What is the difference between public and private DNS zones?

Public DNS zones resolve domain names from the internet and are used for externally facing services. Private DNS zones provide name resolution within Azure Virtual Networks and are not accessible from the internet. Private zones support automatic VM registration and are commonly used for internal service endpoints.

Does Azure DNS support DNSSEC?

Azure public DNS zones support DNSSEC signing. When enabled, Azure DNS signs your zone records with DNSSEC, and you need to add the DS record to your domain registrar. Private DNS zones do not support DNSSEC since they are only resolved within VNets.

How much does Azure DNS cost?

Azure DNS charges per hosted zone (approximately $0.50/month for the first 25 zones) and per million DNS queries ($0.40 for the first billion queries). There is no charge for DNS records within a zone. Private DNS zones have similar pricing with an additional VNet link charge.

Azure DNS Zone Builder

NetworkingAzure

Build Azure DNS zone record configurations for public and private zones.

Last verified: May 2026

DNS Zone Record Configuration

Zone Type

Zone Name

Record Type

Maps a hostname to an IPv4 address, e.g. 192.0.2.1

Record Name

TTL (seconds)

Values (one per line)

Output

Output will appear here...

About This Tool

The Azure DNS Zone Builder helps you create DNS record configurations for both Azure public and private DNS zones. It supports A, AAAA, CNAME, MX, TXT, SRV, CAA, PTR, and SOA record types with proper TTL settings and record-specific validation. The tool generates configurations in ARM template and Bicep format, ready for deployment through Azure Resource Manager.

Real-World Scenario

You're migrating email from on-prem Exchange to Microsoft 365 and need to set up SPF, DKIM, and DMARC records in Azure DNS. The DKIM record is over 400 characters long. You paste it into the builder, which automatically splits it into 255-character quoted segments per the TXT record specification and outputs valid Bicep. You commit the Bicep to your IaC repo, deploy through your DNS pipeline, and email authentication starts passing on the first try — no second deploy because of malformed TXT chunks.

When to Use This Tool

•Building DNS record sets for a new domain hosted in Azure DNS with proper MX and TXT records for email.
•Creating private DNS zone records for internal service discovery within Azure Virtual Networks.
•Generating ARM or Bicep templates for DNS infrastructure-as-code deployments.
•Configuring CAA records to restrict which certificate authorities can issue certificates for your domain.

Pro Tips

TIP

Set TTL deliberately based on how often you change the record. Frontend records pointing to a CDN: 300 seconds is fine. Apex records pointing to a load balancer with a fixed VIP: 3600+ seconds reduces query costs. The default 3600 seconds is too long for active DNS-based traffic management.

TIP

CAA records are the cheapest security upgrade in Azure DNS — a single record like '0 issue "digicert.com"' prevents any other CA from issuing certificates for your domain. Without CAA, an attacker who compromises any CA can issue valid certs for your domain.

TIP

Private DNS zones charge per VNet link, not just per zone. If you have 30 spoke VNets all needing access to a centralized privatelink.blob.core.windows.net zone, that's 30 monthly link fees. Use Azure DNS Private Resolver in the hub instead to save on per-link costs at scale.

How It Works Under the Hood

The builder constructs Azure DNS record sets as Microsoft.Network/dnsZones/[recordType] resources, validating each record per RFC 1035 (length, character set) and per Azure's record-specific rules (max records per set, MX preference range, TXT 255-character segment limit). Output is generated in ARM JSON, Bicep, and Terraform formats with the same TTL and metadata for cross-tool consistency.

Frequently Asked Questions

What is the difference between public and private DNS zones?: Public DNS zones resolve domain names from the internet and are used for externally facing services. Private DNS zones provide name resolution within Azure Virtual Networks and are not accessible from the internet. Private zones support automatic VM registration and are commonly used for internal service endpoints.
Does Azure DNS support DNSSEC?: Azure public DNS zones support DNSSEC signing. When enabled, Azure DNS signs your zone records with DNSSEC, and you need to add the DS record to your domain registrar. Private DNS zones do not support DNSSEC since they are only resolved within VNets.
How much does Azure DNS cost?: Azure DNS charges per hosted zone (approximately $0.50/month for the first 25 zones) and per million DNS queries ($0.40 for the first billion queries). There is no charge for DNS records within a zone. Private DNS zones have similar pricing with an additional VNet link charge.

Related Learning Guides

Azure DNS Setup Guide20 min read
Azure Networking Deep Dive30 min read

Featured In

Migrating DNS to the Cloud: Route 53, Azure DNS, and Cloud DNS Compared

Was this tool helpful?

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.