Exam AZ-305 topic 4 question 36 discussion

Box 1 is wrong, VNET default configuration is to use azure DNS. The correct answer for box 1 should be "configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16" to convert VM1 to a DNS forwarder.

For anyone else struggling, I found this helpful: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/azure-dns-private-resolver

WRONG 1. Configure VM1 to forward contoso.com to the Azure-provided DNS at 168.63.129.16 2. Forward contoso.com to VM1

This question appeared in the exam, August 2024. For Box 1 I gave the answer "configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16". For Box 2 I gave "Forward contoso.com to VM1". I scored 870

Azure Configuration Option: Configure VM1 to forward contoso.com to the Azure-provided DNS at 168.63.129.16 Reasoning: This setup allows the DNS server on VM1 to forward DNS queries for the contoso.com domain to the Azure-provided DNS. The Azure DNS can resolve the private endpoint (PE1) to its private IP address. On-premises DNS Configuration Option: Forward contoso.com to VM1 Reasoning: By configuring the on-premises DNS to forward requests for contoso.com to VM1, DNS queries for this domain will be directed to the DNS server on VM1, which will then forward them to the Azure-provided DNS.

Box 1 is wrong but Box 2 is correct and answer as per below Box1. configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16 Box2. Forward contoso.com to VM1

Azure configuration: In VNet1, configure a custom DNS server set to the Azure provided DNS at 168.63.129.16: This configuration ensures that all the resources within VNet1, which includes VM1 (configured as a DNS server) and PE1 (Private Endpoint), can resolve names using the Azure-provided DNS which has knowledge of the private endpoints. On-premises DNS configuration: Forward contoso.com to VM1: Since VM1 is configured as a DNS server and it is within VNet1 that has a private DNS zone for contoso.com, forwarding DNS requests for contoso.com to VM1 will allow on-premises systems to resolve the names to the private IP addresses provided by PE1 for SQLDB1. This assumes that VM1 has the necessary DNS forwarders or conditional forwarders set up to resolve queries for contoso.com using the private DNS zone information.

1. configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16 2. Forward contoso.com to VM1

nothing in the question says that VM1 is connected to VNET1

Azure configuration: In VNet1, configure a custom DNS server set to Azure provided DNS at 168.63.129.16 On-premises DNS configuration: Forward contoso.com to VM1 Here's the flow 1. on-premise client machine queries for SQLDB1 2. on-premise DNS forward to VM1 3. VM1 query for SQLDB1 to public DNS 4. VM1 recieves CNAME for SQLDB1 5. VM1 query for CNAME of SQLDB1, which resided on Private DNS zone (In order to query Private DNS zone, you need to forward to Azure provided internal DNS) 6. VM1 receives A record from Private DNS zone 7. VM1 returns to on-premise client https://learn.microsoft.com/en-us/azure/architecture/example-scenario/networking/azure-dns-private-resolver#use-a-dns-forwarder-vm

Azure configuration: c. In VNet1, configure a custom DNS server set to the Azure provided DNS at 168.63.129.16 On-premises DNS configuration: a. Forward contoso.com to VM1

1. configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16 2. Forward contoso.com to VM1

Carefully look at the Green arrows in the diagram. Its "configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16"

Babonamaki is right. The correct answer for box 1 should be "configure vm1 to forward contoso.com to the azure provided dns at 168.63.129.16" to convert VM1 to a DNS forwarder. That's what I am using in our production environment!

I think it should be configure VM1 to forward Contoso.com to Public DNS as that is where the CNAME record exists on premises should forward to VM1 since VM1 has the A record for PE1

Coz they did NOT say VM1(DNS) is in VNET1

Interestingly done this config at work and we use the AFWs as a DNS proxies and conditionally forward DNS requests from on-prem for stuff like Keyvault and Servicebus to the AFWs which then return the privatelink addresses.