This chapter covers the Azure DNS Private Resolver, a fully managed service that enables DNS resolution across Azure virtual networks and on-premises networks without needing to deploy custom DNS servers. For the AZ-104 exam, questions on the DNS Private Resolver appear in approximately 5-8% of networking questions, often as part of hybrid connectivity scenarios. You must understand its architecture, components (inbound/outbound endpoints, forwarding rules), and how it differs from Azure-provided DNS and custom DNS solutions. This chapter provides the deep technical knowledge required to answer exam questions correctly and to design resilient hybrid DNS solutions.
Jump to a section
Think of the Azure DNS Private Resolver as a private telephone exchange (PBX) for a large corporate campus. The campus has its own internal phone numbers (private IP addresses) that only work within the building. Employees want to call each other using short internal extensions (like "dial 123 for accounting") instead of remembering full external numbers. The PBX (the Private Resolver) sits in the campus lobby and maintains a directory of all internal extensions. When an employee picks up a phone and dials an internal extension, the PBX looks up the extension in its directory and connects the call directly—no need to go outside. If an employee dials an external number (e.g., 1-800-555-1234), the PBX forwards that call to the public telephone network (Azure's public DNS). The PBX also has a special feature: it can connect to other corporate campuses (on-premises networks) via a private leased line (Azure ExpressRoute or VPN). When an employee dials an extension that belongs to another campus, the PBX forwards the call over the leased line to the other campus's PBX, which then completes the call. The key point: all internal calls stay private and never touch the public network, and the PBX can resolve names across multiple private domains (multiple virtual networks and on-premises). The Azure DNS Private Resolver does exactly this for DNS queries: it resolves names within a virtual network, forwards queries to on-premises DNS servers, and conditionally forwards queries to other DNS servers—all while keeping traffic private.
What is Azure DNS Private Resolver and Why Does It Exist?
Azure DNS Private Resolver is a managed service that provides DNS resolution for Azure virtual networks (VNets) and hybrid networks. Before this service, if you needed to resolve hostnames across peered VNets or between Azure and on-premises, you had to deploy your own DNS servers (e.g., Windows Server with DNS role) or use Azure-provided DNS (168.63.129.16), which only resolved names within a single VNet. The Private Resolver eliminates the need for custom DNS infrastructure by offering a scalable, highly available, and secure DNS resolution service.
How It Works Internally
The Private Resolver operates as a regional service that you provision inside a VNet. It consists of two types of endpoints: - Inbound Endpoint: An inbound endpoint receives DNS queries from on-premises networks via Azure ExpressRoute or VPN. It exposes one or more private IP addresses from the VNet's subnet. On-premises DNS servers can forward queries to these IPs to resolve Azure private zones and custom domains. - Outbound Endpoint: An outbound endpoint sends DNS queries from Azure resources to on-premises DNS servers or other external DNS servers. It uses a dedicated subnet (called the "outbound endpoint subnet") to source traffic. Rules defined in a DNS forwarding ruleset control where queries are forwarded.
When a resource in a VNet (e.g., a VM) performs a DNS lookup, the query first goes to the Azure-provided DNS (168.63.129.16). If the name is not in the VNet's private zone or Azure's public DNS, the query is forwarded to the Private Resolver's outbound endpoint. The outbound endpoint checks the forwarding ruleset: if a rule matches the query domain, the query is forwarded to the specified target DNS servers (e.g., on-premises DNS). Otherwise, the query is sent to Azure's public DNS.
Key Components, Values, Defaults, and Timers
Private Resolver Resource: Created in a region. Must be associated with a VNet.
Inbound Endpoint: Requires a dedicated subnet (minimum /28) in the same VNet as the resolver. The subnet cannot be used for other resources. The endpoint gets one or more IP addresses from this subnet.
Outbound Endpoint: Also requires a dedicated subnet (minimum /28) in the same VNet. This subnet is used for outbound DNS traffic.
