What is an Azure Private DNS zone?
Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today.
The records contained in a private DNS zone aren't resolvable from the Internet. DNS resolution against a private DNS zone works only from virtual networks that are linked to it.
You can link a private DNS zone to one or more virtual networks by creating virtual network links. You can also enable the autoregistration feature to automatically manage the life cycle of the DNS records for the virtual machines that get deployed in a virtual network.
Private DNS zone resolution
Private DNS zones linked to a VNet are queried first when using the default DNS settings of a VNet. Azure provided DNS servers are queried next. However, if a custom DNS server is defined in a VNet, then private DNS zones linked to that VNet are not automatically queried, because the custom settings override the name resolution order.
To enable custom DNS to resolve the private zone, you can use an Azure DNS Private Resolver in a VNet linked to the private zone as described in centralized DNS architecture. If the custom DNS is a virtual machine, configure a conditional forwarder to Azure DNS (168.63.129.16) for the private zone.
Limits
Private DNS zones
| Resource | Limit |
|---|---|
| Private DNS zones per subscription | 1000 |
| Record sets per private DNS zone | 25000 |
| Records per record set for private DNS zones | 20 |
| Virtual Network Links per private DNS zone | 1000 |
| Virtual Networks Links per private DNS zones with autoregistration enabled | 100 |
| Number of private DNS zones a virtual network can get linked to with autoregistration enabled | 1 |
| Number of private DNS zones a virtual network can get linked | 1000 |
Restrictions
Single-label private DNS zones aren't supported. Your private DNS zone must have two or more labels. For example, contoso.com has two labels separated by a dot. A private DNS zone can have a maximum of 34 labels.
You can't create zone delegations (NS records) in a private DNS zone. If you intend to use a child domain, you can directly create the domain as a private DNS zone. Then you can link it to the virtual network without setting up a nameserver delegation from the parent zone.
The following list of reserved zone names are blocked from creation to prevent disruption of services:
Public Azure Government Microsoft Azure operated by 21Vianet azclient.ms azclient.us azclient.cn azure.com azure.us azure.cn cloudapp.net usgovcloudapp.net chinacloudapp.cn core.windows.net core.usgovcloudapi.net core.chinacloudapi.cn microsoft.com microsoft.us microsoft.cn msidentity.com msidentity.us msidentity.cn trafficmanager.net usgovtrafficmanager.net trafficmanager.cn windows.net usgovcloudapi.net chinacloudapi.cn
Next steps
- Review and understand Private DNS records.
- Learn how to create a private zone in Azure DNS by using Azure PowerShell or Azure CLI.
- Read about some common private zone scenarios that can be realized with private zones in Azure DNS.
- For common questions and answers about private zones in Azure DNS, see Private DNS FAQ.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for