Mastering Azure DNS
Azure DNS provides a reliable, scalable, and secure way to host and manage your domain name system (DNS) records directly in Azure.
It supports both public DNS zones, used to resolve names over the internet, and private DNS zones, used for name resolution within your virtual networks.
By integrating DNS management into the Azure platform, you can centralize control, automate record updates, and ensure consistent name resolution across your cloud and hybrid environments.
In this post I will show how to configure and use both private DNS zones and public DNS zones.
Private DNS Zone
Azure Private DNS provides a reliable and secure DNS service for your virtual networks.
Azure Private DNS manages and resolves domain names in the virtual network without the need to configure a custom DNS solution. By using private DNS zones, you can use your own custom domain name instead of the Azure-provided names during deployment.
Using a custom domain name helps you tailor your virtual network architecture to best suit your organization’s needs. It provides name resolution for virtual machines (VMs) within a virtual network and across connected virtual networks.
Additionally, you can configure zone names with a split-horizon view, which allows a private and a public DNS zone to share the same name.
More about this can be found at https://learn.microsoft.com/en-us/azure/dns/private-dns-overview.
You will find more about using Azure Private DNS zones and the Azure Private DNS resolver in my following post.
Public DNS Zone
Azure DNS allows you to host a DNS domain and manage the DNS zone records. To host your domain in Azure, the zone must be created in Azure and delegated to Azure’s authoritative DNS servers with a domain registrar.
Azure DNS isn’t the domain registrar.
Azure Public DNS zones let you host authoritative DNS records for your domain within Azure, but they don’t register domains themselves. You delegate your domain from your registrar to Azure’s name servers so that DNS queries are resolved by Microsoft’s global infrastructure.
Azure DNS provides reliability and low global latency through Microsoft’s Anycast-based DNS infrastructure. Further, you can manage DNS zones and records via ARM templates, Azure CLI, Bicep, Terraform, PowerShell, etc.
You also get access control by using Azure RBAC and activity logging through Azure Resource Manager.
To create a public DNS zone select DNS zone below.
Azure DNS billing is based on the number of DNS zones hosted in Azure and the number of DNS queries received.
First 25 hosted DNS zones ==> €0.428 per zone per month
Additional hosted DNS zones (over 25) ==> €0.086 per zone per month
First billion DNS queries/month ==> €0.343 per million
Additional DNS queries (over 1 billion)/month ==> €0.172 per million
Source: https://azure.microsoft.com/en-us/pricing/details/dns/


Under Instance details for the name, we need to enter our domain name like matrixpost-lab.net.

We can also import already existing records when creating the zone in Azure.


Below we see the authoritative Azure nameservers assigned to the new zone, which we need to use to delegate the domain at the registrar where it was registered.

Configure DNS Delegation
To delegate DNS management to Azure, we simply update the nameserver (NS) records at the registrar to point to the Azure DNS nameservers assigned to our newly created zone in Azure. Azure assigns four nameservers per zone; enter all four at the registrar, not just one, so the delegation stays resilient.
We need to delegate our domain to the following highlighted authoritative Azure DNS servers.

Here you can see one of my domains registered with my domain registrar, which I now want to delegate to Azure’s DNS servers and my previously created (public) DNS zone in Azure.

Depending on your domain registrar provider, the way to delegate a domain may vary slightly.

Adding the Azure DNS servers to which we delegate our domain.

It can take up to 48 hours for your changes to propagate around the world.

To finally test if the delegation works, I will first add a new DNS record to my newly created Azure DNS zone for matrixpost-lab.de.


Testing DNS Delegation
Before relying on a new DNS zone configuration, it’s important to verify that delegation is working correctly, meaning that the parent zone properly points to our authoritative nameservers and they respond as expected.
Using tools like nslookup or dig, we can test whether queries are resolved by the intended authoritative DNS servers rather than cached recursive resolvers, ensuring that our domain’s DNS hierarchy is functioning end-to-end.
An authoritative DNS response comes directly from the DNS servers that host the domain’s actual zone records, making it the definitive source of truth.
A non-authoritative response, on the other hand, is returned by a recursive resolver (like your router or ISP) that has cached the data from a previous query.
While both provide the same information, only the authoritative response confirms the data straight from the domain’s configured DNS servers.
I will now first test if the delegation already works by querying Google’s public DNS server 8.8.8.8 (a non-authoritative answer).
PS> nslookup
> server 8.8.8.8
> testing01.matrixpost-lab.de
Looks good.

To find the authoritative DNS servers for our domain by using nslookup, we can run:
PS> nslookup -type=ns matrixpost-lab.de
These nameserver (NS) entries are the authoritative DNS servers for the queried domain.
When running nslookup against your default DNS server (e.g., in my case a FritzBox), the result is usually marked as non-authoritative, because it comes from a recursive resolver’s cache rather than directly from the domain’s authoritative DNS servers.

To get an authoritative answer, we need to query one of the domain’s listed nameservers explicitly, like:
PS> nslookup -type=ns matrixpost-lab.de ns1-08.azure-dns.com
The DNS server I explicitly queried (13.107.236.8, i.e. ns1-08.azure-dns.com) doesn’t have a reverse DNS (PTR) record set up for its IP address.
nslookup tries to resolve the server’s IP back to a hostname for display, and if that lookup fails, it just shows UnKnown.
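As an added example (my own code, not from the original post), the following Python script does what the nslookup steps above do by hand, for both the delegation configured at the registrar and the authoritative test: it builds an NS query with the standard library only, sends it to a chosen server, parses the reply including the AA (Authoritative Answer) flag, and compares the NS set the parent zone returns as a referral with the NS set the Azure nameserver answers authoritatively. The live run assumes a.nic.de as a .de parent (TLD) server and ns1-08.azure-dns.com (from the post) as the child; the embedded sample reply is constructed, not captured from a real server.

```python
"""Minimal stdlib-only DNS client to check a delegation: is the parent's
referral NS set identical to what the child server publishes, and does the
child answer with AA=1?"""
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_NS, txid: int = 0x1234) -> bytes:
    """Standard query; flags 0x0100 = RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(msg: bytes) -> dict:
    """Return txid, AA flag, RCODE and every NS target in the answer and
    authority sections. A parent (TLD) server puts the delegation NS set in
    the authority section with AA=0; the child answers in the answer section
    with AA=1, which is exactly the distinction nslookup shows."""
    txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the question
        _, offset = read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    nameservers = []
    for _ in range(an + ns):
        _, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS:
            target, _ = read_name(msg, offset)
            nameservers.append(target.lower())
        offset += rdlen
    return {"txid": txid, "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "ns": sorted(nameservers)}


def query(server: str, name: str, qtype: int = QTYPE_NS, timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` (IP or hostname) and parse the reply."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(q, (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["txid"] != struct.unpack("!H", q[:2])[0]:  # drop unrelated/spoofed replies
        raise ValueError("transaction id mismatch, reply ignored")
    return reply


def check_delegation(domain: str, parent_server: str, child_server: str) -> dict:
    """Healthy delegation: child answers authoritatively and its NS set equals
    the parent's referral (a mismatch means the registrar and the zone disagree)."""
    parent = query(parent_server, domain)
    child = query(child_server, domain)
    return {"parent_ns": parent["ns"], "child_ns": child["ns"],
            "child_authoritative": child["aa"],
            "consistent": child["aa"] and parent["ns"] != [] and parent["ns"] == child["ns"]}


def sample_authoritative_response() -> bytes:
    """Constructed sample reply (not captured): AA=1, two NS records whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    question = build_query("matrixpost-lab.de", txid=0x1234)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)  # QR=1, AA=1

    def ns_rr(target: str) -> bytes:
        rdata = encode_name(target)
        return b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, len(rdata)) + rdata

    return header + question + ns_rr("ns1-08.azure-dns.com") + ns_rr("ns2-08.azure-dns.net")


if __name__ == "__main__":
    # Assumed live targets: a .de TLD server as parent, the Azure NS from the post as child.
    print(check_delegation("matrixpost-lab.de", "a.nic.de", "ns1-08.azure-dns.com"))
```

Run it from any host with outbound UDP/53; a `consistent: False` result with `child_authoritative: True` usually means the registrar still holds the old NS set (or only a subset of the four Azure nameservers), while `child_authoritative: False` means the server you queried is a recursive resolver, not the zone's own nameserver.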

Links
Azure DNS overview
https://learn.microsoft.com/en-us/azure/dns/dns-overview
Overview of DNS zones and records
https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
Delegation of DNS zones with Azure DNS
https://learn.microsoft.com/en-us/azure/dns/dns-domain-delegation
Azure DNS pricing
https://azure.microsoft.com/en-us/pricing/details/dns/