Why does azure bot's .directline.botframework.com DNS not resolve with private endpoint enabled, but the .privatelink does.

Question

Why does azure bot's .directline.botframework.com DNS not resolve with private endpoint enabled, but the .privatelink does.

Pooja-5119 0

nslookup

Default Server: UnKnown

Address: 168.63.129.16

TestBot890.directline.botframework.com

Server: UnKnown

Address: 168.63.129.16

*** UnKnown can't find TestBot890.directline.botframework.com: Non-existent domain

TestBot890.privatelink.directline.botframework.com

Server: UnKnown

Address: 168.63.129.16

Non-authoritative answer:

Name: TestBot890.privatelink.directline.botframework.com

Address: 10.0.0.7

G Sree Vidya 2,270 Reputation points Microsoft External Staff Moderator

2025-06-13T05:08:47.32+00:00

Hello Pooja-5119

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

1 answer

Your answer

G Sree Vidya 2,270 Reputation points Microsoft External Staff Moderator

2025-06-13T05:08:47.32+00:00

Hello Pooja-5119

Following up to see if the below suggestion was helpful. And, if you have any further query do let us know.

Answer 1

Obinna Ejidike 1,835

Hi Pooja-5119

Thanks for using the Q&A platform.

This behavior is expected when you enable Private Endpoint for Azure Bot Service. When a Private Endpoint is enabled for a PaaS service like Direct Line, Azure configures a private DNS zone to route traffic over a private IP.

Azure uses split-horizon DNS to isolate private endpoint traffic from public networks. When the private endpoint is in use:

Public resolution is disabled or suppressed to avoid accidental data leakage over the public internet.
Clients in the VNet must use the private DNS zone or have appropriate DNS forwarding rules in place.

Use the *.privatelink.directline.botframework.com address internally for bot communication.

If you must use the public hostname, avoid binding a private endpoint to Direct Line or configure DNS forwarding selectively.

Find documentation: https://learn.microsoft.com/en-us/azure/private-link/private-endpoint-dns

If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.

Regards,

Obinna.

DEMULIÈRE Denis (EQUANS) 0 Reputation points

2025-06-10T12:17:56.9133333+00:00

Hi @Obinna Ejidike

I have the exact same problem. The bot's name can't be resolve without adding .privatelink.
I understand your answer but I find it strange. With all other Azure resources with private endpoint and private DNS Zone, the resource name can be resolved without adding .privatelink.
For example:

nslookup web-smartagent-bot.westeurope-01.azurewebsites.net

Server: UnKnown

Address: 168.63.129.16

Non-authoritative answer:

Name: web-smartagent-bot.westeurope-01.privatelink.azurewebsites.net

Address: 10.6.45.24

Aliases: web-smartagent-bot.westeurope-01.azurewebsites.net

Is this something specific to Azure Bot ?

Thanks a lot

Denis
G Sree Vidya 2,270 Reputation points Microsoft External Staff Moderator

2025-06-11T15:12:30.72+00:00
Hi DEMULIÈRE Denis (EQUANS)

Thank you for your response.

You use the.privatelink.directline.botframework.com FQDN for all internal traffic when a Private Endpoint is enabled.

Ensure your VNet is linked to the correct Private DNS Zone (privatelink.directline.botframework.com).

If you need to resolve the public FQDN from inside the VNet (e.g., for fallback or testing), you must configure custom DNS forwarding to bypass Azure’s internal DNS.

Share via

Why does azure bot's .directline.botframework.com DNS not resolve with private endpoint enabled, but the .privatelink does.

1 answer

Your answer