Managing DNS in the cloud is critical for ensuring reliable name resolution and secure connectivity. Azure DNS is Microsoft's managed DNS service that lets you host your DNS domains in Azure, providing high availability, scalability, and integration with Azure resources.

    ___                             ____  _   ______    ____  ___  __ 
   /   |____  __  __________       / __ \/ | / / ___/   <  / / _ \<  /
  / /| /_  / / / / / ___/ _ \     / / / /  |/ /\__ \    / / / / / / / 
 / ___ |/ /_/ /_/ / /  /  __/    / /_/ / /|  /___/ /   / / / /_/ / /  
/_/  |_/___/\__,_/_/   \___/    /_____/_/ |_//____/   /_/  \____/_/   
                                                                       

What is Azure DNS?

Azure DNS is a Domain Name System (DNS) hosting service that runs on Microsoft Azure's global infrastructure. It allows you to:

  • Host DNS zones and records for your domains
  • Resolve names for Azure resources and external domains
  • Integrate DNS management into your DevOps workflows using APIs, CLI, and ARM templates

Key Components

DNS Zones

A DNS zone is a container for DNS records for a domain (e.g., contoso.com). Azure supports Public DNS Zones (for internet-facing domains) and Private DNS Zones (for internal name resolution within Azure VNETs).

Create a DNS Zone:

az network dns zone create --resource-group MyResourceGroup --name contoso.com

DNS Records

Common record types:

  • A Record: Maps a domain to an IPv4 address
  • AAAA Record: Maps a domain to an IPv6 address
  • CNAME: Alias for another domain
  • TXT: Stores text data (often for verification)
  • SRV: Service location records

Add DNS Records (a public zone should carry a public address; an RFC 1918 address such as 10.0.0.4 belongs in a private zone, and publishing it in a public zone leaks your internal addressing to anyone who queries it):

az network dns record-set a add-record --resource-group MyResourceGroup --zone-name contoso.com --record-set-name www --ipv4-address 203.0.113.10

Private DNS (create the zone, then link it to a VNet; with registration enabled, VMs in MyVNet get A records in the zone automatically):

az network private-dns zone create --resource-group MyResourceGroup --name corp.contoso.local
az network private-dns link vnet create --resource-group MyResourceGroup --zone-name corp.contoso.local --name MyLink --virtual-network MyVNet --registration-enabled true

Name Servers

Azure provides authoritative name servers for your zones. For public zones, you update your registrar to point to Azure's name servers.

Types of Azure DNS

  • Public DNS: For internet-facing domains
  • Private DNS: For internal name resolution within Azure VNETs
    • Supports VNET linking for seamless resolution across multiple networks

Azure DNS Private Resolver

Azure DNS Private Resolver enables hybrid DNS scenarios by bridging on-premises and Azure networks. It provides inbound and outbound endpoints for conditional forwarding without requiring a VM-based DNS solution.

Key Features

  • Inbound Endpoint: Gives on-premises DNS servers a private IP inside a delegated subnet of your VNet to forward to (reachable over VPN or ExpressRoute); queries arriving there are answered like any query from the VNet, so linked Private DNS zones resolve
  • Outbound Endpoint: Lets queries from the VNet be conditionally forwarded to on-premises or other external DNS servers according to forwarding rulesets linked to the VNet
  • No Infrastructure Management: Fully managed, so there are no DNS forwarder VMs to patch, monitor, or keep highly available

Create a DNS Resolver (the commands come from the dns-resolver CLI extension, so run az extension add --name dns-resolver first; the resolver is bound to a VNet and each endpoint to its own subnet delegated to Microsoft.Network/dnsResolvers, and the CLI takes resource IDs for these rather than names):

VNET_ID=$(az network vnet show --resource-group MyResourceGroup --name MyVNet --query id -o tsv)
az dns-resolver create --name MyResolver --resource-group MyResourceGroup --location eastus --id "$VNET_ID"
IN_SUBNET_ID=$(az network vnet subnet show --resource-group MyResourceGroup --vnet-name MyVNet --name InboundSubnet --query id -o tsv)
az dns-resolver inbound-endpoint create --dns-resolver-name MyResolver --name InboundEndpoint --resource-group MyResourceGroup --location eastus --ip-configurations "[{\"private-ip-allocation-method\":\"Dynamic\",\"id\":\"$IN_SUBNET_ID\"}]"
OUT_SUBNET_ID=$(az network vnet subnet show --resource-group MyResourceGroup --vnet-name MyVNet --name OutboundSubnet --query id -o tsv)
az dns-resolver outbound-endpoint create --dns-resolver-name MyResolver --name OutboundEndpoint --resource-group MyResourceGroup --location eastus --id "$OUT_SUBNET_ID"

Hybrid DNS Flow

  1. On-premises DNS servers conditionally forward the Azure zone names (e.g., *.azure.local, or Private Link zones such as privatelink.database.windows.net) to the inbound endpoint's private IP
  2. Azure resources keep using the VNet's default resolver; a forwarding ruleset linked to the VNet and attached to the outbound endpoint sends queries for corporate domains (e.g., *.corp.contoso.com) to the on-premises DNS servers
  3. Each rule in a ruleset maps a domain suffix to target DNS servers; the rule with the longest matching suffix wins, and a disabled rule exempts its domain from a broader rule (such as a wildcard "." rule) so those names fall back to Azure-provided resolution
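The rule selection in step 3 is easy to get wrong when a wildcard rule is in play, so here is a small model of it. This is an added example, not code from the page or from Microsoft: it approximates the documented processing (longest domain-suffix match wins; an enabled rule forwards to its targets; a disabled rule is still matched but forwards nowhere, which is how a private zone is exempted from a wildcard). Rule names, domains and server addresses are constructed for the example.

```python
"""Model of how an Azure DNS Private Resolver forwarding ruleset chooses a target.

Added example (not from the page or from Microsoft). Approximates the documented
rule processing: longest domain-suffix match wins; an enabled rule forwards the
query to its targets; a disabled rule still matches but forwards nowhere, so the
query falls back to Azure-provided resolution (linked private zones, then public).
All rule names, domains and addresses below are constructed.
"""
from dataclasses import dataclass

AZURE_PROVIDED = "azure-provided"   # resolved by Azure DNS, not forwarded


@dataclass(frozen=True)
class ForwardingRule:
    name: str
    domain: str          # suffix; "." is the wildcard that matches every name
    targets: tuple       # ((ip, port), ...) of downstream DNS servers
    enabled: bool = True


def _fqdn(name: str) -> str:
    """Lower-case and dot-terminate so 'corp.contoso.com' and 'CORP.contoso.com.' compare equal."""
    return name.lower().rstrip(".") + "."


def _matches(qname: str, domain: str) -> bool:
    """True when qname is the rule domain itself or a name under it."""
    q, d = _fqdn(qname), _fqdn(domain)
    return d == "." or q == d or q.endswith("." + d)


def matching_rule(qname: str, ruleset):
    """Return the rule with the longest matching suffix, or None when nothing matches."""
    best = None
    for rule in ruleset:
        if _matches(qname, rule.domain) and (best is None or len(_fqdn(rule.domain)) > len(_fqdn(best.domain))):
            best = rule
    return best


def route_query(qname: str, ruleset):
    """Where the outbound endpoint sends the query: the rule's targets, or AZURE_PROVIDED."""
    rule = matching_rule(qname, ruleset)
    if rule is None or not rule.enabled:
        return AZURE_PROVIDED
    return rule.targets


# Constructed ruleset: everything goes on-premises by default, the corp domain has its
# own server pair, and the Private Link SQL zone is exempted with a disabled rule so it
# keeps resolving from the linked private zone instead of leaking to on-premises DNS.
ONPREM = (("10.20.0.10", 53), ("10.20.0.11", 53))
RULESET = (
    ForwardingRule("catch-all", ".", (("10.20.0.10", 53),)),
    ForwardingRule("corp", "corp.contoso.com", ONPREM),
    ForwardingRule("exempt-privatelink-sql", "privatelink.database.windows.net", (), enabled=False),
)


def demo():
    """Return {query name: routing decision} for the constructed ruleset."""
    names = ("fs01.corp.contoso.com", "sql01.privatelink.database.windows.net",
             "www.example.org", "corp.contoso.com")
    return {n: route_query(n, RULESET) for n in names}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:45} -> {decision}")
```

Without the disabled exemption rule, sql01.privatelink.database.windows.net would match the wildcard and be forwarded on-premises, where the Private Link zone does not exist; that is the failure mode the disabled-rule trick prevents.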

Important Considerations and Limitations

VNET Linking for Private DNS Zones

When working with Azure Private DNS Zones, understanding VNET linking is crucial:

Registration vs Resolution Links:

  • Registration Link (auto-registration): Azure creates and maintains A records for the VMs in the linked VNet. A VNet can be registration-linked to only one private DNS zone, while a zone may accept registration links from many VNets (currently up to 100)
  • Resolution Link: Lets resources in the linked VNet resolve names in the zone without registering anything. A zone may have up to 1000 VNet links in total, and a VNet may be resolution-linked to many zones

Common Gotchas:

  • One Registration Zone per VNet: The one-to-one constraint is on the VNet side, not the zone side. A VNet's VMs can auto-register into a single zone only; if their names must also appear in another zone, register into one and create the other records yourself (CLI, ARM, or Terraform), or rethink the zone layout
  • Cross-Subscription Links: A link may point at a VNet in another subscription as long as you hold the needed permissions on both the zone and the VNet; the zone and the VNet are expected to be in the same Microsoft Entra (Azure AD) tenant
  • Peered VNets: Peering carries traffic, not DNS configuration. Each peered VNet needs its own link to the private DNS zone (in a hub-and-spoke design, link every spoke for resolution)
  • Record Cleanup: With auto-registration enabled, the registered records are removed when the VM is deleted or stopped (deallocated), so anything that caches or hard-codes those names fails until the VM is running again
  • Link Limits: Up to 1000 VNet links per private DNS zone, of which up to 100 may be registration-enabled; a VNet can be linked to many zones but to only one with registration

Example:

# VNET1 with registration enabled (auto-creates DNS records)
az network private-dns link vnet create --resource-group MyRG --zone-name contoso.local --name Link1 --virtual-network VNET1 --registration-enabled true

# VNET2 with resolution only (can query, but doesn't auto-register)
az network private-dns link vnet create --resource-group MyRG --zone-name contoso.local --name Link2 --virtual-network VNET2 --registration-enabled false
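Because a missing spoke link or a second registration link only shows up as a resolution failure or a deployment error, it pays to audit the link plan against the VNet inventory before applying it. The script below is an added example (not from the page or from Microsoft): the link objects mimic the fields of az network private-dns link vnet list -o json (name, registrationEnabled, virtualNetwork.id) and the VNet objects mimic az network vnet list -o json (id), all constructed; it assumes a hub-and-spoke estate in which every VNet in the inventory must resolve every zone, and the limits it enforces are the documented ones at the time of writing.

```python
"""Audit Azure Private DNS zone links against a VNet inventory.

Added example (not from the page or from Microsoft). Input shapes mimic the JSON of
`az network private-dns link vnet list` and `az network vnet list`; all data here
is constructed. Assumption: every VNet in the inventory must resolve every zone.
"""
import json

MAX_REGISTRATION_LINKS_PER_ZONE = 100   # documented Azure limit at time of writing
MAX_REGISTRATION_ZONES_PER_VNET = 1     # a VNet auto-registers into one zone only


def _short(resource_id: str) -> str:
    """'/subscriptions/.../virtualNetworks/hub' -> 'hub'."""
    return resource_id.rsplit("/", 1)[-1]


def audit_links(vnets, links_by_zone):
    """Return a sorted list of findings; an empty list means the plan is consistent."""
    inventory = {v["id"].lower() for v in vnets}
    registration_zones = {}   # vnet id -> zones it is registration-linked to
    findings = []
    for zone, links in links_by_zone.items():
        linked = set()
        registration_count = 0
        for link in links:
            vnet_id = link["virtualNetwork"]["id"].lower()
            linked.add(vnet_id)
            if link["registrationEnabled"]:
                registration_count += 1
                registration_zones.setdefault(vnet_id, []).append(zone)
        if registration_count > MAX_REGISTRATION_LINKS_PER_ZONE:
            findings.append(f"{zone}: {registration_count} registration links exceed the limit of "
                            f"{MAX_REGISTRATION_LINKS_PER_ZONE}")
        for vnet_id in sorted(inventory - linked):
            findings.append(f"{zone}: VNet {_short(vnet_id)} has no link; peering alone does not give it resolution")
        for vnet_id in sorted(linked - inventory):
            findings.append(f"{zone}: link to VNet {_short(vnet_id)} that is not in the inventory (stale link?)")
    for vnet_id, zones in registration_zones.items():
        if len(zones) > MAX_REGISTRATION_ZONES_PER_VNET:
            findings.append(f"VNet {_short(vnet_id)} is registration-linked to {len(zones)} zones "
                            f"({', '.join(sorted(zones))}); Azure allows {MAX_REGISTRATION_ZONES_PER_VNET}")
    return sorted(findings)


# Constructed inventory (placeholder subscription id), as `az network vnet list -o json` would return it.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyRG"
           "/providers/Microsoft.Network/virtualNetworks/")
VNETS = json.loads('[{"id": "%shub"}, {"id": "%sspoke1"}, {"id": "%sspoke2"}]' % (_PREFIX, _PREFIX, _PREFIX))


def _link(name, vnet, registration):
    """Build one link object in the shape of `az network private-dns link vnet list` output."""
    return {"name": name, "registrationEnabled": registration, "virtualNetwork": {"id": _PREFIX + vnet}}


LINKS_BY_ZONE = {
    # spoke2 was never linked here
    "contoso.local": [_link("Link-hub", "hub", True), _link("Link-spoke1", "spoke1", True)],
    # hub is registration-linked a second time, which Azure rejects
    "privatelink.database.windows.net": [_link("Link-hub", "hub", True),
                                         _link("Link-spoke1", "spoke1", False),
                                         _link("Link-spoke2", "spoke2", False)],
}

if __name__ == "__main__":
    for finding in audit_links(VNETS, LINKS_BY_ZONE):
        print(finding)
```

Azure itself rejects the second registration link at creation time; catching it in a plan review, together with the forgotten spoke link that Azure would happily accept, is the point of running the audit first.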

Other Limitations

  • Public DNS Zone Delegation: Azure DNS is not a registrar. After creating a public zone you must copy the four Azure name servers it is assigned into the NS records at your registrar, and the change takes effect only as the old NS records' TTL expires at resolvers
  • Alias Records: Alias record sets can target only specific Azure resources (Traffic Manager profiles, Azure CDN endpoints, Public IP addresses, Front Door) or another record set in the same zone. Prefer them over CNAME or A records to those resources: when the target is deleted the alias stops resolving instead of leaving a dangling record that someone else can claim (subdomain takeover)
  • DNSSEC: Azure DNS zones went unsigned for years; signing for public zones has only recently started to be offered and Private DNS zones are not signed, so check the current documentation before relying on it
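The dangling-record risk behind the alias caveat above is worth checking for directly. The scanner below is an added example (not from the page or from Microsoft): it walks the CNAME record sets of a public zone, as az network dns record-set cname list -o json would return them (name, cnameRecord.cname; treat that field shape as an assumption), flags targets under Azure service suffixes that can be re-registered by anyone once the original resource is gone and that are missing from your ownership inventory, and separately lists CNAMEs that the page's alias-capable targets would let you convert. Records, inventory and suffix lists are constructed; extend the suffixes for the services you actually use.

```python
"""Find CNAME records in an Azure DNS zone that point at Azure hostnames you no longer
own (dangling DNS, the precondition for subdomain takeover) and CNAMEs that could be
alias records instead.

Added example, not from the page or from Microsoft. Record objects mimic the JSON of
`az network dns record-set cname list` (name, cnameRecord.cname); the records, the
ownership inventory and the suffix lists are constructed for the example.
"""

# Azure service hostnames that are released when the resource is deleted and can then
# be created by any other tenant (the usual takeover targets). Constructed list; extend it.
CLAIMABLE_SUFFIXES = (
    "azurewebsites.net",        # App Service / Functions
    "cloudapp.net",             # classic Cloud Services
    "cloudapp.azure.com",       # Public IP DNS labels
    "trafficmanager.net",       # Traffic Manager profiles
    "azureedge.net",            # Azure CDN endpoints
    "blob.core.windows.net",    # Storage accounts
)

# Targets for which Azure DNS offers alias records (Public IP, Traffic Manager, CDN, Front Door).
ALIAS_CAPABLE_SUFFIXES = ("cloudapp.azure.com", "trafficmanager.net", "azureedge.net", "azurefd.net")


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


def _under(host: str, suffixes) -> bool:
    """True when host equals one of the suffixes or is a name beneath one of them."""
    h = _norm(host)
    return any(h == s or h.endswith("." + s) for s in suffixes)


def find_dangling(zone: str, cname_records, owned_hostnames):
    """(record fqdn, target) pairs whose target is claimable and absent from the owned inventory."""
    owned = {_norm(h) for h in owned_hostnames}
    dangling = []
    for rec in cname_records:
        target = _norm(rec["cnameRecord"]["cname"])
        if _under(target, CLAIMABLE_SUFFIXES) and target not in owned:
            dangling.append((f"{rec['name']}.{zone}", target))
    return dangling


def alias_candidates(zone: str, cname_records):
    """CNAMEs that could become alias records so a deleted target cannot dangle."""
    return [(f"{r['name']}.{zone}", _norm(r["cnameRecord"]["cname"]))
            for r in cname_records if _under(r["cnameRecord"]["cname"], ALIAS_CAPABLE_SUFFIXES)]


def _cname(name, target):
    """One record set in the shape of the CLI's JSON output (assumed field names)."""
    return {"name": name, "cnameRecord": {"cname": target}}


ZONE = "contoso.com"
RECORDS = [                                                # constructed zone contents
    _cname("www", "contoso-prod.azurewebsites.net"),       # still owned
    _cname("old-blog", "contoso-blog.azurewebsites.net"),  # app deleted, record forgotten
    _cname("cdn", "contoso.azureedge.net"),                # owned, but better as an alias record
    _cname("legacy", "contoso-legacy.cloudapp.net"),       # classic service long gone
    _cname("status", "contoso.statuspage.io"),             # non-Azure SaaS, out of scope here
]
OWNED = ["contoso-prod.azurewebsites.net", "contoso.azureedge.net"]   # from your own inventory

if __name__ == "__main__":
    for fqdn, target in find_dangling(ZONE, RECORDS, OWNED):
        print(f"DANGLING  {fqdn} -> {target}")
    for fqdn, target in alias_candidates(ZONE, RECORDS):
        print(f"ALIAS?    {fqdn} -> {target}")
```

The ownership inventory is the part that matters: build it from the hostnames your subscriptions actually expose (app service default hostnames, storage endpoints, public IP DNS labels) rather than from the DNS zone itself, otherwise the scan only confirms that the records exist.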

Why Use Azure DNS?

  • High Availability: Public zones are served from Azure's global anycast name server network; private zones are answered by the platform resolver inside each VNet
  • Security: Zone and record management is governed by Azure RBAC (for example the built-in DNS Zone Contributor and Private DNS Zone Contributor roles). Scope those roles tightly: anyone who can edit records can redirect your traffic or pass the TXT-record ownership checks that certificate authorities and SaaS providers rely on
  • Automation: Manage DNS via CLI, PowerShell, ARM templates, or Terraform
  • Hybrid Support: Combine with DNS Private Resolver for conditional forwarding to and from on-premises DNS

Common Scenarios

  • Hosting your company's domain in Azure
  • Internal name resolution for VMs and services using Private DNS Zones
  • Hybrid DNS setups with on-premises DNS servers and Azure DNS Resolver