Azure DNS Private Resolver


This article presents a solution for using Azure DNS Private Resolver to simplify hybrid recursive domain name system (DNS) resolution. You can use Azure DNS Private Resolver for on-premises workloads and Azure workloads. Azure DNS Private Resolver simplifies private DNS resolution from on-premises to Azure Private DNS and vice versa.


The following sections present alternatives for hybrid recursive DNS resolution. The first section discusses a solution that uses a DNS forwarder virtual machine (VM). Subsequent sections explain how to use Azure DNS Private Resolver.

Use a DNS forwarder VM

Before Azure DNS Private Resolver was available, a DNS forwarder VM was deployed so that an on-premises server could resolve Azure Private DNS. The following diagram illustrates the details of this name resolution. A conditional forwarder on the on-premises DNS server forwards requests to Azure, and a private DNS zone is linked to a virtual network. Requests to the Azure service then resolve to the appropriate private IP address.

In this solution, you can't use the Azure public DNS service to resolve on-premises domain names.

Architecture diagram that shows a solution without Azure DNS Private Resolver. Traffic from an on-premises server to an Azure database is visible.



  1. A client VM sends a name resolution request for to an on-premises internal DNS server.

  2. A conditional forwarder is configured on the internal DNS server. That forwarder forwards the DNS query for to, which is the address of a DNS forwarder VM.

  3. The DNS forwarder VM sends the request to, the IP address of the Azure internal DNS server.

  4. The Azure DNS server sends a name resolution request for to the Azure recursive resolvers. The resolvers respond with the canonical name (CNAME)

  5. The Azure DNS server sends a name resolution request for to the private DNS zone The private DNS zone responds with the private IP address

  6. The response that associates the CNAME with the A record arrives at the DNS forwarder.

  7. The response arrives at the on-premises internal DNS server.

  8. The response arrives at the client VM.

  9. The client VM establishes a private connection to the private endpoint that uses the IP address The private endpoint provides the client VM with a secure connection to an Azure database.

For more information, see Azure private endpoint DNS configuration.

Use Azure DNS Private Resolver

When you use Azure DNS Private Resolver, you don't need a DNS forwarder VM, and Azure DNS is able to resolve on-premises domain names.

The following solution uses Azure DNS Private Resolver in a hub-spoke network topology. As a best practice, the Azure landing zone design pattern recommends using this type of topology. A hybrid network connection is established by using Azure ExpressRoute and Azure Firewall. This setup provides a secure hybrid network. Azure DNS Private Resolver is deployed in the hub network.

Architecture diagram that shows an on-premises network connected to an Azure hub-and-spoke network. Azure DNS Private Resolver is in the hub network.



The solution that uses Azure DNS Private Resolver contains the following components:

  • An on-premises network. This network of customer datacenters is connected to Azure via ExpressRoute or a site-to-site Azure VPN Gateway connection. Network components include two local DNS servers. One uses the IP addresses The other uses Both servers work as resolvers or forwarders for all computers inside the on-premises network.

    An administrator creates all local DNS and Azure endpoints on these servers. Conditional forwarders are configured on these servers for the Azure Blob Storage and API private endpoint DNS zones. Those forwarders forward requests to the Azure DNS Private Resolver inbound connection. The inbound endpoint uses the IP address and is hosted within the hub virtual network.

    The following table lists the records on the local servers.

    Domain name IP address Record type Address mapping Address mapping DNS forwarder DNS forwarder
  • A hub network.

    • VPN Gateway or an ExpressRoute connection is used for the hybrid connection to Azure.
    • Azure Firewall provides a managed firewall as a service. The firewall instance resides in its own subnet.
    • The following table lists the parameters that are configured for Azure DNS Private Resolver. For App1 and App2 DNS names, the DNS forwarding rule set is configured.
    Parameter IP address
    Virtual network
    Inbound endpoint subnet
    Inbound endpoint IP address
    Outbound endpoint subnet
    Outbound endpoint IP address
    • The hub virtual network is linked to the private DNS zones for Blob Storage and the API service.
  • Spoke networks.

    • VMs are hosted in all spoke networks for testing and validating DNS resolution.
    • All Azure spoke virtual networks use the default Azure DNS server at the IP address All spoke networks are peered with the hub virtual network.
    • The spoke virtual networks are linked to private DNS zones, which makes it possible to resolve the names of private endpoint link services like

Traffic flow for an on-premises DNS query

The following diagram shows the traffic flow that results when an on-premises server issues a DNS request.

Architecture diagram that shows Azure DNS Private Resolver name resolution traffic when an on-premises server queries an Azure private DNS record.


  1. An on-premises server queries an Azure private DNS record such as The request is sent to the local DNS server at IP address or All on-premises computers point to the local DNS server.

  2. A conditional forwarder on the local DNS server for forwards the request to the DNS resolver at IP address

  3. The DNS resolver queries Azure DNS and receives information about an Azure Private DNS virtual network link.

  4. Azure Private DNS resolves DNS queries that are sent through the Azure public DNS service to the DNS resolver inbound endpoint.

Traffic flow for a spoke DNS query

The following diagram shows the traffic flow that results when VM 1 issues a DNS request. In this case, the Spoke 1 spoke network attempts to resolve the request.

Architecture diagram that shows name resolution traffic with Azure DNS Private Resolver when a spoke VM issues a DNS request.


  1. VM 1 queries a DNS record. The spoke virtual networks are configured to use the name resolution that Azure provides. As a result, Azure DNS is used to resolve the DNS query.

  2. If the query attempts to resolve a private name, Azure Private DNS is contacted.

  3. If the query doesn't match a private DNS zone that's linked to the virtual network, Azure DNS connects to Azure DNS Private Resolver. A virtual network link exists for the Spoke 1 virtual network. Azure DNS Private Resolver checks for a DNS forwarding rule set that's associated with the Spoke 1 virtual network.

  4. If a match is found in the DNS forwarding rule set, the DNS query is forwarded via the outbound endpoint to the IP address that's specified in the rule set.

  5. If Azure Private DNS (2) and Azure DNS Private Resolver (3) can't find a matching record, Azure DNS is used to resolve the query.

Each DNS forwarding rule specifies one or more target DNS servers to use for conditional forwarding. Specified information includes the domain name, target IP address, and port.
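The decision order in steps 2 through 5 can be modeled in a few lines, which is useful for reviewing where a given name will be sent before a rule set goes live. This is an added example, not code from the original article or from Azure. The zone list, rule domains, and target addresses are constructed sample values, and the choice of the most specific rule when several match is an assumption that the steps above don't state.

```python
def suffix_match(name, suffix):
    """True when name equals suffix or is a subdomain of it, compared on label boundaries."""
    name, suffix = name.lower().rstrip("."), suffix.lower().rstrip(".")
    return suffix == "" or name == suffix or name.endswith("." + suffix)


def route_query(qname, linked_private_zones, forwarding_rules):
    """Return (path, detail) for a DNS query issued by a spoke VM.

    linked_private_zones: private DNS zone names linked to the spoke virtual network.
    forwarding_rules: {domain: [(target_ip, port), ...]} from the rule set that is
    associated with the spoke virtual network.
    """
    # Step 2: a name inside a linked private DNS zone is answered by Azure Private DNS.
    zones = [z for z in linked_private_zones if suffix_match(qname, z)]
    if zones:
        return ("private-dns", max(zones, key=len))
    # Steps 3 and 4: otherwise the forwarding rule set is checked, and a match is
    # sent through the outbound endpoint to the rule's targets.
    # Assumption: when several rules match, the longest (most specific) domain wins.
    rules = [d for d in forwarding_rules if suffix_match(qname, d)]
    if rules:
        best = max(rules, key=lambda d: len(d.rstrip(".")))
        return ("forward-outbound", forwarding_rules[best])
    # Step 5: nothing matched, so Azure DNS resolves the query.
    return ("azure-dns", None)


# Constructed sample data (not taken from the article).
SAMPLE_ZONES = ["privatelink.blob.core.windows.net"]
SAMPLE_RULES = {
    "corp.example.": [("192.0.2.10", 53), ("192.0.2.11", 53)],
    "app1.corp.example.": [("192.0.2.20", 53)],
}

if __name__ == "__main__":
    for q in ("acct1.privatelink.blob.core.windows.net", "db.app1.corp.example",
              "files.corp.example", "notcorp.example", "www.example.org"):
        print(q, "->", route_query(q, SAMPLE_ZONES, SAMPLE_RULES))
```

Matching on label boundaries keeps a look-alike name such as `notcorp.example` from being forwarded to the on-premises targets configured for `corp.example`.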


  • VPN Gateway is a virtual network gateway that you can use to send encrypted traffic:

    • Between an Azure virtual network and an on-premises location over the public internet.
    • Between Azure virtual networks over the Azure backbone network.
  • ExpressRoute extends on-premises networks into the Microsoft cloud. By using a connectivity provider, ExpressRoute establishes private connections to cloud components like Azure services and Microsoft 365.

  • Azure Virtual Network is the fundamental building block for private networks in Azure. Through Virtual Network, Azure resources like VMs can securely communicate with each other, the internet, and on-premises networks.

  • Azure Firewall enforces application and network connectivity policies. This network security service centrally manages the policies across multiple virtual networks and subscriptions.

  • Azure DNS Private Resolver is a service that bridges an on-premises DNS with Azure DNS. You can use this service to query Azure DNS private zones from an on-premises environment and vice versa without deploying VM-based DNS servers.

  • Azure DNS is a hosting service for DNS domains. Azure DNS uses Azure infrastructure to provide name resolution.

  • Azure Private DNS manages and resolves domain names in a virtual network and in connected virtual networks. When you use this service, you don't need to configure a custom DNS solution. When you use private DNS zones, you can use custom domain names instead of the names that Azure provides during deployment.

  • DNS forwarders are DNS servers that forward queries to servers that are outside the network. The DNS forwarder only forwards queries for names that it can't resolve.

Scenario details

Azure offers various DNS solutions:

  • Azure DNS is a hosting service for DNS domains. By default, Azure virtual networks use Azure DNS for DNS resolution. Microsoft manages and maintains Azure DNS.
  • Azure Traffic Manager acts as a DNS-based load balancing service. It provides a way to distribute traffic across Azure regions to public-facing applications.
  • Azure Private DNS provides a DNS service for virtual networks. You can use Azure private DNS zones to resolve your own domain names and VM names without having to configure a custom solution and without modifying your own configuration. During deployment, you can use custom domain names instead of names that Azure provides if you use private DNS zones.
  • Azure DNS Private Resolver Preview is a cloud-native, highly available, DevOps-friendly service. It provides a straightforward, zero-maintenance, reliable, and secure DNS service. You can use this service to resolve DNS names that are hosted in Azure DNS private zones from on-premises networks. You can also use the service for DNS queries for your own domain names.

Before Azure DNS Private Resolver was available, you had to use custom DNS servers for DNS resolution from on-premises systems to Azure and vice versa. Custom DNS solutions have many disadvantages:

  • Managing multiple custom DNS servers for multiple virtual networks involves high infrastructure and licensing costs.
  • You have to handle all aspects of installing, configuring, and maintaining DNS servers.
  • Overhead tasks, such as monitoring and patching these servers, are complex and prone to failure.
  • There's no DevOps support for managing DNS records and forwarding rules.
  • It's expensive to implement scalable DNS server solutions.

Azure DNS Private Resolver overcomes these obstacles by providing the following features and key advantages:

  • A fully managed Microsoft service with built-in high availability and zone redundancy.
  • A scalable solution that works well with DevOps.
  • Cost savings when compared with traditional infrastructure as a service (IaaS)–based custom solutions.
  • Conditional forwarding for Azure DNS to on-premises servers. The outbound endpoint provides this capability, which hasn't been available in the past. Workloads in Azure no longer require direct connections to on-premises DNS servers. Instead, the Azure workloads connect to the outbound IP address of Azure DNS Private Resolver.

Potential use cases

This solution simplifies private DNS resolution in hybrid networks. It applies to many scenarios:

  • Transition strategies during long-term migration to fully cloud-native solutions
  • Disaster recovery and fault tolerance solutions that replicate data and services between on-premises and cloud environments
  • Solutions that host components in Azure to reduce latency between on-premises datacenters and remote locations


These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.


Reliability ensures your application can meet the commitments you make to your customers. For more information, see Overview of the reliability pillar.

Regional availability

For a list of regions in which Azure DNS Private Resolver is available, see Regional availability.

A DNS resolver can only refer to a virtual network that's in the same region as the DNS resolver.


Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

Azure DNS supports the extended ASCII encoding set for text (TXT) record sets. For more information, see Azure DNS FAQ.

Azure DNS doesn't currently support DNS security extensions (DNSSEC). But users have requested this feature.

Cost optimization

Cost optimization looks at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

  • As a solution, Azure DNS Private Resolver is largely cost-effective. One of the primary benefits of Azure DNS Private Resolver is that it's fully managed, which eliminates the need for dedicated servers.

  • To calculate the cost of Azure DNS Private Resolver, use the Azure pricing calculator. For Azure DNS Private Resolver pricing models, see Azure DNS pricing.

  • Pricing also includes availability and scalability features.

  • ExpressRoute supports two billing models:

    • Metered data, which charges you per gigabyte for outbound data transfers
    • Unlimited data, which charges you a fixed monthly port fee that covers all inbound and outbound data transfers

    For more information, see Azure ExpressRoute pricing.

  • If you use VPN Gateway instead of ExpressRoute, the cost varies by the SKU and is charged per hour. For more information, see VPN Gateway pricing.

Performance efficiency

Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.

Azure DNS Private Resolver is a fully managed Microsoft service that can handle millions of requests. Use a subnet address space between /28 and /24. For most users, /26 works best. For more information, see Subnet restrictions.


The following resources provide more information about creating a private DNS resolver:

Reverse DNS support

For detailed information about Azure support for reverse DNS and how reverse DNS works, see Overview of reverse DNS and support in Azure.

Traditionally, DNS records map a DNS name to an IP address. For example, resolves to With reverse DNS, the mapping goes in the opposite direction. An IP address is mapped back to a name. For example, the IP address resolves to


Azure DNS Private Resolver has the following limitations:

  • Azure DNS Private Resolver can only resolve virtual networks that are within the same geographical region as the resolver.
  • A virtual network can't contain more than one DNS resolver.
  • You need to assign a dedicated subnet to each inbound and outbound endpoint.

For more information, see Virtual network restrictions.
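The subnet sizing guidance in the performance efficiency section and the limitations listed above can be checked against a deployment plan before anything is created. This is an added example, not code from the original article or from Azure. The plan structure, resource names, regions, and address ranges are constructed for illustration.

```python
import ipaddress
from collections import Counter


def validate_plan(plan):
    """Return the ways a planned deployment violates the limits stated in this article."""
    problems = []
    # Limit: a virtual network can't contain more than one DNS resolver.
    for vnet, n in Counter(r["vnet"] for r in plan["resolvers"]).items():
        if n > 1:
            problems.append(f"{vnet}: {n} resolvers in one virtual network")
    for r in plan["resolvers"]:
        seen = Counter()
        for ep in r["endpoints"]:
            try:
                net = ipaddress.ip_network(ep["subnet"])  # strict: rejects host bits
            except ValueError:
                problems.append(f"{r['name']}/{ep['name']}: invalid subnet {ep['subnet']}")
                continue
            # Guidance: use a subnet address space between /28 and /24.
            if not 24 <= net.prefixlen <= 28:
                problems.append(f"{r['name']}/{ep['name']}: /{net.prefixlen} outside /28-/24")
            seen[net] += 1
        # Limit: each inbound and outbound endpoint needs a dedicated subnet.
        for net, n in seen.items():
            if n > 1:
                problems.append(f"{r['name']}: {n} endpoints share {net}")
        # Limit: a resolver can only refer to virtual networks in its own region.
        for vnet in r["linked_vnets"]:
            if plan["vnet_regions"].get(vnet) != r["region"]:
                problems.append(f"{r['name']}: {vnet} is not in {r['region']}")
    return problems


# Constructed sample plan; names, regions and address ranges are illustrative only.
SAMPLE_PLAN = {
    "vnet_regions": {"hub": "westeurope", "spoke1": "westeurope", "spoke2": "eastus"},
    "resolvers": [{
        "name": "hub-resolver", "vnet": "hub", "region": "westeurope",
        "endpoints": [
            {"name": "inbound", "subnet": "10.0.0.0/28"},
            {"name": "outbound", "subnet": "10.0.0.0/28"},   # shared with inbound
            {"name": "outbound2", "subnet": "10.0.4.0/22"},  # larger than /24
        ],
        "linked_vnets": ["spoke1", "spoke2"],                # spoke2 is in another region
    }],
}

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print(problem)
```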


This article is maintained by Microsoft. It was originally written by the following contributor.

Principal author:


Next steps