Deep Dive: Azure DNS vs Windows DNS — 差异、场景关系与排查建议
Deep Dive: Azure DNS vs Windows DNS — 差异、场景关系与排查建议
Topic: Azure DNS vs Windows DNS Server
Category: Networking / DNS / Cloud
Level: 中高级 / Senior
Last Updated: 2026-03-18
1. 概述 (Overview)
在微软的技术生态中,有两套看似相似但架构完全不同的 DNS 系统:
- Windows DNS Server:Windows Server 上的传统 DNS 角色,通常与 Active Directory 深度集成,承担企业内网的名称解析
- Azure DNS:Azure 平台上的云原生 DNS 服务,包括公有 DNS 托管、私有 DNS 区域和 DNS Private Resolver
很多工程师容易混淆两者,尤其是在混合云 (Hybrid) 环境中,这两套系统需要协同工作。理解它们的本质差异和协作方式,是做好混合环境 DNS 排查的前提。
一句话总结:Windows DNS 是你自己开的邮局(自建、自管、自维护);Azure DNS 是顺丰/联邦快递的云端分拣中心(托管、免运维、按需付费)。两者可以配合——你的邮局负责本地包裹,快递公司负责跨区域投递。
2. 核心概念 (Core Concepts)
2.1 Windows DNS Server
Windows Server 内置的 DNS 服务角色,已有 20+ 年历史。
| 特性 | 说明 |
|---|---|
| 部署位置 | 本地服务器(物理机/VM),也可以是 Azure IaaS VM |
| AD 集成 | 核心优势。支持 AD-Integrated Zones(区域数据存储在 AD 中,随 AD 复制) |
| 区域类型 | Primary、Secondary、Stub、Conditional Forwarder、AD-Integrated |
| 动态更新 | 支持 Secure Dynamic Update(域成员机器自动注册 DNS 记录) |
| DNSSEC | 支持 |
| 管理方式 | DNS Manager (dnsmgmt.msc)、PowerShell (DnsServer 模块)、dnscmd |
| 适用场景 | AD 环境、内网名称解析、需要精细控制的企业 DNS |
类比:Windows DNS 就像公司内部的电话簿管理员——他认识每个员工(AD 集成),知道谁搬了办公室(动态更新),可以手动加条目也能自动维护。
2.2 Azure DNS 全家族
Azure DNS 不是一个单一服务,而是一个家族:
Azure Public DNS
- 定位:互联网域名托管(替代 GoDaddy、Cloudflare 等的 DNS 托管)
- 功能:托管公共 DNS 区域,管理 A/AAAA/CNAME/MX/TXT 等记录
- 特点:基于 Azure Anycast 网络,全球分布,100% SLA
- 不支持:域名购买(只做 DNS 托管,不卖域名)、DNSSEC(截至目前)
Azure Private DNS
- 定位:Azure 虚拟网络内部的私有 DNS 解析
- 功能:
- 创建自定义私有区域(如
contoso.internal) - VNet Link:将私有区域链接到 VNet,VNet 内的资源可以解析该区域
- Auto-registration:启用后,VNet 中的 VM 自动注册 A 记录到私有区域
- 创建自定义私有区域(如
- 关键限制:只能被 linked 的 VNet 中的资源解析;本地网络不能直接查询
类比:Azure Private DNS 像小区内部的楼号系统——住在小区内的人(VNet 内的 VM)能查到”3 号楼 502”在哪里,但小区外面的人(On-prem)看不到这个系统。
Azure DNS Private Resolver
- 定位:打通 Azure Private DNS 和本地 DNS 的”桥梁”
- 组件:
- Inbound Endpoint:接收来自外部(如本地 DNS)的查询,转发到 Azure DNS
- Outbound Endpoint:将 Azure 内的查询转发到外部(如本地 DNS 服务器)
- DNS Forwarding Ruleset:定义哪些域名转发到哪些 DNS 服务器
- 价值:无需部署 VM 做 DNS 转发器(之前的标准做法)
类比:Private Resolver 像小区和外面世界之间的传达室——外面来的信(on-prem DNS 查询)通过传达室转交给小区物业(Azure Private DNS);小区住户要查外面的地址(on-prem 域名),也通过传达室转交给外面的邮局(on-prem DNS)。
Azure Traffic Manager
- DNS 级别的全局流量分配器(非传统 DNS 角色,但基于 DNS 实现)
