Hi Trenton Whitaker,
Thanks for reaching out in Microsoft Q&A forum,
All recent documentation points to using Azure Private Link for public resolution and not forwarding the privatelink zone alone. Where is the original documentation referencing this design?
The original design you described, force-tunneling all public/internet DNS to on-premises while using Azure forwarders specifically for Private Link zones (like privatelink.database.windows.net), stems from early hybrid networking guidance in Microsoft's Azure Architecture Center.
Core document:
This pattern is outlined in the 2022 article "Design a Hybrid Domain Name System (DNS) Solution by using Azure" (https://learn.microsoft.com/en-us/azure/architecture/hybrid/hybrid-dns-infra). It describes hub-spoke topologies where on-premises DNS handles general resolution via VPN/ExpressRoute, with conditional forwarders in a hub VNet's DNS servers (or VMs) directing only Private Link traffic to Azure's recursive resolver at xxxxxxx. Private DNS zones link to VNets for autoregistration, keeping public lookups on-prem.
Recent document:
Newer guidance (post-2024) favors Azure DNS Private Resolver for bidirectional resolution without per-zone forwarders, as in https://learn.microsoft.com/en-us/azure/dns/private-resolver-hybrid-dns. Your setup was standard before Private Resolver GA, aligning with pre-2023 best practices for split-brain DNS in hybrid environments.
While understandably correct for the new guidance, the previous guidance fits my org's security compliance, and I would like some assistance in finding the older reference documentation.
I understand your compliance needs favor the older hybrid DNS pattern, forcing public/internet traffic on-premises while forwarding only privatelink.* zones to Azure, which remains technically valid despite guidance evolution.
Your setup precisely follows what is documented in the Azure Architecture Center's longstanding guidance: 'Design a Hybrid Domain Name System (DNS) Solution by using Azure' (https://learn.microsoft.com/en-us/azure/architecture/hybrid/hybrid-dns-infra). This 2022 reference details:
- VNets configured with on-premises DNS IPs for force-tunneled public resolution over VPN/ExpressRoute.
- Hub-based DNS forwarders (typically VMs) with conditional forwarders exclusively for privatelink zones (e.g., privatelink.database.windows.net), querying Azure's xx8.xx.xxx.16 resolver.
- Private DNS zones linked to VNets for Private Endpoint A-record resolution.
While newer docs emphasize forwarding public zones (database.windows.net) for Azure's internal CNAME aliasing to privatelink.*, your implementation matches the pre-2023 enterprise standard designed for strict security controls. This pattern continues to function reliably without requiring changes.
Kindly let us know if the above helps or you need further assistance on this issue.
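To make the CNAME caveat in the answer above concrete, here is an added Python model (not code from the answer or from Microsoft) of the described pattern: VNet clients query on-premises DNS, which forwards only privatelink.* zones to a hub forwarder and on to the Azure-provided resolver, while everything else is resolved on-premises. All server names, addresses and zone data are constructed, and the Azure resolver address the answer redacts is represented by a placeholder object rather than an IP. It shows that the alias from database.windows.net to privatelink.* is chased by the on-premises resolver itself, so the private endpoint address comes back only if that resolver also carries the privatelink conditional forwarder.

```python
"""Constructed model of the hybrid DNS pattern: on-prem DNS is the default
resolver for VNet clients, privatelink.* zones are conditionally forwarded
to a hub forwarder, which forwards them to the Azure-provided resolver."""

# Public DNS view (constructed data): the server name aliases to its
# privatelink.* name, which aliases on to a public front end.
PUBLIC_DNS = {
    "sqlsrv01.database.windows.net": ("CNAME", "sqlsrv01.privatelink.database.windows.net"),
    "sqlsrv01.privatelink.database.windows.net": ("CNAME", "gw1.example-region.control.database.windows.net"),
    "gw1.example-region.control.database.windows.net": ("A", "203.0.113.10"),
    "www.example.com": ("A", "198.51.100.7"),
}
# Azure Private DNS zone linked to the VNet: A record of the private endpoint (constructed).
PRIVATE_ZONE = {"sqlsrv01.privatelink.database.windows.net": ("A", "10.1.2.4")}

class Resolver:
    """A resolver with a default source and per-zone conditional forwarders.
    A source is either record data (dict) or another Resolver."""
    def __init__(self, name, default, forwarders=None):
        self.name = name
        self.default = default
        self.forwarders = forwarders or {}

    def _source_for(self, fqdn):
        # Longest-suffix match wins, as with conditional forwarders.
        hits = [z for z in self.forwarders if fqdn == z or fqdn.endswith("." + z)]
        return self.forwarders[max(hits, key=len)] if hits else self.default

    def resolve(self, fqdn, depth=0):
        if depth > 8:
            raise RuntimeError("CNAME chain too long for %s" % fqdn)
        src = self._source_for(fqdn)
        if isinstance(src, Resolver):
            return src.resolve(fqdn)  # upstream chases the chain for us
        rtype, value = src.get(fqdn, (None, None))
        if rtype == "A":
            return value
        if rtype == "CNAME":
            # A recursive resolver follows the alias itself, so the privatelink.*
            # target is matched against THIS resolver's forwarder table.
            return self.resolve(value, depth + 1)
        raise LookupError("%s: no record for %s" % (self.name, fqdn))

PL_ZONE = "privatelink.database.windows.net"
AZURE_RESOLVER = Resolver("azure-provided", PUBLIC_DNS, {PL_ZONE: PRIVATE_ZONE})  # placeholder for Azure's recursive resolver
ONPREM_GOOD = Resolver("onprem", PUBLIC_DNS)  # privatelink forwarder is added below
HUB = Resolver("hub-forwarder", ONPREM_GOOD, {PL_ZONE: AZURE_RESOLVER})
ONPREM_GOOD.forwarders[PL_ZONE] = HUB  # on-prem forwards privatelink.* to the hub
ONPREM_MISSING = Resolver("onprem-no-forwarder", PUBLIC_DNS)  # misconfiguration: no privatelink forwarder

def resolve_from_vnet(onprem, fqdn):
    """VNet clients point at on-premises DNS, so every query enters there."""
    return onprem.resolve(fqdn)
```

With the privatelink forwarder present on-premises, the SQL server name resolves to the private endpoint; without it, the same chain ends at the public front end, which is the case to check when auditing this design.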