Azure DNS – Network Connectivity and Security
Once we have our resources built in Azure, we need to resolve names to IP addresses to communicate with them. By default, services in Azure use Azure-managed DNS servers, which provide name resolution for your Azure resources and require no specific configuration from you.
Azure-managed DNS servers
Azure-managed DNS is highly available and fully resilient. VMs built in Azure can use Azure-managed DNS to communicate with other Azure services or other VMs in your VNETs without the need for a Fully Qualified Domain Name (FQDN).
However, this name resolution only works for Azure services; if you wish to communicate with on-premises servers or need more control over DNS, you must build your own DNS servers and integrate them with Azure.
When configuring a VNET in Azure, you can override the default DNS servers. In this way, you can define your own DNS servers to ensure queries for your on-premises resources are resolved correctly. You can also list the Azure-managed DNS server after your own; if your DNS solution cannot resolve a query, resolution then falls back to the Azure DNS service. The address of the Azure DNS service is 168.63.129.16.
To change the default DNS servers in Azure, perform the following steps:
- Navigate to the Azure portal at https://portal.azure.com.
- In the search bar, search for and select Virtual Networks.
- Select your VNET.
- On the left-hand menu, select DNS servers.
- Change the default option from Default (Azure-provided) to Custom.
- Enter your DNS servers, optionally followed by the Azure internal DNS server address.
The following screenshot shows an example of how this might look:

Figure 8.3 – Setting up custom DNS servers
These settings must be configured on each VNET for which you want custom DNS.
Tip
Be careful how many DNS servers you set. Each DNS server will be queried in turn, and if you put too many, the request will time out before it reaches the final server. This can cause issues if you need to fall back to the Azure DNS service for Azure-hosted services.
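The portal steps above can also be scripted. The following is an added example, not code from the book, that sets custom DNS servers on a VNET with the Azure CLI and applies the tip's advice before writing: every entry must be an IPv4 address, the list is capped (the cap of three is an assumption, since the text only warns against "too many"), and if the Azure DNS address 168.63.129.16 is included it must come last so it genuinely acts as the fallback. The resource group and VNET names are assumptions; setting `AZ=echo` prints the commands instead of calling Azure.

```shell
#!/bin/sh
# Added example, not code from the book: set custom DNS servers on a VNET with the
# Azure CLI instead of the portal steps. Resource group and VNET names are assumptions.
set -eu

AZ_DNS="168.63.129.16"   # Azure-provided DNS; fixed address, as stated in the text
MAX_DNS=3                # assumed upper bound; the text only warns against "too many"
AZ="${AZ:-az}"           # set AZ=echo to print the commands without calling Azure

# is_ipv4 ADDR -> succeeds if ADDR is a dotted quad with every octet in 0-255
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.
  set -- $1                      # split the address on dots into $1..$4
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
}

# validate_dns_list SERVER... -> succeeds when the list is sane:
#   every entry is an IPv4 address; at most MAX_DNS entries (each server is
#   tried in turn, so a long list times out before the last one is reached);
#   and if the Azure DNS address is present it must be last, so it is a true
#   fallback rather than the first server asked
validate_dns_list() {
  _n=$#; _i=0
  [ "$_n" -ge 1 ] && [ "$_n" -le "$MAX_DNS" ] || return 1
  for _s in "$@"; do
    _i=$((_i + 1))
    is_ipv4 "$_s" || return 1
    if [ "$_s" = "$AZ_DNS" ] && [ "$_i" -ne "$_n" ]; then
      return 1
    fi
  done
}

# set_vnet_dns RG VNET SERVER... -> validates the list, then replaces the
# VNET's DNS server list with it (Default becomes Custom, as in the portal)
set_vnet_dns() {
  _rg=$1; _vnet=$2; shift 2
  validate_dns_list "$@" || { echo "refusing DNS server list: $*" >&2; return 1; }
  "$AZ" network vnet update --resource-group "$_rg" --name "$_vnet" --dns-servers "$@"
}

# show_vnet_dns RG VNET -> prints the servers now configured (empty = Azure default)
show_vnet_dns() {
  "$AZ" network vnet show --resource-group "$1" --name "$2" \
    --query "dhcpOptions.dnsServers" --output tsv
}

# Usage (hypothetical names): on-premises DNS first, Azure DNS last as fallback
# set_vnet_dns rg-network vnet-prod 10.1.0.4 10.1.0.5 "$AZ_DNS"
# show_vnet_dns rg-network vnet-prod
```

The `--dns-servers` argument replaces the whole list rather than appending to it, so always pass the complete set. VMs already running in the VNET pick up the new servers only when they renew their DHCP lease, so restart them or renew the lease after the change.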
You can also use Azure private DNS zones for your internal DNS needs with your own custom domain names.
Azure private DNS zones
Using private DNS zones allows you to use your own domains with your Azure resources without the need to set up and maintain your own DNS servers for resolution.
This option can provide much tighter integration with your Azure-hosted resources as it allows automatic record updates and DNS resolution between VNETs. As a managed solution, it is also resilient without maintaining separate VMs to run the DNS server.
Azure also provides you with the ability to manage your external domain records. Using Azure DNS zones, you can delegate the name resolution for your custom domain to Azure’s DNS servers.
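The automatic record updates and cross-VNET resolution described above come from how a private zone is linked to VNETs. The following is an added example, not code from the book, that creates a private zone with the Azure CLI, links the VNET hosting the VMs with auto-registration (so each VM gets its A record created for it), links a second VNET for resolution only, and adds a manual record for a service that does not register itself. The zone, resource group, VNET and link names are assumptions; setting `AZ=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the book: create a private DNS zone and link it to
# two VNETs with the Azure CLI. The zone, resource group, VNET and link names are
# assumptions; replace them with your own.
set -eu
AZ="${AZ:-az}"   # set AZ=echo to print the commands instead of running them

# valid_zone_name NAME -> succeeds for a plain DNS name such as corp.internal:
# two or more labels of letters, digits and hyphens, no empty labels, and no
# label starting or ending with a hyphen
valid_zone_name() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    *.*) return 0 ;;
  esac
  return 1
}

# create_private_zone RG ZONE -> creates the zone; it resolves nothing until linked
create_private_zone() {
  valid_zone_name "$2" || { echo "bad zone name: $2" >&2; return 1; }
  "$AZ" network private-dns zone create --resource-group "$1" --name "$2"
}

# link_vnet RG ZONE LINK VNET REGISTRATION -> REGISTRATION is true or false.
# With true, every VM in the VNET gets an A record automatically (the automatic
# record updates mentioned in the text); with false the VNET can only resolve
# the zone. VNET is a name in RG or a full resource ID.
link_vnet() {
  case $5 in
    true|false) ;;
    *) echo "registration must be true or false, got: $5" >&2; return 1 ;;
  esac
  "$AZ" network private-dns link vnet create --resource-group "$1" --zone-name "$2" \
    --name "$3" --virtual-network "$4" --registration-enabled "$5"
}

# add_a_record RG ZONE HOST IP -> manual A record for something that does not
# register itself, such as an internal load balancer front end
add_a_record() {
  "$AZ" network private-dns record-set a add-record --resource-group "$1" --zone-name "$2" \
    --record-set-name "$3" --ipv4-address "$4"
}

# list_registration_links RG ZONE -> names of the links that auto-register VMs,
# useful when auditing which VNETs are allowed to write records into the zone
list_registration_links() {
  "$AZ" network private-dns link vnet list --resource-group "$1" --zone-name "$2" \
    --query "[?registrationEnabled].name" --output tsv
}

# Usage (hypothetical names): the VNET that hosts the VMs registers records; a
# second VNET gets resolution only, which is how resolution between VNETs works.
# create_private_zone rg-network corp.internal
# link_vnet rg-network corp.internal link-prod vnet-prod true
# link_vnet rg-network corp.internal link-mgmt vnet-mgmt false
# add_a_record rg-network corp.internal lb-internal 10.1.2.10
# list_registration_links rg-network corp.internal
```

Keep registration-enabled links to the VNETs that should be able to create records in the zone; every other VNET that only needs to resolve the names gets a resolution-only link, which keeps the set of writers to the zone small and easy to audit with `list_registration_links`.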
Private zones are also used with PrivateLink IP services, which we will examine in the next section, Implementing network security.