Using Azure DNS
Though you might be used to doing DNS via bind
, there's nothing specific about bind
that defines DNS. You can do DNS anywhere; all DNS details are blackboxed.
As such, Azure DNS is perfectly compatible with being a super Linux geek.
You can review the docs for Azure DNS on your own, but I'd like to provide a few "recipes".
Everything that follows assumes that you've done the prerequisite work of getting an active Azure account, creating your resource group (New-AzureRmResourceGroup
) and creating a new DNS zone (New-AzureRmDnsZone
).
New-AzureRmResourceGroup -Name spartan01 New-AzureRmDnsZone -ResourceGroupName spartan01 -Name "example.com"
In moving to Azure DNS, you have a few things that you need to do. These have NOTHING to do with Azure -- they're just facts of DNS.
PowerShell will be used for the most part, but the Azure CLI syntax will be provided where it's particularly interesting.
E-Mail (MX Records)
First, you need to realize that DNS affects your e-mail. This should be obvious since your e-mail has a domain name right in it. So, you need to make sure your MX records are legit.
Here's a block of PowerShell (UpdateAzureDNSMX.ps1) you should keep around:
New-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType A -Name "mail" -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Ipv4Address '203.0.113.1') New-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType MX -Name "mail" -Ttl 3600 -DnsRecords @( (New-AzureRmDnsRecordConfig -Preference 10 -Exchange smtp.example.com), (New-AzureRmDnsRecordConfig -Preference 20 -Exchange mailstore1.example.com) )
This creates a record set, then adds the specific config.
Single IP Address
Let's say you have a bunch of sites and want a single server to handle them all. Let's also assume that you only have one IP address.
You should look into using WebApps, but let's pretend you absolutely need a VM for some wild reason.
What to do?
Simple: CNAME it.
After creating your shiny new VM (perhaps running ./create simple hosting01
from https://linux.azure.david.betz.space), you need to get the systems IP address:
Azure CLI
[dbetz@callisto ~]$ az network public-ip list --query "[?dnsSettings.domainNameLabel!=null]|[?starts_with(dnsSettings.domainNameLabel,'hosting01')].{ dns: dnsSettings.fqdn }"
[
{
"dns": "hosting01figrg-alpha.centralus.cloudapp.azure.com"
}
]
PowerShell
(Get-AzureRmPublicIpAddress -ResourceGroupName hosting01 -Name hosting01-ip-alpha).DnsSettings.Fqdn
Let's use that Azure domain name to create our CNAME records for our domains:
function create { param($name) New-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType CNAME -Name $name -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname "hosting01figrg-alpha.centralus.cloudapp.azure.com") } create "subdomain01" create "subdomain02" create "subdomain03" create "subdomain04"
For the sake of this example, all domains will be as subdomains. Doing full, separate domains is the same, but the examples would be longer... and less fun. It's the same idea, though.
If you already have the records (e.g. you move to another VM later), you update:
function update { param($name) $rs = Get-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType CNAME -Name $name $rs.Records[0] = (New-AzureRmDnsRecordConfig -Cname "hosting01figrg-alpha.centralus.cloudapp.azure.com") Set-AzureRmDnsRecordSet -RecordSet $rs } update "subdomain01" update "subdomain02" update "subdomain03" update "subdomain04"
Now you have your domains all pointing to the same place.
Stopping here doesn't help you. You still have to figure out how to get your server to handle the multiple sites! Though it's not directly Azure related, I find partial examples to be distasteful and a sign of extreme ignorance on the part of an author.
So, what do you do on the server?
Let's assume you're reading this after 2016 (I'm writing this in 2017, sooooo...), therefore you're not using Apache. You're using Nginx:
server {
listen 80;
server_name mysubdomain01.example.com;
return 301 https://mysubdomain01.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name mysubdomain01.example.com;
ssl_certificate /etc/letsencrypt/live/mysubdomain01.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysubdomain01.example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /srv/_cert/dhparam.pem;
location / {
add_header Strict-Transport-Security max-age=15552000;
proxy_pass http://127.0.0.1:8081;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
proxy_set_header Host mysubdomain01.example.com;
}
}
I'm not into trivial examples, so the full SSL example is provided, with the letsencrypt paths.
The point is this:
- listen on the port without the IP
- server the
server_name
to your full domain name
Done.
Well, no, we're not done to my satisfaction. You still need some ability to test this. So, here's a quick Node.js application you can use to listen on port 80. Just curl
from somewhere else and see if it works.
curl --silent --location https://rpm.nodesource.com/setup_8.x | bash -
yum -y install nodejs
cd
cat > server.js << EOF
http = require('http');
port = parseInt(process.argv[2]);
server = http.createServer( function(req, res) {
res.writeHead(200, {'Content-Type': 'text/html'});
res.end(req.method + ' server ' + port);
});
host = '$PUBLIC_IP';
server.listen(port, host);
EOF
node server.js 8081 &
Azure CDN
When using assets (e.g. png, css) on your website, you'll want to be sure to serve them via an Azure CDN.
I tend to avoid the term "blob" as that's a binary entity -- the moment you start talking about "SVG blobs" or "CSS blobs", you lose any connection to reality. They're assets.
If your CDNS provider (Azure uses both Akamai and Verizon) supports SSL for custom domains, then great. If not, you're stuck with the mycdnendpoint.azurewebsites.net
address. You can consider HTTP obsolete. Use SSL or do not host anything.
Assuming your CDN provider supports SSL for custom domains, you have to tell it about your custom domain.
It requires that you prove ownership by creating a cdnverify
CNAME entry. Most of the docs are deeply cryptic on this (honestly, RTFM means FU; it's rarely helpful), so I'll make it simple:
if you want to use cdn01.mydomain.net
instead of http://mycdnendpoint.azurewebsites.net
, you can do this in two ways (choose one):
- create a
cdn01
CNAME pointing tomycdnendpoint.azurewebsites.net
New-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType CNAME -Name 'cd01' -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname "mycdnendpoint.azureedge.net")
OR
- create a
cdnverify.cdn01
CNAME pointing tocdnverify.mycdnendpoint.azurewebsites.net
.
New-AzureRmDnsRecordSet -ResourceGroupName spartan01 -ZoneName "example.com" -RecordType CNAME -Name 'cdnverify.cd01' -Ttl 3600 -DnsRecords (New-AzureRmDnsRecordConfig -Cname "cdnverify.mycdnendpoint.azureedge.net")
NS Records
Once your DNS is setup and ready for production, you need to tell your registrar about it.
You can't guess what these records are. You just ask Azure about them:
(Get-AzureRmDnsZone -ResourceGroupName spartan01 -Name "example.com").NameServers
Here's a preview of something from namecheap.com (use whatever you want... as long as it's not GoDaddy)