
Understanding DNS Services in Azure: Public and Private DNS Zones

Explore the world of DNS services in Azure, from public to private DNS zones. Learn about the differences, functionalities, and limitations of each type.

Video Summary

DNS in Azure plays a crucial role in translating host names to IP addresses, facilitating seamless communication within the cloud environment. Azure offers two primary types of DNS services: public and private. Public DNS services are responsible for hosting records for internet resolution, ensuring that users can access websites and services across the web. On the other hand, private DNS zones are designed for internal systems within virtual networks, providing a secure and efficient way to manage DNS configurations.

Private DNS zones in Azure offer the flexibility of manual record creation and auto registration based on Azure resource names. This feature simplifies the process of managing DNS records for virtual networks, allowing for seamless integration and resolution of internal systems. Virtual networks can be connected to private DNS zones, enabling automatic registration and resolution of resources within the network. However, it's important to note that there are limitations on the number of connections per zone, requiring careful planning and management.

Azure also provides a default internal DNS for virtual networks, enabling automatic registration of Virtual Machines (VMs) to the internal.cloudapp.net namespace. This streamlined approach simplifies DNS management for VMs within the virtual network, ensuring efficient communication and resolution of resources.

The conversation surrounding private DNS zones in Azure highlights the ability to register VMs in a virtual network to a single private DNS zone for auto-registration. This means that all VMs within the virtual network will be automatically registered to the same zone, streamlining DNS management and resolution processes. Additionally, users have the option to utilize other zones for resolution purposes, providing flexibility and customization based on specific requirements.

Private DNS zones in Azure are designed to be global in nature, offering resilience and consistent resolution capabilities across different regions. Users can link multiple virtual networks to private DNS zones, ensuring seamless communication and resolution of resources. The concept of custom DNS servers allows for forwarding requests to Azure DNS for private link zones, enhancing the efficiency and reliability of DNS resolution.

The discussion also delves into public DNS zones, split brain DNS configurations, and the role of Azure Traffic Manager as a global balancer. Public DNS zones are essential for hosting records that are publicly accessible, while split brain DNS configurations enable different DNS responses based on the source of the request. Azure Traffic Manager serves as a global balancer, distributing traffic across different regions for optimal performance and availability.

In conclusion, while Azure private DNS offers robust functionality for managing DNS configurations within virtual networks, there are limitations to consider. Currently, Azure private DNS has restrictions on forwarding requests to other DNS servers, limiting its interoperability with external systems. However, Microsoft continues to develop and enhance this functionality, promising future improvements and expanded capabilities for Azure private DNS services.


Keypoints

00:00:00

Introduction to DNS in Azure

The speaker introduces the topic of DNS in Azure, highlighting the confusion around custom DNS, Azure private DNS, and public DNS. The purpose of DNS is explained as providing a lookup from a host name to an IP address, involving a hierarchy of servers including root domain servers, root hints, and authoritative domain servers.

00:01:59

Types of DNS Services in Azure

Azure offers two key types of DNS services: public and private. Public DNS services host records for resolving over the internet, while private DNS services are used for internal systems to keep records private and not accessible to the internet.

00:02:26

Public DNS Services in Azure

Public DNS services in Azure allow manual creation of records within zones, supporting host records (A for IPv4, AAAA for IPv6) and aliases (CNAME records). The range of record types covered here is narrower than for private DNS services.

00:03:00

Private DNS Services in Azure

Private DNS services in Azure are bound to virtual networks (VNets) so that internal systems stay private. Records can be created manually in a private zone, and auto registration based on Azure resource names creates records in the private DNS zone automatically. The full range of record types is supported: host (A/AAAA), alias (CNAME), pointer (PTR), start of authority (SOA), MX, service (SRV) and text (TXT) records.

00:04:00

Configuration of DNS in Virtual Networks

Within an Azure virtual network, the DNS configuration applies to every resource that obtains its settings through DHCP. The default DNS setting at the VNet level is Azure DNS, which resources inside the virtual network receive through DHCP along with their IP configuration.

00:05:30

Azure DNS Default IP Address

The Azure DNS default IP address is 168.63.129.16, and it is the same in every virtual network. This address is used for Azure DNS services within a virtual network and is not routable outside the network.

00:06:02

Custom DNS Configuration

Custom DNS configurations can be set at both the virtual network level and the network interface (NIC) level. This allows for specific DNS settings tailored to different virtual machines, such as domain controllers or specialized services.

00:07:23

Automatic Private DNS Zone

An automatic private DNS zone, internal.cloudapp.net, is created by default for each virtual network. This zone is free, requires no manual record creation, and automatically registers every VM created within the virtual network.

00:10:06

Private DNS Zones

Private DNS zones offer more flexibility by allowing manual creation of custom DNS records. These zones can resolve across different virtual networks and support various record types like A, CNAME, TXT, etc. Virtual networks can be connected to private DNS zones to enable custom DNS resolution.

00:11:28

Limitation of Virtual Networks to Private DNS Zones

A virtual network can only connect to one private DNS zone for registration purposes. This means that resources created in a virtual network can only register to a single DNS zone and cannot register to multiple private DNS zones.

00:12:24

Connecting Virtual Networks to DNS Zones

A virtual network can connect to only one DNS zone for creating records from the virtual machines (VMs) in the network. However, it can connect to up to a thousand private DNS zones for resolution purposes, allowing the records in those zones to be resolved.

00:13:04

Registration and Resolution Limits

A DNS zone can have up to 100 virtual networks for registration purposes, where VMs automatically register. Additionally, it can have up to a thousand virtual networks for resolution purposes, enabling them to look up and resolve records.

00:14:04

Registration of VMs in Private DNS Zones

VMs, including those in VM scale sets, AKS worker nodes and SQL managed instances, are registered into the private DNS zone linked for auto-registration. This registration is all-inclusive: every VM in a virtual network registers to that one private DNS zone.

00:15:29

Usage of Private DNS Zones

Private DNS zones allow for registering VMs in a virtual network to one DNS zone for registration, while multiple other DNS zones can be used for resolution purposes. It's an all-or-none registration process, ensuring consistency in DNS resolution across different virtual networks.

00:16:16

Global Accessibility of Private DNS Zones

Private DNS zones are global and not bound to any specific region, subnet, virtual network, or tenant. They offer high resilience and replication across regions worldwide, allowing multiple VNets in different locations to use the same DNS zones for consistent resolution.

00:17:01

Custom DNS Servers

Custom DNS servers are servers you run and manage yourself, such as BIND on Linux or Active Directory Domain Services. Azure AD Domain Services DNS is essentially the same, but managed. When configuring custom DNS, the IP addresses of the DNS servers are entered.

00:18:00

Using Azure DNS with Custom DNS

To use Azure DNS for specific functions such as Private Link zones while the VNet is configured with custom DNS, a DNS resolver (forwarder) can be set up inside the virtual network. This resolver forwards those requests to Azure DNS at 168.63.129.16, so the queries are resolved within the virtual network.

00:22:10

Azure DNS Zones

Azure DNS allows the creation of both private and public DNS zones. Private DNS zones are resolved from the virtual networks linked to them, while a public DNS zone requires manually creating the zone and delegating the domain so that Azure becomes its authoritative server.

00:23:23

Split Brain DNS

Split brain DNS means the same zone name exists as both a private zone and a public zone. The private zone takes precedence: if a record exists in the private zone, it is used over the public one.

00:24:02

Azure Traffic Manager

Azure Traffic Manager acts as a global balancer, allowing for the distribution of services around the world. It can resolve to different endpoints based on the client's location or using round-robin methods.

00:25:27

Azure Private DNS Zones

Azure Private DNS Zones allow for linking to multiple virtual networks for common resolution purposes. Currently, forwarding to other DNS servers from Azure Private DNS is not supported but is a feature being worked on by Microsoft.
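The link limits (one registration zone per VNet, up to a thousand zones per VNet for resolution, 100 registration VNets and a thousand resolution VNets per zone), auto-registration, and the split brain precedence rule from the keypoints above, as an added example that is not from the video and not Azure's own tooling or SDK: a small Python model that validates a proposed link layout against those limits before it is deployed, and resolves names the way a client inside a given VNet would see them. Zone names (corp.example, privatelink.example), VNet names and addresses are constructed.

```python
"""Model of Azure Private DNS zone links and split-brain resolution.

Added example, not Azure's own code or SDK. It encodes the link limits and
the resolution precedence described in the summary so a proposed link layout
can be checked offline and the effect of a split-brain zone can be reasoned
about. All zone names, VNet names and addresses are constructed.
"""
from dataclasses import dataclass, field

# Limits as stated in the summary. A registration link also provides
# resolution, so every link counts toward the per-VNet and per-zone totals.
MAX_REGISTRATION_ZONES_PER_VNET = 1
MAX_ZONES_PER_VNET = 1000
MAX_REGISTRATION_VNETS_PER_ZONE = 100
MAX_VNETS_PER_ZONE = 1000


@dataclass(frozen=True)
class Link:
    """A virtual network link to a private DNS zone."""
    vnet: str
    zone: str
    registration: bool = False  # True: VMs in `vnet` auto-register into `zone`


@dataclass
class Zone:
    """A DNS zone; the same name may exist once privately and once publicly."""
    name: str
    private: bool
    records: dict = field(default_factory=dict)  # "host.zone" -> IPv4 string


def check_links(links):
    """Return a list of violations of the stated link limits (empty if valid)."""
    zones_of, reg_zones_of, vnets_of, reg_vnets_of = {}, {}, {}, {}
    for l in links:
        zones_of.setdefault(l.vnet, set()).add(l.zone)
        vnets_of.setdefault(l.zone, set()).add(l.vnet)
        if l.registration:
            reg_zones_of.setdefault(l.vnet, set()).add(l.zone)
            reg_vnets_of.setdefault(l.zone, set()).add(l.vnet)
    checks = [
        (reg_zones_of, MAX_REGISTRATION_ZONES_PER_VNET, "vnet", "registration zones"),
        (zones_of, MAX_ZONES_PER_VNET, "vnet", "linked zones"),
        (reg_vnets_of, MAX_REGISTRATION_VNETS_PER_ZONE, "zone", "registration vnets"),
        (vnets_of, MAX_VNETS_PER_ZONE, "zone", "linked vnets"),
    ]
    problems = []
    for table, limit, kind, what in checks:
        for key, members in sorted(table.items()):
            if len(members) > limit:
                problems.append(f"{kind} {key}: {len(members)} {what} (max {limit})")
    return problems


def private_zone(zones, name):
    """Find (or create) the private zone called `name` in the zone list."""
    for z in zones:
        if z.private and z.name == name:
            return z
    z = Zone(name, private=True)
    zones.append(z)
    return z


def auto_register(vm, ip, vnet, links, zones):
    """Create the A record the platform creates for a new VM: one record in the
    single private zone linked to `vnet` with registration enabled.
    Returns the FQDNs registered (empty if the VNet has no registration link)."""
    names = []
    for l in links:
        if l.vnet == vnet and l.registration:
            fqdn = f"{vm}.{l.zone}"
            private_zone(zones, l.zone).records[fqdn] = ip
            names.append(fqdn)
    return names


def resolve(fqdn, vnet, links, zones):
    """Answer `fqdn` as a client inside `vnet` sees it. A private zone linked to
    the VNet is consulted first and wins when it holds the record (split brain);
    otherwise the public zone of the same name answers.
    Returns ("private" | "public", address) or None."""
    linked = {l.zone for l in links if l.vnet == vnet}
    for private in (True, False):
        for z in zones:
            if z.private != private or not fqdn.endswith("." + z.name):
                continue
            if private and z.name not in linked:
                continue  # private zones are invisible to VNets not linked to them
            if fqdn in z.records:
                return ("private" if private else "public", z.records[fqdn])
    return None


def sample_environment():
    """Constructed hub/spoke layout with one split-brain zone (corp.example)."""
    links = [Link("vnet-hub", "corp.example", registration=True),
             Link("vnet-hub", "privatelink.example"),
             Link("vnet-spoke", "corp.example", registration=True)]
    zones = [Zone("corp.example", True, {"app.corp.example": "10.0.0.4"}),
             Zone("corp.example", False, {"app.corp.example": "203.0.113.10",
                                          "www.corp.example": "203.0.113.20"}),
             Zone("privatelink.example", True, {"db.privatelink.example": "10.0.1.8"})]
    return links, zones


if __name__ == "__main__":
    links, zones = sample_environment()
    print("violations:", check_links(links))
    print("registered:", auto_register("vm1", "10.0.2.5", "vnet-spoke", links, zones))
    for name, vnet in [("app.corp.example", "vnet-hub"), ("www.corp.example", "vnet-hub"),
                       ("vm1.corp.example", "vnet-hub"), ("app.corp.example", "vnet-dmz")]:
        print(vnet, name, "->", resolve(name, vnet, links, zones))
```

The model deliberately lets a name fall through to the public zone when the linked private zone of the same name has no such record, which is the reading of the summary's "if a record exists in the private zone, it will be used over the public one"; a private zone that is not linked to the querying VNet is never consulted, so the same name can resolve differently from a linked VNet, an unlinked VNet and the internet.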