DNS Forwarding Ruleset: A collection of rules that define how to forward queries. Rulesets can be linked to multiple VNets (up to 500 VNets per ruleset). Each rule has:
- Domain name (e.g., contoso.com) - Target DNS servers (IP addresses and port, default 53) - Forwarding state (enabled/disabled) - Default TTL: DNS responses from the Private Resolver are cached according to the TTL in the response. The service itself does not impose its own TTL. - Scalability: Each inbound endpoint can handle up to 10,000 queries per second (QPS). Outbound endpoints have similar limits. - High Availability: The service is zone-redundant by default in regions that support Availability Zones. You can also deploy multiple endpoints in different subnets or VNets.
Configuration and Verification Commands
To create a Private Resolver using Azure CLI:
# Create a resource group
az group create --name MyRG --location eastus
# Create a VNet with subnets for endpoints
az network vnet create --name MyVNet --resource-group MyRG --address-prefix 10.0.0.0/16 --subnet-name inbound-subnet --subnet-prefix 10.0.1.0/28
az network vnet subnet create --name outbound-subnet --resource-group MyRG --vnet-name MyVNet --address-prefix 10.0.2.0/28
# Create the Private Resolver
az network private-resolver create --name MyResolver --resource-group MyRG --location eastus --id /subscriptions/.../resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyVNet
# Create inbound endpoint
az network private-resolver inbound-endpoint create --name MyInbound --resource-group MyRG --resolver-name MyResolver --location eastus --ip-configurations private-ip-address=10.0.1.4 private-ip-allocation-method=Static
# Create outbound endpoint
az network private-resolver outbound-endpoint create --name MyOutbound --resource-group MyRG --resolver-name MyResolver --location eastus --subnet /subscriptions/.../resourceGroups/MyRG/providers/Microsoft.Network/virtualNetworks/MyVNet/subnets/outbound-subnet
# Create a forwarding ruleset and link to VNets
az network private-resolver dns-forwarding-ruleset create --name MyRuleset --resource-group MyRG --location eastus --outbound-endpoints [{"id":"/subscriptions/.../outboundEndpoints/MyOutbound"}]
az network private-resolver dns-forwarding-ruleset link create --name MyLink --resource-group MyRG --ruleset-name MyRuleset --virtual-network /subscriptions/.../virtualNetworks/MyVNet
# Add a forwarding rule
az network private-resolver dns-forwarding-ruleset rule create --name MyRule --resource-group MyRG --ruleset-name MyRuleset --domain-name contoso.com. --target-dns-servers [{"ip-address":"192.168.1.10","port":53}] --forwarding-state EnabledVerification:
# Test DNS resolution from a VM in the VNet
nslookup vm01.contoso.com
# The response should come from the on-premises DNS server if the rule matches.How It Interacts with Related Technologies
Azure Private DNS Zones: The Private Resolver can resolve names in Azure Private DNS Zones. If a query matches a private zone, it resolves directly without going to the outbound endpoint.
Azure DNS (Public): Queries not matched by private zones or forwarding rules fall back to Azure public DNS.
Azure ExpressRoute and VPN: On-premises DNS servers can forward queries to the inbound endpoint IPs. The outbound endpoint sends queries to on-premises DNS servers over these connections.
Custom DNS Servers: If you have existing DNS servers (e.g., Active Directory), you can configure forwarding rules to send queries to them.
Azure Firewall: Can be used to filter DNS traffic but is not required for the Private Resolver.
Important Exam Details
The Private Resolver is a regional resource. You can have one resolver per VNet, but you can link multiple VNets to the same forwarding ruleset.
Inbound and outbound endpoints require /28 subnets. These subnets cannot be used for anything else.
The service supports conditional forwarding based on domain name.
It does NOT support DNS recursion (it forwards or resolves directly).
The Private Resolver is not the same as Azure DNS Private Zones; it complements them.
Pricing: Pay per endpoint (inbound/outbound) and per million queries.
