🌐 Azure VNet DNS Configuration Guide
Overview
Azure Virtual Network (VNet) DNS configuration is crucial for name resolution within your network infrastructure. This guide covers comprehensive DNS settings, traffic flow patterns, and implementation strategies for Azure VNets.
DNS Resolution Types in Azure VNets
1. Azure-Provided DNS vs Custom DNS
graph TB
A[Azure VNet] --> B{DNS Type}
B -->|Default| C[Azure-Provided DNS
168.63.129.16]
B -->|Custom| D[Custom DNS Servers]
C --> E[Azure Internal Resolution]
C --> F[Internet Resolution]
D --> G[On-Premises DNS]
D --> H[Custom DNS VM]
D --> I[Third-Party DNS]
E --> J[VM-to-VM Communication]
F --> K[External Domain Resolution]
G --> L[Hybrid DNS Resolution]
H --> M[Centralized DNS Management]
I --> N[Policy-Based DNS]
style A fill:#e1f5fe
style C fill:#c8e6c9
style D fill:#ffcdd2
style E fill:#fff3e0
style F fill:#f3e5f5
DNS Resolution Flow Explanation:
- Azure-Provided DNS (168.63.129.16): the default resolver handed to every VM by DHCP. It answers Azure-internal names (the internal.cloudapp.net hostnames of VMs in the same VNet), any private DNS zones linked to the VNet, and public internet names. The address is a virtual IP reachable only from inside Azure.
- Custom DNS Servers: user-defined servers set on the VNet. They may be Azure VMs (a forwarder or domain controller), on-premises servers reachable over VPN or ExpressRoute, or third-party services. Once set, VMs send every query to these servers, so they must themselves forward Azure names to 168.63.129.16 or resolution of private zones and internal hostnames stops.
- Internal Resolution: VM hostnames resolve only within the same VNet; across peered VNets you need a private DNS zone linked to each VNet or a custom DNS server
- External Resolution: Resolves internet domain names
- Hybrid Resolution: combines on-premises and Azure DNS through conditional forwarding in both directions
2. DNS Traffic Flow Architecture
sequenceDiagram
participant VM as Virtual Machine
participant VNet as VNet DNS
participant Azure as Azure DNS
participant OnPrem as On-Premises DNS
participant Internet as Internet DNS
Note over VM,Internet: DNS Query Resolution Flow
VM->>VNet: 1. DNS Query (example.com)
VNet->>VNet: 2. Check Custom DNS Settings
alt Custom DNS Configured
VNet->>OnPrem: 3a. Forward to Custom DNS
OnPrem->>OnPrem: 4a. Check Local Zone
alt Local Zone Found
OnPrem->>VNet: 5a. Return Local Answer
else Forward to Azure
OnPrem->>Azure: 5b. Forward to Azure DNS
Azure->>Internet: 6b. Query Internet DNS
Internet->>Azure: 7b. Return Answer
Azure->>OnPrem: 8b. Return Answer
OnPrem->>VNet: 9b. Return Answer
end
else Default Azure DNS
VNet->>Azure: 3c. Use Azure DNS
Azure->>Internet: 4c. Query Internet DNS
Internet->>Azure: 5c. Return Answer
Azure->>VNet: 6c. Return Answer
end
VNet->>VM: 7. Return Final Answer
DNS Query Sequence Explanation:
- Step 1-2: the VM sends the query to the DNS servers it received through DHCP; "VNet DNS" in the diagram is that setting, not a separate hop that inspects queries
- Step 3a-9b: custom DNS path. The VM queries the configured server directly. An on-premises server cannot reach 168.63.129.16 (the address is only reachable from inside Azure), so to resolve Azure names it must forward to a resolver inside the VNet, such as a DNS Private Resolver inbound endpoint or a forwarder VM, which in turn queries 168.63.129.16
- Step 3c-6c: default path. 168.63.129.16 answers Azure-internal names and linked private zones itself and recurses to the internet for everything else
- Step 7: Final answer returned to the requesting VM
DNS Configuration Commands and Implementation
Command Execution Flow
Implementation Order:
graph TD
A[1. Create DNS Zone] --> B[2. Configure VNet DNS Settings]
B --> C[3. Create DNS Records]
C --> D[4. Link Private DNS Zone]
D --> E[5. Configure Conditional Forwarders]
E --> F[6. Test DNS Resolution]
style A fill:#e8f5e8
style B fill:#fff3cd
style C fill:#e1f5fe
style D fill:#f3e5f5
style E fill:#ffecb3
style F fill:#c8e6c9
1. Private DNS Zone Creation
az network private-dns zone create \
--resource-group myResourceGroup \
--name contoso.local
Parameters Explanation:
- --resource-group: The resource group where the private DNS zone will be created
- --name: The name of the private DNS zone (must be a valid DNS domain name). Prefer a subdomain of a domain you control, such as azure.contoso.com; .local collides with mDNS on many clients. contoso.local is kept below only for continuity with the rest of this guide
Additional Options:
- --tags: Space-separated tags in 'key[=value]' format
Purpose: Creates a private DNS zone that provides name resolution for resources within your VNet. The zone is a global resource replicated across regions by the service. It answers nothing until it is linked to a VNet (step 4), and then only for clients whose queries reach 168.63.129.16. Automatic VM registration is a property of the VNet link, not of the zone, so zone create has no --registration-enabled option.
2. Configure VNet DNS Settings
az network vnet update \
--resource-group myResourceGroup \
--name myVNet \
--dns-servers 10.0.0.4 10.0.0.5
Parameters Explanation:
- --dns-servers: Space-separated list of DNS server IP addresses; VMs receive the list in this order through DHCP
- --name: Name of the VNet to update
- --resource-group: Resource group containing the VNet
Additional Options:
- --remove dhcpOptions.dnsServers: clear the custom list and return the VNet to Azure-provided DNS (168.63.129.16)
- --set: Set properties by property path, as on other az update commands
Purpose: Configures custom DNS servers for the VNet. Skip this step if VMs should keep using Azure-provided DNS; a private DNS zone (steps 1, 3 and 4) works without it. When custom servers are set, every VM in the VNet sends all queries to them, so those servers must forward queries for linked private zones and Azure-internal names to 168.63.129.16 or those names stop resolving. Running VMs keep their previous DNS servers until their DHCP lease is renewed (restart the VM or renew the lease). The servers themselves (10.0.0.4 and 10.0.0.5 here) must exist and accept UDP and TCP 53 before the change is applied.
3. Create DNS Records
A Record Creation
az network private-dns record-set a create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name webapp
az network private-dns record-set a add-record \
--resource-group myResourceGroup \
--zone-name contoso.local \
--record-set-name webapp \
--ipv4-address 10.0.1.10
A Record Parameters:
- --zone-name: The private DNS zone name
- --name/--record-set-name: The name of the record set
- --ipv4-address: The IPv4 address for the A record
Additional Options:
- --ttl: Time-to-live in seconds (default: 3600)
- --metadata: Metadata tags for the record set
CNAME Record Creation
az network private-dns record-set cname create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name www
az network private-dns record-set cname set-record \
--resource-group myResourceGroup \
--zone-name contoso.local \
--record-set-name www \
--cname webapp.contoso.local
CNAME Record Parameters:
- --cname: The canonical name (target) for the CNAME record
- --record-set-name: The name of the CNAME record set
Purpose: Creates DNS records within the private DNS zone. A records map hostnames to IP addresses, while CNAME records create aliases; the CNAME target should be a fully qualified name and need not live in the same zone. Records can be added or changed at any time, before or after the zone is linked, and changes are served immediately, subject to the record TTL in client caches. add-record and set-record create the record set if it does not already exist, so the separate create commands are optional.
4. Link Private DNS Zone to VNet
az network private-dns link vnet create \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name myVNetLink \
--virtual-network myVNet \
--registration-enabled true
VNet Link Parameters:
- --zone-name: The private DNS zone to link
- --name: Name for the VNet link
- --virtual-network: Name or ID of the VNet to link
- --registration-enabled: Enable automatic registration of VMs in this VNet (an A record per VM hostname, kept in sync as VMs are created, re-addressed and deleted)
Additional Options:
- --tags: Space-separated tags in 'key[=value]' format
- --resolution-policy: Resolution policy for the link
Purpose: Links the private DNS zone to the VNet so that VMs in it can resolve the zone through 168.63.129.16 (directly, or through a custom DNS server that forwards to it). A VNet can have exactly one link with registration enabled, but may be linked read-only to many zones, and a zone may be linked to many VNets, including peered ones. Auto-registration covers VMs only; private endpoints, load balancers and other resources still need records created by hand or by their own integration. Records may be added before or after the link is created.
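The interaction between steps 2 and 4 is where most private-zone outages come from, so the following Python script, added here as an illustration and not part of the original guide or of Azure's tooling, audits it offline. The VNet and link records are constructed inline using the property names az returns (dhcpOptions.dnsServers, addressSpace.addressPrefixes, registrationEnabled, virtualNetwork.id); the names, IDs and addresses are made up. It flags public resolvers (internal names leak and private zones fail), custom servers on a VNet that has zone links (they must forward to 168.63.129.16), lists that mix 168.63.129.16 with custom servers, and more than one registration-enabled link per VNet.

```python
"""Audit VNet DNS settings against private DNS zone links (steps 2 and 4).

Added example, not part of the original guide or of Azure's tooling. The records below
are constructed to mirror the property names of `az network vnet list` and
`az network private-dns link vnet list -z contoso.local`; names, IDs and addresses are made up.
"""
import ipaddress

AZURE_DNS = ipaddress.ip_address("168.63.129.16")
VNET_BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
             "myResourceGroup/providers/Microsoft.Network/virtualNetworks/")

# Constructed sample: three VNets, trimmed to the fields this audit uses.
VNETS = [
    {"name": "hub-vnet", "id": VNET_BASE + "hub-vnet",
     "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
     "dhcpOptions": {"dnsServers": ["10.0.0.4", "10.0.0.5"]}},        # forwarders inside the VNet
    {"name": "spoke-vnet", "id": VNET_BASE + "spoke-vnet",
     "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
     "dhcpOptions": {"dnsServers": ["8.8.8.8", "168.63.129.16"]}},    # public resolver mixed with Azure DNS
    {"name": "dev-vnet", "id": VNET_BASE + "dev-vnet",
     "addressSpace": {"addressPrefixes": ["10.2.0.0/16"]},
     "dhcpOptions": {"dnsServers": []}},                               # Azure-provided DNS
]

# Constructed sample: VNet links of one private zone.
LINKS = [
    {"name": "hub-link", "registrationEnabled": True, "virtualNetwork": {"id": VNET_BASE + "hub-vnet"}},
    {"name": "spoke-link", "registrationEnabled": False, "virtualNetwork": {"id": VNET_BASE + "spoke-vnet"}},
    {"name": "dev-link", "registrationEnabled": True, "virtualNetwork": {"id": VNET_BASE + "dev-vnet"}},
]


def classify_server(ip, prefixes):
    """Classify a configured DNS server address relative to the VNet's address space."""
    addr = ipaddress.ip_address(ip)
    if addr == AZURE_DNS:
        return "azure"
    if any(addr in ipaddress.ip_network(p) for p in prefixes):
        return "in-vnet"          # a forwarder or domain controller inside this VNet
    if addr.is_private:
        return "private-remote"   # on-premises or a peered hub, reachable only over VPN/peering
    return "public"               # queries leave Azure; internal names leak


def audit(vnets, links):
    """Return (vnet, severity, message) findings for settings that break resolution or leak names."""
    links_by_vnet = {}
    for link in links:   # resource IDs compare case-insensitively
        links_by_vnet.setdefault(link["virtualNetwork"]["id"].lower(), []).append(link)
    findings = []
    for vnet in vnets:
        name = vnet["name"]
        servers = (vnet.get("dhcpOptions") or {}).get("dnsServers") or []
        kinds = {s: classify_server(s, vnet["addressSpace"]["addressPrefixes"]) for s in servers}
        vlinks = links_by_vnet.get(vnet["id"].lower(), [])
        custom = [s for s, kind in kinds.items() if kind != "azure"]
        if not servers:
            findings.append((name, "INFO", "uses Azure-provided DNS; linked private zones resolve"))
        for server, kind in kinds.items():
            if kind == "public":
                findings.append((name, "HIGH", f"DNS server {server} is a public resolver: internal names "
                                               "leak to the internet and private zones do not resolve"))
        if custom and len(custom) < len(kinds):
            findings.append((name, "WARN", "mixes 168.63.129.16 with custom servers; clients fail over "
                                           "unpredictably, so answers depend on which server was asked"))
        if custom and vlinks:
            findings.append((name, "WARN", f"{len(vlinks)} private zone link(s) but custom DNS servers "
                                           f"{custom}: zones resolve only if those servers forward to 168.63.129.16"))
        registering = [l["name"] for l in vlinks if l.get("registrationEnabled")]
        if len(registering) > 1:
            findings.append((name, "HIGH", f"{len(registering)} registration-enabled links; Azure allows one per VNet"))
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit(VNETS, LINKS)


if __name__ == "__main__":
    for vnet, severity, message in run_audit():
        print(f"{severity:4} {vnet}: {message}")
```

To run it against a real subscription, replace VNETS and LINKS with the parsed output of `az network vnet list -o json` and `az network private-dns link vnet list -g <rg> -z <zone> -o json`; links from several zones can be concatenated, which is what makes the one-registration-link check meaningful.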
5. Configure DNS Forwarding Rules
az dns-resolver forwarding-rule create \
--resource-group myResourceGroup \
--ruleset-name myDnsRuleset \
--name forwardToOnPrem \
--domain-name "onprem.contoso.com." \
--forwarding-rule-state Enabled \
--target-dns-servers ip-address=192.168.1.10 port=53 \
--target-dns-servers ip-address=192.168.1.11 port=53
Forwarding Rule Parameters:
- --ruleset-name: Name of the DNS forwarding ruleset; it must already exist and be attached to an outbound endpoint of a DNS Private Resolver (step 6)
- --name: Name of the forwarding rule
- --domain-name: Domain to forward, written as a fully qualified name with a trailing dot. The rule matches the name and everything beneath it; when several rules match a query, the most specific (longest) matching domain wins. A rule for "." forwards everything
- --forwarding-rule-state: Enabled or Disabled
- --target-dns-servers: Target server as ip-address= and port= pairs; repeat the option once per server
Purpose: Creates conditional forwarding rules that send queries for specific domains to designated DNS servers, typically on-premises. The rules take effect only for VNets the ruleset is linked to (az dns-resolver vnet-link create) and apply to queries from VMs in those VNets. Do not forward Azure private zones (including the privatelink zones used by private endpoints) off Azure, as the target cannot answer them. These commands are provided by the dns-resolver CLI extension (az extension add --name dns-resolver if az reports an unrecognized command); there is no az network dns forwarding-rule group.
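The rule-matching behaviour and the "do not forward Azure zones" caveat are easy to get wrong, so here is a Python snippet, added as an illustration and not code from the guide or from Azure, that replays how a ruleset is evaluated (enabled rules only, longest matching domain wins, a disabled "." wildcard is ignored) and runs the hygiene checks a reviewer would want before linking a ruleset to a VNet: missing trailing dot, duplicate domains, empty target lists, and enabled rules that would capture an Azure private zone. The RULESET is constructed; its field names follow the forwarding-rule JSON (domainName, forwardingRuleState, targetDnsServers) and every domain and address in it is an assumption.

```python
"""Replay forwarding-rule selection and validate a ruleset before linking it (step 5).

Added example, not code from the guide or from Azure. RULESET is constructed; field names follow
the forwarding-rule JSON (domainName, forwardingRuleState, targetDnsServers) and every domain
and address is an assumption.
"""

# Zones that must stay in Azure: an enabled rule covering them would send queries off-platform.
AZURE_PRIVATE_ZONES = ("contoso.local.", "privatelink.blob.core.windows.net.")

RULESET = [
    {"name": "forwardToOnPrem", "domainName": "onprem.contoso.com.", "forwardingRuleState": "Enabled",
     "targetDnsServers": [{"ipAddress": "192.168.1.10", "port": 53}, {"ipAddress": "192.168.1.11", "port": 53}]},
    {"name": "legacyLab", "domainName": "lab.onprem.contoso.com.", "forwardingRuleState": "Enabled",
     "targetDnsServers": [{"ipAddress": "192.168.5.53", "port": 53}]},
    {"name": "forwardAll", "domainName": ".", "forwardingRuleState": "Disabled",   # wildcard, kept disabled
     "targetDnsServers": [{"ipAddress": "192.168.1.10", "port": 53}]},
    {"name": "mistake", "domainName": "contoso.local", "forwardingRuleState": "Enabled",   # two problems
     "targetDnsServers": [{"ipAddress": "192.168.1.10", "port": 53}]},
]


def normalize(name):
    """Lower-case and give the name exactly one trailing dot, so 'A.B' and 'a.b.' compare equal."""
    return name.lower().rstrip(".") + "."


def matches(qname, domain):
    """True if qname equals domain or lies beneath it; the root '.' matches every name."""
    return domain == "." or qname == domain or qname.endswith("." + domain)


def select_rule(qname, rules):
    """Pick the enabled rule with the longest matching domain, or None when Azure DNS should answer."""
    qname = normalize(qname)
    candidates = [r for r in rules
                  if r["forwardingRuleState"] == "Enabled" and matches(qname, normalize(r["domainName"]))]
    return max(candidates, key=lambda r: len(normalize(r["domainName"])), default=None)


def validate(rules):
    """Hygiene checks to run before `az dns-resolver vnet-link create` puts the rules in effect."""
    problems, seen = [], set()
    for r in rules:
        raw = r["domainName"]
        domain = normalize(raw)
        if not raw.endswith("."):
            problems.append(f"{r['name']}: domain {raw!r} lacks the trailing dot of a fully qualified name")
        if domain in seen:
            problems.append(f"{r['name']}: duplicate rule for {domain}")
        seen.add(domain)
        if not r["targetDnsServers"]:
            problems.append(f"{r['name']}: no target DNS servers")
        if r["forwardingRuleState"] == "Enabled":
            for zone in AZURE_PRIVATE_ZONES:
                if matches(zone, domain):
                    problems.append(f"{r['name']}: enabled rule {domain} captures Azure private zone {zone}, "
                                    "which the target cannot answer")
    return problems


if __name__ == "__main__":
    for q in ("server.onprem.contoso.com", "host.lab.onprem.contoso.com", "www.example.com", "webapp.contoso.local"):
        rule = select_rule(q, RULESET)
        print(q, "->", rule["name"] if rule else "Azure-provided DNS")
    for p in validate(RULESET):
        print("PROBLEM:", p)
```

Note what the "mistake" rule does: webapp.contoso.local is forwarded to 192.168.1.10, which has no such zone, so the private zone created in step 1 silently stops resolving for every VM in the linked VNet. That is the failure validate() is there to catch.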
6. Advanced DNS Configuration
DNS Resolver Creation
az dns-resolver create \
--resource-group myResourceGroup \
--name myDnsResolver \
--location eastus \
--id "/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet"
DNS Resolver Parameters:
- --name: Name of the DNS resolver
- --id: Full resource ID of the VNet the resolver is deployed into; it cannot be changed after creation
- --location: Azure region for the resolver; it must be the VNet's region
Inbound Endpoint Configuration
az dns-resolver inbound-endpoint create \
--resource-group myResourceGroup \
--dns-resolver-name myDnsResolver \
--name inbound-endpoint \
--location eastus \
--ip-configurations id="/subscriptions/{subscription-id}/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet/subnets/dns-inbound-subnet" private-ip-address=10.0.2.10 private-ip-allocation-method=Static
Inbound Endpoint Parameters:
- --dns-resolver-name: Name of the parent DNS resolver
- --ip-configurations: id= is the full resource ID of the subnet for the endpoint (the subnet must be delegated to Microsoft.Network/dnsResolvers and used for nothing else); private-ip-address= and private-ip-allocation-method= (Static or Dynamic) choose the listener address. Use a static address so on-premises conditional forwarders never need updating
Purpose: Creates an inbound endpoint, an IP address inside the VNet on which on-premises DNS servers can query Azure private DNS zones over VPN or ExpressRoute (168.63.129.16 itself is not reachable from outside Azure). Allow UDP and TCP 53 to it from the on-premises DNS server addresses only. Forwarding rulesets (step 5) additionally need an outbound endpoint (az dns-resolver outbound-endpoint create) in its own delegated subnet, so in practice the resolver and its endpoints are created before any forwarding rules.
DNS Resolution Patterns
Hybrid DNS Architecture
graph TB
subgraph "On-Premises"
OnPremDNS[On-Premises DNS
192.168.1.10]
OnPremVM[On-Premises VM]
end
subgraph "Azure VNet"
AzureDNS[Azure DNS Resolver
10.0.2.10]
AzureVM[Azure VM]
PrivateDNS[Private DNS Zone
contoso.local]
end
subgraph "Internet"
PublicDNS[Public Internet DNS]
end
OnPremVM -->|Query: webapp.contoso.local| OnPremDNS
OnPremDNS -->|Forward Azure queries| AzureDNS
AzureDNS -->|Resolve| PrivateDNS
AzureVM -->|Query: server.onprem.com| AzureDNS
AzureDNS -->|Forward on-prem queries| OnPremDNS
OnPremDNS -->|Internet queries| PublicDNS
AzureDNS -->|Internet queries| PublicDNS
style OnPremDNS fill:#ffcdd2
style AzureDNS fill:#c8e6c9
style PrivateDNS fill:#e1f5fe
style PublicDNS fill:#fff3e0
Hybrid DNS Resolution Flow:
- On-Premises to Azure: the on-premises servers hold a conditional forwarder for the Azure zones (contoso.local here) pointing at the Private Resolver inbound endpoint (10.0.2.10). This is the only way on-premises can reach Azure private zones, because 168.63.129.16 is not routable from outside Azure
- Azure to On-Premises: a forwarding ruleset for the on-premises domains is linked to the VNet; queries from VMs that match a rule leave through the resolver's outbound endpoint to the on-premises servers, and everything else is answered by Azure-provided DNS
- Internet Resolution: each side resolves internet names through its own path. The Azure side recurses through Azure-provided DNS rather than a third-party public resolver, so internal query patterns are not exposed to one
- Private Zone Resolution: contoso.local is authoritative in Azure Private DNS and is answered inside Azure both for Azure VMs and for queries forwarded from on-premises
DNS Failover and Redundancy
graph TD
VM[Virtual Machine] --> Primary[Primary DNS
10.0.0.4]
VM --> Secondary[Secondary DNS
10.0.0.5]
Primary -->|Available| Resolution1[DNS Resolution]
Primary -->|Unavailable| Failover[Failover to Secondary]
Secondary -->|Available| Resolution2[DNS Resolution]
Secondary -->|Unavailable| AzureDNS[Azure Default DNS
168.63.129.16]
Failover --> Secondary
style Primary fill:#c8e6c9
style Secondary fill:#ffcdd2
style AzureDNS fill:#e1f5fe
style Failover fill:#fff3e0
DNS Failover Mechanism:
- Primary DNS: first server in the VNet list. Windows and glibc resolvers try it first and move on only after a timeout (typically a few seconds per attempt), so a dead primary adds latency to every uncached query until the client settles on the secondary
- Secondary DNS: next server in the list. It must hold the same zones and forwarders as the primary, otherwise answers differ depending on which server the client happened to ask
- Azure Default: 168.63.129.16 is consulted only if it is explicitly in the list. A VNet with custom DNS servers has no implicit fallback to Azure-provided DNS, and listing it alongside custom servers gives inconsistent results because clients differ in when they return to the primary after a failover
- Automatic Failover: handled entirely by the client resolver; Azure does not health-check the servers in the list or reorder it
DNS Testing and Validation
DNS Resolution Testing Commands
# Test resolution from a VM inside the linked VNet; private zones cannot be queried from outside it
nslookup webapp.contoso.local
# Reverse lookup; answers only if a PTR record exists in a linked reverse zone (for example 1.0.10.in-addr.arpa), which this guide does not create
nslookup 10.0.1.10
# Query a specific DNS server; repeat against 168.63.129.16 to tell a broken forwarder from a missing record
nslookup webapp.contoso.local 10.0.0.4
# Confirm the record exists in the zone as Azure sees it (there is no az command that performs a live DNS query)
az network private-dns record-set a show \
--resource-group myResourceGroup \
--zone-name contoso.local \
--name webapp
To see which DNS servers a VM actually received, inspect the dnsSettings.appliedDnsServers property of its NIC (az network nic show); a VM that has not renewed its DHCP lease since a change still shows the old list.
DNS Monitoring and Troubleshooting
graph LR
A[DNS Query Issue] --> B{Query Type}
B -->|Internal| C[Check Private DNS Zone]
B -->|External| D[Check Internet Connectivity]
B -->|Hybrid| E[Check Forwarding Rules]
C --> F[Verify Zone Link]
C --> G[Check DNS Records]
D --> H[Test Public DNS]
D --> I[Check NSG Rules]
E --> J[Verify Conditional Forwarders]
E --> K[Check DNS Resolver Status]
F --> L[Resolution]
G --> L
H --> L
I --> L
J --> L
K --> L
style A fill:#ffcdd2
style L fill:#c8e6c9
DNS Troubleshooting Flow:
- Internal Queries: confirm the zone is linked to the VNet the client lives in, the record exists, and the client actually queries 168.63.129.16 (or a forwarder that does); custom DNS servers that do not forward Azure names are the most common reason a private zone "does not work"
- External Queries: verify outbound connectivity and that NSG or firewall rules allow UDP and TCP 53 to the resolver; TCP matters for large responses
- Hybrid Queries: check that the forwarding ruleset is linked to the VNet, that the rule domain matches the query (longest suffix wins), and that the outbound endpoint can reach the on-premises servers over the VPN or ExpressRoute path
- Common Issues: missing zone links, a second registration-enabled link, VMs that have not renewed DHCP after a DNS change, forwarders pointing at public resolvers, NSG rules blocking port 53
DNS Performance Optimization
DNS Caching Strategy
graph TB
subgraph "DNS Caching Layers"
A[Application Cache] --> B[OS DNS Cache]
B --> C[Local DNS Resolver]
C --> D[Recursive DNS Server]
D --> E[Authoritative DNS Server]
end
subgraph "TTL Values"
F[Short TTL
300 seconds
Dynamic Records]
G[Medium TTL
3600 seconds
Standard Records]
H[Long TTL
86400 seconds
Static Records]
end
A -.->|Configure| F
B -.->|Configure| G
C -.->|Configure| H
style A fill:#e8f5e8
style B fill:#fff3cd
style C fill:#e1f5fe
style D fill:#f3e5f5
style E fill:#ffecb3
DNS Caching Strategy:
- TTL is a property of the record set, chosen by the zone owner (the --ttl option in step 3, default 3600 seconds); every cache layer above honours it, so the layers in the diagram are not configured with TTLs of their own
- Application Cache: in-process caches (JVM resolvers, connection pools) often ignore TTL and pin an address for the life of the process; restart or configure them when records change
- OS DNS Cache: the operating system resolver caches every answer for at most the TTL; flush it after changing a record if you cannot wait
- TTL Choice: short TTLs (300 seconds) for records that move, such as failover or blue-green targets; long TTLs (86400 seconds) for static infrastructure. A long TTL also means a stale or hijacked answer survives longer, so weigh it against how quickly you may need to re-point a name
- Performance Impact: caching reduces query latency and load on the resolver; Azure-provided DNS and the Private Resolver cache too, so lowering a TTL raises their query volume
Security Considerations
Security Best Practices:
- Keep internal names in private DNS zones and resolve them only through 168.63.129.16 or resolvers inside the VNet, so internal hostnames and address layout never appear in queries sent to public resolvers
- Never point a VNet at public resolvers such as 8.8.8.8: besides leaking internal names, private zones stop resolving. Enforce this with NSG or Azure Firewall rules that allow UDP and TCP 53 only to the approved resolvers
- Implement DNS filtering of known-malicious domains at the resolver or at Azure Firewall (DNS proxy with FQDN rules) rather than on each VM
- Monitor DNS query logs for suspicious activity: long or high-entropy labels (tunneling), bursts of NXDOMAIN responses, and clients querying anything other than the approved resolvers
- Treat DNS over HTTPS (DoH) and DNS over TLS on VMs with care: Azure-provided DNS and the Private Resolver answer plain DNS on port 53, so a DoH client bypasses the VNet DNS settings, private zones and forwarding rules entirely. Block unsanctioned DoH and DoT egress unless it terminates at a resolver you control
- Restrict who can change VNet DNS settings, private zone records and forwarding rules with Azure RBAC, and alert on such changes in the activity log; whoever can edit dhcpOptions.dnsServers or a private zone record decides where every VM in the VNet connects
- Keep DNS server VMs patched and limit recursion to VNet and on-premises address ranges
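The monitoring advice above is concrete enough to code. The Python script below is an added example, not from the guide or from any Azure product, that scans DNS query logs for two of the listed patterns: clients that query a resolver other than the approved ones (a bypass of the VNet DNS settings, whether by a misconfigured VM or by malware) and query names whose labels look like encoded data (tunneling or exfiltration). The log format is constructed for this example (timestamp client server qname qtype rcode) and is not an Azure-native schema; parse_line is the only function to adapt to what your DNS server or firewall emits. The approved resolver set (168.63.129.16 plus the inbound endpoint address from step 6) and the thresholds are assumptions to tune.

```python
"""Scan DNS query logs for resolver bypass and tunnel-like names.

Added example, not from the guide or from any Azure product. The log format is constructed for
this example (timestamp client server qname qtype rcode), not an Azure-native schema; adapt
parse_line to whatever your DNS server or firewall emits. The approved resolver set is an assumption.
"""
import math
from collections import Counter

APPROVED_RESOLVERS = {"168.63.129.16", "10.0.2.10"}  # Azure DNS and the inbound endpoint from step 6
MAX_LABEL_LEN = 40          # human-chosen labels are rarely this long (the protocol limit is 63)
MAX_LABEL_ENTROPY = 3.8     # bits per character; words and hostnames sit well below this
MIN_LABEL_FOR_ENTROPY = 16  # entropy is meaningless on very short labels

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.10 168.63.129.16 webapp.contoso.local A NOERROR
2024-05-01T10:00:02Z 10.0.1.10 168.63.129.16 login.microsoftonline.com A NOERROR
2024-05-01T10:00:03Z 10.0.1.22 8.8.8.8 updates.example.org A NOERROR
2024-05-01T10:00:04Z 10.0.1.22 168.63.129.16 3q2b7zx9k0f4v8w1m6n2p5r7t9y1u3i5o7a9s1d3f5g7h9j1k3l5.exfil.example.net TXT NOERROR
2024-05-01T10:00:05Z 10.0.1.30 10.0.2.10 server.onprem.contoso.com A NOERROR
2024-05-01T10:00:06Z 10.0.1.22 168.63.129.16 aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.exfil.example.net TXT NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty or single-character strings)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, server, qname, qtype, rcode = line.split()
    # Keep the label case: base64-style tunnels are mixed case, and lowercasing would hide that.
    return {"ts": ts, "client": client, "server": server, "qname": qname.rstrip("."),
            "qtype": qtype, "rcode": rcode}


def suspicious_label(qname):
    """Return the first label that is too long or too random for a human-chosen hostname, else None."""
    labels = qname.split(".")
    for label in labels[:-2]:   # skip the registrable domain and the TLD
        if len(label) > MAX_LABEL_LEN:
            return label
        if len(label) >= MIN_LABEL_FOR_ENTROPY and shannon_entropy(label) > MAX_LABEL_ENTROPY:
            return label
    return None


def detect(log_text):
    """Return (rule, client, detail) alerts for the given log text."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["server"] not in APPROVED_RESOLVERS:
            alerts.append(("dns-bypass", rec["client"],
                           f"queried unapproved resolver {rec['server']} for {rec['qname']}"))
        label = suspicious_label(rec["qname"])
        if label:
            parent = ".".join(rec["qname"].split(".")[-2:])
            alerts.append(("possible-tunnel", rec["client"],
                           f"{rec['qtype']} query with encoded-looking label {label[:16]}... under {parent}"))
    return alerts


if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {client}: {detail}")
```

In the sample, 10.0.1.22 trips all three alerts: one query to 8.8.8.8 and two TXT queries under exfil.example.net, one caught by label length and one by entropy. Pair the bypass rule with an NSG rule that denies port 53 to anything but the approved resolvers, so that the log entry becomes a blocked attempt rather than a successful leak.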
Common DNS Scenarios
| Scenario | Configuration | Use Case |
|---|---|---|
| Azure-only DNS | Azure-provided DNS with private zones | Cloud-native applications |
| Hybrid DNS | Custom DNS with conditional forwarding | On-premises integration |
| Multi-cloud DNS | DNS resolver with multiple forwarders | Multi-cloud environments |
| DNS filtering | Custom DNS with security policies | Security-focused deployments |
Summary
Key Takeaways:
- DNS configuration is fundamental to VNet communication and hybrid connectivity
- Private DNS zones provide secure, internal name resolution
- DNS resolvers enable seamless hybrid DNS integration
- Proper testing and monitoring ensure reliable DNS operations
- Security considerations should be implemented from the start
Quick Reference - Command Execution Order:
- Create Private DNS Zone: Foundation for internal name resolution
- Configure VNet DNS Settings: Only when VMs must use custom DNS servers; those servers must forward Azure names to 168.63.129.16, and VMs pick up the change on DHCP renewal
- Create DNS Records: Define name-to-IP mappings (order relative to linking does not matter)
- Link Private DNS Zone: Connect the zone to the VNet; enable auto-registration on at most one link per VNet
- Deploy the DNS Private Resolver and Configure Forwarding Rules: resolver, inbound and outbound endpoints, ruleset, rules, then link the ruleset to the VNet
- Test and Validate: Resolve from a VM inside the VNet and check the DNS servers its NIC actually received