3. 工作原理 (How It Works)
3.1 整体架构:混合环境中的 DNS 协作
┌──────────────────────────────────────────────────────────────────────┐
│ Azure Cloud │
│ │
│ ┌─────────────┐ ┌────────────────────┐ ┌───────────────┐ │
│ │ Azure VM │ │ Azure Private DNS │ │Azure Public │ │
│ │ (VNet内) │─────>│ contoso.internal │ │DNS │ │
│ │ │ │ privatelink.blob.. │ │contoso.com │ │
│ └──────────────┘ └────────┬───────────┘ └───────────────┘ │
│ │ │
│ ┌────────────▼───────────┐ │
│ │ DNS Private Resolver │ │
│ │ ┌──────┐ ┌─────────┐ │ │
│ │ │Inbound│ │Outbound │ │ │
│ │ │Endpoint│ │Endpoint │ │ │
│ │ └──┬───┘ └────┬────┘ │ │
│ └─────┼───────────┼──────┘ │
│ │ │ │
└───────────────────────────┼───────────┼───────────────────────────────┘
│ │
ExpressRoute / VPN Gateway
│ │
┌───────────────────────────┼───────────┼───────────────────────────────┐
│ On-Premises │ │
│ │ │ │
│ ┌─────▼───────────▼────┐ │
│ │ Windows DNS Server │ │
│ │ (AD-Integrated) │ │
│ │ corp.contoso.com │ │
│ └──────────────────────┘ │
│ │ │
│ ┌─────▼──────┐ │
│ │ AD 域控/ │ │
│ │ 客户端/服务器│ │
│ └────────────┘ │
└──────────────────────────────────────────────────────────────────────┘
3.2 DNS 查询流程:Azure VM 解析 On-prem 域名
Azure VM 查询 fileserver.corp.contoso.com
│
▼
VNet DNS 设置 = Azure Default (168.63.129.16)
│
▼
Azure DNS 检查:有匹配的 Private DNS Zone?
│ 没有 corp.contoso.com 的私有区域
▼
检查 DNS Forwarding Ruleset(Outbound Endpoint)
│ 匹配规则:*.corp.contoso.com → 转发到 10.1.1.10 (on-prem DNS)
▼
通过 Outbound Endpoint → ExpressRoute/VPN → On-prem DNS
│
▼
Windows DNS Server 解析 → 返回 IP
3.3 DNS 查询流程:On-prem 客户端解析 Azure Private Endpoint
On-prem 客户端查询 storageaccount.blob.core.windows.net
│
▼
Windows DNS Server 收到查询
│ 配置了条件转发器:blob.core.windows.net → 10.2.1.4 (Private Resolver Inbound)
▼
通过 ExpressRoute/VPN → DNS Private Resolver Inbound Endpoint
│
▼
Azure DNS 检查 Private DNS Zone:privatelink.blob.core.windows.net
│ 找到 A 记录:storageaccount.privatelink.blob.core.windows.net → 10.2.2.5
▼
返回私有 IP 10.2.2.5(而不是公网 IP)
│
▼
On-prem 客户端通过 ExpressRoute/VPN 直接访问 Azure Storage 的私有端点
3.4 Private Endpoint 的 DNS 解析魔法
Private Endpoint 是 Azure DNS 最复杂的场景之一。以 Storage Account 为例:
公网解析(无 Private Endpoint):
storageaccount.blob.core.windows.net
