Use local DNS servers
Reliability · Virtual Network · Rule · 2020_06 · Important
Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.
Description
Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.
When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.
Avoid taking a dependency on DNS servers outside Azure, such as those deployed on-premises, for resolution between Azure resources. A break in the cross-premises link (ExpressRoute or VPN) then also breaks name resolution between workloads that are both in Azure. This can be avoided by using DNS services deployed into the same Azure region.
Where possible consider deploying:
- Azure DNS Private Resolver.
- Azure Private DNS Zones.
Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.
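The check the rule describes can be reproduced offline against exported virtual network resources. The following script is an added illustration for this page, not the rule's own implementation or any PSRule code: it treats a DNS server IP as "local" when it falls inside the VNET's own address space, the address space of a peered VNET that is present in the export, or an operator-supplied list of trusted Azure ranges (the analogue of the identity-spoke exception discussed in the Notes below). The `168.63.129.16` virtual IP is the Azure-provided DNS address and counts as local. The VNET resources, names and resource IDs below are constructed sample data.

```python
"""Added example: flag VNET custom DNS servers that live outside Azure.

The sample resources below are constructed to mimic exported
Microsoft.Network/virtualNetworks objects; they are not from a real tenant.
"""
import ipaddress

# Azure-provided DNS virtual IP. VMs use it when dnsServers is empty, and it is
# also an acceptable value when listed explicitly.
AZURE_PROVIDED_DNS = ipaddress.ip_address("168.63.129.16")

# Constructed (hypothetical) resource ID prefix for the sample VNETs.
RG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
         "/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/")


def _vnet(name, prefixes, dns=None, peers=()):
    """Build a minimal virtualNetworks resource in the exported ARM shape."""
    props = {
        "addressSpace": {"addressPrefixes": list(prefixes)},
        "virtualNetworkPeerings": [
            {"properties": {"remoteVirtualNetwork": {"id": RG_ID + peer}}}
            for peer in peers
        ],
    }
    if dns is not None:
        props["dhcpOptions"] = {"dnsServers": list(dns)}
    return {"type": "Microsoft.Network/virtualNetworks", "name": name, "properties": props}


SAMPLE_VNETS = [
    # Hub hosting two redundant DNS VMs in its own address space.
    _vnet("vnet-hub", ["10.0.0.0/16"], dns=["10.0.1.4", "10.0.1.5"]),
    # Spoke resolving via the peered hub: still inside Azure.
    _vnet("vnet-spoke-app", ["10.1.0.0/16"], dns=["10.0.1.4", "10.0.1.5"], peers=["vnet-hub"]),
    # Spoke pointed at an on-premises resolver: a cross-premises dependency.
    _vnet("vnet-legacy", ["10.2.0.0/16"], dns=["192.168.1.10"]),
    # Spoke with no dhcpOptions at all, i.e. Azure-provided DNS.
    _vnet("vnet-default", ["10.3.0.0/16"]),
    # Spoke resolving via an identity VNET that is not part of this export.
    _vnet("vnet-spoke-data", ["10.4.0.0/16"], dns=["10.10.0.4", "10.10.0.5"], peers=["vnet-identity"]),
]


def _prefixes(vnet):
    return [ipaddress.ip_network(p) for p in vnet["properties"]["addressSpace"]["addressPrefixes"]]


def _peer_names(vnet):
    # The remote VNET name is the last segment of its resource ID.
    return [p["properties"]["remoteVirtualNetwork"]["id"].rsplit("/", 1)[-1]
            for p in vnet["properties"].get("virtualNetworkPeerings", [])]


def local_prefixes(vnet, all_vnets, trusted_prefixes=()):
    """Ranges a DNS server may sit in and still count as local to Azure:
    the VNET's own space, the space of peered VNETs present in the export,
    and operator-supplied ranges for DNS hosted elsewhere in Azure."""
    by_name = {v["name"]: v for v in all_vnets}
    nets = _prefixes(vnet)
    for name in _peer_names(vnet):
        if name in by_name:
            nets.extend(_prefixes(by_name[name]))
    nets.extend(ipaddress.ip_network(p) for p in trusted_prefixes)
    return nets


def check_local_dns(vnet, all_vnets, trusted_prefixes=()):
    """Return (passes, offending_servers) for one VNET."""
    servers = vnet["properties"].get("dhcpOptions", {}).get("dnsServers", [])
    if not servers:
        return True, []  # Azure-provided DNS; nothing external to depend on
    nets = local_prefixes(vnet, all_vnets, trusted_prefixes)
    offending = [
        s for s in servers
        if ipaddress.ip_address(s) != AZURE_PROVIDED_DNS
        and not any(ipaddress.ip_address(s) in n for n in nets)
    ]
    return not offending, offending


def evaluate(vnets, trusted_prefixes=()):
    """Evaluate every VNET in an export; returns {name: (passes, offending)}."""
    return {v["name"]: check_local_dns(v, vnets, trusted_prefixes) for v in vnets}


if __name__ == "__main__":
    for name, (ok, bad) in evaluate(SAMPLE_VNETS).items():
        print(f"{name}: {'PASS' if ok else 'FAIL ' + ', '.join(bad)}")
```

Run as-is, `vnet-legacy` fails on the on-premises address and `vnet-spoke-data` fails because its identity peer is outside the export; passing `trusted_prefixes=("10.10.0.0/16",)` clears the latter while still failing the former, which is the behaviour an identity-subscription exception should have.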
Recommendation
Consider deploying redundant DNS services within a connected Azure VNET.
Examples
Configure with Azure template
To deploy Virtual Networks that pass this rule, do one of the following:
- Set `properties.dhcpOptions.dnsServers` to IP addresses within the same virtual network, or a peered virtual network, within Azure.
- Use the default Azure-provided DNS servers by not specifying `dhcpOptions.dnsServers`.
For example:
```json
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    }
  }
}
```
Configure with Bicep
To deploy Virtual Networks that pass this rule, do one of the following:
- Set `properties.dhcpOptions.dnsServers` to IP addresses within the same virtual network, or a peered virtual network, within Azure.
- Use the default Azure-provided DNS servers by not specifying `dhcpOptions.dnsServers`.
For example:
```bicep
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
  }
}
```
Notes
This rule applies when analyzing resources deployed to Azure (in-flight).
When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:
- Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
- Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.
When you do this, this rule may report a false positive by default.
If you are using this configuration, we recommend you set the configuration option `AZURE_VNET_DNS_WITH_IDENTITY` to `true`.
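PSRule reads options such as this one from the `configuration` section of its options file (`ps-rule.yaml`). The fragment below is added here to show where the option goes; it is not taken from the original page:

```yaml
# ps-rule.yaml
configuration:
  AZURE_VNET_DNS_WITH_IDENTITY: true
```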
Links
- Understand the impact of dependencies
- Hub-spoke network topology in Azure
- Azure landing zone conceptual architecture
- What is Azure DNS Private Resolver?
- What is Azure Private DNS?
- Azure deployment reference