Private DNS Zones


The resiliency recommendations in this guidance cover Private DNS Zones and their associated resources and settings.

Summary of Recommendations

Recommendations Details

PVDNSZ-1 - Protect private DNS zones and records

Category: Access & Security

Impact: Medium

Guidance

Private DNS zones and records are critical resources. Deleting a DNS zone or a single DNS record can result in a service outage, so it’s important that DNS zones and records are protected against unauthorized or accidental changes. The Private DNS Zone Contributor role is a built-in role for managing private DNS resources; assigning it to a user or group grants them the ability to manage those resources.

Resources

Resource Graph Query

// under-development



PVDNSZ-2 - Monitor Private DNS Zones health and set up alerts

Category: Monitoring

Impact: Low

Guidance

The records contained in a private DNS zone aren’t resolvable from the Internet. DNS resolution against a private DNS zone works only from virtual networks that are linked to it. You can link a private DNS zone to one or more virtual networks by creating virtual network links. You can also enable the autoregistration feature to automatically manage the life cycle of the DNS records for the virtual machines that get deployed in a virtual network.

Resources

Resource Graph Query

// under-development



PVDNSZ-3 - Make sure Production and DR zones have equivalent entries for workloads and resources that will be failed over

Category: Governance

Impact: Medium

Guidance

Azure Private DNS provides a reliable, secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names rather than the Azure-provided names available today. The records contained in a private DNS zone aren’t resolvable from the Internet. DNS resolution against a private DNS zone works only from virtual networks that are linked to it. You can link a private DNS zone to one or more virtual networks by creating virtual network links. You can also enable the autoregistration feature to automatically manage the life cycle of the DNS records for the virtual machines that get deployed in a virtual network.
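One way to verify that a DR zone carries an entry for every workload name in the production zone, as an added example rather than code from this guidance: the script indexes two record-set listings shaped like the JSON that `az network private-dns record-set list` returns (that shape, and the zone contents, are assumed and constructed here) and reports names missing from DR, names only in DR, and names whose values differ, which is expected for failed-over workloads that use DR-region addresses.

```python
# Added example (not from the page): check that a DR private DNS zone carries an entry for
# every name in production. Input mimics `az network private-dns record-set list` (constructed).
VALUE_FIELDS = {  # record type -> (JSON list/object field, value key); assumed CLI shape
    "A": ("aRecords", "ipv4Address"),
    "CNAME": ("cnameRecord", "cname"),
}

def short_type(record_set):
    """'Microsoft.Network/privateDnsZones/A' -> 'A'."""
    return record_set["type"].rsplit("/", 1)[-1].upper()

def record_values(record_set):
    """Set of values held by a record set, independent of their order."""
    field, key = VALUE_FIELDS.get(short_type(record_set), (None, None))
    if field is None:
        return frozenset()
    entries = record_set.get(field) or []
    if isinstance(entries, dict):  # CNAME is a single object, not a list
        entries = [entries]
    return frozenset(e[key] for e in entries)

def index_zone(record_sets, ignore_types=("SOA",)):
    """Map (name, type) -> values; the SOA apex record never needs to match."""
    return {(rs["name"].lower(), short_type(rs)): record_values(rs)
            for rs in record_sets if short_type(rs) not in ignore_types}

def compare_zones(prod_record_sets, dr_record_sets):
    """Names missing from DR break failover. Names whose values differ are
    expected (DR-region addresses) but are listed so each can be confirmed."""
    prod, dr = index_zone(prod_record_sets), index_zone(dr_record_sets)
    return {
        "missing_in_dr": sorted(set(prod) - set(dr)),
        "extra_in_dr": sorted(set(dr) - set(prod)),
        "value_differs": sorted(k for k in prod.keys() & dr.keys() if prod[k] != dr[k]),
    }

# Constructed sample: production has app, db and api; the DR zone lacks db.
A, CNAME, SOA = ("Microsoft.Network/privateDnsZones/" + t for t in ("A", "CNAME", "SOA"))
PROD = [
    {"name": "@", "type": SOA, "ttl": 3600},
    {"name": "app", "type": A, "ttl": 300, "aRecords": [{"ipv4Address": "10.1.0.4"}]},
    {"name": "db", "type": A, "ttl": 300, "aRecords": [{"ipv4Address": "10.1.0.10"}]},
    {"name": "api", "type": CNAME, "ttl": 300, "cnameRecord": {"cname": "app.contoso.internal"}},
]
DR = [
    {"name": "app", "type": A, "ttl": 300, "aRecords": [{"ipv4Address": "10.2.0.4"}]},
    {"name": "api", "type": CNAME, "ttl": 300, "cnameRecord": {"cname": "app.contoso.internal"}},
]
if __name__ == "__main__":
    print(compare_zones(PROD, DR))
```

Run against real listings by loading the CLI's JSON output for each zone and passing the two lists to compare_zones; a non-empty missing_in_dr is the finding to fix before a failover test.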

Resources

Resource Graph Query

// under-development