Azure Service Tag - AzureDNS

Peter Stieber 65 Reputation points
2026-03-26T11:07:11.7066667+00:00

I came across an NSG rule referencing AzureDNS. Initially, I assumed it was a service tag, but I couldn’t find any matching service tag with that exact name—only AzurePlatformDNS exists.

Could someone clarify what AzureDNS refers to in this context and which IP address or range it represents?

{
  "name": "Allow-DNS-Azure",
  "id": "/subscriptions/xxxx/resourceGroups/..../Allow-DNS-Azure",
  "etag": "xxxx",
  "type": "Microsoft.Network/networkSecurityGroups/securityRules",
  "properties": {
    "provisioningState": "Succeeded",
    "protocol": "Udp",
    "sourcePortRange": "*",
    "destinationPortRange": "53",
    "sourceAddressPrefix": "*",
    "destinationAddressPrefix": "AzureDNS",
    "access": "Allow",
    "priority": 140,
    "direction": "Outbound",
    "sourcePortRanges": [],
    "destinationPortRanges": [],
    "sourceAddressPrefixes": [],
    "destinationAddressPrefixes": []
  }
}
Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

3 answers

  1. Praveen Bandaru 11,310 Reputation points Microsoft External Staff Moderator
    2026-03-31T19:28:23.53+00:00

    Hello Peter Stieber

    There isn't a built-in service tag called AzureDNS. The correct tag to use is AzurePlatformDNS, which stands for Azure’s default DNS resolver at IP 168.63.129.16. Here’s a summary:

    1. “AzureDNS” does not appear in the official service tag list.
    2. Documentation and the JSON/Discovery API refer to the tag as AzurePlatformDNS.
    3. AzurePlatformDNS corresponds to 168.63.129.16 (UDP/TCP port 53), used by all VMs in every region as the Azure-hosted DNS service.

    As per MS documentation, Azure provides a special virtual IP address: 168.63.129.16

    This IP is used for:

    • DNS resolution within Azure VNets
    • DHCP services
    • Health probes and platform communication

    The AzurePlatformDNS service tag corresponds to this platform DNS endpoint. As stated in Microsoft Docs, Azure uses a special virtual IP address: 168.63.129.16. For more information, refer to the documentation:

    • Available service tags
    • Azure platform considerations

    Note: The AzurePlatformDNS service tag is associated only with the platform DNS endpoint, not with DNS zone management or related functions. Therefore, it will not appear in the service tag list.


    I hope the above answer helps you! Please let us know if you have any further questions.

    Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.

  2. Vallepu Venkateswarlu 6,995 Reputation points Microsoft External Staff Moderator
    2026-03-26T12:42:57.51+00:00

    Hi @Peter Stieber,

    Welcome to Microsoft Q&A Platform.

    As per Microsoft documentation, there is no service tag named AzureDNS. The supported and documented tag for Azure-provided DNS is

    The documentation explicitly lists AzurePlatformDNS as the service tag that represents the Azure platform DNS service.

    From the official service tags reference: Available service tags

    As per MS documentation, Azure provides a special virtual IP address: 168.63.129.16

    This IP is used for:

    • DNS resolution within Azure VNets
    • DHCP services
    • Health probes and platform communication

    The AzurePlatformDNS service tag maps to this platform DNS endpoint. According to Microsoft Docs, Azure provides a special virtual IP address: 168.63.129.16. Refer to: Azure IP address 168.63.129.16 overview

    In your rule:

    "destinationAddressPrefix": "AzureDNS"
    
    • AzureDNS is not a valid or documented service tag
    • It does not appear in the official service tag list

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.

  3. Q&A Assist
    2026-03-26T11:07:33.23+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    In an NSG rule, AzureDNS is being used as a destination address prefix string, not as a recognized Azure service tag. It does not correspond to any documented service tag or to a specific IP range managed by Azure.

    From the available documentation:

    • The official DNS-related service tag is AzurePlatformDNS, which represents the basic platform (default) DNS service and can be used in NSG rules to control access to Azure’s default DNS. It is explicitly documented as a service tag and can be used in outbound NSG rules.
    • The NSG schema for destinationAddressPrefix allows:
      • CIDR or IP ranges
      • *
      • Default tags such as VirtualNetwork, AzureLoadBalancer, and Internet

    AzureDNS is not listed among the supported service tags and is not mentioned in the NSG schema as a special keyword. Therefore, in the JSON shown, "destinationAddressPrefix": "AzureDNS" is effectively just an arbitrary string value. Unless there is some external process or tooling that interprets this value, the NSG engine will not treat it as a valid service tag or map it to any specific IP range.

    In practice, to allow outbound DNS to Azure’s default DNS resolvers, the rule should use the documented AzurePlatformDNS service tag instead of AzureDNS.


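An audit check for the situation discussed in this thread, as an added example that is not part of the original posts or of any Microsoft tooling: it flags NSG rule address prefixes that are neither `*`, an IP/CIDR, nor a recognized service tag. The function names are hypothetical, and `KNOWN_SERVICE_TAGS` is a constructed subset containing only the tags named on this page; a real audit would load the full current service tag list.

```python
import ipaddress
import json

# Assumption: constructed subset of tag names taken from this page only.
# A real audit would load the complete, current service tag list.
KNOWN_SERVICE_TAGS = {"AzurePlatformDNS", "VirtualNetwork", "AzureLoadBalancer", "Internet"}

PREFIX_FIELDS = (
    "sourceAddressPrefix", "destinationAddressPrefix",
    "sourceAddressPrefixes", "destinationAddressPrefixes",
)

def classify_prefix(value):
    """Return 'any', 'cidr', 'service_tag' or 'unknown' for one prefix string."""
    if value == "*":
        return "any"
    try:
        ipaddress.ip_network(value, strict=False)  # accepts single IPs and CIDRs
        return "cidr"
    except ValueError:
        pass
    if value in KNOWN_SERVICE_TAGS:
        return "service_tag"
    return "unknown"

def audit_rule(rule):
    """List (field, value) pairs that are neither '*', IP/CIDR nor a known tag."""
    props = rule.get("properties", {})
    findings = []
    for field in PREFIX_FIELDS:
        raw = props.get(field)
        values = raw if isinstance(raw, list) else [raw] if raw else []
        for value in values:
            if classify_prefix(value) == "unknown":
                findings.append((field, value))
    return findings

# Constructed sample: the rule from the question (trimmed) and a corrected copy.
SAMPLE_RULE = json.loads("""
{"name": "Allow-DNS-Azure",
 "properties": {"protocol": "Udp", "destinationPortRange": "53",
                "sourceAddressPrefix": "*", "destinationAddressPrefix": "AzureDNS",
                "access": "Allow", "priority": 140, "direction": "Outbound",
                "sourceAddressPrefixes": [], "destinationAddressPrefixes": []}}
""")
FIXED_RULE = json.loads(json.dumps(SAMPLE_RULE))
FIXED_RULE["properties"]["destinationAddressPrefix"] = "AzurePlatformDNS"

if __name__ == "__main__":
    for rule in (SAMPLE_RULE, FIXED_RULE):
        print(rule["name"], audit_rule(rule) or "ok")
```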
