Azure Domain Name Services

In this comprehensive article, I will walk you through everything you need to know about Azure DNS. We will cover how to host your public domains, how to secure your internal networks with Private DNS, and the advanced traffic strategies I use to keep applications online 24/7.


What Is Azure DNS? (And What It Isn’t)

Before we start configuring resources, we need to clear up a common misconception.

Azure DNS is primarily a hosting service for DNS domains, providing name resolution using Microsoft Azure infrastructure.

  • It IS: A place to host your DNS records (A, CNAME, MX, TXT). It uses Microsoft’s global network of Anycast name servers to answer queries incredibly fast.
  • It IS NOT: A domain registrar (mostly). While you can technically buy “App Service Domains,” Azure DNS is typically used to manage domains you bought elsewhere (like GoDaddy, Namecheap, or Network Solutions).

Think of it this way: You buy your “phone number” (domain name) from Verizon (Registrar), but you list it in the Azure “Yellow Pages” (DNS Host) because Azure distributes those phone books to every corner of the globe instantly.

Why I Recommend Switching to Azure DNS

  1. Speed: Azure uses Anycast networking. The same four name-server addresses are advertised from many Microsoft locations, so a user in Los Angeles is answered by the nearest instance on the West Coast and a user in London by one near the UK. Microsoft does not promise a specific city, only the closest point of presence.
  2. Security: You manage DNS records with Azure Role-Based Access Control (RBAC) at zone or resource-group scope. With the built-in Reader role my junior devs can view records, while only DNS Zone Contributors can change or delete the record the production app depends on; a CanNotDelete resource lock on the zone’s resource group guards against an accidental delete by a Contributor.
  3. Automation: You can update records via PowerShell, CLI, or Terraform pipelines.

Part 1: Setting Up Your First Public DNS Zone

Let’s get into the “how-to.” Imagine we are setting up a domain for a fictional US logistics company called “LogisticsUS-Example.com”. We bought the domain at a third-party registrar, but we want Azure to answer DNS queries for it.

1. Create the DNS Zone

Logging into the Azure Portal, I search for “DNS zones” and hit Create.

  • Name: logisticsus-example.com (Must match your purchased domain exactly).
  • Resource Group: I usually create a dedicated RG called rg-dns-networking so networking assets don’t get accidentally deleted with app deployments.

2. The Delegation Step (Crucial)

Once the zone is created, Azure gives me four name servers, one under each of the .com, .net, .org and .info parents. The numeric suffix (-03 below) is assigned per zone, so copy exactly what your own zone shows rather than these samples. They usually look like this:

  • ns1-03.azure-dns.com
  • ns2-03.azure-dns.net
  • ns3-03.azure-dns.org
  • ns4-03.azure-dns.info

This is where the magic happens. I must log into my registrar (e.g., GoDaddy) and replace their default name servers with all four Azure addresses. This tells the internet: “Don’t ask GoDaddy where my website is; ask Microsoft.” The change is not instant: the parent zone (.com) caches the old NS set for its own TTL, often up to 48 hours, so verify from outside Azure with nslookup or dig before you cut over any traffic. Keep the registrar account itself behind MFA and a registrar lock; whoever controls that account can repoint the whole domain regardless of what is in Azure.
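The Part 1 procedure as one Azure PowerShell script, added here as an example; it is not code from the original article. It assumes the Az module is installed, Connect-AzAccount has been run, and the resource group, zone name and 203.0.113.10 (an RFC 5737 documentation address) are placeholders. Resolve-DnsName is the Windows DnsClient cmdlet; on Linux or macOS run dig NS <zone> for the same check.

```powershell
# Added example (not from the original article): create the public zone and verify delegation.
$rg       = "rg-dns-networking"          # placeholder names throughout
$location = "eastus2"
$zone     = "logisticsus-example.com"

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# DNS zones are global resources; Azure assigns the four name servers at creation.
$z = New-AzDnsZone -Name $zone -ResourceGroupName $rg

# Lock the networking RG so a careless group delete can never take the zone with it.
New-AzResourceLock -LockName "dns-no-delete" -LockLevel CanNotDelete `
    -ResourceGroupName $rg -Force | Out-Null

# One A record for www. Short TTL while the site is new; raise it once stable.
$a = New-AzDnsRecordConfig -Ipv4Address "203.0.113.10"   # documentation address, placeholder
New-AzDnsRecordSet -Name "www" -RecordType A -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 300 -DnsRecords $a | Out-Null

# These exact four hostnames go to the registrar; the numeric suffix differs per zone.
Write-Host "Name servers to set at the registrar:"
$z.NameServers | ForEach-Object { Write-Host "  $_" }

# Verify delegation from the outside once the registrar change has propagated.
# Correct delegation means the parent's NS set equals Azure's, nothing more, nothing less.
$expected = $z.NameServers | ForEach-Object { $_.TrimEnd('.').ToLower() } | Sort-Object
$seen = Resolve-DnsName -Name $zone -Type NS -Server 1.1.1.1 -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() } | Sort-Object

if ($seen -and -not (Compare-Object -ReferenceObject $expected -DifferenceObject $seen)) {
    Write-Host "Delegation OK: parent and zone agree on all four name servers."
} else {
    Write-Warning "Delegation not complete. Parent currently returns: $($seen -join ', ')"
}
```

Run the verification part again a few hours after the registrar change; a partial NS set (two of four) is a common copy-paste mistake and makes a quarter to half of lookups fail.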

Part 2: Azure Private DNS

Public DNS is great for your website, but what about your internal servers?

In a typical US-based enterprise architecture, you might have a SQL database in ‘East US 2’ and a backend API in ‘Central US’. You don’t want these talking over the public internet. You want them talking privately over VNet peering or private endpoints, and you want stable internal names for those private addresses instead of hard-coding 10.x addresses into config files.

This is where Azure Private DNS Zones come in.

I use Private DNS to create internal-only domain names, like api.internal.logisticsus. These domains are invisible to the outside world.

The “Auto-Registration” Feature

This is my favorite feature in Azure networking. When I create a Private DNS Zone, I can link it to my Virtual Network (VNet) and enable “Auto-registration”.

If I spin up a new Virtual Machine named VM-Inventory-01 in that VNet, Azure automatically creates an A record for VM-Inventory-01.internal.logisticsus in the private zone. The record name is the VM’s OS host name, which defaults to the VM resource name. I don’t have to touch a single DNS record manually. If I delete the VM, the record is removed. It keeps the environment clean automatically. Two limits to plan around: a VNet can have auto-registration enabled for only one private zone, and only VMs register this way; private endpoints and other PaaS resources still need their own records (or their own privatelink zones).
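Part 2 as an Azure PowerShell script, added here as an example rather than code from the original article. It assumes the Az module, an existing hub VNet named vnet-hub and a spoke VNet named vnet-spoke-app in rg-dns-networking, and the article’s internal.logisticsus suffix; all of those names are placeholders.

```powershell
# Added example (not from the original article): private zone, links, and auto-registration.
$rg   = "rg-dns-networking"
$zone = "internal.logisticsus"
$hub  = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg        # assumed to exist

New-AzPrivateDnsZone -Name $zone -ResourceGroupName $rg | Out-Null

# -EnableRegistration is the portal's "Auto-registration" toggle.
# Constraints: only one registration-enabled link per VNet, and a VNet can
# auto-register into exactly one zone. Other zones are linked without registration.
New-AzPrivateDnsVirtualNetworkLink -ZoneName $zone -ResourceGroupName $rg `
    -Name "link-vnet-hub" -VirtualNetworkId $hub.Id -EnableRegistration | Out-Null

# A spoke that only needs to RESOLVE hub names gets a plain (resolution-only) link.
# Peering alone is not enough; every VNet that must resolve the zone needs its own link.
$spoke = Get-AzVirtualNetwork -Name "vnet-spoke-app" -ResourceGroupName $rg   # assumed to exist
New-AzPrivateDnsVirtualNetworkLink -ZoneName $zone -ResourceGroupName $rg `
    -Name "link-vnet-spoke-app" -VirtualNetworkId $spoke.Id | Out-Null

# After a VM in vnet-hub boots, its A record appears with IsAutoRegistered = True.
# Records you add by hand show False; that flag is how you tell the two apart in audits.
Get-AzPrivateDnsRecordSet -ZoneName $zone -ResourceGroupName $rg -RecordType A |
    Select-Object Name, Ttl, IsAutoRegistered,
        @{ Name = 'IPv4'; Expression = { $_.Records.Ipv4Address -join ', ' } }
```

Run the last query from any machine with Reader on the zone; it does not need to sit inside the VNet, because the Azure management plane, not the in-VNet resolver, is being asked.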

Table: Public vs. Private DNS

Feature        | Azure Public DNS                            | Azure Private DNS
Visibility     | Accessible by anyone on the internet        | Accessible only from linked Virtual Networks
Cost           | ~$0.50/zone/month + query costs             | ~$0.50/zone/month + query costs
Resolution     | Resolves public IPs                         | Resolves private IPs (RFC 1918, e.g. 10.x.x.x)
Key Use Case   | Web Apps, Marketing Sites                   | Databases, Internal APIs, Legacy VMs

Part 3: Solving the “Naked Domain” Problem with Alias Record

One of the most annoying limitations in traditional DNS is that you cannot put a CNAME record at the root (apex) of a domain. The reason is the CNAME rule itself: a name that holds a CNAME may hold no other records, and the apex must always carry SOA and NS records.

  • You can CNAME www.logisticsus-example.com to myapp.azurewebsites.net.
  • You cannot CNAME logisticsus-example.com (no www) to myapp.azurewebsites.net.

Historically, this required complex workarounds using static IPs (A-Records). But static IPs are fragile; if you delete and recreate your load balancer, the IP changes, and your site goes down.

The Azure Alias Record Solution

Azure DNS supports a special type of record called an Alias Record. This allows me to point the root domain dynamically to an Azure resource.

When creating the record in the portal:

  1. I leave the “Name” field blank (representing the root).
  2. I select “Alias Record Set: Yes”.
  3. I choose my Azure resource (e.g., an Azure Front Door or Public IP).

Azure internally manages the IP mapping. If the underlying IP of my Front Door or Public IP changes, Azure DNS answers with the new address without me lifting a finger, and if the target resource is deleted the alias no longer hands out the stale address. Aliases are supported for A, AAAA and CNAME record sets, and the target can be a Public IP, a Traffic Manager profile, a Front Door profile, or another record set in the same zone.
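The apex alias from Part 3 in Azure PowerShell, added as an example that is not from the original article. It assumes the Az module, the zone from Part 1, and an existing public IP resource named pip-lb-prod in rg-app-prod (both placeholders).

```powershell
# Added example (not from the original article): alias A record at the zone apex.
$rg   = "rg-dns-networking"
$zone = "logisticsus-example.com"
$pip  = Get-AzPublicIpAddress -Name "pip-lb-prod" -ResourceGroupName "rg-app-prod"   # assumed to exist

# "@" is the apex. An alias carries no address of its own: -TargetResourceId takes the
# place of -DnsRecords, and Azure DNS resolves the target's current address at query time.
New-AzDnsRecordSet -Name "@" -RecordType A -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -TargetResourceId $pip.Id | Out-Null

# Read it back: Records is empty, TargetResourceId is the public IP's resource id.
Get-AzDnsRecordSet -Name "@" -RecordType A -ZoneName $zone -ResourceGroupName $rg |
    Select-Object Name, RecordType, Ttl, TargetResourceId

# Audit helper: list every A record set that is NOT an alias. Those are the ones that
# still hold a literal address and therefore can go stale when the resource behind
# them is rebuilt.
function Get-StaticARecordSets {
    param([string]$ZoneName, [string]$ResourceGroupName)
    Get-AzDnsRecordSet -ZoneName $ZoneName -ResourceGroupName $ResourceGroupName -RecordType A |
        Where-Object { -not $_.TargetResourceId } |
        Select-Object Name, Ttl, @{ Name = 'IPv4'; Expression = { $_.Records.Ipv4Address -join ', ' } }
}
Get-StaticARecordSets -ZoneName $zone -ResourceGroupName $rg
```

If you later migrate the apex from a public IP to a Front Door or Traffic Manager profile, change only -TargetResourceId; the record set name and type stay the same.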

Part 4: Advanced Traffic Management

For my clients with a national presence—say, users in New York, Chicago, and San Francisco—DNS becomes a load-balancing tool.

We can use Azure Traffic Manager in conjunction with Azure DNS. Traffic Manager works at the DNS level to route users based on performance or geography.

Scenario: The East/West Split

I can set up a policy that says:

  • If the DNS query arrives from a West Coast resolver, give it the IP of the San Francisco datacenter.
  • If the query arrives from an East Coast resolver, give it the IP of the Virginia datacenter.

Note that Traffic Manager sees the recursive resolver’s address (or the EDNS Client Subnet it forwards), not the end user’s, so a user whose laptop points at a resolver in another region is placed with that resolver.

This isn’t just about speed; it’s about survival. If the Virginia datacenter goes offline (which, while rare, happens), Traffic Manager’s health probes detect the failure and it stops returning Virginia, pointing everyone to San Francisco. “Instantly” is bounded by two things: the probe interval times the tolerated number of failures, and the profile’s DNS TTL that resolvers have already cached. Keep the TTL short (30 to 60 seconds) and the probe interval at the fast setting if minutes matter.
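The East/West scenario in Azure PowerShell, added as an example that is not from the original article. It assumes the Az module, the zone from Part 1, and two existing public IPs (pip-va-prod and pip-sf-prod, each with a DNS name label, which Traffic Manager requires of Azure endpoints); resource names and the /healthz path are placeholders.

```powershell
# Added example (not from the original article): Traffic Manager profile with health-based
# failover, fronted by an apex alias in Azure DNS.
$rg   = "rg-dns-networking"
$zone = "logisticsus-example.com"
$east = Get-AzPublicIpAddress -Name "pip-va-prod" -ResourceGroupName "rg-app-eastus"   # assumed
$west = Get-AzPublicIpAddress -Name "pip-sf-prod" -ResourceGroupName "rg-app-westus"   # assumed

# Performance routing returns the lowest-latency HEALTHY endpoint for the querying
# resolver and fails over by itself. Geographic routing pins a region to an endpoint
# regardless of health and needs a nested profile beneath it for failover, so for an
# East/West split with survivability Performance is the simpler choice.
$tm = New-AzTrafficManagerProfile -Name "tm-logisticsus" -ResourceGroupName $rg `
    -TrafficRoutingMethod Performance -RelativeDnsName "logisticsus-prod" -Ttl 30 `
    -MonitorProtocol HTTPS -MonitorPort 443 -MonitorPath "/healthz" `
    -MonitorIntervalInSeconds 10 -MonitorTimeoutInSeconds 5 -MonitorToleratedNumberOfFailures 2

$endpoints = @(
    @{ Name = "virginia";     Id = $east.Id },
    @{ Name = "sanfrancisco"; Id = $west.Id }
)
foreach ($ep in $endpoints) {
    New-AzTrafficManagerEndpoint -Name $ep.Name -ProfileName $tm.Name -ResourceGroupName $rg `
        -Type AzureEndpoints -TargetResourceId $ep.Id -EndpointStatus Enabled | Out-Null
}

# Apex alias to the profile. A CNAME to logisticsus-prod.trafficmanager.net would be
# illegal at the apex; the alias A record is how Azure DNS gets around that.
New-AzDnsRecordSet -Name "@" -RecordType A -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 60 -TargetResourceId $tm.Id | Out-Null

# Rough worst case before every resolver stops handing out a dead endpoint:
# (tolerated failures + 1) * probe interval + probe timeout + profile TTL.
function Get-FailoverBudgetSeconds {
    param([int]$Interval = 10, [int]$Timeout = 5, [int]$Tolerated = 2, [int]$Ttl = 30)
    return ($Tolerated + 1) * $Interval + $Timeout + $Ttl
}
Write-Host "Plan for about $(Get-FailoverBudgetSeconds) s of failover time with these settings."
```

With the values above the budget is about 65 seconds; the default 30-second interval with 3 tolerated failures and a 300-second TTL puts it well over seven minutes, which is usually the surprise in the post-incident review.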

Part 5: Security with DNSSEC

In recent years, expectations for DNS integrity have tightened, and signed zones are increasingly a baseline requirement for anything that matters. “DNS Spoofing” and “Cache Poisoning” are real threats: an attacker injects a forged answer into a resolver’s cache (or races a legitimate reply), and every user of that resolver is sent to a fake banking site instead of the real one.

To prevent this, I always enable DNSSEC (Domain Name System Security Extensions) on critical zones.

DNSSEC adds cryptographic signatures to your DNS records. A validating resolver (the one your users’ devices or ISP run) can then prove that the answer it received is authentic and unmodified, all the way up the chain of trust from the root. Two caveats a practitioner should keep in mind: DNSSEC proves integrity but does not encrypt queries, so it hides nothing from an observer; and the check is done by the validating resolver, not the browser, so a stub resolver on a coffee-shop Wi-Fi that trusts whatever the hotspot’s DNS returns gains nothing unless it validates itself or talks to a trusted resolver over DoT/DoH.

How to enable it in Azure:

  1. Go to your DNS Zone.
  2. Select DNSSEC from the menu.
  3. Click Enable.
  4. Azure signs the zone. You then take the provided “DS Records” and upload them to your registrar (where you bought the domain). Nothing validates until the parent publishes that DS, so check from outside once it propagates.

It is a 10-minute setup that significantly hardens your security posture. The one way to hurt yourself: never disable DNSSEC, move the zone, or roll the key while the old DS is still published at the parent. Remove the DS at the registrar first and wait out the parent’s TTL; a DS that points at a key the zone no longer serves makes validating resolvers return SERVFAIL for your whole domain.
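The outside-in checks to run after enabling DNSSEC and pasting the DS at the registrar, added here as an example that is not from the original article. It uses only Resolve-DnsName (Windows DnsClient) against a public validating resolver, 1.1.1.1, and assumes the Part 1 zone name; dig +dnssec gives the same information on Linux or macOS.

```powershell
# Added example (not from the original article): verify a DNSSEC chain from the outside.
$zone     = "logisticsus-example.com"
$resolver = "1.1.1.1"     # any public validating resolver works

# 1. An authoritative Azure name server must serve DNSKEY plus RRSIG for the zone.
$ns   = (Resolve-DnsName -Name $zone -Type NS -Server $resolver -DnsOnly |
         Where-Object { $_.Type -eq 'NS' } | Select-Object -First 1).NameHost
$keys = Resolve-DnsName -Name $zone -Type DNSKEY -Server $ns -DnssecOk -DnsOnly -ErrorAction SilentlyContinue

# 2. The parent (.com) must publish the DS you uploaded; without it nothing validates.
$ds   = Resolve-DnsName -Name $zone -Type DS -Server $resolver -DnssecOk -DnsOnly -ErrorAction SilentlyContinue

# 3. A normal lookup through the validating resolver must still succeed. If it fails
#    but the same query with checking disabled (CD bit) succeeds, the chain is broken:
#    typically a stale DS after a key change or a DS for a key the zone never served.
$a   = Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk -DnsOnly -ErrorAction SilentlyContinue
$aCd = Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecCd -DnsOnly -ErrorAction SilentlyContinue

[pscustomobject]@{
    AuthoritativeNS    = $ns
    DnskeyRecords      = @($keys | Where-Object { $_.Type -eq 'DNSKEY' }).Count
    ZoneSigned         = [bool]($keys | Where-Object { $_.Type -eq 'RRSIG' })
    DsAtParent         = @($ds   | Where-Object { $_.Type -eq 'DS' }).Count
    ValidatesOk        = [bool]$a
    BrokenChainSuspect = (-not $a) -and [bool]$aCd
}
```

Expected healthy output is DnskeyRecords of at least 2 (a key-signing key and a zone-signing key), ZoneSigned True, DsAtParent of 1 or more, ValidatesOk True and BrokenChainSuspect False. A DsAtParent of 0 with everything else True means the registrar step has not taken effect yet, which is harmless; BrokenChainSuspect True is an outage for every user behind a validating resolver.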

Pricing and Cost Management

One of the reasons I push for Azure DNS is that it is incredibly cheap for the value it provides.

  • Zone Price: Roughly $0.50 per zone per month.
  • Query Price: Roughly $0.40 per million queries.

For a typical mid-sized US business, your DNS bill might be $2.00 a month. Even for massive enterprises, it rarely exceeds a few hundred dollars. Compared to the cost of a single hour of downtime, this is negligible.

Bullet Point Summary of Costs:

  • You pay for the Zone (the container for records).
  • You pay for the Queries (traffic).
  • Private Zones follow a similar pricing model.
  • Alias records linked to Azure resources are often free of query charges (check current pricing).

Troubleshooting Common Issues

Even with a robust system, things break. Here are the top issues I see in the field and how I fix them.

1. “It works on my machine but not for the client”

This is usually a TTL (Time To Live) issue. If you change a record from IP 1.2.3.4 to 5.6.7.8, but the TTL was set to 1 hour (3600 seconds), anyone who visited the site recently still has the old IP cached in their ISP’s resolver, and that resolver will keep serving it for up to the full hour after your change.

  • My Fix: Before making a big change, I lower the TTL to 60 seconds well in advance. The rule is at least one old TTL before the cutover (a day covers anything up to 86400 seconds), because resolvers that cached the record under the old TTL keep it for that long regardless of the new value. After the change has settled, I raise the TTL again; a 60-second TTL forever just multiplies query volume and cost.
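The pre-cutover TTL drop as an Azure PowerShell script, added here as an example that is not from the original article. It assumes the Az module and the Part 1 zone, and leaves the SOA and NS record sets alone.

```powershell
# Added example (not from the original article): lower TTLs ahead of a migration and
# compute when the cutover is safe.
$rg     = "rg-dns-networking"
$zone   = "logisticsus-example.com"
$newTtl = 60

# Collect first, then modify: Set-AzDnsRecordSet uses the record set's Etag, so a
# concurrent edit by someone else fails loudly instead of being silently overwritten.
$sets = Get-AzDnsRecordSet -ZoneName $zone -ResourceGroupName $rg |
    Where-Object { $_.RecordType -notin 'SOA','NS' -and $_.Ttl -gt $newTtl }

$maxOld = 0
foreach ($rs in $sets) {
    if ($rs.Ttl -gt $maxOld) { $maxOld = $rs.Ttl }
    $rs.Ttl = $newTtl
    Set-AzDnsRecordSet -RecordSet $rs | Out-Null
    Write-Host ("{0,-6} {1,-20} TTL -> {2}" -f $rs.RecordType, $rs.Name, $newTtl)
}

# Resolvers that cached a record under the OLD TTL keep it for that long, so the
# earliest safe cutover is one old maximum TTL from now, not a fixed "one day".
function Get-SafeCutoverTime {
    param([int]$OldMaxTtlSeconds, [datetime]$From = (Get-Date))
    return $From.AddSeconds($OldMaxTtlSeconds)
}
$safeAfter = Get-SafeCutoverTime -OldMaxTtlSeconds $maxOld
Write-Host "Old maximum TTL was $maxOld s; change the records after $safeAfter."
# After the cutover plus one more $newTtl period, run the same loop with a larger TTL.
```

Alias record sets are included: their TTL governs how long the answer Azure computes from the target is cached, so they need the same treatment before a target swap.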

2. The “Dangling DNS” Risk

This happens when you delete a Virtual Machine (and its Public IP) but forget to delete the DNS record pointing to it. A hacker can potentially claim that now-released IP address and serve malicious content to your users who are still visiting the old link. The same risk, and in practice the more common one, comes from CNAME records that point at a deprovisioned Azure hostname such as myapp.azurewebsites.net: anyone who creates a new App Service with that name inherits your subdomain (a subdomain takeover), complete with the trust your users and any cookies scoped to your domain give it.

  • My Fix: Use Alias Records wherever possible, as they prevent this by strictly linking the record to the resource’s lifecycle. For records that cannot be aliases, audit the zone on a schedule: every A record’s address should be a public IP you still own, and every CNAME to an Azure-hosted name should still resolve.
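A dangling-record audit in Azure PowerShell, added here as an example that is not from the original article (Microsoft publishes its own script for this; this one is independent). It assumes the Az module with Reader on every subscription in the tenant that holds public IPs, the Part 1 zone, and a list of Azure-hosted suffixes that is illustrative rather than exhaustive.

```powershell
# Added example (not from the original article): find A records whose address you no
# longer own and CNAMEs to Azure names that no longer resolve.
$rg   = "rg-dns-networking"
$zone = "logisticsus-example.com"

# Inventory of public IPv4 addresses you own across every subscription you can read.
$owned = @{}
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzPublicIpAddress |
        Where-Object { $_.IpAddress -match '^\d' } |        # skip "Not Assigned" dynamic IPs
        ForEach-Object { $owned[$_.IpAddress] = $_.Id }
}

# Azure-hosted suffixes where a released name can be re-registered by anyone (illustrative list).
$takeoverSuffixes = '\.(azurewebsites\.net|cloudapp\.azure\.com|trafficmanager\.net|azurefd\.net|blob\.core\.windows\.net)$'

$findings = foreach ($rs in Get-AzDnsRecordSet -ZoneName $zone -ResourceGroupName $rg) {
    if ($rs.TargetResourceId) { continue }     # alias: bound to the resource lifecycle, cannot dangle

    if ($rs.RecordType -eq 'A') {
        foreach ($ip in $rs.Records.Ipv4Address) {
            if (-not $owned.ContainsKey($ip)) {
                [pscustomobject]@{ Name = $rs.Name; Type = 'A'; Target = $ip; Problem = 'address not owned in this tenant' }
            }
        }
    }
    elseif ($rs.RecordType -eq 'CNAME') {
        $target = $rs.Records.Cname
        if ($target -match $takeoverSuffixes) {
            $alive = Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction SilentlyContinue
            if (-not $alive) {
                [pscustomobject]@{ Name = $rs.Name; Type = 'CNAME'; Target = $target; Problem = 'target does not resolve: takeover risk' }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host "No dangling records found in $zone." }
```

Treat every finding as “delete the record now, then investigate”; an A record to an address some other tenant has already been assigned is not something to leave for the next change window.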

3. Private DNS Resolution Failure

Sometimes a VM in VNet A cannot resolve a name in Private Zone B.

  • My Fix: Check the Virtual Network Links. Just creating the zone isn’t enough; you must explicitly “link” the VNet to the Private DNS Zone in the Azure Portal, and a peered VNet does not inherit its neighbour’s links. Also check the VM’s DNS settings: private zones are answered by Azure’s resolver at 168.63.129.16, so a NIC or VNet configured with custom DNS servers only sees them if those servers forward to that address.
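The link check as an Azure PowerShell diagnostic, added here as an example that is not from the original article. Given a VM that cannot resolve a private name, it finds the VM’s VNet, warns about custom DNS on the NIC, and lists which private zones are linked to that VNet. It assumes the Az module and placeholder names (VM-Inventory-01 in rg-app-prod, zone internal.logisticsus); zones and the VM may live in different resource groups.

```powershell
# Added example (not from the original article): why can't this VM resolve a private zone?
$vmName = "VM-Inventory-01"
$vmRg   = "rg-app-prod"
$wanted = "internal.logisticsus"

$vm  = Get-AzVM -Name $vmName -ResourceGroupName $vmRg
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

# Subnet id ends in /virtualNetworks/<vnet>/subnets/<subnet>; keep the VNet part.
$vnetId = ($nic.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]

# Custom DNS servers on the NIC bypass Azure's resolver (168.63.129.16), and with it
# every private zone, unless they forward to it. (VNet-level custom DNS has the same effect.)
if ($nic.DnsSettings.DnsServers) {
    Write-Warning ("NIC uses custom DNS {0}; private zones work only if those servers forward to 168.63.129.16" `
        -f ($nic.DnsSettings.DnsServers -join ', '))
}

# Enumerate every private zone in the subscription and keep the links that point at this VNet.
$linked = foreach ($z in Get-AzPrivateDnsZone) {
    Get-AzPrivateDnsVirtualNetworkLink -ZoneName $z.Name -ResourceGroupName $z.ResourceGroupName |
        Where-Object { $_.VirtualNetworkId -eq $vnetId } |
        ForEach-Object {
            [pscustomobject]@{
                Zone         = $z.Name
                Link         = $_.Name
                Registration = $_.RegistrationEnabled
                State        = $_.VirtualNetworkLinkState
            }
        }
}

Write-Host "Private zones linked to $vnetId :"
$linked | Format-Table -AutoSize

if (-not ($linked | Where-Object { $_.Zone -eq $wanted })) {
    Write-Warning "$wanted is not linked to this VNet. Add a link (registration optional) and retry the lookup."
}
```

A link whose State is not Completed (for example while the VNet is still provisioning) also explains a resolution failure, which is why the state column is worth printing alongside the zone name.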

Conclusion

Azure Domain Name Services is the hero of the cloud ecosystem. It bridges the gap between your brand name and your technical infrastructure with enterprise-grade reliability and security.

By moving your DNS management into Azure, you gain the ability to manage your entire stack—from the domain name down to the database—in a single place. Day-to-day record changes no longer require anyone to log into a shared registrar account (that account still controls the delegation and DS record, so lock it down and use it rarely), you gain the speed of Microsoft’s global network, and you unlock powerful features like Private DNS and Alias Records.
