Azure DNS, Private DNS Zones, DNS Resolvers & DNS Rulesets – A Real-World Guide
Introduction
In modern cloud architectures, DNS is no longer just about name resolution.
In Azure, DNS plays a critical role in networking, security, hybrid connectivity, private endpoints, and enterprise traffic control.
This blog provides a complete, real-world understanding of:
Azure DNS Zones (Public)
Azure Private DNS Zones
Azure DNS Private Resolver
DNS Forwarding Rules & Rulesets
Real-time enterprise use cases and architectures
Why DNS Matters in Cloud Architecture
In on-premises environments, DNS was simple:
Server ➝ Active Directory DNS ➝ Internet
In Azure:
Applications are distributed
Services are private
Connectivity spans on-prem, multi-VNet, and multi-cloud
Security requires zero public exposure
DNS becomes the control plane for connectivity.
1️⃣ Azure DNS Zone (Public DNS)
What is Azure DNS Zone?
Azure DNS is a managed, highly available, globally distributed public DNS service used to host public domain records.
It resolves:
Public domain → Public IP
Example
www.mycompany.com → 20.198.45.12
api.mycompany.com → Azure Application Gateway
Key Characteristics
| Feature | Details |
|---|---|
| Scope | Internet (Public) |
| Zone Type | Public |
| Availability | Global |
| SLA | 100% |
| Integration | App Gateway, Front Door, Traffic Manager |
Real-Time Use Case: Public Web Application
Scenario
Company hosts a public web application in Azure
Traffic is routed through Application Gateway
Flow
User Browser
↓
Public DNS (Azure DNS)
↓
Application Gateway
↓
Backend Services
DNS Records
A record → www.mycompany.com → App Gateway IP
CNAME → api.mycompany.com → appgw.azurefd.net
2️⃣ Azure Private DNS Zone
What is Azure Private DNS Zone?
Azure Private DNS allows DNS name resolution inside private networks without exposing resources to the internet.
It resolves:
Private FQDN → Private IP
Why It Exists
Azure services such as:
Private Endpoint
AKS
Azure SQL
Storage Accounts
DO NOT expose public IPs, yet still need DNS resolution.
Example
mydb.database.windows.net → 10.10.2.4
mystorage.blob.core.windows.net → 10.10.3.7
Key Characteristics
| Feature | Details |
|---|---|
| Scope | VNet / Private |
| Internet Exposure | ❌ No |
| VNet Linking | Required |
| Records | Auto-created with Private Endpoints |
| Security | High |
Real-Time Use Case: Secure Database Access
Scenario
Azure SQL Database with Private Endpoint
Accessed from AKS and VM inside VNet
Architecture
AKS / VM
↓
Private DNS Zone
↓
Private Endpoint
↓
Azure SQL Database
DNS Zone
privatelink.database.windows.net
Outcome
No public IP
No firewall rules
Fully private traffic
3️⃣ Azure DNS Private Resolver
Why DNS Resolver is Needed
Private DNS Zones work only inside Azure VNets.
But what if:
On-premises needs to resolve Azure private DNS?
Azure VNets need to resolve on-prem DNS?
Hybrid connectivity exists?
👉 Azure DNS Private Resolver solves this problem
What is Azure DNS Private Resolver?
A managed DNS forwarding service that enables bi-directional DNS resolution between:
Azure VNets
On-premises networks
Other clouds
Components
| Component | Purpose |
|---|---|
| Inbound Endpoint | Accepts DNS queries from on-prem |
| Outbound Endpoint | Sends DNS queries to on-prem |
| Ruleset | Defines how DNS queries are forwarded |
| Rules | Domain-specific forwarding logic |
4️⃣ DNS Forwarding Rules & Rulesets
What is a DNS Ruleset?
A collection of DNS forwarding rules associated with one or more VNets.
What is a DNS Rule?
