Azure Proactive Resiliency Library v2

privateDnsZones

Summary

| Recommendation | Impact | Category | Automation Available | PG Verified |
|---|---|---|---|---|
| Protect private DNS zones and records | Medium | Security | No | Verified |
| Monitor Private DNS Zones health and set up alerts | High | Monitoring and Alerting | No | Verified |
| Use regional Private DNS Zones when there is a low recovery time objective (RTO) requirement | Medium | Disaster Recovery | No | Verified |
| Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met | High | Disaster Recovery | No | Preview |

Details


Protect private DNS zones and records

Impact:  Medium Category:  Security PG Verified:  Verified

APRL GUID:  2820f6d6-a23c-7a40-aec5-506f3bd1aeb6

Description:

Assign the built-in Private DNS Zone Contributor role to specific authorized users, groups, and entities to protect against unauthorized or accidental changes to Private DNS Zones and records. Restrict access rather than granting Private DNS Zone Contributor permission to all zones.

Potential Benefits:

Prevents DNS outages

Learn More:

Protecting private DNS Zones and Records - Azure DNS

ARG Query:


// under-development



Monitor Private DNS Zones health and set up alerts

Impact:  High Category:  Monitoring and Alerting PG Verified:  Verified

APRL GUID:  ab896e8c-49b9-2c44-adec-98339aff7821

Description:

Use Azure Monitor to monitor Private DNS Zone query volume, record set count, and capacity metrics for Record Set, Virtual Network Link, and Virtual Network Link with auto-registration. Create alerts based on Azure Monitor Baseline Alerts for these metrics that exceed specific thresholds.

Potential Benefits:

Enhanced DNS reliability and alerting

Learn More:

Azure Monitor Baseline Alerts - privateDnsZones

ARG Query:


// under-development



Use regional Private DNS Zones when there is a low recovery time objective (RTO) requirement

Impact:  Medium Category:  Disaster Recovery PG Verified:  Verified

APRL GUID:  1e02335c-1f90-fd4e-a5a5-d359c7b22d70

Description:

For business continuity scenarios with a low recovery time objective (RTO), ensure that distinct regional production and disaster recovery (DR) Private DNS Zones are configured and have identical workload and resource DNS entries. This keeps DNS resolution consistent across both zones.

Potential Benefits:

Ensures seamless failover for DNS during a regional outage

Learn More:

Private Link and DNS integration at scale

ARG Query:


// under-development



Ensure Time-To-Live (TTL) is set appropriately to ensure RPOs can be met

Impact:  High Category:  Disaster Recovery PG Verified:  Preview

APRL GUID:  3538aa48-c40b-455b-a93b-269fe6e65be2

Description:

Azure Private DNS allows the Time-To-Live (TTL) for record sets in the zone to be set to a value between 1 and 2147483647 seconds. Ensure that the TTL of each DNS record set in your DNS Zones is set appropriately to meet your RPO targets, since a cached answer can be served for up to its TTL after the record changes.

Potential Benefits:

Ensures that no cached DNS records exist past RPO targets

Learn More:

Reliability in Azure DNS

ARG Query:


// under-development
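The two disaster-recovery recommendations above (matching regional production and DR zones, and TTLs that fit the RPO) can be checked together from a record-set listing. This is an added example, not APRL code: it assumes a 900-second RPO, and the record-set shape (properties.ttl, properties.aRecords, ...) is modelled on the Private DNS REST response with constructed names and addresses.

```python
import json

# Assumed RPO target for the workload (seconds); no record may be cached longer.
RPO_SECONDS = 900

# Constructed sample listings for the production and DR regional zones. The shape
# (properties.ttl, properties.aRecords, ...) follows the Private DNS REST record-set
# format; names and addresses are made up for the example.
PROD_ZONE = json.loads("""[
 {"name": "web", "type": "Microsoft.Network/privateDnsZones/A",
  "properties": {"ttl": 300, "aRecords": [{"ipv4Address": "10.1.0.4"}]}},
 {"name": "db", "type": "Microsoft.Network/privateDnsZones/A",
  "properties": {"ttl": 86400, "aRecords": [{"ipv4Address": "10.1.0.5"}]}},
 {"name": "api", "type": "Microsoft.Network/privateDnsZones/CNAME",
  "properties": {"ttl": 300, "cnameRecord": {"cname": "web.contoso.internal"}}}
]""")
DR_ZONE = json.loads("""[
 {"name": "web", "type": "Microsoft.Network/privateDnsZones/A",
  "properties": {"ttl": 300, "aRecords": [{"ipv4Address": "10.2.0.4"}]}},
 {"name": "db", "type": "Microsoft.Network/privateDnsZones/A",
  "properties": {"ttl": 300, "aRecords": [{"ipv4Address": "10.2.0.5"}]}}
]""")


def index(records):
    """Key each record set by (relative name, record type), e.g. ("db", "A")."""
    return {(r["name"], r["type"].rsplit("/", 1)[-1]): r["properties"] for r in records}


def ttl_violations(records, rpo_seconds=RPO_SECONDS):
    """Record sets whose TTL lets a stale answer stay cached beyond the RPO."""
    return sorted(f"{n}/{t}" for (n, t), p in index(records).items() if p["ttl"] > rpo_seconds)


def zone_drift(prod, dr):
    """Entries present in only one regional zone, and TTLs that differ between them.

    Addresses are deliberately not compared: the DR zone points at DR resources.
    """
    p, d = index(prod), index(dr)
    return {
        "missing_in_dr": sorted(f"{n}/{t}" for n, t in p.keys() - d.keys()),
        "missing_in_prod": sorted(f"{n}/{t}" for n, t in d.keys() - p.keys()),
        "ttl_mismatch": sorted(f"{n}/{t}" for n, t in p.keys() & d.keys()
                               if p[n, t]["ttl"] != d[n, t]["ttl"]),
    }


if __name__ == "__main__":
    print("TTL above RPO (prod):", ttl_violations(PROD_ZONE))
    print("TTL above RPO (DR):  ", ttl_violations(DR_ZONE))
    print("Zone drift:", json.dumps(zone_drift(PROD_ZONE, DR_ZONE), indent=1))
```

On the sample data the db record fails the RPO check in production and is also the TTL mismatch between the zones, while the api CNAME exists only in production.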