→ CNAME → storageaccount.privatelink.blob.core.windows.net
→ A → 52.x.x.x (公网 IP)
私网解析(有 Private Endpoint + Private DNS Zone):
storageaccount.blob.core.windows.net
→ CNAME → storageaccount.privatelink.blob.core.windows.net
→ (Private DNS Zone 接管) → A → 10.2.2.5 (私有 IP)
关键机制:Azure 在公共 DNS 上为每个服务自动创建一条 CNAME,指向
privatelink.*子域。当 VNet 链接了对应的 Private DNS Zone 时,privatelink.*的解析被私有区域”劫持”,返回私有 IP。公共 DNS 的 CNAME 是”钩子”,Private DNS Zone 是”拦截器”。
4. 关键差异对比 (Key Differences)
4.1 功能对比
| 维度 | Windows DNS Server | Azure Public DNS | Azure Private DNS |
|---|---|---|---|
| 部署位置 | On-prem / Azure VM | Azure PaaS | Azure PaaS |
| 管理方式 | DNS Manager / PowerShell / dnscmd | Azure Portal / CLI / ARM | Azure Portal / CLI / ARM |
| AD 集成 | ✅ 核心优势 | ❌ 不支持 | ❌ 不支持 |
| 动态更新 | ✅ Secure Dynamic Update | ❌ 不支持 | ✅ Auto-registration(仅限 Azure VM) |
| 条件转发 | ✅ | ❌ | ❌(需要 Private Resolver) |
| Stub Zone | ✅ | ❌ | ❌ |
| Secondary Zone | ✅ | ❌ | ❌ |
| DNSSEC | ✅ | ❌ | ❌ |
| 可用性 | 需自行配置 HA(AD 复制/辅助区域) | 100% SLA(Azure 基础设施) | 全局资源(不依赖单 VNet/Region) |
| 运维负担 | 高(OS 打补丁、监控、备份) | 零(完全托管) | 零(完全托管) |
| 成本 | Windows Server 许可证 + 硬件/VM | 按区域和查询计费 | 按区域和查询计费 |
| PTR 记录 | ✅ 反向查找区域 | ✅ | ✅ |
| 记录类型 | 所有标准类型 + WINS | A/AAAA/CNAME/MX/PTR/SOA/SRV/TXT/CAA | A/AAAA/CNAME/MX/PTR/SOA/SRV/TXT |
4.2 适用场景对比
| 场景 | 推荐方案 | 原因 |
|---|---|---|
| 纯 AD 环境(On-prem) | Windows DNS | AD 集成是刚需,域加入/SRV 记录/动态更新 |
| 公网域名托管 | Azure Public DNS | 全球 Anycast,高可用,与 Azure 服务集成 |
| Azure VNet 内部解析 | Azure Private DNS | 原生集成,Auto-registration,免运维 |
| Private Endpoint 解析 | Azure Private DNS + Private Resolver | privatelink.* 区域必须用 Private DNS |
| 混合云双向 DNS | Windows DNS + Private Resolver | 各管各的区域,通过 Resolver 互相转发 |
| Azure 中需要 AD | Azure VM 上的 Windows DNS | Azure 没有原生 AD DNS,只能 IaaS 自建 |
5. 常见场景与架构 (Common Scenarios)
场景 1: 纯 On-prem(无 Azure)
[客户端] → [Windows DNS (AD-Integrated)] → [互联网 Forwarder]
- 完全由 Windows DNS 处理
- AD-Integrated Zone 存储
corp.contoso.com - 外部查询通过 Forwarder(如 8.8.8.8 或 ISP DNS)
场景 2: 纯 Azure(无 On-prem)
[Azure VM] → Azure DNS (168.63.129.16) → [Private DNS Zone / Public DNS]
- VNet DNS 设置为默认(Azure-provided DNS = 168.63.129.16)
- Private DNS Zone 用于内部名称
- Azure Public DNS 用于公网域名
场景 3: 混合云(最复杂!)
