Design name resolution for your virtual network
Depending on how you use Azure to host IaaS, PaaS, and hybrid solutions, you might need to allow the virtual machines (VMs), and other resources deployed in a virtual network to communicate with each other. Although you can enable communication by using IP addresses, it is much simpler to use names that can be easily remembered, and do not change.
DNS is split into two areas: Public, and Private DNS for resources accessible from your own internal networks.
Public DNS services
Public DNS services resolve names and IP addresses for resources and services accessible over the internet such as web servers. Azure DNS is a hosting service for DNS domain that provides name resolution by using Microsoft Azure infrastructure.
DNS domains in Azure DNS are hosted on Azure's global network of DNS name servers. Azure DNS uses anycast
networking. Each DNS query is answered by the closest available DNS server to provide fast performance and high availability for your domain.
In Azure DNS, you can create address records manually within relevant zones. The records most frequently used will be:
- Host records: A/AAAA (IPv4/IPv6)
- Alias records: CNAME
Azure DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without needing to add a custom DNS solution.
A DNS zone hosts the DNS records for a domain. So, to start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone.
Considerations
- The name of the zone must be unique within the resource group, and the zone must not exist already.
- The same zone name can be reused in a different resource group or a different Azure subscription.
- Where multiple zones share the same name, each instance is assigned different name server addresses.
- Root/Parent domain is registered at the registrar and pointed to Azure NS.
- Child domains are registered in AzureDNS directly.
Delegate DNS Domains
To delegate your domain to Azure DNS, you first need to know the name server names for your zone. Each time a DNS zone is created Azure DNS allocates name servers from a pool. Once the Name Servers are assigned, Azure DNS automatically creates authoritative NS records in your zone.
Once the DNS zone is created, and you have the name servers, you need to update the parent domain. Each registrar has their own DNS management tools to change the name server records for a domain. In the registrar’s DNS management page, edit the NS records and replace the NS records with the ones Azure DNS created.
Child Domains
If you want to set up a separate child zone, you can delegate a subdomain in Azure DNS. For example, after configuring contoso.com in Azure DNS, you could configure a separate child zone for partners.contoso.com.
TIP
The parent and child zones can be in the same or different resource group. Notice that the record set name in the parent zone matches the child zone name, in this case partners.
Setting up a subdomain follows the same process as typical delegation. The only difference is that NS records must be created in the parent zone contoso.com in Azure DNS, rather than in the domain registrar.
It's important to understand the difference between DNS record sets and individual DNS records. A record set is a collection of records in a zone that have the same name and are the same type.
The Add record set page will change depending on the type of record you select. For an A record, you will need the TTL (Time to Live) and IP address. The time to live, or TTL
, specifies how long each record is cached by clients
before being requeried
.
Private DNS services
Private DNS services resolve names and IP addresses for resources and services
When resources deployed in virtual networks need to resolve domain names to internal IP addresses, they can use one the three methods:
- Azure DNS Private Zones
- Azure-provided name resolution
- Name resolution that uses your own DNS server
Your name resolution needs might go beyond the features provided by Azure. For example, you might need to use Microsoft Windows Server Active Directory domains, resolve DNS names between virtual networks. To cover these scenarios, Azure provides the ability for you to use your own DNS servers.
DNS servers within a virtual network can forward DNS queries to the recursive resolvers in Azure
. This enables you to resolve host names within that virtual network
. For example, a domain controller (DC) running in Azure can respond to DNS queries for its domains and forward all other queries to Azure. Forwarding queries allows VMs to see both your on-premises resources (via the DC) and Azure-provided host names (via the forwarder). Access to the recursive resolvers in Azure is provided via the virtual IP 168.63.129.16
.
DNS forwarding
also enables DNS resolution between virtual networks
and allows your on-premises machines to resolve Azure-provided host names. In order to resolve a VM's host name, the DNS server
VM must reside in the same virtual network
and be configured to forward host name queries to Azure
. Because the DNS suffix is different in each virtual network, you can use conditional forwarding
rules to send DNS queries to the correct virtual network
for resolution.
