How to troubleshoot assignment of custom DNS to Azure CDN endpoint?

  • Question

  • Here is my Twitter conversation with @Azure:

    Me: I deployed an Azure static web site which works. https://findrestaurantsnearme.z13.web.core.windows.net. Created an Azure CDN endpoint for this site, which also works. https://findrestaurantsnearme.azureedge.net. Added a CNAME record directing http://findrestaurantnearme.com to http://findrestaurantsnearme.azureedge.net.

    When I enter http://findrestaurantnearme.com into a browser, it redirects to http://findrestaurantsnearme.azureedge.net so CNAME seems to work. Trying to add a custom domain to the Azure CDN endpoint, so the browser shows http://findrestaurantnearme.com and not the CDN endpoint URL after being redirected. Tried to add custom domain to endpoint with custom hostname http://findrestaurantnearme.com. Error "We couldn't find a DNS record..." How to troubleshoot? Thanks!

    Azure: Hey there! Looking at http://findrestaurantsnearme.com on http://whatsmydns.net, we can see the A and CNAME records are propagated and when we try to reach the public IP associated to the A record we see a 403 Forbidden error for Azure Storage.

    Me: 

    Please correct me if I'm misunderstanding something here. I can ping the ip (184.168.131.241). 
    If I do a "tracert http://findrestaurantnearme.com" (from DOS prompt) it gets there in 3 hops in 10 ms. If I browse to "http://findrestaurantnearme.com" in a web browser, the browser redirects to findrestaurantsnearme.azureedge.net and shows the site correctly. So I'm not sure how you are hitting the site and whether Azure static web sites accept that type of request.


    Adam Leffert http://www.leffert.com

    Thursday, October 31, 2019 12:52 PM

All replies

  • Hi, 

    I don't see any redirection when I browse "http://findrestaurantnearme.com" and I don't see any CNAME for this domain either. 

    Reference: https://www.digwebinterface.com/?hostnames=findrestaurantnearme.com&type=&ns=resolver&useresolver=8.8.4.4&nameservers= 

    The domain which you are browsing is an apex domain, and you will not be able to add a CNAME to an apex domain. You need to add an alias record for the apex domain. 

    You can check the below documentation on how to create alias record for your apex domain. 

    Reference: https://docs.microsoft.com/en-us/azure/dns/dns-alias#point-zone-apex-to-azure-cdn-endpoints

    Also, if you would like to go with http://www.findrestaurantnearme.com, then you just need to create a www record in your registrar to point to the CDN's FQDN with a CNAME. 

    Let me know if you have any further questions. 

    Regards, 

    Msrini

    Thursday, October 31, 2019 1:06 PM
    Moderator
  • Hi, 

    Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and Up-Vote for the same.

    Regards, 

    Msrini

    Friday, November 1, 2019 1:18 PM
    Moderator
  • Hi Msrini,

    I have not yet solved my problem.

    I've been taking time to learn more about DNS, watching a Pluralsight video on the topic.

    This way, I hoped to minimize the time you spend working on this question.

    Two things I note on the page you reference:

    1) "Pointing a zone apex to CDN endpoints for Azure CDN from Akamai is currently not supported."

    My CDN endpoint is an Akamai endpoint, because this is what the MS tutorial on how to add a custom domain to an Azure static website directed me to do.

    Does the quote above mean that what I'm trying to do is impossible?  My original goal was simply to assign a custom domain name to my Azure static web site.  I don't really need a CDN for this.  My site is more than fast enough.

    If I need a different type of Azure CDN to assign a custom domain to my Azure static web site, which type?

    2) The "Next Steps" section mentions two things:

    a) alias record to a public IP

    I don't have a public IP.  I have a CDN FQDN whose IP will change.

    b) Traffic Manager.  Do I need Traffic Manager to simply assign a domain name to a static site?

    Seems like this simple action is getting more and more complex.

    I have access to the DNS records for my domain name on GoDaddy admin.

    It might save time if you could simply tell me which records to add.

    I want to assign the domain names

    findrestaurantnearme.com

    www.findrestaurantnearme.com

    to my Azure static web site.

    Thanks!

    Adam


    Adam Leffert http://www.leffert.com

    Friday, November 1, 2019 1:33 PM
  • 1. You can go with Verizon or Microsoft Standard, as they don't have any limitation on having a custom domain with an apex record. If you don't want to use the apex domain and are fine with creating a www record, so that your domain looks like "www.domain.com", you can go with Akamai itself.

    You can create a CNAME record "www" which points to Azure CDN. Then you can add www.findrestaurantnearme.com as the custom domain to your CDN. It will work for Akamai as well. Once the validation is done, you are all set. 

    Regards, 

    Msrini

    Friday, November 1, 2019 1:49 PM
    Moderator
  • Let's stick with Akamai CDN for now.

    Let's assume I want both

    findrestaurantnearme.com

    www.findrestaurantnearme.com

    to work.

    I am OK with the DNS resolution process using an extra iteration to resolve the www.

    Could you please list the (two?) CNAME records I need to create?

    I've tried all the possibilities I can think of and none have worked.

    My Akamai CDN endpoint is

    findrestaurantsnearme.azureedge.net

    Thanks!

    Adam


    Adam Leffert http://www.leffert.com

    Friday, November 1, 2019 1:56 PM
  • According to RFC standards, you will not be able to create a CNAME for an apex domain, and hence you need to create an alias record. 

    If you want both apex domain and www record, then Akamai is not the provider that you need to choose. 

    When you choose Alias record in your DNS Zone, you need to select the Azure CDN endpoint to which you need to map the apex domain. You don't need to worry about the IP changes as it is handled by Azure. 

    Regards, 

    Msrini

    Saturday, November 2, 2019 5:10 AM
    Moderator
  • Msrini,

    Thank you for your reply.

    GoDaddy is the registrar for my domain.  GoDaddy does not currently support ALIAS records.

    I am working through what you wrote above and trying the various options.  I will write back once I have the results.

    Until then, I'm going to include some of the things I've figured out along the way in this reply, in case someone else goes down a similar road and finds this thread.  I've spent a lot of time on this and would like to spare the next person.  Feel free to skip the next section of this post.

    What’s an ALIAS record?

    https://support.dnsimple.com/articles/alias-record/

    An ALIAS record is a virtual record type we created to provide CNAME-like behavior on apex domains.
    For example, if your domain is example.com and you want it to point to a host name like myapp.herokuapp.com, you can’t use a CNAME record, but you can use an ALIAS record. The ALIAS record will automatically resolve your domain to one or more A records at resolution time, and resolvers see your domain simply as if it had A records.

    GoDaddy does not support ALIAS records in its DNS UI.

    To handle forwarding from apex domains, GoDaddy offers  a GUI which allows the admin to specify the details of the redirect.

    When the admin user specifies these details, GoDaddy adds two A records to your DNS data, one for @ and one for www.  Both point to the fixed IP address of a server that GoDaddy maintains.

    When a request hits this GoDaddy server, it examines the request header, figures out the redirect and redirects the request to its specified destination.

    This works, in most cases.

    In my specific case, it does not work, because of the following sequence:

    User navigates to http://findrestaurantnearme.com in a browser.

    DNS A record points the request to the GoDaddy server at the fixed IP.

    GoDaddy server redirects the request to https://findrestaurantsnearme.azureedge.com, my Akamai CDN endpoint.

    The JavaScript code in my index.htm page reads the protocol and sees "https".  If it had seen "http", it would have done a redirect, to https, but seeing https, it continues executing code.

    The JS code then tries to read the user's current GPS location.

    The protocol is https, but the CDN endpoint does not have an SSL certificate, so the function call fails.  Code to read location in JS requires an SSL cert.  This is a security feature of browsers.

    I try to add an SSL cert to the Akamai CDN endpoint via the Azure portal, but the Azure portal refuses.  The Azure feature looks for a CNAME record, but doesn't find one, because that's not how the GoDaddy redirect works.

    Thanks,

    Adam



    Adam Leffert http://www.leffert.com

    Saturday, November 2, 2019 10:47 AM
  • Msrini,

    I deleted the old (Akamai) CDN endpoint.

    I created a new Microsoft Standard CDN endpoint.

    Custom endpoint.

    Origin hostname

    https://findrestaurantsnearme.z13.web.core.windows.net

    Endpoint hostname

    https://findrestaurantsnearme.z13.web.core.windows.net

    Browse to the endpoint in a web browser.  Works.

    Opened an account at dnsimple.com, because GoDaddy does not support ALIAS records.

    Pointed the name servers for the domain findrestaurantnearme.com to dnsimple.

    Added two ALIAS records in dnsimple.  Filled in the rest of the records automatically.

    Here is the zone file export from dnsimple

    $ORIGIN findrestaurantnearme.com.
    $TTL 1h
    findrestaurantnearme.com. 3600 IN SOA axfr.dnsimple.com. admin.dnsimple.com. 1572701519 86400 7200 604800 300
    findrestaurantnearme.com. 3600 IN NS ns1.dnsimple.com.
    findrestaurantnearme.com. 3600 IN NS ns2.dnsimple.com.
    findrestaurantnearme.com. 3600 IN NS ns3.dnsimple.com.
    findrestaurantnearme.com. 3600 IN NS ns4.dnsimple.com.
    findrestaurantnearme.com. 3600 IN NS ns5.dnsmadeeasy.com.
    findrestaurantnearme.com. 3600 IN NS ns6.dnsmadeeasy.com.
    findrestaurantnearme.com. 3600 IN NS ns7.dnsmadeeasy.com.
    ; findrestaurantnearme.com. 3600 IN ALIAS findrestaurantnearme.azureedge.net.
    findrestaurantnearme.com. 3600 IN TXT "ALIAS for findrestaurantnearme.azureedge.net"
    ; www.findrestaurantnearme.com. 3600 IN ALIAS findrestaurantnearme.azureedge.net.
    www.findrestaurantnearme.com. 3600 IN TXT "ALIAS for findrestaurantnearme.azureedge.net"

    Opened an account at dnscheck.co, to verify that the dns info was correct and propagated.

    Imported zone file exported from dnsimple into dnscheck.co.

    All dns records pass.

    Log in to Azure portal.

    Navigate to new CDN endpoint.

    Add custom domain.

    Endpoint hostname

    findrestaurantnearme.azureedge.net

    Custom hostname

    findrestaurantnearme.com

    Fails.  "We couldn't find a DNS record..."

    What am I doing wrong here?

    Thanks!

    Adam

    Adam Leffert http://www.leffert.com

    Sunday, November 3, 2019 11:06 AM
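
An added example (not part of the original thread, and not Azure's or dnsimple's code): a small Python check over the zone export posted above, assuming, as the thread describes, that the portal's custom-domain validation looks for a CNAME from the custom hostname to the endpoint hostname. `parse_zone`, `check_custom_domain` and the finding labels are hypothetical names, and both zone texts are constructed from the export in the post.

```python
import re

# Constructed sample: trimmed copy of the dnsimple zone export quoted in the thread.
EXPORTED = """\
$ORIGIN findrestaurantnearme.com.
findrestaurantnearme.com. 3600 IN SOA axfr.dnsimple.com. admin.dnsimple.com. 1572701519 86400 7200 604800 300
findrestaurantnearme.com. 3600 IN NS ns1.dnsimple.com.
; findrestaurantnearme.com. 3600 IN ALIAS findrestaurantnearme.azureedge.net.
findrestaurantnearme.com. 3600 IN TXT "ALIAS for findrestaurantnearme.azureedge.net"
; www.findrestaurantnearme.com. 3600 IN ALIAS findrestaurantnearme.azureedge.net.
www.findrestaurantnearme.com. 3600 IN TXT "ALIAS for findrestaurantnearme.azureedge.net"
"""
# Constructed variant: real CNAME records at www and (incorrectly) at the apex.
WITH_CNAMES = """\
findrestaurantnearme.com. 3600 IN SOA axfr.dnsimple.com. admin.dnsimple.com. 1572701519 86400 7200 604800 300
findrestaurantnearme.com. 3600 IN NS ns1.dnsimple.com.
findrestaurantnearme.com. 3600 IN CNAME findrestaurantnearme.azureedge.net.
www.findrestaurantnearme.com. 3600 IN CNAME findrestaurantnearme.azureedge.net.
"""
RR = re.compile(r"^(;\s*)?(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")

def norm(name):
    return name.rstrip(".").lower()

def parse_zone(text):
    """Return {owner: [(type, rdata, commented_out)]} for absolute-name records."""
    zone = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:  # $ORIGIN/$TTL directives do not match and are skipped
            zone.setdefault(norm(m.group(2)), []).append(
                (m.group(3).upper(), m.group(4).strip(), bool(m.group(1))))
    return zone

def check_custom_domain(zone_text, hostname, endpoint):
    """Findings for the CNAME lookup the thread says the portal performs."""
    rrs = parse_zone(zone_text).get(norm(hostname), [])
    live = [(t, d) for t, d, commented in rrs if not commented]
    targets = [norm(d) for t, d in live if t == "CNAME"]
    findings = []
    if any(t == "ALIAS" and commented for t, _, commented in rrs):
        findings.append("alias-only")          # resolvers see A records, not a CNAME
    if not targets:
        findings.append("no-cname")            # nothing for a CNAME lookup to find
    elif norm(endpoint) not in targets:
        findings.append("cname-wrong-target")
    if targets and len(live) > len(targets):
        findings.append("cname-coexists")      # CNAME beside SOA/NS/TXT, always true at an apex
    return findings or ["ok"]
```

On the exported zone both hostnames return `alias-only` and `no-cname`, which is consistent with the "We couldn't find a DNS record..." failure reported in the post.
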
  • Hi, 

    Alias record is present in Azure DNS. You need to delegate your DNS to Azure DNS and you can create an Alias record as shown in the below screenshot:

    Select Alias record and choose the CDN which you have created. 

    Regards, 

    Msrini

    Sunday, November 3, 2019 11:34 AM
    Moderator
  • I pointed the DNS servers for the domain name to Azure, using the values I got from the Azure portal.

    For anyone following along, this web site

    https://www.whatsmydns.net/

    can show you when your name server changes have propagated (search for SOA for your domain).

    It can show you when your A records have propagated.  Mine got to some of the servers.

    The CNAME records created by the Azure portal never showed up on this site, but I don't think that mattered.

    OTOH, if your SOA is pointing to your old name servers, don't expect your DNS changes to work yet.

    Anyhow, I was finally able to add findrestaurantnearme.com as a custom domain in the portal.  The portal feature found the CNAME record, even though whatsmydns.net never did.

    However, I hit another road block.

    All this being done doesn't give me an SSL cert, but I saw a feature in the Azure portal that offered to create a free cert (or use one) for me, but when I chose that option, I got this error:

    Failed to update custom domain properties
    Enabling Https with CDN Managed Certificate is not supported anymore for apex (root) domains.

    It then suggested I upload an SSL to KeyVault, and provide the feature with the info to access the cert from Key Vault.

    This is way too much trouble when the whole point of using static web sites was to make the process simpler and save money.

    So, to recap, my understanding is:

    1) Akamai CDN for use with a custom domain name and Azure Storage static web site is not possible if you want both www and apex domain.

    2) Microsoft CDN with custom domain and Azure static site and SSL is only possible if you buy an SSL cert and store it in Key Vault.

    I started with Akamai CDN because the MS article I found said it was the quickest.  Someone should revise this article to tell readers they won't get www and apex domain if they go down this road.

    Good news is that I found another article, which says it can all (www, SSL, custom domain) be done using the Verizon CDN.


    Adam Leffert http://www.leffert.com

    Monday, November 4, 2019 3:11 PM
  • Thank you for posting your observations. 

    Enabling HTTPS with Azure managed CDN is not supported with any providers as of today. You need to upload the certificate to Key Vault and then you can enable HTTPS. 

    Regards, 

    Msrini

    Monday, November 4, 2019 5:10 PM
    Moderator
  • Hi, 

    Just checking in if you have had a chance to see the previous response. If this answers your query, do click “Mark as Answer” and "Up-Vote" for the same which will help the community.

    Regards, 
    Subhash
    Tuesday, November 26, 2019 1:55 PM
    Moderator
  • Thanks for checking in.

    I haven't been back to this yet.

    I will do so and reply back.

    Thanks!

    Adam


    Adam Leffert http://www.leffert.com

    Tuesday, November 26, 2019 2:10 PM