-dns record-set cname set-record \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --record-set-name "$WWW_NAME" \
  --cname "${APP_NAME}.${ZONE}"

Verify Record Creation

# List A records
az network private-dns record-set a show \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$APP_NAME"

# List CNAME records
az network private-dns record-set cname show \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$WWW_NAME"

Task 4: Validate DNS Resolution

Test DNS resolution and connectivity from the client VM.

Connect to Client VM

# SSH to client VM (use appropriate method based on your setup)
ssh azureuser@<vmClientPublicIp>

# If no public IP is available, use Azure Bastion from the portal

Test DNS Resolution

# Test A record resolution
nslookup app.corp.local

# Test CNAME resolution
nslookup www.corp.local

# Alternative using dig (more detailed output)
dig +short app.corp.local
dig +short www.corp.local

Expected Results:

app.corp.local → resolves to VM-App’s private IP
www.corp.local → resolves to app.corp.local (CNAME)

Test HTTP Connectivity

# Test application access via custom DNS names
curl -s http://app.corp.local | head -n 10
curl -s http://www.corp.local | head -n 10

# Test with verbose output for troubleshooting
curl -v http://app.corp.local

Expected Result: You should see the “Welcome to the Internal App” HTML content from NGINX.

Task 5: Troubleshooting Exercise

Practice diagnosing and fixing common DNS issues.

Scenario A: VNet Link Issues

Simulate the Problem:

# Disable auto-registration
az network private-dns link vnet update \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$LINK_NAME" \
  --registration-enabled false

# OR completely remove the VNet link
az network private-dns link vnet delete \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$LINK_NAME" \
  --yes

Test the Impact:

# From Client VM - these should fail
nslookup app.corp.local
curl http://app.corp.local

Expected Symptoms:

DNS resolution fails
curl returns “could not resolve host” error

Fix the Issue:

# Recreate the VNet link with auto-registration
az network private-dns link vnet create \
  --resource-group "$RG" \
  --zone-name "$ZONE" \
  --name "$LINK_NAME" \
  --virtual-network "/subscriptions/$SUB_ID/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/$VNET_NAME" \
  --registration-enabled true

Scenario B: Incorrect A Record