Defines:
If domain = X → forward to DNS server Y
Example Ruleset
| Domain | Forward To |
|---|---|
| corp.local | On-prem DNS (10.0.0.10) |
| azure.mycorp.com | Azure Private DNS |
| aws.internal | AWS Route53 Resolver |
Real-Time Hybrid Use Case
Scenario
On-prem Active Directory DNS
Azure VNets hosting Private Endpoints
VPN / ExpressRoute connected
DNS Flow
On-prem Server
↓
Azure DNS Private Resolver (Inbound)
↓
Private DNS Zone
↓
Private Endpoint
Reverse Flow
Azure VM
↓
DNS Resolver (Outbound)
↓
On-prem AD DNS
5️⃣ Enterprise-Grade Real-World Architecture
Full Architecture
On-Prem Network
|
| (VPN / ExpressRoute)
|
Azure DNS Private Resolver
| |
Inbound Outbound
| |
Private DNS Zones
|
Private Endpoints
|
Azure PaaS (SQL, Storage, AKS)
6️⃣ Common Enterprise Scenarios
Scenario 1: AKS + Private Endpoints
AKS nodes resolve:
Azure SQL
Storage
Container Registry
Using Private DNS Zones linked to AKS VNet
Scenario 2: Multi-VNet DNS
Hub-and-Spoke architecture
Central DNS Resolver in Hub
Ruleset shared across Spokes
Scenario 3: Zero Trust Architecture
No public endpoints
DNS resolution only via private zones
Firewall + Private Resolver enforced
7️⃣ Best Practices
Public DNS
✔ Use Traffic Manager / Front Door
✔ Use CNAMEs instead of A records where possible
Private DNS
✔ One Private DNS Zone per service
✔ Avoid overlapping DNS zones
✔ Use auto-registration only for VMs when required
DNS Resolver
✔ Deploy in Hub VNet
✔ Use rulesets instead of custom DNS servers
✔ Monitor DNS logs using Azure Monitor
8️⃣ Comparison Summary
| Feature | Public DNS | Private DNS | DNS Resolver |
|---|---|---|---|
| Internet Resolution | ✅ | ❌ | ❌ |
| Private Endpoints | ❌ | ✅ | ✅ |
| Hybrid DNS | ❌ | ❌ | ✅ |
| Managed | ✅ | ✅ | ✅ |
✅ Complete List of Azure DNS-Related Services & Features
Azure DNS isn’t just zones — it’s a suite of DNS and traffic routing capabilities spanning public, private, hybrid, and security-centric scenarios: (Microsoft Learn)
1. Azure Public DNS
Hosts public DNS zones and records (A, CNAME, TXT, MX, etc.) for internet-facing applications.
Uses Anycast for high availability and global performance.
Supports alias record sets (useful for Traffic Manager / CDN endpoints). (Microsoft Azure)
🔗 Docs: Azure Public DNS overview — Microsoft Learn (Microsoft Learn)
2. Azure Private DNS Zones
Authoritative private DNS service within VNets.
Automatically integrates with Private Endpoints (e.g., Azure SQL, Storage, Key Vault).
Supports split-horizon DNS (same domain with different answers for public/private).
Auto-registration of VM names possible. (Microsoft Learn)
🔗 Docs: Azure Private DNS overview — Microsoft Learn (Microsoft Learn)
3. Azure DNS Private Resolver
Managed service to bridge DNS resolution between Azure VNets, on-prem, and external DNS.
Eliminates the need for VM-based custom DNS servers for hybrid scenarios.
Includes Inbound and Outbound endpoints + Rulesets for conditional forwarding. (Microsoft Learn)
🔗 Docs: Azure DNS Private Resolver overview — Microsoft Learn (Microsoft Learn)
🔗 Docs: Resolver endpoints & rulesets — Microsoft Learn (Microsoft Learn)
4. Azure Traffic Manager (DNS-Based Routing)
DNS-level traffic load balancer.
Provides performance, priority, geographic, weighted, and subnet routing methods.
Ideal for multi-region high availability of public services. (Microsoft Azure)
🔗 Docs: Azure Traffic Manager overview — Microsoft official site (Microsoft Azure)
5. Azure Firewall DNS Features
Not a DNS service by itself, but critical in enterprise DNS flows:
✔ DNS Proxy — lets Azure Firewall act as a DNS forwarder within VNets
✔ Custom DNS — override default Azure DNS with on-prem / third-party DNS
✔ Logging & Threat Intelligence — record and block malicious DNS queries (Microsoft Tech Community)
6. Azure App Service DNS Integration
App Service (Web Apps/Containers) exposes a DNS endpoint for hosted apps (automatically DNS-resolvable).
Not a standalone service but vital when publishing SaaS apps.
