Use local DNS servers

Reliability · Virtual Network · Rule · 2020_06

Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.

Description

Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.

When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.

Avoid taking a dependency on external DNS servers for local communication such as those deployed on-premises. This can be achieved by using DNS services deployed into the same Azure region.

Where possible consider deploying:

• Azure DNS Private Resolver.
• Azure Private DNS Zones.

Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.

Recommendation

Consider deploying redundant DNS services within a connected Azure VNET.

Examples

Configure with Azure template

To deploy Virtual Networks that pass this rule:

• Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
• Use the default Azure DNS servers.

For example:

Azure Template snippet

{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    }
  }
}

Configure with Bicep

To deploy Virtual Networks that pass this rule:

• Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
• Use the default Azure DNS servers.

For example:

Azure Bicep snippet

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
  }
}

Notes

This rule applies when analyzing resources deployed to Azure (in-flight).

When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:

• Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
• Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.

When you do this, this rule may report a false positive by default. If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true.

For example:

configuration:
  AZURE_VNET_DNS_WITH_IDENTITY: true

Links

• Understand the impact of dependencies
• Hub-spoke network topology in Azure
• Azure landing zone conceptual architecture
• What is Azure DNS Private Resolver?
• What is Azure Private DNS?
• Azure deployment reference

---

Last update: 2023-09-09

Comments