Centralized Private DNS Zone in the Hub Subscription

Question

Centralized Private DNS Zone in the Hub Subscription

Sumit Gaur 415

Hi Guys,

We are currently setting up a new Azure tenant using the Azure Landing Zone Accelerator to establish our platform landing zone. As part of this setup, we have centralized Private DNS Zones deployed in the connectivity subscription, along with our hub networks. These Private DNS Zones are linked to both the primary and secondary hub VNets.

Our plan is to use our custom on-premises DNS for most workloads, while relying on these Private DNS Zones to resolve queries for services accessed via Private Endpoints.

I have a couple of questions:

Can these centralized Private DNS Zones be used to resolve Private Endpoint DNS queries via conditional forwarding from our on-premises DNS?
Is it possible for this setup to work without deploying Azure Private DNS Resolver, and instead rely solely on the Azure-provided DNS IP for name resolution?

Thanks in advance for your guidance.

Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-04-06T17:46:03.0733333+00:00
Hi @Sumit Gaur,

Welcome to Microsoft Q&A Platform.

Can these centralized Private DNS Zones be used to resolve Private Endpoint DNS queries via conditional forwarding from our on-premises DNS?

Yes, if you have DNS services on-premises, you can resolve your Private Endpoint (privatelink.*) names in hub-hosted zones by configuring your on-prem DNS servers with conditional forwarders for each zone.

The forwarder target must be an Azure-accessible DNS endpoint that is aware of your Private DNS zones, such as:

Azure DNS Private Resolver inbound endpoint(s) in the hub VNet, or

A pair of DNS-forwarding VMs (Windows/Linux) in the hub VNet configured to use 168.63.129.16 for Azure DNS lookups.

With this setup in place, on-prem queries for your privatelink domains will follow this path: on-prem DNS → forwarder IP in Azure → hub Private DNS zone → response returned to on-prem.

Using centralized Private DNS zones via conditional forwarding,Follow more about Azure Private Resolver with on-premises DNS forwarder

If you want to resolve only Private Endpoint FQDNs from an on-prem network (via VPN), you can simply create an Azure Private DNS Resolver with an inbound endpoint.

If you also need to resolve on-premises domains from Azure, you can configure Azure DNS forwarding rules using an Azure Private DNS Resolver and a DNS forwarding ruleset by following the appropriate steps resolve Azure and on-premises domains

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumit Gaur 415 Reputation points

2026-04-07T16:46:27.4133333+00:00
Hi @Venkateswarlu Vallepu

I have a follow-up question on the DNS setup we’re planning and wanted to get your perspective on it.We are going to have certain services exposed via Private Endpoints, and the current thought is to configure on-prem DNS at the Spoke VNET level since majority of our integration would talk to on-premise.

This would mean all DNS queries from the VNETs go to on-prem first. From there, we would use conditional forwarders for privatelink zones to forward requests to the Azure Private DNS Resolver (Inbound Endpoint), which would then resolve using the centralized Private DNS Zones in the Hub.

So effectively, this becomes a mix where:

Azure workloads rely on on-prem DNS

On-prem DNS forwards specific queries back into Azure for Private Endpoint resolution even originating from azure e.g., azure web app accessing a sql database with private endpoint.

Given this setup, I wanted to understand what is the recommended approach and does this align with Microsoft best practices, or would you lean towards keeping Azure VNETs on Azure DNS and handling hybrid resolution differently?
Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-04-07T18:01:22.2733333+00:00

Hi @Sumit Gaur,

The recommended pattern is to keep Azure DNS resolution within Azure and use conditional forwarding from on-premises to Azure (via Private DNS Resolver or a DNS forwarder). Routing Azure → on-prem → Azure introduces unnecessary latency, dependency on hybrid connectivity, and a larger failure domain.

In short, keep Azure VNets on Azure DNS and extend resolution to on-premises, not the other way around.

Refer: Hybrid DNS resolution

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.

1 answer

Your answer

Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-04-06T17:46:03.0733333+00:00

Hi @Sumit Gaur,

Welcome to Microsoft Q&A Platform.

Can these centralized Private DNS Zones be used to resolve Private Endpoint DNS queries via conditional forwarding from our on-premises DNS?

Yes, if you have DNS services on-premises, you can resolve your Private Endpoint (privatelink.*) names in hub-hosted zones by configuring your on-prem DNS servers with conditional forwarders for each zone.

The forwarder target must be an Azure-accessible DNS endpoint that is aware of your Private DNS zones, such as:

Azure DNS Private Resolver inbound endpoint(s) in the hub VNet, or

A pair of DNS-forwarding VMs (Windows/Linux) in the hub VNet configured to use 168.63.129.16 for Azure DNS lookups.

With this setup in place, on-prem queries for your privatelink domains will follow this path: on-prem DNS → forwarder IP in Azure → hub Private DNS zone → response returned to on-prem.

