Hi, I’m Makoto, a freelance engineer.
In this article, I’ll explain the DNS service provided by Azure. As the name suggests, it’s a basic service that provides domain name resolution, but it’s also a service that can be confusing due to its various uses.
Once again, I’ll explain it in an easy-to-understand manner with diagrams, so please read to the end.
Let’s get started!
How DNS Works
Before we explain Azure services, let’s review how DNS works. DNS terminology is easy to mix up, so it’s worth getting it straight first to avoid confusion later.
First, DNS stands for Domain Name System: it’s the mechanism that maps human-memorable names to the IP addresses machines actually use (and back again). It’s an essential mechanism that supports the foundation of the Internet.
DNS servers manage the association between IP addresses and names (domains) much like a phone book, and these DNS servers are divided into two main roles:
- Authoritative Name Server
- Recursive DNS Server
Authoritative Name Server
When people talk about a DNS server, they usually mean this authoritative name server. It holds the records of the zones it is responsible for (each record associating a domain name with an IP address or other data) and answers queries from that data alone, without consulting other servers.
Authoritative name servers each manage one portion (zone) of the namespace, with the root zone at the top. When asked about a name that has been delegated out of their zone, they don’t answer it themselves; they respond with a referral, the NS records of the authoritative name servers the name was delegated to.
This hierarchy of delegations is what lets a resolver find the IP address for any domain name: start at the root and follow the referrals downward until an authoritative server answers.
The diagram above illustrates this using the domain name of this blog as an example.
When az-start.com is looked up, the query follows the path from the root downward and finally receives the IP address from the authoritative name server of XServer, the hosting provider for this blog.
To repeat, the role of the authoritative name server is to respond with the answer if it knows it and to provide the delegation destination if it doesn’t. The entity that makes these queries is the “Recursive DNS Server”, which we’ll explain next.
Recursive DNS Server
A recursive DNS server plays a secretarial role, receiving requests from clients (browsers) and querying authoritative name servers on their behalf.
Once an IP address has been looked up, the recursive server stores (caches) it for the time given by the record’s TTL, so repeated queries for the same name within that period are answered from the cache without asking the authoritative name servers again.
The address of this recursive DNS server is usually supplied by your Internet Service Provider, but public resolvers such as Google’s “8.8.8.8” are recursive DNS servers too.
On Windows, this is the DNS server you set in the following screen. If set to automatic, your provider’s DNS server will be used.
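To make the referral chain concrete, here is a small script that does by hand what the recursive server does: it asks a root server with recursion disabled, follows each NS referral, and stops when an authoritative server answers. This is an added example written for this article, not something from the original post. It assumes `dig` is installed and Internet access is available; 198.41.0.4 (a.root-servers.net) is a public root hint used as the starting point.

```shell
#!/usr/bin/env bash
# Walk a name's delegation chain by hand, the way a recursive resolver does:
# ask a root server with recursion disabled, follow each NS referral, stop at
# the first authoritative answer. Added example for this article (not from the
# original post). Needs dig (bind-utils / dnsutils) and Internet access.

ROOT_SERVER="198.41.0.4"   # a.root-servers.net, a public root hint used as the starting point

# Ask SERVER about NAME with recursion disabled. An authoritative server then
# returns either an answer (ANSWER section) or a referral (NS records in the
# AUTHORITY section, usually with glue A records in ADDITIONAL).
query() {  # query NAME SERVER
  dig +norecurse +noall +answer +authority +additional "$1" A @"$2"
}

# Pure parsers over dig's 5-column record lines: owner ttl class type rdata.
answer_a()    { awk -v n="$1." '$1 == n && $4 == "A" {print $5}'; }        # A records owned by NAME
referral_ns() { awk '$4 == "NS" {print $5}'; }                             # delegated name servers
glue_a()      { awk -v n="$1" '$1 == n && $4 == "A" {print $5; exit}'; }   # glue address of an NS host

walk() {  # walk NAME   (NAME without trailing dot, e.g. az-start.com)
  local name="$1" server="$ROOT_SERVER" hop=0 out ip ns next
  while [ "$hop" -lt 10 ]; do            # bound the loop in case of a delegation cycle
    out="$(query "$name" "$server")"
    ip="$(printf '%s\n' "$out" | answer_a "$name" | head -n1)"
    if [ -n "$ip" ]; then
      echo "hop $hop: $server is authoritative -> $name = $ip"
      return 0
    fi
    ns="$(printf '%s\n' "$out" | referral_ns | head -n1)"
    if [ -z "$ns" ]; then
      echo "hop $hop: $server gave neither an answer nor a referral" >&2
      return 1
    fi
    # Prefer the glue address; fall back to the system resolver for out-of-zone NS hosts.
    next="$(printf '%s\n' "$out" | glue_a "$ns")"
    [ -n "$next" ] || next="$(dig +short "$ns" A | head -n1)"
    echo "hop $hop: $server -> referral to $ns ($next)"
    server="$next"
    hop=$((hop + 1))
  done
  echo "gave up after $hop referrals" >&2
  return 1
}

# Usage: bash walk-delegation.sh az-start.com
if [ "$#" -gt 0 ]; then
  walk "$1"
fi
```

Run it as `bash walk-delegation.sh az-start.com` and each printed hop is one arrow in the diagram above: the root refers you to the .com servers, .com refers you to the zone’s name servers, and those answer. To see the caching described above, query a recursive resolver twice in a row (`dig az-start.com @8.8.8.8`) and watch the TTL in the answer count down between runs instead of resetting to the record’s full value.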
DNS Services Provided by Azure
With that long introduction out of the way, let’s take a look at the DNS services provided by Azure one at a time. As you read, keep in mind whether it’s an authoritative name server or a recursive DNS server.
Azure DNS
Azure DNS is a public authoritative name server provided by Azure. It’s used when publishing web services to the Internet.
Servers are distributed across Azure’s global network, and a mechanism called IP Anycast ensures that the DNS server closest to the user responds.
In addition, Azure DNS has an SLA of 100%, which is one of its notable features in terms of high reliability (although that doesn’t mean it never goes down).
If you want to manage a domain you already own with Azure, you create a DNS zone in Azure DNS and then delegate the domain to it by setting the name servers Azure assigns as the domain’s NS records at your registrar. If you purchase a domain through Azure’s App Service Domains, the DNS zone is created and delegated automatically.
In the diagram, imagine that the XServer name server is replaced by Azure DNS from the beginning.
DNS-based traffic routing and failover features, similar to those in AWS’s Route 53, are provided by Azure Traffic Manager in Azure.
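The delegation step in practice, as an added example for this article (not code from the original post): the script creates a public zone with the Azure CLI, prints the four name servers Azure assigned, and then checks whether the Internet’s view of the zone’s NS records matches them. It assumes a logged-in Azure CLI and `dig`; RG and ZONE are placeholders set in the environment, and the `azure-dns.*` host names in the comments follow Azure’s naming pattern but are illustrative.

```shell
#!/usr/bin/env bash
# Create a public Azure DNS zone and verify the registrar delegation.
# Added example for this article (not from the original post). Assumes the
# Azure CLI is logged in; RG (resource group) and ZONE are placeholders.
set -u

# Pure helper: lowercase, strip trailing dots, drop blanks, dedupe and sort,
# so NS names from Azure ("ns1-01.azure-dns.com.") and from a registrar UI
# ("NS1-01.azure-dns.com") compare equal.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u
}

# Pure helper: succeed only if two newline-separated NS lists are the same set.
same_ns_set() {  # same_ns_set EXPECTED ACTUAL
  local a b
  a="$(printf '%s\n' "$1" | normalize_ns)"
  b="$(printf '%s\n' "$2" | normalize_ns)"
  [ "$a" = "$b" ]
}

create_and_check() {  # create_and_check RG ZONE
  local rg="$1" zone="$2" assigned live
  az network dns zone create --resource-group "$rg" --name "$zone" --output none
  # The name servers Azure assigned to this zone; these go into the NS records at the registrar.
  assigned="$(az network dns zone show --resource-group "$rg" --name "$zone" \
                --query 'nameServers' --output tsv)"
  echo "Set these NS records at your registrar:"
  echo "$assigned"
  # What the Internet currently sees for the zone, via the local recursive resolver.
  live="$(dig +short NS "$zone")"
  if same_ns_set "$assigned" "$live"; then
    echo "delegation OK: $zone is served by Azure DNS"
  else
    echo "delegation is NOT pointing at Azure DNS yet (not set, or not propagated):"
    echo "$live"
    return 1
  fi
}

# Usage: RG=my-rg ZONE=az-start.com bash azure-dns-delegation.sh
if [ -n "${RG:-}" ] && [ -n "${ZONE:-}" ]; then
  create_and_check "$RG" "$ZONE"
fi
```

A recursive resolver may keep the old provider’s NS set cached for up to its TTL after you change the registrar entry, so a mismatch immediately after the change is normal; rerun once the TTL has passed. For a check that bypasses caching, query the parent zone’s authoritative servers directly (the NS records of .com for a .com domain) and compare the referral they return.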
Azure Private DNS
Azure Private DNS is an authoritative name server that operates within Azure virtual network (VNet).
Be careful not to confuse this with the Azure DNS mentioned above. This one has “Private” in its name: its zones are only resolvable from inside the virtual networks linked to them, never from the Internet.
Because it’s used within a closed network, you can use whatever domain names you like for your zones. (You don’t need to buy a domain from a registrar.)
It’s used when you need to publish internal services within a corporate network without exposing them to the Internet.
Azure Private DNS is used by linking (associating) it to a virtual network (the domain name is shown as the same for example purposes).
In addition, when a virtual network is linked to an Azure Private DNS zone with auto-registration enabled, Azure automatically creates A records for the hostnames of the virtual machines in that network and removes them when the machines are deleted, which takes a lot of the work out of managing numerous virtual machines.
Below is an actual screen where I tested creating two virtual machines in separate subnets.
Azure-provided DNS server (168.63.129.16)
This is a recursive DNS server that works within Azure’s virtual network. I’m not sure what its official name is, but I’m using this name because the Azure portal lists it as “Azure-provided”.
This Azure-provided DNS server is provided with a fixed virtual public IP address of 168.63.129.16 and is common to all regions.
Although it wasn’t shown in the Azure Private DNS diagram, this is the recursive DNS server a virtual network uses by default.
By default, when a virtual machine needs name resolution, it requests name resolution from 168.63.129.16. You can confirm that the DNS server is Azure’s by checking ipconfig in Windows or resolv.conf in Linux.
(Screenshots: ipconfig on Windows Server and /etc/resolv.conf on Linux, both showing 168.63.129.16.)
This gets a bit complicated, but an Azure Private DNS zone introduced above is only resolvable through this Azure-provided resolver (168.63.129.16), and only from a virtual network linked to the zone. Azure services rely on this in several places, so if you want to run your own DNS server as the recursive DNS server for a virtual network, it must forward queries for the private zone’s names to 168.63.129.16, or those names will stop resolving.
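Putting the last three points together (linking a private zone with auto-registration, checking which resolver a VM actually uses, and why resolution has to go through 168.63.129.16), as an added example for this article rather than code from the original post. The `az` commands run from a logged-in Azure CLI; the checks run on a Linux VM inside the linked VNet with `dig` installed. RG, VNET, ZONE and VM are placeholders set in the environment.

```shell
#!/usr/bin/env bash
# Private DNS zone with VM auto-registration, plus the checks that show why
# name resolution must go through 168.63.129.16. Added example for this
# article, not from the original post. RG, VNET, ZONE and VM are placeholders.
set -u

AZURE_RESOLVER="168.63.129.16"   # fixed Azure-provided resolver, same in every region

# Pure helper: given the text of /etc/resolv.conf, print its nameserver IPs
# (comments and other directives such as "search" are ignored).
resolv_nameservers() {
  awk '$1 == "nameserver" {print $2}'
}

# Pure helper: succeed if the resolv.conf text sends queries to the Azure resolver.
uses_azure_resolver() {  # uses_azure_resolver RESOLV_CONF_TEXT
  printf '%s\n' "$1" | resolv_nameservers | grep -qxF "$AZURE_RESOLVER"
}

create_private_zone() {  # create_private_zone RG VNET ZONE
  local rg="$1" vnet="$2" zone="$3"
  az network private-dns zone create --resource-group "$rg" --name "$zone" --output none
  # Link the VNet; --registration-enabled makes Azure add/remove A records for VM hostnames.
  az network private-dns link vnet create --resource-group "$rg" --zone-name "$zone" \
     --name "${vnet}-link" --virtual-network "$vnet" --registration-enabled true --output none
  # Show what was auto-registered (auto=True rows were created for VMs, not by hand).
  az network private-dns record-set a list --resource-group "$rg" --zone-name "$zone" \
     --query "[].{name:name, ip:aRecords[0].ipv4Address, auto:isAutoRegistered}" --output table
}

check_from_vm() {  # check_from_vm VM_HOSTNAME ZONE   (run on a VM in the linked VNet)
  local fqdn="$1.$2"
  if uses_azure_resolver "$(cat /etc/resolv.conf)"; then
    echo "this VM resolves through $AZURE_RESOLVER"
  else
    echo "WARNING: custom DNS in use; it must forward $2 to $AZURE_RESOLVER" >&2
  fi
  # The private zone answers only via the Azure resolver from a linked VNet ...
  echo "via Azure resolver:  $(dig +short @"$AZURE_RESOLVER" "$fqdn" A)"
  # ... and is invisible to any public resolver, so this line is expected to be empty.
  echo "via public resolver: $(dig +short @8.8.8.8 "$fqdn" A)"
}

# Usage: RG=my-rg VNET=my-vnet ZONE=corp.internal bash private-dns.sh     (from your workstation)
#        VM=vm1 ZONE=corp.internal bash private-dns.sh                    (on a VM in the linked VNet)
if [ -n "${RG:-}" ] && [ -n "${VNET:-}" ] && [ -n "${ZONE:-}" ]; then
  create_private_zone "$RG" "$VNET" "$ZONE"
elif [ -n "${VM:-}" ] && [ -n "${ZONE:-}" ]; then
  check_from_vm "$VM" "$ZONE"
fi
```

On distributions that use systemd-resolved, /etc/resolv.conf points at the local stub 127.0.0.53 and the upstream server appears in `resolvectl status` instead; the helper above checks the classic file format shown in the screenshot. If you do run your own DNS server for the VNet, configure it to forward the private zone (or all unknown names) to 168.63.129.16, for example with a `forwarders { 168.63.129.16; };` clause in BIND, so the zone stays resolvable.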
Summary
In this article, we have explained how DNS works and the DNS services provided by Azure. Summarizing each service by its use case results in the following table:
| Service Name | Use Case | Notes |
|---|---|---|
| Azure DNS | Authoritative name server used on the Internet | Zone must be delegated from the registrar |
| Azure Private DNS | Authoritative name server used within a VNet | Must be linked to the VNet |
| Azure-provided DNS server | Recursive DNS server (full resolver) operating within a VNet | Fixed at 168.63.129.16 |
It’s best to understand the difference between authoritative and recursive DNS servers, and whether you’re using them on the Internet or within a virtual network.