Azure CLI not resolving custom DNS Server properly

[A7exSchin]

Describe the bug

For a client I have set up a VPN Gateway, Private DNS Zone and a Keyvault with a Private Endpoint plus a DNS entry in the private DNS Zone.

When using the Azure cli command to list secrets in the private keyvault

az keyvault secret list --vault-name <keyvault-name> it gives me the error below.

When adding the debug and verbose arguments to the command I can see that the azure cli is trying to resolve the public IP of the keyvault. So this error makes total sense as the keyvault is no longer public, but set to private.

However, I know that the VPN configuration works, as when using the Azure Portal to access the secrets, it properly resolves the private IP and successfully displays the secrets contained in the keyvault. Disconnecting the VPN then shows an error.

I think there is a bug here where the Azure CLI or the underlying python structure does not properly use the correct private DNS Server.

What I have tried else?

• I debugged the DNS connection with nslookup and dig. Both showing the private IP of they keyvault when connected to the VPN.
• I have tried flushing the MacOS DNS and killing all mDNSResponder instances
• I have tried using the native MacOS VPN Client, Tunnelblick and OpenVPN. The first does not work at all, the latter work as described: Portal works, az cli does not
• I have tried to debug the VPN connection, I do not think this is the culprit, as all other private DNS Zones and entries work flawlessly, only the azure CLI is not working. Additionally, as I stated before, the browser works too (Chrome/Brave)
• Updating az cli and python (first turned up with 2.68.0, still happening at 2.70.0)

Related command

az keyvault secret list

Errors

cli.azure.cli.core.azclierror: (Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.
Caller: appid=<removed>;oid=<removed>;iss=https://sts.windows.net/e0a885c5-a02c-4390-9958-60be6791bdeb/
Vault: mgis-common-external;location=westeurope
Code: Forbidden
Message: Public network access is disabled and request is not from a trusted service nor via an approved private link.
Caller: appid=<removed>;oid=<removed>;iss=https://sts.windows.net/e0a885c5-a02c-4390-9958-60be6791bdeb/
Vault: mgis-common-external;location=westeurope
Inner error: {
    "code": "ForbiddenByConnection"
}
az_command_data_logger: (Forbidden) Public network access is disabled and request is not from a trusted service nor via an approved private link.
Caller: appid=<removed>;oid=<removed>;iss=https://sts.windows.net/e0a885c5-a02c-4390-9958-60be6791bdeb/
Vault: mgis-common-external;location=westeurope
Code: Forbidden
Message: Public network access is disabled and request is not from a trusted service nor via an approved private link.
Caller: appid=<removed>;oid=<removed>;iss=https://sts.windows.net/e0a885c5-a02c-4390-9958-60be6791bdeb/
Vault: mgis-common-external;location=westeurope
Inner error: {
    "code": "ForbiddenByConnection"
}

Issue script & Debug output

Output with debug flag showing it resolves the public IP

cli.azure.cli.core.sdk.policies: Response headers:
cli.azure.cli.core.sdk.policies:     'Cache-Control': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Pragma': 'no-cache'
cli.azure.cli.core.sdk.policies:     'Content-Type': 'application/json; charset=utf-8'
cli.azure.cli.core.sdk.policies:     'Expires': '-1'
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-region': 'westeurope'
cli.azure.cli.core.sdk.policies:     'x-ms-client-request-id': ''
cli.azure.cli.core.sdk.policies:     'x-ms-request-id': ''
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-service-version': '1.9.2203.1'
cli.azure.cli.core.sdk.policies:     'x-ms-keyvault-network-info': 'conn_type=Ipv4;addr=217.111.66.34;act_addr_fam=InterNetwork;'
cli.azure.cli.core.sdk.policies:     'X-Content-Type-Options': 'nosniff'
cli.azure.cli.core.sdk.policies:     'Strict-Transport-Security': 'max-age=31536000;includeSubDomains'
cli.azure.cli.core.sdk.policies:     'Date': 'Tue, 11 Mar 2025 10:37:40 GMT'
cli.azure.cli.core.sdk.policies:     'Content-Length': '410'

Picture of the browser resolving the correct private IP

Expected behavior

The azure cli should respect the DNS settings from the host machine, as specified in /etc/resolv.conf

Environment Summary

azure-cli 2.70.0

core 2.70.0
telemetry 1.1.0

Dependencies:
msal 1.31.2b1
azure-mgmt-resource 23.1.1

Python location '/usr/local/Cellar/azure-cli/2.70.0/libexec/bin/python'
Config directory '/Users/aschin/.azure'
Extensions directory '/Users/aschin/.azure/cliextensions'

Python (Darwin) 3.12.9 (main, Feb 4 2025, 14:38:38) [Clang 16.0.0 (clang-1600.0.26.6)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[evelyn-ys]

Not sure if this is what you looking for https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-configure-proxy?tabs=bash

[A7exSchin]

Not sure if this is what you looking for https://learn.microsoft.com/en-us/azure/developer/python/sdk/azure-sdk-configure-proxy?tabs=bash

Thanks for the answer! However, this does not help as I am not trying to configure a proxy. With our infrastructure we host a DNS Server as a Private DNS Resolver, which resolves Private DNS Zones inside our Azure infrastructure and makes them available to be resolved if the resolver is used as a DNS Server.

This means that the goal here would be that the azure CLI resolves DNS names from the server configured in /etc/resolv.conf as that is how our VPN solution configures the host system. Almost every other application I tested except does use the /etc/resolv.conf file to query new DNS names, but the azure cli does not.

So ultimately I want to be able to use the azure cli to access keyvaults over VPN. A solution similar to the proxy solution, where one could configure the DNS Server used by the azure cli via an environmental variable would be sufficient for me.

[evelyn-ys]

Not sure if it's something CLI needs to support. cc @jiasli @bebound

Add @msyyc from SDK team. It seems some ask form SDK as the requests are actually sent by SDK

[bebound]

What's the output of python3.12 -c "import socket;print(socket.gethostbyname('your kv domain'))"?
Is it a public ip or private ip?

[A7exSchin]

python3.12 -c "import socket;print(socket.gethostbyname('your kv domain'))"

It is the public IP. That would indicate it is a python issue and not related to azure cli?

python3.12 -c "import socket;print(socket.gethostbyname('<my-kv>.vault.azure.net'))"
13.69.111.192