核心挑战:On-prem 和 Azure 各有自己的 DNS 区域,需要双向解析。
方案 A: DNS Private Resolver(推荐)
On-prem → Windows DNS
├── corp.contoso.com: 本地解析
├── privatelink.*.core.windows.net: 条件转发 → Private Resolver Inbound
└── *.internal.contoso.com: 条件转发 → Private Resolver Inbound
Azure → Azure DNS (168.63.129.16)
├── contoso.internal: Private DNS Zone
├── privatelink.blob.core.windows.net: Private DNS Zone
└── corp.contoso.com: Forwarding Rule → On-prem DNS (10.1.1.10)
方案 B: Azure VM 做 DNS 转发器(旧方案,不推荐)
On-prem → Windows DNS → 条件转发到 Azure VM (运行 Windows DNS)
Azure VM (DNS forwarder) → Azure DNS 168.63.129.16 → Private DNS Zone
⚠️ 这种方案需要额外维护 VM,是 Private Resolver 出现之前的唯一选择。
场景 4: Private Endpoint 解析(最常见的混合 DNS 问题源)
当客户启用了 Azure Storage/SQL/App Service 的 Private Endpoint:
- Azure 自动在公共 DNS 创建 CNAME →
privatelink.* - 需要创建
privatelink.blob.core.windows.netPrivate DNS Zone - Private Endpoint 自动在该 Zone 创建 A 记录
- On-prem 必须也能解析到私有 IP(否则走公网绕远路或被防火墙拦截)
- On-prem DNS 需要条件转发
privatelink.blob.core.windows.net→ Private Resolver
场景 5: Split-Horizon DNS(分裂视图)
同一个域名,内外解析结果不同:
- 外部用户查询
app.contoso.com→ 公网 IP - 内部用户查询
app.contoso.com→ 私有 IP
Azure 实现:
- Azure Public DNS 托管
contoso.com(公网记录) - Azure Private DNS 托管
contoso.com(私有记录,链接到 VNet) - VNet 内查询时 Private DNS Zone 优先
6. 关键配置与参数 (Key Configurations)
| 配置项 | 位置 | 说明 | 典型值 |
|---|---|---|---|
| VNet DNS Servers | VNet → DNS servers | VNet 使用的 DNS 服务器 | Default (168.63.129.16) 或自定义 IP |
| Conditional Forwarder | Windows DNS | 将特定域名转发到指定 DNS | privatelink.blob.core.windows.net → 10.2.1.4 |
| Private DNS Zone VNet Link | Azure Private DNS | 将区域链接到 VNet | 启用/禁用 auto-registration |
| DNS Forwarding Ruleset | Private Resolver | 出站转发规则 | corp.contoso.com → 10.1.1.10:53 |
| Inbound Endpoint IP | Private Resolver | 入站端点 IP(On-prem 转发目标) | VNet 子网中分配的 IP |
| NIC DNS | Azure VM NIC | VM 级别 DNS 覆盖 | 通常继承 VNet 设置 |
关键的 “168.63.129.16”
这是 Azure 平台的虚拟公共 IP(Azure wireserver),用于:
- 默认 DNS 解析(Azure-provided DNS)
- DHCP 续租
- Health probe
- VM Agent 通信
⚠️ 如果 VNet DNS 设置为自定义 DNS 服务器(如 on-prem DNS),Azure VM 将不再查询 168.63.129.16,也就无法解析 Azure Private DNS Zone。这是混合场景中最常见的配置错误。
7. 常见问题与排查 (Common Issues & Troubleshooting)
问题 A: Azure VM 无法解析 Private Endpoint
症状:Azure VM 访问 Storage/SQL 的 Private Endpoint 时解析到公网 IP 而非私有 IP。
排查思路:
nslookup storageaccount.blob.core.windows.net— 看返回的是公网 IP 还是私有 IP- 检查 VNet DNS 设置:是 Default (168.63.129.16) 还是自定义?
- 如果是自定义 DNS(如指向 on-prem DNS),VM 不会查 Azure Private DNS Zone
- 自定义 DNS 必须能转发
privatelink.*查询回 Azure(通过 Private Resolver Inbound 或 Azure VM forwarder)
- 检查 Private DNS Zone 是否链接到 VM 所在的 VNet
- 检查 Private Endpoint 的 A 记录是否存在于 Private DNS Zone
关键命令:
# 在 Azure VM 上
nslookup storageaccount.blob.core.windows.net
nslookup storageaccount.privatelink.blob.core.windows.net
# 检查 Private DNS Zone
az network private-dns record-set list -g <rg> -z privatelink.blob.core.windows.net
问题 B: On-prem 无法解析 Azure Private Endpoint
症状:On-prem 客户端访问 Azure Storage Private Endpoint 时解析到公网 IP,流量走公网(可能被防火墙拦截)。
排查思路:
- On-prem DNS 是否配置了条件转发器?
