Can't resolve external DNS record for domain in Azure Private DNS Zone

---EDITED TO REFLECT THE FACT I'M RUNNING MULTIPLE COPIES OF THE APPLICATION ON THE ONE DOMAIN----

Having an issue that I can't quite work out, wondered if some fine person here had any experience!

I'm running multiple web based .NET applications on an Azure VM (Windows Server 2019) on various sub-domains of a single domain. Let's say app.clientdomain.com, app-test.clientdomain.com, app-dev.clientdomain.com. I don't control the public DNS for this domain as the client owns the domain (they have a CNAME record in place that points app.clientdomain.com at the FQDN of the Azure Application Gateway that sits in front of the VM).

The application requires a local DNS loopback for certain things to work correctly, and I've used an Azure Private DNS zone with clientdomain.com as the main domain, and A records for app.clientdomain.com, app-test.clientdomain.com and app-dev.clientdomain.com all pointed to the private IP address of the VM. This works quite nicely for the local DNS loopback.

I now also need to be able to access an FTP server on the same domain, say ftp.clientdomain.com. The particular sFTP server in question is external to my Azure subscription and not controlled by me.

However, the issue I have is that the DNS resolves fine for ftp.clientdomain.com in the outside world, but won't resolve from within the VNet (NSLookup reports 'Non-existent domain').

I ideally don't want to put an A record for ftp.clientdomain.com in my private zone, as the IP address may be changed by the client without notice, which would break my application's ability to reach the sFTP server.

Am I unreasonable to expect that if a matching DNS record is not found in the private zone that it should reach outside to public DNS? Am I doing something wrong, or is something broken?

Thanks in advance for any input!


Solution 1:

You have created a private zone that matches a public zone. If a name does not resolve in the private zone, NXDOMAIN is returned. The DNS client or resolver will not try the public zone.

Solution: choose a different zone name for the private zone so that both private and public names can be resolved.

Solution 2:

So what you could do is just create the Azure Private DNS Zone specifically for app.clientdomain.com. We had the exact same requirement - a public zone that also has records that exist internally. We overcame it with this setup.

The Private DNS Zone would be authoritative to that subdomain only and everything else will resolve outside. Just point the root record (of the subdomain, i.e. @) to the IP address as required. See example below, where I've set it up in my environment. I just noticed the typo!

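As an added example that is not part of either answer, here is a small Python model of the resolver decision both answers describe: the most specific private zone linked to the VNet is authoritative for a name, and a name missing from that zone gets NXDOMAIN rather than a fallback to public DNS. Zone names, record sets and the VM IP are constructed for illustration.

```python
# Added example (not from the original post): a model of how a linked Azure
# Private DNS zone shadows the public zone of the same name.
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
PUBLIC = "forward to public DNS"


@dataclass
class PrivateZone:
    name: str                                     # e.g. "clientdomain.com"
    records: dict = field(default_factory=dict)   # A records: name -> IP


def _in_zone(query, zone_name):
    q, z = query.lower().rstrip("."), zone_name.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def resolve(query, zones):
    """Answer the VNet resolver would give for `query`.

    The longest (most specific) linked zone containing the name is
    authoritative; a name absent from it is NXDOMAIN and is never retried
    against public DNS. Names outside every linked zone go to public DNS.
    """
    matching = [z for z in zones if _in_zone(query, z.name)]
    if not matching:
        return PUBLIC
    zone = max(matching, key=lambda z: len(z.name))
    return zone.records.get(query.lower().rstrip("."), NXDOMAIN)


# Original setup: one private zone for the whole domain (constructed IP).
VM_IP = "10.0.1.4"
broad = [PrivateZone("clientdomain.com", {
    "app.clientdomain.com": VM_IP,
    "app-test.clientdomain.com": VM_IP,
    "app-dev.clientdomain.com": VM_IP,
})]

# Solution 2: one private zone per application sub-domain; "@" is the zone
# apex, so the rest of clientdomain.com falls through to public DNS.
narrow = [
    PrivateZone("app.clientdomain.com", {"app.clientdomain.com": VM_IP}),
    PrivateZone("app-test.clientdomain.com", {"app-test.clientdomain.com": VM_IP}),
    PrivateZone("app-dev.clientdomain.com", {"app-dev.clientdomain.com": VM_IP}),
]

if __name__ == "__main__":
    for zones in (broad, narrow):
        for name in ("app.clientdomain.com", "ftp.clientdomain.com"):
            print(f"{[z.name for z in zones]}: {name} -> {resolve(name, zones)}")
```

With the broad zone, ftp.clientdomain.com comes back NXDOMAIN (the symptom in the question); with the per-subdomain zones it is forwarded to public DNS while the app names still resolve to the VM.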