I've set up a simple Azure Virtual Network (VN) consisting of a single domain controller and a few clients. Now I need to know how to configure the VN's DNS Server List. Here are the two options I've tried:
1. Make the DC the only IP in the list of DNS servers. Initially this seems like the most obvious way to configure the VN, but it appears to block outbound DNS, making the Internet basically inaccessible. From the command line of any VM in the VN, nslookup works against the DC but fails against any other DNS server, including Azure's built-in DNS. For all intents and purposes, outgoing DNS appears to be blocked in this configuration.
2. Set the DC's IP first in the list, then Azure's built-in DNS. This approach allows outgoing DNS to Azure's built-in DNS from any VM in my VN, but it feels strange to set up my clients with two DNS servers, one of which is my DC and one of which is external to my network. Is this the way a domain should be configured?
Ideally, I'd like all the VMs in my VN to use my DC for DNS, and for the DC to forward unknown domains to Azure's built-in DNS server, but I can't seem to find a way to do that.
As of 5/8/2014 Azure Virtual Network is no longer blocking outgoing DNS, so you can set up your DNS forwarders normally.
I selected public DNS servers from this list: http://theos.in/windows-xp/free-fast-public-dns-server-list/
Good question! From what I can see, the Virtual Network is basically an isolation overlay. Unless you create a site-to-site VPN tunnel or define accessible DNS servers in the virtual network, there isn't a connection to the outside. In our environment, we tunnel to local DCs that forward queries to external DNS servers. Without that, I would say adding the Azure DNS to your VN DNS Server List is your solution.
Microsoft recommends using root hints with recursion (the default settings for recent Windows Server DNS versions) instead of explicit forwarder configuration for Azure-based DNS servers.
If you configured your DCs to also serve DNS (the dcpromo default), set your virtual network DNS servers to the appropriate DCs for clients on that subnet.
Don't set a non-DC DNS address on AD clients. Failing over to that address will break domain services (logon and authentication, among others).
The beauty of root hints and recursion is that you don't have to do anything but ensure that your clients can use the DC's DNS.
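To verify the configuration this answer describes, here is an added PowerShell check (not part of the original answer) to run on a DNS-hosting DC: it confirms recursion is on and root hints are present, lists any explicit forwarders, and flags any non-DC DNS server configured on the host's own NICs. It assumes the DnsServer and ActiveDirectory RSAT modules are installed; the function name Test-DcDnsConfiguration is my own.

```powershell
# Added example, not from the original answer. Run on a DC that hosts DNS.
# Assumes the DnsServer and ActiveDirectory modules are available.
Import-Module DnsServer
Import-Module ActiveDirectory

function Test-DcDnsConfiguration {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Recursion must be enabled for root-hint resolution to work at all.
    $recursion = Get-DnsServerRecursion
    $result.RecursionEnabled = [bool]$recursion.Enable

    # 2. Root hints should be present (the default set is installed by dcpromo).
    $result.RootHintCount = @(Get-DnsServerRootHint).Count

    # 3. Explicit forwarders are unnecessary with root hints; report them so
    #    the admin can decide whether to keep them.
    $forwarders = Get-DnsServerForwarder
    $result.Forwarders = @($forwarders.IPAddress |
        ForEach-Object { $_.IPAddressToString })

    # 4. Every DNS server set on this host's NICs should be a DC (or loopback).
    $dcIps = @(Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty IPv4Address)
    $clientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses }
    $result.NonDcDnsServers = @($clientDns |
        Where-Object { $_ -ne '127.0.0.1' -and $dcIps -notcontains $_ })

    [pscustomobject]$result
}

$check = Test-DcDnsConfiguration
$check | Format-List

if (-not $check.RecursionEnabled) {
    Write-Warning "Recursion is disabled; root-hint resolution will fail."
}
if ($check.RootHintCount -eq 0) {
    Write-Warning "No root hints configured on this DNS server."
}
if ($check.NonDcDnsServers.Count -gt 0) {
    Write-Warning ("Non-DC DNS servers configured on this host: " +
        ($check.NonDcDnsServers -join ', '))
}
```

Run the same NIC check (step 4) on member servers and clients to catch the failover-to-non-DC problem the answer warns about.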