7. Azure Provided Name Resolution (168.63.129.16)
This is Azure’s internal recursive resolver IP that all VNets use unless custom DNS is set.
Critical for basic internal name resolution and service health checks. (Microsoft Tech Community)
8. Third-Party DNS Appliances & Security
Azure Marketplace offers DNS firewalls/secure DNS appliances (Cisco, Infoblox, etc.).
Used for advanced security filtering and enterprise compliance. (Microsoft Azure)
📌 DNS Features Not to Miss in Enterprise Designs
| Feature | Purpose |
|---|---|
| DNSSEC (Public DNS) | Secure DNS with origin authenticity. (Microsoft Learn) |
| Alias Records | Map apex domains to Azure services. (Microsoft Learn) |
| Split-horizon DNS | Public vs private answers for same domain. (Microsoft Learn) |
| Conditional Forwarders | Hybrid DNS resolution through rulesets / resolver. (Microsoft Learn) |
| DNS Logging / Analytics | Monitor query patterns for security & operations |
| Custom DNS Servers & Peering | For deep on-prem integration |
🔁 Holistic DNS Flow Diagrams (Text / ASCII)
🔹 1. Public DNS Resolution & Traffic Manager
End Users
↓
Azure Public DNS (DNS Resolve)
↓
Azure Traffic Manager (Guided by DNS routing method)
↓
Regional App Gateway / Front Door / App Service
Use Case: Global customers routed to nearest Azure region. (Microsoft Azure)
🔹 2. Intra-Azure Private DNS + Private Endpoint
Azure VM/AKS Pod
↓
Azure Private DNS Zone
↓
Private Endpoint
↓
Azure SQL / Storage / Key Vault
Use Case: App services and workloads access private Azure PaaS endpoints securely. (Microsoft Learn)
🔹 3. Hybrid DNS with Azure DNS Private Resolver
┌───────────── On-Premises DNS ─────────────┐
| |
Azure VNet → Private DNS Resolver ←─ Conditional Forwarder ── On-Prem DNS
| (Inbound & Outbound Endpoints) |
Private DNS Zone Resolved ←————————————— Ruleset ———————————————|
Use Case: Name resolution works both ways without managing custom DNS servers. (Microsoft Learn)
🔹 4. Hub-&-Spoke DNS Architecture (Enterprise)
┌──────────── On-Prem DNS ─────────────┐
| |
Spoke VNet1 → Hub VNet DNS Resolver ← Spoke VNet2 |
| |
Private DNS Zones Linked ---------------- Public DNS Resolve
Benefits: Centralized rulesets + consistent resolution across spokes. (Microsoft Learn)
🧠 DNS in Hybrid & Secure Architectures
Enterprise DNS isn’t just about “resolving names” — it’s about secure, performant access across cloud and on-prem resources at scale:
✔ Hybrid DNS resolution with Private Resolver
✔ On-prem conditional forwarders pointing to Azure inbound endpoints
✔ Outbound rulesets forwarding Azure requests to internal corporate DNS
✔ DNS security with Azure Firewall DNS proxy & telemetry (Microsoft Learn)
📌 Official Azure Blog & Documentation Links to Include
Azure DNS (Public & Private) overview — azure.microsoft.com (Microsoft Azure)
Azure DNS documentation (zones, records, how-tos) — Microsoft Learn (Microsoft Learn)
Azure DNS Private Resolver — Microsoft Learn (Microsoft Learn)
DNS Private Resolver endpoints & rulesets — Microsoft Learn (Microsoft Learn)
Azure Traffic Manager for DNS load balancing — azure.microsoft.com (Microsoft Azure)
Azure DNS Private Resolver blog announcement — azure.microsoft.com (Microsoft Azure)
DNS in Azure is not just hosting domains — it’s a strategic networking pillar that enables:
✅ Secure private PaaS access
✅ Global traffic performance routing
✅ Hybrid DNS bridging with on-prem
✅ Centralized enterprise DNS control
✅ DNS threat protection & observability
4. Hub-&-Spoke DNS Architecture (Enterprise)
## 4️⃣ Hub-and-Spoke DNS Architecture (Enterprise)
### Overview
In large enterprises, multiple workloads are deployed across **multiple VNets (spokes)** such as:
- Application VNets
- AKS VNets
- Shared services VNets
- Landing zone VNets
Managing DNS separately in each VNet leads to:
- Inconsistent name resolution
- Operational overhead
- Security gaps
The **Hub-and-Spoke DNS architecture** centralizes DNS resolution by using a **Hub VNet** that hosts the **Azure DNS Private Resolver**, while all **Spoke VNets forward DNS queries to the Hub**.
