Azure DNS (168.63.129.16) unreachable from VNet-integrated App Services - all production services down
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 67%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
David Krasznai
0
Reputation points
IMPACT:
Multiple production App Services are completely down. Services restart
but crash again within minutes due to DNS resolution failure.
AFFECTED RESOURCES:
- VNet: SiaMainGroup-vnet (Central US)
- App Services: sia-messaging-api, edlio-connect (Auth API), and others
- All App Services with VNet integration on this VNet are affected
- App Services crash on startup with: SocketException: No such host is known
- Services come back briefly after restart/stop-start, then crash again
- Stop and Start (not restart) does NOT resolve the issue
- XXXXXXXXX from Kudu console (sia-XXXXXX-api):
nameXXXXXX sia-XXXXXX.azconfig.io
Server: 168.63.129.16
DNS request timed out.
naXXXXXXX google.com
Server: 168.63.129.16
DNS request timed out.
- DNS resolution for ALL domains fails, not just Azure services
- Azure-provided DNS server 168.63.129.16 is unreachable from inside the VNet
- Same domains resolve fine from outside the VNet (local machine nslookup works)
- VNet DNS: Azure-provided (default) - no custom DNS servers
- No private endpoints on App Configuration (sia-XXXXXX)
- App Configuration networking: Automatic (public access enabled)
- No Private DNS zone for azconfig.io
- SNAT ports: normal (NAT Gateway in use, not exhausted)
- Connection strings: verified correct
- Issue started: ~2026-03-25
- Still ongoing as of 2026-03-26
- Restarting and Stop/Start do not permanently resolve
edited PII information
Azure DevOps
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 7.000000000000001%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator2026-03-26T17:38:04.8233333+00:00 Thank you for contacting us about the Azure DNS (168.63.129.16) unreachable from VNet-integrated App Services - all production services down issue. We have begun looking into it and will share our suggestions with you as soon as possible. If you have any additional details or concerns in the meantime, please let us know. We appreciate your patience while we work on this.
-
Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator
2026-03-26T19:19:12.81+00:00 ,We have reached out to you in Private messages for additional details, could you please look into it and share us the details? Thanks
-
Praneeth Maddali 7,315 Reputation points Microsoft External Staff Moderator
2026-03-27T19:19:46.18+00:00 Just following up to see if your issue has been resolved or if you had a chance to review my earlier comment?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Shree Hima Bindu Maganti 7,035 Reputation points Microsoft External Staff Moderator2026-04-03T18:06:47.03+00:00 Hi @David Krasznai
It looks like your VNet-integrated App Services can’t reach Azure DNS (168.63.129.16), so every DNS lookup is timing out and your apps crash with “No such host is known.Validate basic connectivity to 168.63.129.16
- From your app’s Kudu console use tcpping (Windows) or curl/ping (Linux) against 168.63.129.16 on ports 53/80/32526 to confirm you can reach the Azure platform.
- Example (Linux):
ping -c 4 168.63.129.16 curl -v http://168.63.129.16/?comp=versions
Check subnet Network Security Group (NSG) rules
- Make sure there isn’t an outbound deny on UDP/TCP port 53 or a deny toward the AzurePlatformDNS service tag. Azure DNS traffic isn’t subject to your UDR but is subject to NSGs.
Inspect any User-Defined Routes (UDRs)
- Confirm you don’t have a 0.0.0.0/0 or 168.63.129.16 route forcing DNS traffic to an NVA or on-prem. If you do, Azure’s system route to 168.63.129.16 won’t be used.
Verify VNet integration subnet delegation
- Your integration subnet must be delegated to Microsoft.Web/serverFarms. If it’s not, integration traffic (including DNS) can misroute.
Test DNS from a VM in the same VNet/subnet
- Spin up a temporary VM in that subnet and run
nslookup google.com 168.63.129.16to see if it’s a VNet-wide DNS issue or only from App Service.
As a temporary workaround (not recommended long-term)
- You can point your app to a custom DNS server by setting the WEBSITE_DNS_SERVER app setting, but first nail down why the Azure DNS endpoint itself is unreachable.
https://learn.microsoft.com/en-us/azure/dns/dns-troubleshoot
https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16?tabs=windows
https://learn.microsoft.com/en-us/troubleshoot/azure/app-service/troubleshoot-vnet-integration-apps
Sign in to comment
Sign in to answer