Azure provided DNS
Azure provides its own default internal DNS. It provides an internal DNS zone that always exists, supports automatic registration
, requires no manual record
creation, and is created when the VNet is created
. And it's a free service. Azure provided name resolution provides only basic authoritative DNS capabilities
. If you use this option, the DNS zone names and records will be automatically managed by Azure
, and you will not be able
to control the DNS zone names
or the life cycle
of DNS records.
Internal DNS defines a namespace
as follows: .internal.cloudapp.net
.
Any VM created in the VNet
is registered in the internal DNS zone and gets a DNS domain name
like myVM.internal.cloudapp.net
. It's important to recognize that it's the Azure Resource name
that is registered, not
the name of the guest OS
on the VM.
Limitations of Internal DNS
- Can't resolve across different VNets.
- Registers resource names, not guest OS names.
- Does not allow manual record creation.
Azure Private DNS Zones
Private DNS zones
in Azure are available to internal resources only
. They are global in scope
, so you can access them from any region, any subscription, any VNet, and any tenant. If you have permission to read the zone, you can use it for name resolution. Private DNS zones are highly resilient, being replicated to regions all throughout the world. They are not
available to resources on the internet
.
For scenarios which require more flexibility than Internal DNS allows, you can create your own private DNS zones
. These zones enable you to:
- Configure a specific DNS name for a zone.
- Create records manually when necessary.
- Resolve names and IP addresses across different zones.
- Resolve names and IP addresses across different VNets.
Create a private DNS zone by using the portal
You can create a private DNS zone using the Azure portal, Azure PowerShell, or Azure CLI. Search for Private DNS zone
When the new DNS zone is deployed, you can manually
create resource records, or use auto-registration
, which will create resource records based on the Azure resource name
.
Private DNS zones
support the full range of records including pointers
, MX
, SOA
, service
, and text records
.
Link VNets to private DNS zones
In Azure, a VNet
represents a group
of 1 or more subnets
, as defined by a CIDR range
. Resources such as VMs are added to subnets
.
At the VNet level, default DNS configuration
is part of the DHCP assignments made by Azure, specifying the special address 168.63.129.16
to use Azure DNS services
.
If necessary, you can override the default configuration
by configuring an alternate DNS server at the VM NIC
.
Two ways to link VNets to a private zone:
Registration
: Each VNet can link to one private DNS zone for registration. However, up to100 VNets
can link to the sameprivate DNS zone
for registration.Resolution
: There may be many other private DNS zones for different namespaces. You can link aVNet
to each of those zones for name resolution.Each VNet
can link to up to1000 private DNS Zones
for name resolution.
Integrating on-premises DNS with Azure VNets
If you have an external DNS server, for example an on-premises server, you can use custom DNS
configuration on your VNet
to integrate the two.
Your external DNS can run on any DNS server
: BIND on UNIX, Active Directory Domain Services DNS, and so on. If you want to use an external DNS server and not the default Azure DNS service, you must configure the desired DNS servers.
Organizations often use an internal Azure private DNS zone for auto registration
, and then use a custom configuration to forward
queries external zones from an external DNS server.
Forwarding takes two forms:
Forwarding
- specifies another DNS server (SOA for a zone) to resolve the query if the initial server cannot.Conditional forwarding
- specifies a DNS server for a named zone, so thatall queries
for that zone are routed to thespecified DNS server
.
WARNING
If the DNS server is outside Azure, it doesn't have access to Azure DNS on 168.63.129.16. In this scenario, setup a DNS resolver inside your VNet, forward queries for to it, and then have it forward queries to 168.63.129.16 (Azure DNS). Essentially, you're using forwarding because 168.63.129.16 is not routable, and therefore not accessible to external clients.
Example:
DNS server outside Azure
forward to
DNS resolver inside your VNet
forward to
168.63.129.16 (Azure DNS)