Why do I need Azure DNS Private Resolver instead of custom DNS VMs?

Custom DNS VMs (like Windows DNS or BIND) require you to manage availability, patching, scaling, and configuration. Azure DNS Private Resolver is a fully managed service that provides 99.99% SLA, automatic scaling, and native integration with Azure Private DNS zones. It eliminates the operational overhead of running DNS infrastructure while supporting the same conditional forwarding scenarios. The resolver also integrates with Azure policies for centralized DNS governance.

How do inbound and outbound endpoints differ?

Inbound endpoints accept DNS queries from outside the VNet — typically from on-premises networks via VPN or ExpressRoute. They provide a static IP address in a delegated subnet that on-premises DNS servers can forward to. Outbound endpoints send DNS queries to external DNS servers based on forwarding rulesets. They handle queries from Azure resources that need to resolve names hosted by on-premises DNS servers or third-party DNS services.

Can I link forwarding rulesets to multiple VNets?

Yes, a single DNS forwarding ruleset can be linked to up to 10 VNets, and each VNet can be linked to up to 2 rulesets. This lets you define forwarding rules once and apply them across multiple VNets, which is particularly useful in hub-and-spoke topologies. Ruleset links are separate from VNet peering — the resolver uses the outbound endpoint subnet for connectivity, and forwarded traffic follows the outbound endpoint's VNet routing.

Azure Private DNS Resolver Builder

NetworkingAzure

Build Private DNS Resolver configurations with forwarding rulesets and endpoints.

Private DNS Resolver Configuration

Build Private DNS Resolver configurations with inbound/outbound endpoints and forwarding rulesets.

Required Fields

namelocationvirtualNetworkIdforwardingRulesets

{
  "name": "prod-dns-resolver",
  "location": "eastus",
  "virtualNetworkId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub",
  "inboundEndpoints": [
    {
      "name": "inbound-endpoint",
      "subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-dns-inbound",
      "privateIpAddress": "10.0.4.4",
      "privateIpAllocationMethod": "Static"
    }
  ],
  "outboundEndpoints": [
    {
      "name": "outbound-endpoint",
      "subnetId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-dns-outbound"
    }
  ],
  "forwardingRulesets": [
    {
      "name": "onprem-forwarding-ruleset",
      "rules": [
        {
          "ruleName": "forward-corp-domain",
          "domainName": "corp.contoso.com.",
          "targetDnsServers": [
            { "ipAddress": "10.100.1.10", "port": 53 },
            { "ipAddress": "10.100.1.11", "port": 53 }
          ],
          "ruleState": "Enabled"
        }
      ]
    }
  ]
}

Generated Output

Output will appear here...

About This Tool

Azure DNS Private Resolver enables name resolution between on-premises networks, Azure private DNS zones, and forwarded external domains without deploying custom DNS servers. It consists of inbound endpoints (for on-premises to Azure resolution) and outbound endpoints (for Azure to on-premises resolution) with DNS forwarding rulesets that define which domains are forwarded to which DNS servers. Configuring the resolver requires specifying VNet integration, subnet delegation, endpoint IPs, and ruleset rules. This builder helps you assemble resolver configurations with correct subnet references, forwarding rules, and endpoint settings.

When to Use This Tool

•Building an inbound endpoint configuration that allows on-premises servers to resolve Azure Private DNS zones via ExpressRoute or VPN
•Creating DNS forwarding rulesets that forward queries for on-premises Active Directory domains to corporate DNS servers
•Configuring outbound endpoints with conditional forwarding rules for hybrid DNS resolution across Azure and on-premises networks
•Generating resolver configurations for hub-and-spoke VNet topologies where the hub VNet hosts the DNS Private Resolver for all spoke VNets

Frequently Asked Questions

Why do I need Azure DNS Private Resolver instead of custom DNS VMs?: Custom DNS VMs (like Windows DNS or BIND) require you to manage availability, patching, scaling, and configuration. Azure DNS Private Resolver is a fully managed service that provides 99.99% SLA, automatic scaling, and native integration with Azure Private DNS zones. It eliminates the operational overhead of running DNS infrastructure while supporting the same conditional forwarding scenarios. The resolver also integrates with Azure policies for centralized DNS governance.
How do inbound and outbound endpoints differ?: Inbound endpoints accept DNS queries from outside the VNet — typically from on-premises networks via VPN or ExpressRoute. They provide a static IP address in a delegated subnet that on-premises DNS servers can forward to. Outbound endpoints send DNS queries to external DNS servers based on forwarding rulesets. They handle queries from Azure resources that need to resolve names hosted by on-premises DNS servers or third-party DNS services.
Can I link forwarding rulesets to multiple VNets?: Yes, a single DNS forwarding ruleset can be linked to up to 10 VNets, and each VNet can be linked to up to 2 rulesets. This lets you define forwarding rules once and apply them across multiple VNets, which is particularly useful in hub-and-spoke topologies. Ruleset links are separate from VNet peering — the resolver uses the outbound endpoint subnet for connectivity, and forwarded traffic follows the outbound endpoint's VNet routing.

Related Learning Guides

Virtual Network Architecture28 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.