It was hard to find an explicit title for that issue...
We got a DNS server hosted in Azure which serves as a relay/conditional forwarder for the private DNS zones we have in our Azure tenant. Following the Microsoft documentation for private endpoints DNS resolution, the conditional forwarding for these private DNS zones is sent to the Azure DNS 168.63.129.16. Among these private zones we got this privatelink.blob.core.windows.net, which is used by the private endpoints you can create for your storage accounts.
At this point, everything works and we can resolve DNS names for our personalized private zones and privatelink... zones in Azure.
When you create a private endpoint on a publicly-accessible blob in storage endpoint, Azure adds a CNAME from the original "public" name mystorageaccount.blob.core.windows.net. to mystorageaccount.privatelink.blob.core.net. So when you request your storage account DNS name, it is translated to this privatelink FQDN and your private IP is returned.
The problem is that there are other people in the world which use Azure blobs & private endpoints. So when we try to resolve an external blob name which has a private link from our internal network , like someexternalstgaccount.blob.core.windows.net this is resolved as a CNAME of someexternalstgaccount.privatelink.blob.core.windows.net. So the DNS request is transfered to our own Azure DNS server/relay, which claims to handle the zone in its conditional forwarder privatelink.blob.core.windows.net. Finally, the name someexternalstgaccount is not found in our own tenant private DNS zone privatelink.blob.core.windows.net, and the request fails...
What am i missing, how do you manage this ? You create conditional forwarding for all your FQDNs ?
