Azure Private DNS is a cloud service that manages domain names within an Azure VNet, eliminating the need for custom DNS configuration. This service allows users to use any custom domain names through private DNS zones that are not accessible on the Internet.
DNS resolution works only within virtual networks connected via Virtual Network Links. You can link several virtual networks to a private DNS zone and turn on auto-registration to automatically manage DNS records for virtual machines in those networks.
Understanding DNS Resolution in Azure Private DNS
In Azure Private DNS, DNS resolution depends on Virtual Network Links. These links connect a private DNS zone to one or more virtual networks (VNets).
There are two main types of VNet links:
Registration Virtual Network: This type has auto-registration turned on.
- It automatically creates DNS records for virtual machines that are deployed in the VNet.
- When virtual machines are removed, their DNS records are deleted as well.
- Each VNet can have auto-registration enabled for only one private DNS zone.
Resolution Virtual Network: This type does not use auto-registration.
- It allows name resolution but does not automatically create DNS records.
- This setup is useful for spoke VNets or shared service VNets.
By default, Azure uses its built-in DNS service (168.63.129.16) to resolve names within the VNet, unless you set up a custom DNS server.
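To make the two link types concrete, the following small simulation (an added illustration written for this page, not Azure code or an Azure SDK) models the behaviour described above: a registration link auto-creates and auto-removes A records for VMs in its VNet, a resolution link only grants lookup access, a VNet can auto-register into at most one zone, and a name resolves only from VNets linked to the zone. The zone name, VNet names and IP addresses are constructed sample values.

```python
"""Toy model of Azure Private DNS Virtual Network Link semantics.

Added example for this page, not Azure code. It models the rules stated above:
  - registration link: VMs deployed in the VNet get an A record automatically,
    and the record is removed when the VM is deleted; a VNet may auto-register
    into only one zone.
  - resolution link: the VNet can resolve the zone but no records are created.
  - a name is resolvable only from a VNet that has a link to the zone.
All names and addresses below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class LinkError(ValueError):
    """Raised when a link would break the one-registration-zone-per-VNet rule."""


@dataclass
class PrivateDnsZone:
    name: str                                     # e.g. "cloudopszone.internal"
    records: dict = field(default_factory=dict)   # hostname -> IPv4 address
    links: dict = field(default_factory=dict)     # vnet name -> registration enabled?


class PrivateDnsModel:
    def __init__(self) -> None:
        self.zones: dict = {}
        self._registration_zone: dict = {}        # vnet -> zone it auto-registers into

    def create_zone(self, name: str) -> PrivateDnsZone:
        self.zones[name] = PrivateDnsZone(name)
        return self.zones[name]

    def link(self, zone_name: str, vnet: str, registration_enabled: bool = False) -> None:
        zone = self.zones[zone_name]
        if registration_enabled:
            existing = self._registration_zone.get(vnet)
            if existing is not None and existing != zone_name:
                raise LinkError(f"{vnet} already auto-registers into {existing}")
            self._registration_zone[vnet] = zone_name
        zone.links[vnet] = registration_enabled

    def deploy_vm(self, vnet: str, hostname: str, ip: str):
        """Mimic auto-registration: only the VNet's registration zone gets a record."""
        zone_name = self._registration_zone.get(vnet)
        if zone_name is None:
            return None                           # resolution-only VNet: nothing registered
        self.zones[zone_name].records[hostname] = ip
        return f"{hostname}.{zone_name}"

    def delete_vm(self, vnet: str, hostname: str) -> None:
        """Deleting a VM removes its auto-registered record."""
        zone_name = self._registration_zone.get(vnet)
        if zone_name is not None:
            self.zones[zone_name].records.pop(hostname, None)

    def resolve(self, vnet: str, fqdn: str):
        """Return the address for fqdn as seen from vnet, or None when not resolvable."""
        for zone in self.zones.values():
            suffix = "." + zone.name
            if fqdn.endswith(suffix) and vnet in zone.links:
                return zone.records.get(fqdn[: -len(suffix)])
        return None


def demo() -> dict:
    """Hub VNet registers, spoke VNet only resolves, an unlinked VNet sees nothing."""
    m = PrivateDnsModel()
    m.create_zone("cloudopszone.internal")
    m.link("cloudopszone.internal", "hub-vnet", registration_enabled=True)
    m.link("cloudopszone.internal", "spoke-vnet")          # resolution link
    m.deploy_vm("hub-vnet", "web01", "10.0.1.4")           # record auto-created
    m.deploy_vm("spoke-vnet", "app01", "10.1.1.4")         # no registration: no record
    results = {
        "hub_sees_web01": m.resolve("hub-vnet", "web01.cloudopszone.internal"),
        "spoke_sees_web01": m.resolve("spoke-vnet", "web01.cloudopszone.internal"),
        "unlinked_sees_web01": m.resolve("other-vnet", "web01.cloudopszone.internal"),
        "spoke_app01_registered": m.resolve("spoke-vnet", "app01.cloudopszone.internal"),
    }
    m.delete_vm("hub-vnet", "web01")
    results["after_delete"] = m.resolve("hub-vnet", "web01.cloudopszone.internal")
    return results


def second_registration_rejected() -> bool:
    """Show the one-registration-zone-per-VNet rule being enforced."""
    m = PrivateDnsModel()
    m.create_zone("a.internal")
    m.create_zone("b.internal")
    m.link("a.internal", "shared-vnet", registration_enabled=True)
    try:
        m.link("b.internal", "shared-vnet", registration_enabled=True)
    except LinkError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("second registration link rejected:", second_registration_rejected())
```

The `other-vnet` case is the one worth noticing from a security angle: a zone is invisible to any VNet that has no link to it, so the link set, not the zone itself, defines who can resolve those names.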
The image below gives an example of what an Azure Private DNS Zone looks like alongside Azure resources.

Examples
Example 1.
Using Microsoft Azure, a company can create multiple virtual machines within one virtual network and set up a Private DNS zone, such as cloudopszone.internal, with auto-registration enabled. When new VMs are added, Azure updates the zone with their hostnames and IP addresses, and removes them when the VMs are deleted. This allows users to communicate internally with simple names instead of IP addresses, so there is no need to update DNS records manually and network management is easier.
Example 2.
In hybrid environments, organizations often set up a Private DNS zone in Azure, like cloudopszone.local, and configure their on-premises DNS servers to forward queries there. Azure Private DNS Resolver lets both on-premises systems and Azure workloads resolve names easily. This approach allows users to access internal resources with the same domain name from any location. It also simplifies DNS management and keeps communication secure between datacenter and cloud systems.
Example 3.
In a hub-and-spoke network, an organization keeps a Private DNS zone such as cloudopszone.local in a central hub virtual network and connects several spoke VNets for name resolution. Typically, only the hub has auto-registration enabled, while the spokes use links only to resolve names. This approach makes DNS management easier, avoids duplicate records, and keeps name resolution consistent across different regions or subscriptions. It works well for large companies that need a scalable network.
Security Considerations
Azure Private DNS makes your environment more secure in a few key ways:
- It keeps DNS zones private, which means the public cannot access them.
- It manages permissions by using role-based access control (RBAC) to assign user roles.
- It separates responsibilities by giving different tasks to DNS administrators and network administrators.
- It supports secure connections by offering private access with Private Link.
Limitations
When you use Azure Private DNS in your Azure workloads, remember to consider its limitations and restrictions.
The main limitations are 1000 private DNS zones per subscription, 1000 VNet links per private DNS zone, and 25,000 record sets per private DNS zone. These limits are usually hard to reach. Other limits are listed in the matrix below.
| Resource | Limit |
|---|---|
| Private DNS zones per subscription | 1000 |
| Record sets per private DNS zone | 25000 |
| Records per record set for private DNS zones | 20 |
| Virtual Network Links per private DNS zone | 1000 |
| Virtual Network Links per private DNS zone with auto-registration enabled | 100 |
| Number of private DNS zones a virtual network can be linked to with auto-registration enabled | 1 |
| Number of private DNS zones a virtual network can be linked to | 1000 |
Reference: Azure Private DNS zone (Limits)
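A practical use of the limits above is to check a planned link topology before deploying it, so that a hub-and-spoke design like Example 3 does not run into the per-zone or per-VNet caps. The checker below is an added example written for this page, not an Azure tool; the numeric limits are taken from the table, the plan format is an assumption of the example, and the zone and VNet names are constructed.

```python
"""Pre-deployment check of a Private DNS link plan against the documented limits.

Added example for this page, not Azure tooling. LIMITS mirrors the table above;
the plan structure ({"zones": {zone: {"record_sets": n, "links": {vnet: bool}}}})
is an assumption of this example, and all names are constructed.
"""
from collections import Counter, defaultdict

LIMITS = {
    "zones_per_subscription": 1000,
    "record_sets_per_zone": 25000,
    "links_per_zone": 1000,
    "registration_links_per_zone": 100,
    "registration_zones_per_vnet": 1,
    "zones_per_vnet": 1000,
}


def check_plan(plan: dict) -> list:
    """Return a list of human-readable violations; an empty list means the plan fits."""
    problems = []
    zones = plan["zones"]
    if len(zones) > LIMITS["zones_per_subscription"]:
        problems.append(f"{len(zones)} zones exceed the per-subscription limit "
                        f"of {LIMITS['zones_per_subscription']}")
    zones_per_vnet = Counter()               # vnet -> number of zones linked
    reg_zones_per_vnet = defaultdict(list)   # vnet -> zones it auto-registers into
    for zone_name, zone in zones.items():
        if zone.get("record_sets", 0) > LIMITS["record_sets_per_zone"]:
            problems.append(f"zone {zone_name} has {zone['record_sets']} record sets "
                            f"(limit {LIMITS['record_sets_per_zone']})")
        links = zone["links"]
        if len(links) > LIMITS["links_per_zone"]:
            problems.append(f"zone {zone_name} has {len(links)} VNet links "
                            f"(limit {LIMITS['links_per_zone']})")
        registration_links = [v for v, enabled in links.items() if enabled]
        if len(registration_links) > LIMITS["registration_links_per_zone"]:
            problems.append(f"zone {zone_name} has {len(registration_links)} auto-registration "
                            f"links (limit {LIMITS['registration_links_per_zone']})")
        for vnet, enabled in links.items():
            zones_per_vnet[vnet] += 1
            if enabled:
                reg_zones_per_vnet[vnet].append(zone_name)
    for vnet, count in zones_per_vnet.items():
        if count > LIMITS["zones_per_vnet"]:
            problems.append(f"VNet {vnet} is linked to {count} zones "
                            f"(limit {LIMITS['zones_per_vnet']})")
    for vnet, zone_names in reg_zones_per_vnet.items():
        if len(zone_names) > LIMITS["registration_zones_per_vnet"]:
            problems.append(f"VNet {vnet} auto-registers into {len(zone_names)} zones "
                            f"({', '.join(sorted(zone_names))}); only "
                            f"{LIMITS['registration_zones_per_vnet']} is allowed")
    return problems


def hub_and_spoke_plan(spoke_count: int) -> dict:
    """Constructed plan in the shape of Example 3: hub registers, spokes only resolve."""
    links = {"hub-vnet": True}
    links.update({f"spoke-{i:03d}": False for i in range(spoke_count)})
    return {"zones": {"cloudopszone.local": {"record_sets": 500, "links": links}}}


def bad_plan() -> dict:
    """Constructed plan that breaks two rules: one VNet auto-registering into two
    zones, and a zone with more than 100 auto-registration links."""
    return {"zones": {
        "cloudopszone.local": {"record_sets": 10, "links": {"shared-vnet": True}},
        "cloudopszone.internal": {"record_sets": 10, "links": {"shared-vnet": True}},
        "bulk.internal": {"record_sets": 10,
                          "links": {f"vnet-{i}": True for i in range(101)}},
    }}


if __name__ == "__main__":
    print("hub-and-spoke, 999 spokes:", check_plan(hub_and_spoke_plan(999)) or "OK")
    for problem in check_plan(bad_plan()):
        print("bad plan:", problem)
```

Running the check against a plan exported from source control (or generated from your IaC templates) before deployment turns the table above into a guardrail rather than a surprise at `az` time; the 999-spoke plan passes because the hub link plus 999 spoke links is exactly the 1000-link cap, while a 1000th spoke would fail.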
Design Recommendations
- Take time to plan your DNS zone architecture when working in large environments.
- Only use auto-registration when needed to prevent creating unnecessary records.
- Keep an eye on record set usage when you deploy many services.
- Think about using a hub-and-spoke network design to make DNS management more centralized.
- Be sure to document how your VNets link to DNS zones to avoid making configurations too complex.