- 需要将
privatelink.blob.core.windows.net转发到 Private Resolver Inbound Endpoint IP
- 需要将
- ExpressRoute/VPN 是否正常(DNS 查询需要走专线)
- Private Resolver Inbound Endpoint 是否正常运行
- Private DNS Zone 是否链接到 Private Resolver 所在的 VNet
典型修复:
# 在 On-prem Windows DNS 上添加条件转发器
Add-DnsServerConditionalForwarderZone -Name "privatelink.blob.core.windows.net" -MasterServers 10.2.1.4
Add-DnsServerConditionalForwarderZone -Name "privatelink.database.windows.net" -MasterServers 10.2.1.4
Add-DnsServerConditionalForwarderZone -Name "privatelink.file.core.windows.net" -MasterServers 10.2.1.4
问题 C: Azure VM 无法解析 On-prem AD 域名
症状:Azure VM 无法域加入、无法访问本地文件服务器 FQDN。
排查思路:
- VNet DNS 设置是否指向了能解析 AD 域的 DNS?
- 方案 1:VNet DNS 指向 Azure 中的 AD DC(如果 DC 已扩展到 Azure)
- 方案 2:VNet DNS 保持 Default + Private Resolver Outbound 转发
corp.contoso.com到 On-prem DNS
- DNS Forwarding Ruleset 是否正确配置
- ExpressRoute/VPN 到 On-prem DNS 的连通性
问题 D: “VNet DNS 设置为自定义后 Private DNS Zone 不生效”
这是最高频的混合 DNS 问题!
根因:将 VNet DNS 设置为自定义(如 on-prem DNS 的 IP)后,Azure VM 不再查询 168.63.129.16,因此 Private DNS Zone 的解析被绕过。
解决方案(任选一):
- ✅ 推荐:自定义 DNS 服务器配置条件转发 → Private Resolver Inbound → Azure DNS → Private DNS Zone
- 自定义 DNS 服务器上为
privatelink.*区域手动创建 A 记录(不推荐,维护成本高) - VNet DNS 改回 Default,用 Private Resolver Outbound 转发 on-prem 域名(适用于不需要自定义 DNS 的场景)
问题 E: Private DNS Zone Auto-registration 不工作
排查清单:
- VNet Link 是否启用了 “Enable auto registration”
- 一个 VNet 只能有一个启用了 auto-registration 的 Private DNS Zone
- VM 是否在该 VNet 中
- VM 的 NIC 是否有私有 IP
8. 实战经验 (Practical Tips)
最佳实践
- Private Endpoint 命名规范:为每个 Azure 服务类型创建对应的 Private DNS Zone(如
privatelink.blob.core.windows.net、privatelink.database.windows.net),不要把多个服务的记录混在一个区域 - Private Resolver 是混合环境首选:取代了过去用 Azure VM 做 DNS 转发器的做法,零运维
- 条件转发器列表:混合环境中 On-prem DNS 可能需要为几十个
privatelink.*域名配置条件转发器。建议参考 Private Endpoint DNS 配置 中的完整列表 - 测试 DNS 解析时用 nslookup 指定 DNS 服务器:
nslookup storageaccount.blob.core.windows.net 168.63.129.16可以验证 Azure DNS 是否能正确返回私有 IP
常见误区
- ❌ 误区:Azure Private DNS 可以替代 Windows DNS 做 AD 域名解析
- ✅ 事实:Azure Private DNS 不支持动态更新(SRV/域加入所需),AD 环境仍需 Windows DNS
- ❌ 误区:设置了 Private DNS Zone 就够了,On-prem 自动能解析
- ✅ 事实:On-prem 需要通过条件转发 + Private Resolver Inbound 才能查到 Private DNS Zone
- ❌ 误区:VNet DNS 设为自定义 DNS 后 Private DNS Zone 仍然生效
- ✅ 事实:自定义 DNS 绕过了 168.63.129.16,Private DNS Zone 不再被自动查询
- ❌ 误区:Azure Public DNS 和 Azure Private DNS 是同一个东西
- ✅ 事实:完全不同。Public = 互联网域名托管;Private = VNet 内部私有解析
排查工具
| 工具 | 用途 | 使用场景 |
|---|---|---|
nslookup <name> <server> |
指定 DNS 服务器查询 | 验证不同 DNS 返回的结果 |
Resolve-DnsName |
PowerShell DNS 查询 | 支持指定 DNS 类型和服务器 |
dig (Linux) |
DNS 查询(比 nslookup 详细) | Azure Linux VM 排查 |
az network private-dns record-set list |
列出 Private DNS Zone 记录 | 验证 Private Endpoint A 记录 |
az network private-dns zone show |
查看 Private DNS Zone 状态 | 检查区域配置 |
Get-DnsServerForwarder |
Windows DNS 转发器配置 | On-prem DNS 检查 |
Get-DnsServerZone |
Windows DNS 区域列表 | 检查条件转发器 |
9. 与相关技术的对比 (Comparison)
9.1 DNS 解析方案对比
