Azure Private DNS Resolver with Multiple Subscriptions with private DNS Zones

Robin Watt 0 Reputation points

Good morning,

Have a question on a relatively open Azure environment in which we've allowed our users/customers to build their own subscriptions and are now standardizing and wrangling things into a common frame. One item is handling OnPrem to Azure DNS using Azure Private DNS resolver. The core concern is that in many of these subscriptions people may have created multiple different resources with the same name and requiring the same private DNS Zones. We already know that Private Endpoints do not have a method to prevent duplication.

What would be the best way to resolve any conflicts when attempting to set up the Azure Private DNS resolver in such a way that it doesn't break or cause conflicts in existing Private DNS zones within Azure with regard to duplicated names and zones?


Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.

2 answers

  1. Sina Salam 711 Reputation points

    @Robin Watt

    Welcome to Microsoft Q&A, thank you for posting your question here!

    Regarding your question, you need the best way to resolve any conflicts when attempting to set up the Azure Private DNS, to avoid conflicts in existing Private DNS zones within Azure.

    To eliminate conflicts in existing Private DNS zones within Azure, you can use the following steps:

    • Create a new private DNS zone.
    • Move all conflicting records from the existing zone to the new zone.
    • Update the virtual network links to use the new private DNS zone.
    • Delete the conflicting records from the old zone.
    • You can also use Azure Private Endpoint DNS configuration to resolve conflicts between virtual networks.

    You can read more from the following links:


    Also, about your statement: Private Endpoints does not have a method to prevent duplication.

    To prevent duplication in Azure Private Endpoint, you can use duplicate detection.

    Duplicate detection helps keep track of the application-controlled MessageId of all messages sent into a queue or topic during a specified time window. If any new message is sent with MessageId that was logged during the time window, the message is reported as accepted (the send operation succeeds), but the newly sent message is ignored and dropped as a duplicate.

    You can also set up duplicate detection rules to keep your data clean.

    You can use the below links to read more:

    Hope this is helpful.

    Kindly let me know if the above helps or you need further assistance or explanation on this issue.

    Best Regards,



  2. KapilAnanth-MSFT 15,621 Reputation points Microsoft Employee

    @Robin Watt

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to organize your Azure DNS Zones and Azure Private DNS resolvers.

    There are multiple ways to do this; I will list the most common ones here.

    This is the same as for any other resource.

    Use Tags for each project

    Use Resource Groups for each project (instead of resource)

    • This way, you can make sure the users or clients only deploy and use resources that are deployed in their respective resource groups.

    Use RBAC

    • The above two methods require users to be compliant and not exploit their access.
    • However, using RBAC can eliminate users from different projects accessing/modifying resources from a different client/project and also prevent deploying unnecessary resources.
    • Make sure users/clients have only the minimum required level of access to resources.
    • RBAC can be applied to individual resources or Resource Groups. Roles applied at Resource Group level are automatically inherited by the resources it contains.
    • You can also fine-tune the individual resource level access.
    • E.g. UserA can access only PrivateDNSZones deployed in RGA while UserA cannot access PrivateDNSZones deployed in RGB even though they have the same name and properties.

    Now, in your case,

    • The user who is in charge of configuring the Private DNS zone should only have access to Private DNS Zones that are required for this configuration and not different Zones.
    • This way, we can make sure we do not link an unexpected Zone.

    Kindly let us know if this helps or you need further assistance on this issue.



    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

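A pre-flight check for the situation raised in this thread, as an added example that is not part of either answer or of any Azure tooling: given an inventory of Private DNS zones gathered from every subscription, it reports zone names that exist in more than one place and record names whose copies point at different addresses, so those can be settled before any zone is linked to the network the resolver uses. The inventory layout, subscription and resource group names, hosts and IPs are constructed; how the inventory is collected is left out.

```python
from collections import defaultdict

# Constructed inventory: one entry per Private DNS zone resource found.
INVENTORY = [
    {"subscription": "sub-hub", "resource_group": "rg-dns",
     "zone": "privatelink.blob.core.windows.net",
     "records": {"stapp01": "10.0.1.4", "stlogs": "10.0.1.5"}},
    {"subscription": "sub-team-a", "resource_group": "rg-net",
     "zone": "PrivateLink.Blob.Core.Windows.Net",   # same zone, different case
     "records": {"stapp01": "10.20.0.7"}},
    {"subscription": "sub-team-a", "resource_group": "rg-net",
     "zone": "privatelink.vaultcore.azure.net", "records": {"kv-a": "10.20.0.9"}},
    {"subscription": "sub-team-b", "resource_group": "rg-core",
     "zone": "privatelink.vaultcore.azure.net", "records": {"kv-b": "10.30.0.9"}},
    {"subscription": "sub-team-b", "resource_group": "rg-core",
     "zone": "privatelink.database.windows.net", "records": {"sql-b": "10.30.0.12"}},
]

def normalize(name):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return name.strip().rstrip(".").lower()

def duplicate_zones(inventory):
    """Zone name -> [(subscription, resource_group), ...] for zones with >1 copy."""
    owners = defaultdict(list)
    for z in inventory:
        owners[normalize(z["zone"])].append((z["subscription"], z["resource_group"]))
    return {zone: locs for zone, locs in owners.items() if len(locs) > 1}

def conflicting_records(inventory):
    """FQDN -> {ip: [subscriptions]} where copies of a zone give different answers."""
    answers = defaultdict(lambda: defaultdict(list))
    for z in inventory:
        zone = normalize(z["zone"])
        for host, ip in z["records"].items():
            answers[f"{normalize(host)}.{zone}"][ip].append(z["subscription"])
    return {fqdn: dict(ips) for fqdn, ips in answers.items() if len(ips) > 1}

def safe_to_merge(inventory):
    """Duplicated zones whose copies never disagree on any record name."""
    conflicts = conflicting_records(inventory)
    return sorted(z for z in duplicate_zones(inventory)
                  if not any(fqdn.endswith("." + z) for fqdn in conflicts))

if __name__ == "__main__":
    print("duplicated zones:", duplicate_zones(INVENTORY))
    print("conflicting records:", conflicting_records(INVENTORY))
    print("mergeable without renames:", safe_to_merge(INVENTORY))
```

Zones reported by `safe_to_merge` hold disjoint or identical records, while every name in `conflicting_records` needs an owner decision before the copies are consolidated.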