Azure DNS
Every time a browser visits a website by typing a name like www.example.com, a behind-the-scenes lookup converts that name into a numeric IP address. This process is called DNS — Domain Name System. Azure DNS is Microsoft's cloud-hosted DNS service that allows managing domain names and DNS records within Azure, using the same infrastructure and tools as all other Azure resources.
What is DNS?
DNS works like a phone book for the internet. When a browser needs to find the IP address behind www.example.com, it queries a DNS server. The DNS server looks up the record and returns the IP address. The browser then connects to that IP.
DNS Resolution Flow
```text
User types www.mycompany.com in the browser
   │
   ▼
1. Browser checks its local cache: not found
   │
   ▼
2. Browser asks the recursive resolver (usually the ISP's or the organisation's DNS server)
   │
   ▼
3. Resolver queries a root name server → referral to the .com name servers
   │
   ▼
4. Resolver queries a .com name server → referral to the mycompany.com name servers
   (the NS set the registrar published)
   │
   ▼
5. Resolver queries a mycompany.com name server (Azure DNS) → answer: 20.50.10.5
   │
   ▼
6. Resolver returns 20.50.10.5 to the browser, which connects to it → website loads
```
Azure DNS Zones
A DNS zone in Azure holds the DNS records for a single domain. When a zone for mycompany.com is created, Azure assigns it four name servers (one each under .com, .net, .org and .info). To delegate the domain to Azure, these four names must be entered as the NS records at the domain registrar (GoDaddy, Namecheap, etc.). Until the registrar's NS set matches the Azure-assigned set, resolvers are still sent to the previous DNS host, so create and verify the zone and its records in Azure before switching the delegation.
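The resolution flow above and the delegation step in this section can be walked through in code. The following is an added example, not code from the page or from Azure: it models a root server, a .com server and one Azure name server as in-memory dictionaries, follows referrals the way a recursive resolver does, and compares the NS set the registrar published with the NS set the zone itself serves. Only www.mycompany.com → 20.50.10.5 and ns1-01.azure-dns.com come from the page; the other server names and addresses are constructed.

```python
"""Iterative DNS resolution and delegation checking over constructed data.

Added example, not code from the page or from Azure.  It walks the
referral chain shown in the resolution flow above and checks the
registrar delegation step, using a hand-built in-memory set of
authoritative servers; no real DNS traffic is sent.  www.mycompany.com ->
20.50.10.5 and ns1-01.azure-dns.com come from the page; every other
server name and address is made up for this example.
"""

# Azure assigns four name servers per zone.  Only the first appears on the
# page; the other three follow Azure's naming pattern and are illustrative.
AZURE_NS = ["ns1-01.azure-dns.com", "ns2-01.azure-dns.net",
            "ns3-01.azure-dns.org", "ns4-01.azure-dns.info"]


def _fqdn(name):
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


# Each authoritative server knows only the records of the zone it hosts,
# keyed by (owner name, record type).  Server names here are constructed.
SERVERS = {
    "root": {("com.", "NS"): ["a.gtld-servers.net"]},
    "a.gtld-servers.net": {
        # The delegation the registrar published (step 4 of the flow).
        ("mycompany.com.", "NS"): list(AZURE_NS),
    },
    "ns1-01.azure-dns.com": {
        ("mycompany.com.", "NS"): list(AZURE_NS),
        ("www.mycompany.com.", "A"): ["20.50.10.5"],
    },
}


def resolve(qname, qtype, servers=SERVERS, max_hops=8):
    """Follow referrals from the root until an authoritative answer arrives.

    Returns (records, path), where path lists the servers asked in order.
    Raises LookupError when the name does not exist or when a delegation
    points at a server that never answers (a lame delegation).
    """
    qname = _fqdn(qname)
    server, path = "root", []
    for _ in range(max_hops):
        path.append(server)
        zone = servers.get(server)
        if zone is None:
            raise LookupError(f"{server} does not answer: lame delegation for {qname}")
        if (qname, qtype) in zone:
            return zone[(qname, qtype)], path
        # No answer here: look for the longest delegation enclosing qname.
        labels = qname.split(".")
        referral = None
        for i in range(len(labels) - 1):
            referral = zone.get((".".join(labels[i:]), "NS"))
            if referral:
                break
        if not referral:
            raise LookupError(f"{server} has neither data nor a delegation for {qname}")
        if referral[0] in path:
            # The referral names a server already asked, so it is the
            # authority for this zone and the name simply does not exist.
            raise LookupError(f"NXDOMAIN: {qname} {qtype}")
        server = referral[0]
    raise LookupError("too many referrals")


def check_delegation(zone_name, parent_server, child_server, servers=SERVERS):
    """Compare the NS set the parent publishes (what the registrar was told)
    with the NS set the zone itself serves.  Any difference means some
    resolvers are sent to servers that are not authoritative for the zone.
    """
    zone_name = _fqdn(zone_name)
    parent = set(servers[parent_server].get((zone_name, "NS"), []))
    child = set(servers[child_server].get((zone_name, "NS"), []))
    return {"ok": parent == child,
            "registrar_only": sorted(parent - child),
            "azure_only": sorted(child - parent)}


def with_stale_registrar(servers=SERVERS):
    """Copy of the server tree in which the registrar still delegates to a
    previous DNS host (a made-up name) instead of the Azure name servers."""
    stale = {name: dict(zone) for name, zone in servers.items()}
    stale["a.gtld-servers.net"][("mycompany.com.", "NS")] = ["ns1.previous-host.example"]
    return stale


if __name__ == "__main__":
    answer, path = resolve("www.mycompany.com", "A")
    print(" -> ".join(path), "=>", answer)
    print(check_delegation("mycompany.com", "a.gtld-servers.net", "ns1-01.azure-dns.com"))
    try:
        resolve("www.mycompany.com", "A", servers=with_stale_registrar())
    except LookupError as err:
        print("after zone migration without updating the registrar:", err)
```

The stale-registrar case is the one that bites in practice: the zone in Azure is perfectly healthy, but because the .com servers still hand out the old host's NS records, the resolver never reaches Azure DNS. Against a live domain the same comparison is done with `dig NS mycompany.com @a.gtld-servers.net` versus `dig NS mycompany.com @ns1-01.azure-dns.com`.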
DNS Record Types
| Record Type | Full Name | Purpose | Example |
|---|---|---|---|
| A | Address Record | Maps a hostname to an IPv4 address | www → 20.50.10.5 |
| AAAA | IPv6 Address Record | Maps a hostname to an IPv6 address | www → 2001:db8::1 |
| CNAME | Canonical Name | Maps a hostname to another hostname (alias) | shop → myapp.azurewebsites.net |
| MX | Mail Exchange | Specifies mail servers for the domain | @ → mail.mycompany.com (priority 10) |
| TXT | Text Record | Stores arbitrary text — used for domain verification and SPF/DKIM | @ → "v=spf1 include:sendgrid.net ~all" |
| NS | Name Server | Identifies the authoritative name servers for the domain | @ → ns1-01.azure-dns.com |
| SOA | Start of Authority | Contains administrative info about the zone | Automatically created with every zone |
| PTR | Pointer Record | Reverse DNS — maps an IP address back to a hostname | 20.50.10.5 → www.mycompany.com |
| SRV | Service Record | Specifies priority, weight, port and target host for a named service (SIP, XMPP, LDAP, game servers) | _sip._tcp → 10 5 5060 sip.mycompany.com |
Public DNS Zones vs Private DNS Zones
Public DNS Zone
A public DNS zone is accessible from the internet. It holds DNS records for publicly reachable domain names. When a company wants www.mycompany.com to resolve for anyone on the internet, they use a public DNS zone in Azure.
Private DNS Zone
A private DNS zone is resolvable only from the Azure virtual networks linked to it; it is never reachable from the internet. It is used to resolve internal hostnames, such as vm1.internal.mycompany.com, to private IP addresses without exposing anything publicly.
Private DNS zones are essential in enterprise architectures where internal services communicate using meaningful names instead of raw IP addresses.
Diagram – Public vs Private DNS
```text
Internet user                         Azure VNet (internal)
      │                                      │
      ▼                                      ▼
Public DNS zone                       Private DNS zone
mycompany.com                         internal.mycompany.com
─────────────                         ──────────────────────
www → 20.50.10.5 (public IP)          vm1 → 10.0.1.4 (private IP)
api → 20.50.10.6 (public IP)          db  → 10.0.3.5 (private IP)
                                      app → 10.0.2.8 (private IP)
```
Internet users resolve public IPs.
Azure resources resolve private IPs internally.
Linking Private DNS Zones to Virtual Networks
A private DNS zone must be linked to a VNet before the VMs and services in that VNet can resolve names from it. When the link is created, auto-registration can be enabled: every VM added to the VNet then automatically gets an A record in the private zone for its private IP address, and the record is removed when the VM is deleted. A VNet can be linked to many private zones for resolution, but to only one zone with auto-registration enabled.
Azure DNS Alias Records
Standard DNS CNAME records cannot point to the zone apex (root domain like mycompany.com — without any subdomain prefix). Azure DNS supports Alias records that overcome this limitation. An alias record can point the root domain directly to an Azure resource like a Traffic Manager profile, an Azure Front Door endpoint, or a public IP address.
Example
```text
Standard CNAME (NOT allowed at the zone apex):
  mycompany.com → myapp.azurewebsites.net          ← rejected

Azure alias record (works at the zone apex):
  mycompany.com (A record set, alias) → Traffic Manager profile
```
The alias record tracks the target resource: when the Traffic Manager profile's IP address changes, the answer Azure DNS returns changes with it, with no manual record update. Alias records exist for A, AAAA and CNAME record sets only.
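The rule in the CNAME row of the record-type table and the apex limitation above come from the same constraint: a name that carries a CNAME may carry no other record type, and the apex always carries SOA and NS. The following added example (not code from the page or from Microsoft) encodes those rules as a pre-flight check over a planned record list, accepts an alias A record at the apex, and additionally lists CNAMEs that point at Azure-hosted targets so the operator can confirm the target resource still exists before publishing. The record list, the resource ID and the suffix list are constructed for the example.

```python
"""Pre-flight checks for a planned Azure DNS zone.

Added example, not code from the page or from Microsoft.  It encodes the
rule explained above (a CNAME cannot sit at the zone apex, an alias A or
AAAA record can) together with the rule behind it: a name that carries a
CNAME may carry no other record type, and the apex always carries SOA and
NS.  It also lists CNAMEs that point at Azure-hosted targets so the
operator can confirm the target resource still exists.  The record list,
the resource ID and the suffix list are constructed for the example.
"""
from collections import defaultdict

# Suffixes of Azure services that commonly sit behind a CNAME.  A CNAME
# whose target resource has been deleted is a dangling record; such
# records are flagged for review rather than treated as errors.
AZURE_TARGET_SUFFIXES = (".azurewebsites.net.", ".trafficmanager.net.",
                         ".cloudapp.azure.com.", ".blob.core.windows.net.")

# Constructed plan for mycompany.com.  "@" is the apex.  A record with
# "target_resource" instead of "data" is an Azure alias record.
PLANNED = [
    {"name": "@", "type": "SOA", "data": "ns1-01.azure-dns.com. azuredns-hostmaster.microsoft.com."},
    {"name": "@", "type": "NS", "data": "ns1-01.azure-dns.com."},
    {"name": "@", "type": "CNAME", "data": "myapp.azurewebsites.net."},  # rejected below
    {"name": "@", "type": "A", "target_resource": (
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG"
        "/providers/Microsoft.Network/trafficManagerProfiles/mycompany-tm")},
    {"name": "www", "type": "A", "data": "20.50.10.5"},
    {"name": "shop", "type": "CNAME", "data": "myapp.azurewebsites.net."},
    {"name": "shop", "type": "TXT", "data": "verify=abc123"},  # conflicts with the CNAME
    {"name": "api", "type": "CNAME", "data": "mycompany-api.trafficmanager.net."},
]

ALIAS_TYPES = {"A", "AAAA", "CNAME"}


def _fqdn(name):
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def validate(records, apex="@"):
    """Return (errors, warnings) for a planned record list.

    errors:   records Azure DNS would reject at creation time
    warnings: records worth checking before the zone goes live
    """
    errors, warnings = [], []
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)

    for name, recs in by_name.items():
        types = {r["type"] for r in recs}
        if "CNAME" in types:
            if name == apex:
                errors.append(f"{name}: CNAME at the zone apex is not allowed; "
                              "use an alias A/AAAA record pointing at the Azure resource")
            others = sorted(types - {"CNAME"})
            if others:
                errors.append(f"{name}: CNAME cannot coexist with other record types {others}")
        for r in recs:
            is_alias = "target_resource" in r
            if is_alias and "data" in r:
                errors.append(f"{name}: a record set is either an alias or literal data, not both")
            if is_alias and r["type"] not in ALIAS_TYPES:
                errors.append(f"{name}: alias records exist only for A, AAAA and CNAME record sets")
            if r["type"] == "CNAME" and _fqdn(r.get("data", "")).lower().endswith(AZURE_TARGET_SUFFIXES):
                warnings.append(f"{name}: CNAME -> {r['data']} targets an Azure-hosted name; "
                                "confirm the resource still exists before publishing")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(PLANNED)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Running it on the constructed plan reports the apex CNAME twice (once for being at the apex, once for colliding with SOA and NS) and the shop CNAME once for colliding with the TXT verification record; the alias A record at the apex passes. Removing the two offending records leaves only the review warnings for the CNAMEs pointing at azurewebsites.net and trafficmanager.net.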
Creating a DNS Zone and Records via Azure CLI
```bash
# Create a public DNS zone
az network dns zone create \
  --resource-group myRG \
  --name mycompany.com

# Add an A record (www → 20.50.10.5)
az network dns record-set a add-record \
  --resource-group myRG \
  --zone-name mycompany.com \
  --record-set-name www \
  --ipv4-address 20.50.10.5

# Add a CNAME record (shop → myapp.azurewebsites.net)
az network dns record-set cname set-record \
  --resource-group myRG \
  --zone-name mycompany.com \
  --record-set-name shop \
  --cname myapp.azurewebsites.net

# View the name servers assigned (configure these at your registrar)
az network dns zone show \
  --resource-group myRG \
  --name mycompany.com \
  --query nameServers
```
Azure DNS Pricing
- Hosted DNS zones: charged per zone per month, with a lower rate for zones beyond the first 25.
- DNS queries: charged per million queries, with a lower rate for queries beyond the first billion per month.
- Azure DNS has no upfront commitment and no minimum fee.
Benefits of Using Azure DNS
- Reliability: DNS zones are hosted across multiple Azure name servers globally with 100% SLA for availability.
- Speed: Anycast routing sends DNS queries to the nearest Azure DNS server worldwide.
- Integration: Manage DNS records alongside other Azure resources using the same portal, CLI, ARM templates, or Terraform scripts.
- Security: Role-based access control (RBAC) restricts who can read or modify zones and record sets; resource locks can prevent accidental deletion of a zone, and every change is recorded in the Azure Activity Log.
- Private resolution: Private DNS zones provide internal name resolution within VNets without any public exposure.
Key Takeaways
- Azure DNS hosts DNS zones and manages DNS records for domains using Microsoft's global DNS infrastructure.
- Common record types include A (IPv4), CNAME (alias), MX (mail), TXT (verification), and NS (name server).
- Public DNS zones serve internet-facing hostnames; private DNS zones serve internal VNet name resolution.
- Auto-registration in private zones automatically creates DNS records when VMs join a linked VNet.
- Azure Alias records solve the root domain limitation that standard CNAME records have.
