Azure Private DNS Resolver Explained: Secure Name Resolution for Hybrid Networks


In hybrid cloud environments, name resolution can become a challenge—especially when you need to resolve Azure service private endpoints (like *.azurewebsites.net) from on-premises networks. This is where Azure Private DNS Resolver comes in.

In this article, we'll walk through:

  • What Azure Private DNS Resolver is

  • How to create an inbound endpoint

  • How to configure conditional forwarding from your on-prem DNS to Azure

  • The benefits of using private name resolution


What is Azure Private DNS Resolver?

Azure Private DNS Resolver is a fully managed DNS service that enables DNS resolution between Azure virtual networks and your on-premises environment without deploying and managing DNS servers.

It supports:

  • Inbound endpoints: Accept DNS queries from on-premises or other networks.

  • Outbound endpoints and forwarding rulesets: Resolve custom DNS names from Azure to on-prem or external DNS servers.


Scenario Overview

We want to resolve the domain *.azurewebsites.net from our on-premises network to the private IP of the web app's private endpoint in Azure.

To do this:

  1. Deploy Azure Private DNS Resolver with an inbound endpoint.

  2. Set up a conditional forwarder in your on-prem DNS server pointing azurewebsites.net to the inbound endpoint's private IP.

  3. Azure resolves the name using the Private DNS zone linked to the web app's private endpoint.


Step-by-Step: Creating an Inbound Endpoint

Step 1: Deploy Azure DNS Resolver

The resolver commands come from the dns-resolver CLI extension (az extension add --name dns-resolver). The resolver is bound to one virtual network, passed by resource ID, and that binding cannot be changed after creation:

az dns-resolver create \
  --name myDnsResolver \
  --resource-group myResourceGroup \
  --location eastus \
  --id /subscriptions/<sub-id>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet

Step 2: Create an Inbound Endpoint

az dns-resolver inbound-endpoint create \
  --name inboundEndpoint1 \
  --dns-resolver-name myDnsResolver \
  --resource-group myResourceGroup \
  --location eastus \
  --ip-configurations '[{"subnet": { "id": "/subscriptions/<sub-id>/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/inboundSubnet" }}]'

Once created, note the private IP assigned to the inbound endpoint (visible in the portal or in the command output); this is the address your on-prem DNS server will forward to in Step 3.

⚠️ Use a dedicated subnet for the DNS Resolver. The subnet must be delegated to Microsoft.Network/dnsResolvers, must be at least a /28, and cannot be shared with other resources.


Step 3: Configure Conditional Forwarding in On-Prem DNS

On your on-prem DNS server (e.g., Windows Server DNS):

  1. Open DNS Manager.

  2. Right-click Conditional Forwarders > New Conditional Forwarder.

  3. Enter:

    • Domain name: azurewebsites.net

    • IP address: Private IP of the inbound endpoint

    • Optionally, enable "Store this conditional forwarder in Active Directory"

This routes only azurewebsites.net queries to Azure over your private connection (VPN or ExpressRoute); every other zone keeps resolving as before, so no unnecessary traffic is sent to the inbound endpoint.
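The same Step 3 configuration, scripted for Windows Server DNS with a verification check, as an added example that is not part of the original article. The inbound endpoint IP (10.10.0.4) and the test host name (myapp.azurewebsites.net) are constructed placeholders; replace them with your own values.

```powershell
# Added example: create the conditional forwarder for azurewebsites.net and
# confirm that queries now return a private (RFC 1918) address.
# Placeholders: 10.10.0.4 (inbound endpoint IP) and myapp.azurewebsites.net.
param(
    [string]$InboundEndpointIp = '10.10.0.4',
    [string]$Zone = 'azurewebsites.net',
    [string]$TestHost = 'myapp.azurewebsites.net'
)

Import-Module DnsServer

# Create the forwarder only if it is missing, so the script is safe to re-run.
# -ReplicationScope Forest is the "Store this conditional forwarder in
# Active Directory" option; omit it on a non-AD-integrated DNS server.
$existing = Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerConditionalForwarderZone -Name $Zone `
        -MasterServers $InboundEndpointIp `
        -ReplicationScope 'Forest' `
        -ForwarderTimeout 5
} elseif ($existing.ZoneType -ne 'Forwarder') {
    throw "Zone $Zone already exists as $($existing.ZoneType), not as a forwarder"
}

# Verify through the local DNS server: every A answer must be RFC 1918.
# A public IP here means the query was not forwarded to the private resolver,
# or the Private DNS zone for the private endpoint is not linked to the VNet.
function Test-PrivateResolution {
    param([string]$Name, [string]$Server = '127.0.0.1')
    $answers = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
    foreach ($a in $answers) {
        $b = [System.Net.IPAddress]::Parse($a.IPAddress).GetAddressBytes()
        $isPrivate = ($b[0] -eq 10) -or
                     ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                     ($b[0] -eq 192 -and $b[1] -eq 168)
        if (-not $isPrivate) { return $false }
    }
    return ($answers.Count -gt 0)
}

if (Test-PrivateResolution -Name $TestHost) {
    Write-Output "OK: $TestHost resolves to a private IP via $InboundEndpointIp"
} else {
    Write-Warning "$TestHost did not resolve to a private IP; check the forwarder and the Private DNS zone link"
}
```

Run it on the DNS server itself (or pass -Server with the server's address); a public answer is the quickest signal that the forwarder or the zone link is misconfigured.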


Benefits of Private Name Resolution with Azure DNS Resolver

Improved Security
Queries for the forwarded zone travel over your private connection to Azure and are answered from the Private DNS zone with the private endpoint's IP, so the private endpoint's records are never published to public resolvers.

Seamless Hybrid Integration
Enables on-premises apps to resolve private Azure services like Web Apps, Key Vault, and Storage.

No DNS VM Management
Azure handles high availability, patching, and scaling of the DNS infrastructure.

Fine-Grained Control
Use conditional forwarding to send only specific zones to Azure.


Final Thoughts

Azure Private DNS Resolver simplifies DNS management across hybrid environments. By setting up an inbound endpoint and configuring conditional forwarding, you can securely and efficiently resolve private Azure service endpoints from your on-premises network.

This setup is especially valuable for enterprise environments adopting Private Endpoints, Zero Trust Networking, and Hybrid Cloud Architectures.


🔧 Got questions or want help automating this setup with Terraform or Bicep? Let me know in the comments or connect with me!