Provision the Private Resolver
First, you create the Private Resolver resource in a specific Azure region. You must associate it with a VNet that has at least one dedicated /28 subnet for inbound and/or outbound endpoints. The resolver itself is a logical container for endpoints and forwarding rulesets. During creation, you specify the VNet ID. The service then becomes available for that VNet. If you need high availability, deploy the resolver in a region that supports Availability Zones; the service automatically distributes across zones.
Create inbound endpoint
The inbound endpoint is a front-end for DNS queries coming from on-premises networks. You allocate one or more private IP addresses from a dedicated /28 subnet within the same VNet as the resolver. On-premises DNS servers must be configured to forward queries for Azure private zones to these IPs. The endpoint is zone-redundant if the region supports it. Each inbound endpoint can handle up to 10,000 QPS. You can create multiple inbound endpoints for load balancing or to serve different on-premises locations.
Create outbound endpoint
The outbound endpoint is used to forward DNS queries from Azure resources to on-premises or other DNS servers. It also requires a dedicated /28 subnet in the same VNet. This subnet is used as the source IP for outbound DNS traffic. You must ensure that the subnet's network security group (NSG) allows UDP and TCP port 53 outbound to the target DNS servers. The outbound endpoint is referenced by DNS forwarding rulesets.
Configure DNS forwarding ruleset
A DNS forwarding ruleset contains one or more rules that map domain names to target DNS servers. Create the ruleset and associate it with the outbound endpoint. Then link the ruleset to one or more VNets (up to 500). For each rule, specify the domain name (e.g., 'contoso.com.' with trailing dot), the target DNS servers (IP and port, default 53), and whether forwarding is enabled. Rules are evaluated in order of specificity: more specific domains (e.g., 'sub.contoso.com.') take precedence over less specific ones. If no rule matches, the query is forwarded to Azure public DNS.
Test and verify resolution
After configuration, test DNS resolution from a VM in a linked VNet. Use tools like nslookup or dig. For example, query 'host1.contoso.com'. The VM's DNS query goes to Azure DNS (168.63.129.16), which then forwards it to the Private Resolver outbound endpoint. The resolver checks the forwarding ruleset; if a rule matches 'contoso.com', it forwards the query to the on-premises DNS server. The response flows back. Verify that on-premises DNS servers can also resolve Azure names by querying the inbound endpoint IP from on-premises.
Scenario 1: Hybrid DNS Resolution for a Multi-Site Enterprise
A large enterprise has an on-premises data center with Active Directory (AD) DNS servers (192.168.1.10 and 192.168.1.11) and multiple Azure VNets hosting IaaS workloads. They need Azure VMs to resolve on-premises hostnames (e.g., 'file-server.contoso.com') and on-premises clients to resolve Azure VM names (e.g., 'web-vm.contoso.com'). They deploy an Azure DNS Private Resolver in a hub VNet with both inbound and outbound endpoints. The outbound endpoint is configured with a forwarding ruleset that sends queries for 'contoso.com' to the on-premises DNS servers. The inbound endpoint IPs (10.0.1.4 and 10.0.1.5) are added as conditional forwarders on the on-premises DNS servers for 'contoso.com' (Azure private zone). This creates a full bidirectional resolution. In production, they monitor query rates and scale by adding more IPs to the inbound endpoint or deploying additional resolvers in spoke VNets. A common misconfiguration is forgetting to allow UDP/53 traffic on NSGs for the outbound endpoint subnet, causing queries to time out.
Scenario 2: Isolated Dev/Test Environments with Custom DNS
A software company runs multiple isolated dev/test environments in separate VNets. Each environment uses a custom DNS suffix (e.g., 'dev.contoso.com', 'test.contoso.com'). They want each VNet to resolve its own private zone but also have a central 'shared.contoso.com' zone. They deploy a single Private Resolver in a management VNet with an outbound endpoint. They create separate forwarding rulesets for each environment linked to the respective VNet. Each ruleset has rules for the environment-specific domain pointing to a dedicated DNS server (e.g., a VM running BIND) and a catch-all rule for 'contoso.com' pointing to the central DNS server. This avoids the need to deploy a resolver per VNet. However, if the central DNS server goes down, all 'contoso.com' queries fail. They mitigate this by deploying redundant DNS servers and using multiple target IPs in the rule.
