Understanding of Azure Private DNS resolution

Apurva Pathak 735 Reputation points
2025-05-13T08:46:13.1266667+00:00

Hi folks,

I'm trying to understand how resolution of Azure Private DNS Zones works.

  1. What if I have a DNS Zone linked with a Hub VNet and the Hub is peered with the spoke VNets? Will the resources deployed in the spoke be able to utilize the records created in the DNS Zone?
  2. What if I have a DNS Zone linked with a Spoke VNet which is peered with a Hub VNet and the Hub is peered with the spoke VNets? Will the resources deployed in the other spoke be able to utilize the records created in the DNS Zone?
  3. Do the DNS Servers settings in the linked VNet have any impact on this?

Thanks in advance!

Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.

Accepted answer
  1. Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator
    2025-05-13T10:04:15.89+00:00

    Hello Apurva Pathak

    I understand that you're trying to understand how Azure Private DNS Zones work. The resolution depends on how the zones are linked to virtual networks and how DNS queries are forwarded. Let’s go through your scenarios one by one.

    1. DNS Zone linked with Hub VNet, Hub peered with Spokes:

    Spoke VNets can resolve records if you use Azure DNS Private Resolver in the Hub to forward DNS queries from spoke VNets to the Hub.

    Refer to Private Resolver architecture

    2. DNS Zone linked with a Spoke VNet, Spoke peered with Hub, and Hub peered with other Spokes:

    Resources in other spokes can resolve DNS records from a zone linked only to one spoke, if:

    • The zone is also linked to those other spoke VNets explicitly, OR
    • A custom DNS forwarder (e.g., running on a VM or Azure DNS Resolver) is deployed in the spoke or hub and configured across all VNets. Peering does not transitively share DNS zone links or resolution capabilities.

    3. DNS servers setting in the linked VNet impact on Private DNS resolution:

    Yes, significantly. If you change the DNS server setting in a VNet to use custom DNS servers, then:

    • The VNet will no longer automatically resolve Azure Private DNS zones.
    • You must ensure your custom DNS server can forward queries for Private DNS zones to Azure’s IP.

    Refer to Configure DNS settings for Azure VNets


    Please consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
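The resolution rules from the accepted answer, modelled as a small topology check. This is an added example, not part of the original answers: the VNet names, zone name, forwarder IPs and the `can_resolve` helper are hypothetical, and it assumes a forwarder sending queries to 168.63.129.16 sees only the zones linked to its own VNet.

```python
from dataclasses import dataclass, field

AZURE_DNS = "168.63.129.16"  # Azure-provided resolver, queried from inside a VNet

@dataclass
class VNet:
    name: str
    peers: set = field(default_factory=set)          # direct peerings only (not transitive)
    dns_servers: list = field(default_factory=list)  # empty list = Azure-provided DNS
    zone_links: set = field(default_factory=set)     # private zones linked to this VNet

@dataclass
class Forwarder:
    vnet: str      # VNet hosting the forwarder (VM or resolver inbound endpoint)
    upstream: str  # where it sends queries for the private zone

def can_resolve(vnet_name, zone, vnets, forwarders):
    """Return (bool, reason): can clients in vnet_name resolve records in zone?"""
    vnet = vnets[vnet_name]
    if not vnet.dns_servers:
        # Azure-provided DNS answers only from zones linked to the querying VNet.
        if zone in vnet.zone_links:
            return True, "zone linked to this VNet"
        return False, "no link to this VNet; peering does not share zone links"
    reason = "no configured DNS server is a known forwarder"
    # Simplification: one working DNS server in the list counts as resolvable.
    for ip in (s for s in vnet.dns_servers if s in forwarders):
        fwd = forwarders[ip]
        if fwd.vnet != vnet_name and fwd.vnet not in vnet.peers:
            reason = f"forwarder {ip} is not in a directly peered VNet"
        elif fwd.upstream != AZURE_DNS:
            reason = f"forwarder {ip} does not forward to {AZURE_DNS}"
        elif zone not in vnets[fwd.vnet].zone_links:
            reason = f"zone not linked to forwarder VNet {fwd.vnet}"
        else:
            return True, f"forwarded by {ip} in {fwd.vnet}"
    return False, reason

def build_sample():
    """Constructed hub-and-spoke topology; every name and IP here is made up."""
    zone = "privatelink.example.internal"
    vnets = {
        "hub": VNet("hub", {"spoke1", "spoke2", "spoke3"}, [], {zone}),
        "spoke1": VNet("spoke1", {"hub"}),                # Azure DNS, zone not linked
        "spoke2": VNet("spoke2", {"hub"}, ["10.0.0.4"]),  # points at the hub forwarder
        "spoke3": VNet("spoke3", {"hub"}, ["10.9.9.9"]),  # custom DNS, wrong upstream
    }
    forwarders = {"10.0.0.4": Forwarder("hub", AZURE_DNS),
                  "10.9.9.9": Forwarder("spoke3", "192.0.2.53")}
    return zone, vnets, forwarders
```

Calling `can_resolve` for each VNet returned by `build_sample()` gives the reason alongside the verdict, which is the part to read when a spoke unexpectedly fails to resolve a private endpoint name.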

1 additional answer

  1. Alex Burlachenko 9,780 Reputation points
    2025-05-14T11:54:02.5266667+00:00

    Hi Apurva Pathak,

    Thank you for posting your question on the Q&A portal! It’s a great topic, and I’ll do my best to explain how Azure Private DNS resolution works in simple terms.

    When you link a Private DNS Zone to a Hub VNet and that Hub is peered with Spoke VNets, the resources in the Spoke VNets can use the records in the DNS Zone. This happens because VNet peering allows the DNS resolution to flow through the peered networks. You can find more details in the Microsoft documentation here: Virtual network peering.

    Now, if you link the Private DNS Zone to a Spoke VNet instead, and that Spoke is peered with a Hub (which is also peered with other Spokes), the resources in other Spokes won’t automatically resolve records from that DNS Zone. The resolution only flows "downstream" from the linked VNet to its peers, not the other way around. For more clarity, check the Azure Private DNS documentation here: Azure Private DNS.

    About the DNS servers setting in the linked VNet: yes, it can have an impact! If you customize the DNS servers in the VNet, Azure Private DNS resolution might not work as expected unless those servers forward requests to Azure’s default resolver (168.63.129.16). The official guidance on this is here: Name resolution for resources in Azure virtual networks.

    Hope this helps clear things up! Let me know if you have any more questions.

    Best regards,
    Alex
    P.S. If my answer helps you, please accept my answer.
    P.P.S. That is my Answer and not a Comment.
    https://ctrlaltdel.blog/