Hello @testuser7,
Apologies for the delay in my response as I was testing this scenario in my lab.
No matter whether it is an Azure-hosted public zone or a domain hosted outside Azure, 168.63.129.16 will recurse and follow the normal DNS resolution process.
I have an Azure public DNS zone named "msazurelabs.tk" whose nameservers have been added at the DNS registrar, so the domain is delegated to Azure.
I launched a VM and used dig's +trace to show this; here is the output:
C:\Users\azureuser>dig www.msazurelabs.tk @168.63.129.16 +trace
; <<>> DiG 9.16.25 <<>> www.msazurelabs.tk @168.63.129.16 +trace
;; global options: +cmd
. 517241 IN NS j.root-servers.net.
. 517241 IN NS e.root-servers.net.
. 517241 IN NS i.root-servers.net.
. 517241 IN NS b.root-servers.net.
. 517241 IN NS d.root-servers.net.
. 517241 IN NS a.root-servers.net.
. 517241 IN NS f.root-servers.net.
. 517241 IN NS l.root-servers.net.
. 517241 IN NS m.root-servers.net.
. 517241 IN NS c.root-servers.net.
. 517241 IN NS g.root-servers.net.
. 517241 IN NS h.root-servers.net.
. 517241 IN NS k.root-servers.net.
;; Received 824 bytes from 168.63.129.16#53(168.63.129.16) in 3 ms
tk. 172800 IN NS c.ns.tk.
tk. 172800 IN NS d.ns.tk.
tk. 172800 IN NS a.ns.tk.
tk. 172800 IN NS b.ns.tk.
tk. 86400 IN NSEC tkmaxx. NS RRSIG NSEC
tk. 86400 IN RRSIG NSEC 8 1 86400 20220221050000 20220208040000 9799 . ipNC6MxVezjLgvhTQ6ZEbQ+z/PfxApvRXqpKFKQoC/o17B2AqF7m+Rea Ulk6umP7zY5On7y4tA4NJ8SXaEfOU++m7exxpIohFh6TVHLhy4boQXcf G1yFhbe/gsZYAUmiUPB+CeXG2m5V4KrMT9vAi9KdPLe71B2Hk7tkPFBJ vFJdoPeEBj3H7pSyMbOrwTDhNcGVWVhlw+66onWm0DdGfPqVWLTUs1c7 KhPNaEGEMK+bZzyEDzQSjf1dTToAbawEBZG8cvK03BP6AtZbV9xIoFr6 DXUB9zkdJvKdeVphRjQso5olmCfxqaCnTUMaqORTexNrpaenviCHC30/ 0HSBUQ==
;; Received 605 bytes from 202.12.27.33#53(m.root-servers.net) in 62 ms
msazurelabs.tk. 300 IN NS ns1-09.azure-dns.com.
msazurelabs.tk. 300 IN NS ns2-09.azure-dns.net.
msazurelabs.tk. 300 IN NS ns3-09.azure-dns.org.
msazurelabs.tk. 300 IN NS ns4-09.azure-dns.info.
;; Received 184 bytes from 194.0.38.1#53(a.ns.tk) in 15 ms
www.msazurelabs.tk. 3600 IN A 20.20.20.20
;; Received 63 bytes from 64.4.48.9#53(ns2-09.azure-dns.net) in 31 ms
Refer to this blog to see how to use dig +trace to understand DNS resolution: https://ns1.com/blog/using-dig-trace
As mentioned in this doc, Azure DNS provides an authoritative DNS service. It doesn't provide a recursive DNS service. Cloud Services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure. DNS clients in PCs or mobile devices typically call a recursive DNS server to do any DNS queries the client applications need. So, the Azure VM also calls the recursive DNS service that is provided as part of Azure's infrastructure to resolve both Azure public DNS zone and domains hosted outside Azure.
Also, you can find the difference between authoritative & recursive DNS server as below:
- An authoritative DNS server hosts DNS zones. It answers DNS queries for records in those zones only.
- A recursive DNS server doesn't host DNS zones. It answers all DNS queries by calling authoritative DNS servers to gather the data it needs.
Since Azure public DNS hosts DNS zones, it is an authoritative DNS server, which answers DNS queries for records in those zones only.
But the DNS resolution process doesn't change, which means that when you are in your Azure VM and try to resolve "mydomain.com", a delegated Azure-hosted public zone, 168.63.129.16 (the Azure infrastructure recursive DNS service) answers the query by calling authoritative DNS servers, starting from the root servers and eventually reaching the Azure DNS public zone "mydomain.com", which hosts that domain; there the Azure public DNS answers the query for the record asked for, as this is where the zone is hosted.
Hope this helps!
Regards,
Gita
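A worked example added here, not part of Gita's reply and not Azure code: a toy iterative resolver in Python that models the walk shown in the dig +trace output above (root, then the tk. servers, then the Azure DNS nameservers for the zone). The zone data is constructed to mirror that trace; the names ns1-09.azure-dns.com., a.ns.tk. and the answer 20.20.20.20 are copied from the trace, and everything else (one server per level, nameserver names doubling as lookup keys so no glue or A lookups are needed, the status strings) is an assumption made for the example. The `authoritative_answer` function shows the "answers only for the zones it hosts" behaviour of an authoritative server, and `resolve` shows the recursive side that owns no zones and only follows referrals.

```python
"""Toy iterative resolver modelling the dig +trace walk in the thread.

Constructed example: the zone data mirrors the trace
(root -> tk. -> msazurelabs.tk. -> A record) but is made up, not fetched.
Each "authoritative server" answers only for the zone it hosts; the
"recursive" resolve() function hosts no zones and walks referrals instead.
"""
from typing import Dict, List, Tuple

Answer = Tuple[str, List[str]]  # (status, rdata strings)

# Constructed authoritative data. Keys are nameserver names; each hosts one
# zone. Simplification: NS names double as lookup keys, so no glue or A
# lookups for the nameservers themselves are modelled.
AUTH: Dict[str, dict] = {
    "a.root-servers.net.": {
        "zone": ".",
        "records": {("tk.", "NS"): ["a.ns.tk.", "b.ns.tk."]},
    },
    "a.ns.tk.": {
        "zone": "tk.",
        "records": {
            ("msazurelabs.tk.", "NS"): ["ns1-09.azure-dns.com.", "ns2-09.azure-dns.net."],
        },
    },
    "ns1-09.azure-dns.com.": {
        "zone": "msazurelabs.tk.",
        "records": {("www.msazurelabs.tk.", "A"): ["20.20.20.20"]},
    },
}

ROOT_HINTS = ["a.root-servers.net."]


def in_zone(name: str, zone: str) -> bool:
    """True if name is at or below the zone apex (FQDNs with trailing dot).

    The "." + zone suffix check keeps "notmsazurelabs.tk." out of
    "msazurelabs.tk.", which a bare endswith(zone) would get wrong.
    """
    return zone == "." or name == zone or name.endswith("." + zone)


def ancestors(name: str):
    """Yield name, then each enclosing name up to and including the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def authoritative_answer(server: str, qname: str, qtype: str) -> Answer:
    """What one authoritative server says: an answer, a referral, or a refusal."""
    zone = AUTH[server]["zone"]
    records = AUTH[server]["records"]
    if not in_zone(qname, zone):
        # An authoritative server answers only for the zones it hosts.
        return "REFUSED", []
    if (qname, qtype) in records:
        return "ANSWER", records[(qname, qtype)]
    # No exact record: refer to the closest delegation below our apex, if any.
    for cand in ancestors(qname):
        if cand == zone:
            break
        if (cand, "NS") in records:
            return "REFERRAL", records[(cand, "NS")]
    return "NXDOMAIN", []


def resolve(qname: str, qtype: str, max_hops: int = 10):
    """Recursive-resolver side: start at the root hints and follow referrals.

    Returns (status, rdata, trace); trace lists (server, status, rdata) per
    hop in the same order dig +trace prints them.
    """
    trace = []
    servers = list(ROOT_HINTS)
    for _ in range(max_hops):
        server = servers[0]
        status, rdata = authoritative_answer(server, qname, qtype)
        trace.append((server, status, list(rdata)))
        if status != "REFERRAL":
            return status, list(rdata), trace
        # Follow the referral to a nameserver we know how to reach.
        servers = [ns for ns in rdata if ns in AUTH]
        if not servers:
            return "SERVFAIL", [], trace
    return "SERVFAIL", [], trace  # referral loop or delegation chain too deep


if __name__ == "__main__":
    status, rdata, trace = resolve("www.msazurelabs.tk.", "A")
    for server, hop_status, hop_rdata in trace:
        print(f";; {server:<24} {hop_status:<9} {' '.join(hop_rdata)}")
    print(status, rdata)
```

Running the block prints three hops, one per delegation level, ending with the A record from the Azure nameserver. Asking an Azure nameserver directly for a name outside its zone returns the refusal, which is the practical difference the reply draws between the authoritative service and the recursive one at 168.63.129.16.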