---
### Why Hub-and-Spoke for DNS?
✔ Centralized DNS governance
✔ Single point for DNS forwarding rules
✔ Easy hybrid integration (on-prem ↔ Azure)
✔ No custom DNS VMs required
✔ Enterprise-scale, secure, and manageable
---
### Architecture Components
| Component | Purpose |
|---------|--------|
| Hub VNet | Central networking and DNS control |
| Azure DNS Private Resolver | Handles inbound & outbound DNS queries |
| Inbound Endpoint | Receives DNS queries from on-prem or spokes |
| Outbound Endpoint | Forwards DNS queries to external DNS servers |
| DNS Ruleset | Defines conditional DNS forwarding logic |
| Spoke VNets | Application and workload VNets |
| Private DNS Zones | Resolve private endpoints inside Azure |
---
### High-Level DNS Flow Diagram
┌──────────────────────────┐
│ On-Prem DNS │
│ (Active Directory) │
└────────────┬─────────────┘
│
VPN / ExpressRoute
│
┌──────────────▼──────────────┐
│ Hub VNet │
│ │
│ Azure DNS Private Resolver │
│ ├─ Inbound Endpoint │
│ ├─ Outbound Endpoint │
│ └─ DNS Ruleset │
│ │
└───────────┬───────┬─────────┘
│ │
VNet Peering VNet Peering
│ │
┌──────────────────▼───┐ ┌─▼──────────────────┐
│ Spoke VNet 1 │ │ Spoke VNet 2 │
│ (AKS / App VMs) │ │ (App Services) │
│ │ │ │
│ Private Endpoints │ │ Private Endpoints │
│ Private DNS Zones │ │ Private DNS Zones │
└───────────────────────┘ └─────────────────────┘
---
### DNS Resolution Flow (Step-by-Step)
#### 1. Azure Workload → On-Prem Resource
Spoke VM / AKS Pod
↓
Hub DNS Resolver (Outbound Endpoint)
↓
On-Prem Active Directory DNS
Used when Azure workloads need to resolve:
- `corp.local`
- `internal.company.com`
---
#### 2. On-Prem → Azure Private Endpoint
On-Prem Server
↓
DNS Resolver Inbound Endpoint (Hub)
↓
Azure Private DNS Zone
↓
Private Endpoint (SQL / Storage / Key Vault)
Used when on-prem systems access Azure PaaS privately.
---
### Example DNS Ruleset
| Domain Name | Forward To |
|-----------|-----------|
| corp.local | 10.0.0.10 (On-Prem DNS) |
| privatelink.database.windows.net | Azure Private DNS |
| privatelink.blob.core.windows.net | Azure Private DNS |
| aws.internal | AWS Route 53 Resolver |
---
### Real-Time Enterprise Use Case
**Scenario**
- Organization uses:
- On-prem Active Directory DNS
- Azure Landing Zone with multiple VNets
- Private Endpoints for SQL, Storage, Key Vault
- Connectivity via ExpressRoute
**Solution**
- Deploy Azure DNS Private Resolver in Hub VNet
- Link Private DNS Zones to Hub & Spokes
- Configure DNS Rulesets for conditional forwarding
**Outcome**
✔ Single DNS control plane
✔ Zero public exposure
✔ Seamless hybrid DNS resolution
✔ Simplified operations
---
### Best Practices
✔ Deploy DNS Resolver only in Hub VNet
✔ Share DNS Rulesets across Spokes
✔ Avoid deploying custom DNS VMs
✔ Use Private DNS Zones for all Private Endpoints
✔ Monitor DNS logs using Azure Monitor
---
### When to Use Hub-and-Spoke DNS
✔ Enterprise landing zones
✔ Large AKS and microservices platforms
✔ Hybrid or multi-cloud architectures
✔ Zero-Trust networking models
---
### Summary
The **Hub-and-Spoke DNS architecture** is the **recommended enterprise pattern** for Azure because it provides:
- Centralized DNS resolution
- Scalable hybrid connectivity
- Secure private name resolution
- Reduced operational complexity
0 Comments