Using centralized Private DNS zones via conditional forwarding,Follow more about Azure Private Resolver with on-premises DNS forwarder

If you want to resolve only Private Endpoint FQDNs from an on-prem network (via VPN), you can simply create an Azure Private DNS Resolver with an inbound endpoint.

If you also need to resolve on-premises domains from Azure, you can configure Azure DNS forwarding rules using an Azure Private DNS Resolver and a DNS forwarding ruleset by following the appropriate steps resolve Azure and on-premises domains

Please "upvote" if the information helped you. This will help us and others in the community as well.
Sumit Gaur 415 Reputation points

2026-04-07T16:46:27.4133333+00:00

Hi @Venkateswarlu Vallepu

I have a follow-up question on the DNS setup we’re planning and wanted to get your perspective on it.We are going to have certain services exposed via Private Endpoints, and the current thought is to configure on-prem DNS at the Spoke VNET level since majority of our integration would talk to on-premise.

This would mean all DNS queries from the VNETs go to on-prem first. From there, we would use conditional forwarders for privatelink zones to forward requests to the Azure Private DNS Resolver (Inbound Endpoint), which would then resolve using the centralized Private DNS Zones in the Hub.

So effectively, this becomes a mix where:

Azure workloads rely on on-prem DNS

On-prem DNS forwards specific queries back into Azure for Private Endpoint resolution even originating from azure e.g., azure web app accessing a sql database with private endpoint.

Given this setup, I wanted to understand what is the recommended approach and does this align with Microsoft best practices, or would you lean towards keeping Azure VNETs on Azure DNS and handling hybrid resolution differently?
Vallepu Venkateswarlu 6,830 Reputation points Microsoft External Staff Moderator

2026-04-07T18:01:22.2733333+00:00

Hi @Sumit Gaur,

The recommended pattern is to keep Azure DNS resolution within Azure and use conditional forwarding from on-premises to Azure (via Private DNS Resolver or a DNS forwarder). Routing Azure → on-prem → Azure introduces unnecessary latency, dependency on hybrid connectivity, and a larger failure domain.

In short, keep Azure VNets on Azure DNS and extend resolution to on-premises, not the other way around.

Refer: Hybrid DNS resolution

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer 1

Yes. Centralized Private DNS zones in the hub/connectivity subscription can be used to resolve Private Endpoint DNS queries from on-premises via conditional forwarding. The recommended pattern is:
- Link the Azure Private DNS zones (for example, privatelink.blob.core.windows.net, azure.contoso.com, etc.) to the hub VNet(s).
- Expose those zones to on-premises by forwarding queries from on-premises DNS to an Azure-side DNS endpoint.
- In Microsoft guidance, this Azure-side endpoint is typically the inbound endpoint of Azure DNS Private Resolver in the hub VNet. On-premises DNS servers are configured with conditional forwarders for the Azure private zones, pointing to that inbound endpoint IP. The resolver then uses Azure-provided DNS (168.63.129.16) to resolve records in the linked Private DNS zones and returns the private IPs to on-premises.
This design is explicitly described for hybrid name resolution:
- On-premises DNS servers have conditional forwarders for each private endpoint public DNS zone, pointing to the DNS Private Resolver inbound endpoint in the hub VNet.
- The hub VNet is linked to the Private DNS zones for Azure services.
So: centralized Private DNS zones are suitable for your scenario, but the supported hybrid pattern uses DNS Private Resolver as the bridge between on-premises DNS and Azure Private DNS.
No, not in the way described. Azure-provided DNS (168.63.129.16) cannot be directly used as a target for conditional forwarding from on-premises, and it does not accept queries from outside Azure VNets. Key points from the documented designs:
- For Azure-only environments, Azure Private DNS zones plus Azure-provided DNS are sufficient; VMs in VNets linked to the zones resolve records automatically via 168.63.129.16.
- For environments that require name resolution across Azure and on-premises, guidance is to use DNS Private Resolver together with Azure Private DNS zones. On-premises DNS uses conditional forwarders to the resolver’s inbound endpoint IP in the hub VNet, not directly to 168.63.129.16.
- The DNS Private Resolver then uses Azure-provided DNS as a forwarder to resolve records in Azure Private DNS zones and returns answers to on-premises.
Therefore, a hybrid design that:
- Uses on-premises DNS as the primary resolver for workloads, and
- Needs to resolve Private Endpoint FQDNs in centralized Azure Private DNS zones
is not supported purely by pointing on-premises DNS at 168.63.129.16. The supported approach is to deploy Azure DNS Private Resolver in the hub VNet and forward from on-premises DNS to its inbound endpoint.

References:

Share via

Centralized Private DNS Zone in the Hub Subscription

1 answer

Your answer