Scenario 3: Mergers and Acquisitions – DNS Consolidation
After an acquisition, two companies need to integrate their DNS namespaces. Company A uses 'acompany.com' and Company B uses 'bcompany.com'. Both have on-premises DNS and Azure VNets. They deploy a Private Resolver in a shared VNet with inbound and outbound endpoints. On-premises DNS servers of both companies forward queries for the other company's domain to the inbound endpoint. The forwarding ruleset sends queries for 'acompany.com' to Company A's DNS and 'bcompany.com' to Company B's DNS. This allows seamless name resolution without changing existing DNS infrastructure. Performance is critical: if the inbound endpoint is overloaded, queries from on-premises may fail. They scale by adding more IPs to the inbound endpoint and using DNS server-level load balancing.
What AZ-104 Tests on This Topic
The exam objective "Configure and manage Azure DNS" (4.3) includes the Azure DNS Private Resolver. Specifically, you need to know:
The purpose and architecture (inbound/outbound endpoints, forwarding rulesets).
How to configure hybrid DNS resolution using the Private Resolver.
Differences between Azure DNS Private Resolver, Azure Private DNS Zones, and custom DNS servers.
Requirements: dedicated /28 subnets for endpoints.
Limitations: cannot be used for public DNS resolution; does not support recursion.
Common Wrong Answers and Why Candidates Choose Them
"You can use the same subnet for inbound and outbound endpoints." – Wrong. Each endpoint type requires its own dedicated /28 subnet. Candidates see that both are endpoints and assume they can share a subnet. Reality: they must be separate.
"The Private Resolver replaces Azure DNS (168.63.129.16)." – Wrong. The Private Resolver works alongside Azure DNS. Azure DNS still handles initial resolution for VNet private zones; only unmatched queries go to the resolver.
"You need to deploy a VM to run the DNS server role." – Wrong. The Private Resolver is a managed service; no VMs are needed. Candidates familiar with on-premises DNS think they need to provision infrastructure.
"The forwarding ruleset can be linked to any VNet in any region." – Wrong. The ruleset must be linked to VNets in the same region as the resolver. Cross-region linking is not supported. Candidates might think it's global.
Specific Numbers and Terms That Appear on the Exam
Subnet size: /28 (minimum) for both inbound and outbound endpoints.
Port: 53 (UDP and TCP).
Maximum VNets per forwarding ruleset: 500.
Queries per second per inbound endpoint: up to 10,000.
The trailing dot in domain names (e.g., 'contoso.com.') is important in rules.
Edge Cases and Exceptions
If you have multiple Private Resolvers in the same VNet? Not allowed; only one per VNet.
Can an inbound endpoint receive queries from the internet? No; it only receives from on-premises via ExpressRoute/VPN.
What if you don't configure any forwarding rules? The outbound endpoint sends all unmatched queries to Azure public DNS.
Can you use Private Resolver with Azure Firewall as DNS proxy? Yes, but the Firewall must forward to the resolver's inbound endpoint.
How to Eliminate Wrong Answers
Focus on the mechanism: the Private Resolver is a conditional forwarder, not a recursive resolver. If an answer says it performs recursion, it's wrong. Also, remember it requires dedicated subnets—if an option says "use existing subnet," it's likely wrong. For hybrid scenarios, the correct answer involves both inbound and outbound endpoints. If the question is about resolving on-premises names from Azure, you need an outbound endpoint. If it's about resolving Azure names from on-premises, you need an inbound endpoint.
Azure DNS Private Resolver is a managed service that provides conditional forwarding for DNS queries between Azure VNets and on-premises networks.
Two endpoint types: inbound (receives queries from on-premises) and outbound (forwards queries from Azure to on-premises).