| 维度 | Windows DNS on Azure VM | Azure Private DNS | Azure Private Resolver |
|---|---|---|---|
| 运维 | 高(OS+DNS 维护) | 零 | 零 |
| 成本 | VM 费用 + 许可证 | 按区域/查询计费 | 固定 + 按查询 |
| AD 集成 | ✅ | ❌ | ❌ |
| 条件转发 | ✅ | ❌ | ✅(Forwarding Ruleset) |
| HA | 需手动配置 | 内置(全局资源) | 内置(AZ-aware) |
| On-prem 互通 | 需额外配置 | 不直接支持 | ✅ 设计目标 |
| 适用 | AD 域控在 Azure 中 | Azure 内部解析 | 混合 DNS 桥梁 |
9.2 何时需要 Windows DNS vs 何时用 Azure DNS
需要 AD 域加入/SRV 记录/安全动态更新?
│
├── 是 → Windows DNS Server(On-prem 或 Azure VM)
│
└── 否 → 需要公网域名托管?
│
├── 是 → Azure Public DNS
│
└── 否 → 需要 Azure VNet 内部解析?
│
├── 是 → Azure Private DNS
│ + Private Resolver(如果需要混合解析)
│
└── 否 → 标准 DNS(第三方/ISP)
10. 参考资料 (References)
- What is Azure DNS? — Azure DNS 服务全家族概述
- What is Azure Private DNS? — 私有 DNS 区域功能和最佳实践
- What is Azure DNS Private Resolver? — Private Resolver 架构和工作流程
- Set up hybrid DNS using Azure DNS Private Resolver — 混合 DNS 配置实战指南
- Azure Private Endpoint DNS configuration — Private Endpoint DNS 区域名称和配置规范
English Version
Deep Dive: Azure DNS vs Windows DNS — Differences, Scenario Relationships & Troubleshooting
Topic: Azure DNS vs Windows DNS Server
Category: Networking / DNS / Cloud
Level: Senior
Last Updated: 2026-03-18
1. Overview
Microsoft’s ecosystem has two fundamentally different DNS systems:
- Windows DNS Server: Traditional DNS role on Windows Server, deeply integrated with Active Directory for enterprise intranet name resolution
- Azure DNS: Cloud-native DNS service family on Azure — Public DNS hosting, Private DNS zones, and DNS Private Resolver
Understanding their differences and how they collaborate is essential for troubleshooting DNS in hybrid cloud environments.
One-liner: Windows DNS is your own post office (self-built, self-managed). Azure DNS is a cloud-based sorting center (managed, zero-maintenance, pay-as-you-go). They work together — your post office handles local mail, the cloud center handles cross-region delivery.
2. Core Concepts
Windows DNS Server
- On-premises DNS role with 20+ years of history
- AD Integration is its core strength: AD-Integrated Zones, Secure Dynamic Update, SRV records for domain services
- Supports: Primary/Secondary/Stub/Conditional Forwarder zones, DNSSEC
- Management: DNS Manager, PowerShell DnsServer module, dnscmd
Azure DNS Family
| Service | Purpose | Key Feature |
|---|---|---|
| Azure Public DNS | Internet domain hosting | Anycast, 100% SLA, replaces third-party DNS hosting |
| Azure Private DNS | VNet internal resolution | VNet Link, Auto-registration for VMs |
| DNS Private Resolver | Hybrid DNS bridge | Inbound/Outbound Endpoints, Forwarding Rulesets |
| Traffic Manager | DNS-based global load balancing | Not traditional DNS, but DNS-powered |
Key analogy: Azure Private DNS = apartment building’s internal directory (only residents can see it). Private Resolver = the concierge desk that relays messages between the building and the outside world.
