Azure DNS overview
Azure DNS lets you host and manage DNS zones in Azure. For public DNS, Azure hosts authoritative public zones and returns answers for your delegated domain names. For private DNS, Azure hosts names meant for private resolution inside linked virtual networks. Together, these capabilities help teams manage internet-facing names and internal cloud naming patterns in a consistent way.
What is Azure DNS?
Azure DNS is Microsoft Azure’s managed service for hosting and managing DNS domains. It supports authoritative public DNS zones and Azure Private DNS zones. In public DNS, you delegate your domain to Azure’s authoritative name servers. In private DNS, you use private zones and virtual network links to make internal names resolve for Azure workloads.
What it does well
It centralizes DNS zone management, supports standard record types, enables public delegation, allows private zone resolution in Azure VNets, and integrates cleanly with Azure-native networking patterns.
What it is not
It is not a domain registrar, not a global application proxy, and not a DNS traffic-steering service by itself. Those roles belong to other services such as registrars, Front Door, and Traffic Manager.
Why Azure DNS is used
Teams use Azure DNS when they want DNS management to be part of their cloud operating model rather than a separate, manually managed system. It is especially useful when applications already live in Azure and engineers want DNS records, private name resolution, and zone administration to be consistent with the rest of their infrastructure.
Centralized zone management
DNS records for cloud applications can be managed in the same platform where the rest of the infrastructure lives.
Clean public and private split
Public zones support internet-facing names, while private DNS zones support internal-only names for Azure workloads.
Better cloud integration
Azure DNS works well with Traffic Manager, public IP designs, private endpoints, private DNS zones, and Azure DNS Private Resolver patterns.
Azure DNS explained with the 5 Ws + How
This format helps beginners, working engineers, and interview learners quickly understand the service and how it fits into Azure networking.
What
A managed Azure service for hosting public DNS zones and private DNS zones.
Why
To manage domain names, records, delegation, and internal name resolution without running custom DNS servers.
When
Use it when applications or internal services need DNS records hosted and controlled in Azure.
Where
For public domains on the internet and private names inside Azure virtual network designs.
Who
Cloud engineers, platform teams, DevOps engineers, network engineers, and architects designing Azure-hosted systems.
How
Azure hosts the DNS zone, stores record sets, responds authoritatively for delegated public names, and provides private zone resolution through linked VNets.
Public DNS vs Private DNS in Azure
This is one of the most important distinctions in Azure DNS. Public DNS is for names that internet clients resolve. Private DNS is for names that should resolve only inside private Azure network scopes.
| Type | Best for | How it works |
|---|---|---|
| Azure Public DNS | Internet-facing domains | Host a public DNS zone in Azure and delegate the domain to Azure name servers |
| Azure Private DNS | Internal Azure-only names | Host a private zone and link it to one or more Azure VNets for internal resolution |
Choose public DNS when
You need internet clients to resolve names such as www.contoso.com or api.contoso.com.
Choose private DNS when
You need internal Azure workloads to resolve private names such as service endpoints, private applications, or private-link-related records.
Core components of Azure DNS
Azure DNS becomes easier to design once you understand the key pieces: zone, record set, individual record value, delegation, and VNet linking for private DNS.
DNS zone
The administrative container for records in a domain such as contoso.com.
Record set
A named collection of records of the same type in the zone, such as A, AAAA, CNAME, MX, TXT, or NS.
Record value
The actual IP, hostname, mail target, text value, or other DNS data returned to resolvers.
Name servers
The authoritative DNS servers assigned by Azure for the public DNS zone after creation.
Alias record
A public DNS record set that can reference specific Azure resources so the record tracks the target resource more cleanly.
Virtual network link
The relationship that allows Azure Private DNS zones to resolve names inside linked VNets.
How Azure DNS works
Public and private DNS follow slightly different flows, but the main idea is straightforward: Azure stores the zone and records, then returns DNS answers when resolvers or clients query for names in that zone.
Public DNS flow
- You create a public DNS zone in Azure.
- Azure assigns authoritative name servers for that zone.
- You update your registrar to delegate the domain to those Azure name servers.
- Public resolvers ask Azure for names in that domain.
- Azure returns the record data from your zone.
Private DNS flow
- You create a private DNS zone in Azure.
- You link the zone to one or more virtual networks.
- Azure workloads in linked VNets query for private names.
- Azure resolves those names using the linked private zone data.
Delegation and Azure name servers
Public DNS delegation is the step that makes Azure authoritative for your public domain. This part is often misunderstood because engineers sometimes assume that creating the zone alone is enough.
How delegation works
After you create the public DNS zone, Azure provides the authoritative name servers for that zone. You then go to your domain registrar and update the domain’s NS records there so the registrar points the domain to Azure’s name servers.
Important limitation
Azure DNS hosts the zone, but Azure DNS does not register the domain name for you. Registration and delegation are separate steps.
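The delegation check described above, as an added shell example (not code from the original page or from Azure): it compares the name servers Azure assigned to the zone with the NS set the registrar publishes, so a zone that was created but never delegated, or a half-finished cutover, is reported instead of being assumed to work. The zone name and all NS values are constructed sample data; the `az` and `dig` commands named in the comments are where live input would come from.

```shell
#!/bin/sh
# Added example, not from the original page: delegation check for a public
# zone hosted in Azure DNS. Live inputs would come from
#   az network dns zone show -g <rg> -n contoso.com --query nameServers -o tsv
#   dig +short NS contoso.com
# Everything below is constructed sample data.
ZONE="contoso.com"

# Normalize an NS list: lowercase, drop trailing dots and blank lines, sort, dedupe.
normalize_ns() {
    tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_status AZURE_NS PUBLIC_NS
# Prints "ok" when the registrar's NS set equals the Azure-assigned set,
# "partial" when the sets overlap but differ (a half-finished cutover),
# "mismatch" when nothing overlaps (zone created, delegation never done).
delegation_status() {
    azure=$(printf '%s\n' "$1" | normalize_ns)
    public=$(printf '%s\n' "$2" | normalize_ns)
    if [ "$azure" = "$public" ]; then
        echo ok
        return 0
    fi
    common=$(printf '%s\n' "$azure" "$public" | sort | uniq -d)
    if [ -n "$common" ]; then
        echo partial
    else
        echo mismatch
    fi
    return 1
}

# Constructed: Azure-assigned servers as 'az' would print them (trailing
# dots, mixed case) and two possible registrar states.
AZURE_NS="ns1-01.azure-dns.com.
ns2-01.azure-dns.net.
NS3-01.azure-dns.org.
ns4-01.azure-dns.info."
PUBLIC_NS_DONE="ns4-01.azure-dns.info
ns3-01.azure-dns.org
ns2-01.azure-dns.net
ns1-01.azure-dns.com"
PUBLIC_NS_OLD="ns1.old-provider.example
ns2.old-provider.example"

echo "$ZONE after cutover: $(delegation_status "$AZURE_NS" "$PUBLIC_NS_DONE")"
echo "$ZONE still at old provider: $(delegation_status "$AZURE_NS" "$PUBLIC_NS_OLD")"
```

The same comparison is the first item of the delegation checklist under best practices: until it prints `ok`, Azure DNS is not yet serving the domain on the internet.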
Record sets and alias records explained
Azure DNS uses the concept of record sets rather than isolated records. That means multiple values of the same record type can exist under one record set name. Public Azure DNS also supports alias record sets for certain Azure resources.
Common public record types
- A and AAAA for IPv4 and IPv6 addresses
- CNAME for hostname aliases
- MX for mail delivery
- TXT for verification and metadata
- NS for delegation
- SRV and PTR where relevant
Alias records
Public Azure DNS supports alias record sets that can refer to supported Azure resources such as an Azure public IP address, a Traffic Manager profile, or a CDN endpoint. That helps the DNS record follow the service resource more cleanly when underlying IP relationships change.
Private DNS zones and VNet linking
Azure Private DNS is for internal-only name resolution in Azure. Instead of public delegation, private DNS relies on virtual network links so workloads in linked networks can resolve names in the private zone.
Private resolution scope
A private DNS zone is not reachable from the public internet. It is intended for private resolution inside the Azure virtual networks linked to it.
VNet links
Linking the zone to a virtual network is what allows resources in that VNet to resolve names from the private zone.
Private endpoint patterns
Azure private networking designs often rely on private DNS zones so service names resolve to private IPs rather than public endpoints.
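An added shell example (not code from the original page or from Azure) for the private endpoint pattern and the "missing VNet link" failure: from a VM, a name that should be served by a linked private zone is resolved and the answer is classified. A private address means the link is in place; a public address or an empty answer means the query fell through to public DNS because the querying VNet is not linked. The names, addresses and lookup output are constructed sample data; `dig +short` on the VM is where live input would come from.

```shell
#!/bin/sh
# Added example, not from the original page: classify what a name served
# from an Azure Private DNS zone actually resolved to. Live input on a VM
# in the VNet:  dig +short app.internal.contoso.local
# All names, addresses and lookup output below are constructed.

# RFC 1918 test for a dotted-quad IPv4 address.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_answer DIG_OUTPUT
# Uses the last IPv4 line of 'dig +short' output (CNAME chain lines are
# skipped) and prints "private", "public" or "unresolved". Only "private"
# returns 0, so the function can gate a deployment or a monitoring check.
classify_answer() {
    ip=$(printf '%s\n' "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n 1)
    if [ -z "$ip" ]; then
        echo unresolved
        return 1
    fi
    if is_private_ipv4 "$ip"; then
        echo private
        return 0
    fi
    echo public
    return 1
}

# Constructed lookups:
#  LINKED    - the VNet is linked; the private zone answered with a private IP
#  UNLINKED  - no link; the query fell through to the public zone and came
#              back via a CNAME with the service's public address
#  NO_PUBLIC - no link and the name exists only in the private zone
LINKED="10.20.4.15"
UNLINKED="app.contoso.com.
203.0.113.10"
NO_PUBLIC=""

echo "linked VNet:   $(classify_answer "$LINKED")"
echo "unlinked VNet: $(classify_answer "$UNLINKED")"
echo "no public name: $(classify_answer "$NO_PUBLIC")"
```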
Azure DNS Private Resolver
Azure DNS Private Resolver is a related but separate service. Azure DNS hosts zones. DNS Private Resolver solves a different problem: recursive DNS resolution between Azure VNets and on-premises networks without you running custom DNS VMs.
When it matters
It becomes important in hybrid environments where Azure private names and on-premises private names both need to resolve cleanly across VPN or ExpressRoute-connected networks.
Why not confuse it with Azure DNS
Azure DNS is zone hosting. DNS Private Resolver is managed recursive resolution for private network scenarios. They are related, but they solve different layers of the DNS problem.
Architecture diagram
This simplified layout shows how Azure DNS fits into public and private name resolution patterns.
```
Public Internet Users
        |
        v
+----------------------------+
| Azure Public DNS Zone      |
| - contoso.com              |
| - A / CNAME / MX / TXT     |
| - delegated from registrar |
+----------------------------+
        |
        v
Public App / Front Door / Traffic Manager / Public IP

Azure Workloads in VNets
        |
        v
+----------------------------+
| Azure Private DNS Zone     |
| - internal.contoso.local   |
| - private records          |
| - linked VNets             |
+----------------------------+
        |
        v
Private Apps / Private Endpoints / Internal Services

Hybrid Private Resolution
        |
        v
+----------------------------+
| Azure DNS Private Resolver |
| - inbound / outbound       |
| - Azure <-> on-prem DNS    |
+----------------------------+
```
Real-world Azure DNS use cases
These are the kinds of production scenarios where Azure DNS becomes part of the core platform design.
Hosting a public application domain
A company hosts contoso.com in Azure DNS, delegates the domain from its registrar, and manages A, CNAME, TXT, and MX records centrally from Azure.
Private application naming
Internal microservices in Azure resolve names through a private DNS zone linked to the application virtual networks.
Hybrid private name resolution
A business with on-premises DNS and Azure VNets uses Azure DNS Private Resolver so private names resolve cleanly between both environments.
Azure DNS vs related Azure services
One of the most common design mistakes is expecting Azure DNS to do the work of other services. This comparison helps place Azure DNS in the right layer of the architecture.
| Service | Layer / role | Best for | When to choose it |
|---|---|---|---|
| Azure DNS | Authoritative zone hosting | Public and private zone management | Choose for zone hosting, records, delegation, and private zone linking |
| Azure DNS Private Resolver | Recursive private resolution | Hybrid Azure and on-premises private DNS | Choose for hybrid private resolution without custom DNS servers |
| Azure Traffic Manager | DNS-based traffic steering | Global endpoint routing and failover | Choose when you need DNS answers to steer clients to different endpoints |
| Azure Front Door | Global Layer 7 edge proxy | WAF, caching, proxy routing, acceleration | Do not use Azure DNS alone when you actually need inline application delivery features |
Azure DNS vs Traffic Manager
Azure DNS hosts zones and records. Traffic Manager is a DNS-based routing service that decides which endpoint should be returned in a DNS response. They can work together, but they are not the same service.
Azure DNS vs DNS Private Resolver
Azure DNS hosts the data for zones. DNS Private Resolver handles hybrid recursive resolution between Azure and on-premises environments. Zone hosting and recursive resolution are different problems.
Best practices
These recommendations help Azure DNS designs stay cleaner, safer, and easier to operate in production.
Separate public and private intent clearly
Do not blur internet-facing zone design with internal-only naming patterns. Treat public and private DNS as separate architecture concerns.
Use a real delegation checklist
For public zones, confirm the registrar NS records point to Azure name servers before expecting Azure DNS to serve the domain on the internet.
Keep records tidy
Use clear naming conventions, TTL policies, and ownership practices so large zones stay understandable.
Design private zones intentionally
Think through which VNets should link to which zones, especially in hub-spoke and multi-environment topologies.
Review alias use cases carefully
Alias records are helpful for supported Azure public resources, but they should still fit the overall service design and operational ownership model.
Plan hybrid DNS up front
If on-premises networks need private Azure resolution, design DNS Private Resolver or another hybrid resolution approach early instead of bolting it on later.
Common mistakes
These are the problems engineers often hit when Azure DNS is misunderstood or mixed up with adjacent services.
Forgetting delegation
Creating a public DNS zone in Azure does not automatically make it authoritative for the internet until the registrar points the domain to Azure name servers.
Mixing Azure DNS with the registrar role
Azure DNS hosts the zone but does not replace the domain registration step itself.
Using public DNS for private needs
Internal-only services should not rely on public zone logic when a private DNS zone is the correct architecture choice.
Ignoring VNet links
Private DNS zones do not automatically resolve everywhere unless the correct virtual networks are linked.
Expecting Azure DNS to provide traffic steering
Azure DNS hosts records, but services like Traffic Manager handle DNS-based endpoint selection and failover patterns.
No hybrid DNS plan
Teams sometimes build private zones in Azure and only later realize on-premises systems cannot resolve them without resolver design.
Frequently asked questions
These are the questions engineers and interview learners most often ask about Azure DNS.
Is Azure DNS a domain registrar?
No. Azure DNS hosts DNS zones and records, but domain registration and registrar management are separate.
What is the difference between Azure DNS and Azure Private DNS?
Public Azure DNS is for internet-facing authoritative DNS zones. Azure Private DNS is for private name resolution inside linked Azure virtual networks.
What is an alias record in Azure DNS?
In Azure Public DNS, alias record sets can refer to supported Azure resources such as a public IP address, a Traffic Manager profile, or a CDN endpoint.
How do I make Azure DNS authoritative for my domain?
Create the zone in Azure DNS, then update the domain’s NS records at your registrar so the domain delegates to the Azure-provided name servers.
When do I need Azure DNS Private Resolver?
You typically need it in hybrid environments where Azure private DNS names and on-premises private DNS names must resolve across connected networks without deploying and managing custom DNS servers.
Does Azure DNS do traffic routing like Traffic Manager?
No. Azure DNS hosts records and zones. Traffic Manager uses DNS responses to steer clients to different endpoints based on routing policy.