Each endpoint requires a dedicated /28 subnet in the same VNet as the resolver.
DNS forwarding rulesets contain rules that map domain names to target DNS servers; rulesets can be linked to up to 500 VNets.
The Private Resolver does not replace Azure DNS (168.63.129.16); it works alongside it for unmatched queries.
For hybrid resolution, you need both inbound and outbound endpoints for bidirectional name resolution.
The service is regional; forwarding rulesets can only link to VNets in the same region.
Default port for DNS is 53 (UDP and TCP).
No custom DNS features like DNSSEC; use custom VMs if needed.
Pricing is based on endpoints and queries; no upfront cost.
These come up on the exam all the time. Here's how to tell them apart.
Azure DNS Private Resolver
Managed service – no VM maintenance or OS patching
Automatic zone-redundant high availability in supported regions
Scales up to 10,000 QPS per endpoint automatically
Requires dedicated /28 subnets for endpoints
No support for custom DNS features like DNSSEC or AD-integrated zones
Custom DNS Servers (IaaS VMs)
Full control over DNS software and configuration
Can integrate with Active Directory and support DNSSEC
Requires manual high-availability design (load balancers, multiple VMs)
No subnet restrictions; can use any IP in the VNet
Higher operational overhead (patching, monitoring, scaling)
Mistake
The Azure DNS Private Resolver can resolve public internet DNS names.
Correct
False. The Private Resolver is designed for private namespaces. For public names, it forwards queries to Azure public DNS (168.63.129.16) or your specified forwarders. It does not perform public recursion itself.
Mistake
You can use the same /28 subnet for both inbound and outbound endpoints.
Correct
False. Each endpoint type requires its own dedicated /28 subnet. They cannot share a subnet because they serve different traffic directions and have different security requirements.
Mistake
The Private Resolver replaces the need for Azure Private DNS Zones.
Correct
False. Private DNS Zones and Private Resolver are complementary. Private Zones provide authoritative resolution within a VNet. The Private Resolver forwards queries that are not in a private zone or that need to go on-premises.
Mistake
You must deploy at least one VM to use the Private Resolver.
Correct
False. The Private Resolver is a fully managed PaaS service. No VMs are required. You configure it entirely through Azure Portal, CLI, or PowerShell.
Mistake
The forwarding ruleset can be linked to VNets in any region.
Correct
False. A forwarding ruleset can only be linked to VNets in the same region as the Private Resolver. Cross-region linking is not supported.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Azure Private DNS Zones provide authoritative DNS resolution for a domain within a VNet (e.g., 'contoso.com' resolves to private IPs). The Private Resolver forwards queries that are not in a private zone to other DNS servers (on-premises or custom). They complement each other: use private zones for Azure resources, and the resolver for hybrid resolution.
No. Each endpoint type requires its own dedicated /28 subnet. They cannot share a subnet because they serve different traffic directions and have different security requirements. Using the same subnet would cause conflicts and is not allowed.
No. The Private Resolver is a conditional forwarder. It either forwards queries to a specified target or sends them to Azure public DNS. It does not perform recursion itself. If you need recursive resolution, use Azure DNS (168.63.129.16) or a custom DNS server.
Up to 500 VNets can be linked to one forwarding ruleset. All linked VNets must be in the same region as the ruleset. If you need more, you can create multiple rulesets.
You assign one or more private IP addresses from the dedicated inbound endpoint subnet. These IPs are used by on-premises DNS servers to forward queries to Azure. You can assign static or dynamic IPs, but static is recommended for predictable forwarding.
Yes, if you only need to resolve Azure names from on-premises (inbound only). But if you need Azure resources to resolve on-premises names, you must have an outbound endpoint. For full hybrid resolution, both are required.
In regions that support Availability Zones, the service is zone-redundant by default. You can also deploy multiple endpoints in different subnets or VNets for additional redundancy.
You've just covered Azure DNS Private Resolver — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?