3. How It Works
Hybrid Architecture
Azure Cloud:
Azure VM → Azure DNS (168.63.129.16) → Private DNS Zone
→ Private Resolver Outbound → On-prem DNS
On-Premises:
Client → Windows DNS → Conditional Forwarder → Private Resolver Inbound → Private DNS Zone
Private Endpoint DNS Resolution (Most Complex)
Public resolution (no PE): storage.blob.core.windows.net → CNAME → storage.privatelink.blob.core.windows.net → Public IP
Private resolution (with PE + Private DNS Zone): Same CNAME, but Private DNS Zone intercepts privatelink.* → Returns private IP
The CNAME is the “hook” in public DNS; the Private DNS Zone is the “interceptor.”
4. Key Differences
| Dimension | Windows DNS | Azure Public DNS | Azure Private DNS |
|---|---|---|---|
| Deployment | On-prem / Azure VM | Azure PaaS | Azure PaaS |
| AD Integration | ✅ Core strength | ❌ | ❌ |
| Dynamic Update | ✅ Secure Dynamic | ❌ | ✅ Auto-registration (VMs only) |
| Conditional Forwarding | ✅ | ❌ | ❌ (needs Private Resolver) |
| DNSSEC | ✅ | ❌ | ❌ |
| Availability | Self-managed HA | 100% SLA | Global resource |
| Maintenance | High (OS patching, monitoring) | Zero | Zero |
5. Common Issues & Troubleshooting
Issue A: Azure VM Resolves Private Endpoint to Public IP
- Root cause: VNet DNS set to custom (on-prem DNS), bypassing 168.63.129.16 → Private DNS Zone not consulted
- Fix: Configure custom DNS to conditionally forward
privatelink.*→ Private Resolver Inbound
Issue B: On-prem Can’t Resolve Azure Private Endpoint
- Root cause: Missing conditional forwarder on Windows DNS for
privatelink.*domains - Fix: Add conditional forwarders pointing to Private Resolver Inbound Endpoint IP
Issue C: Azure VM Can’t Resolve On-prem AD Domain
- Root cause: No DNS forwarding rule for
corp.contoso.com→ on-prem DNS - Fix: Configure Private Resolver Outbound with forwarding rule, or set VNet DNS to Azure AD DC
Issue D: Private DNS Zone Stops Working After Setting Custom VNet DNS
- #1 most common hybrid DNS issue!
- Root cause: Custom DNS bypasses 168.63.129.16 → Private DNS Zone silently ignored
- Fix: Custom DNS must forward
privatelink.*back to Azure (via Private Resolver)
Issue E: Auto-registration Not Working
- Check VNet Link has auto-registration enabled
- Only ONE Private DNS Zone can have auto-registration per VNet
- VM must be in the linked VNet
6. Practical Tips
Best Practices
- Private Resolver is the recommended hybrid DNS bridge — replaces VM-based DNS forwarders
- Create per-service Private DNS Zones for Private Endpoints (blob, database, file, etc.)
- Test with
nslookup <name> 168.63.129.16to verify Azure DNS returns private IPs - Maintain a conditional forwarder list on on-prem DNS for all
privatelink.*domains
Common Misconceptions
- ❌ Azure Private DNS replaces Windows DNS for AD → ✅ AD needs Windows DNS (SRV records, dynamic update)
- ❌ Setting up Private DNS Zone is enough for on-prem → ✅ On-prem needs conditional forwarding via Private Resolver
- ❌ Custom VNet DNS still queries Private DNS Zones → ✅ Custom DNS bypasses 168.63.129.16 entirely
- ❌ Azure Public DNS = Azure Private DNS → ✅ Completely different services
Decision Tree: Which DNS to Use
Need AD join / SRV records / Secure Dynamic Update?
Yes → Windows DNS Server
No → Public domain hosting? → Azure Public DNS
Azure VNet internal? → Azure Private DNS + Private Resolver (hybrid)
7. References
- What is Azure DNS? — Azure DNS service family overview
- What is Azure Private DNS? — Private DNS zone features and best practices
- What is Azure DNS Private Resolver? — Private Resolver architecture and workflow
- Set up hybrid DNS using Azure DNS Private Resolver — Hybrid DNS configuration guide
- Azure Private Endpoint DNS configuration — Complete list of Private Endpoint DNS zone names