DNS Zones and Records overview - Azure DNS (2023)

  • Article
  • 12 minutes to read

This article explains the key concepts of domains, DNS zones, DNS records, and record sets. You'll learn how it's supported in Azure DNS.

Domain names

The Domain Name System is a hierarchy of domains. The hierarchy starts from the 'root' domain, whose name is simply '.'. Below this come top-level domains, such as 'com', 'net', 'org', 'uk' or 'jp'. Below the top-level domains are second-level domains, such as 'org.uk' or 'co.jp'. The domains in the DNS hierarchy are globally distributed, hosted by DNS name servers around the world.

A domain name registrar is an organization that allows you to purchase a domain name, such as contoso.com. Purchasing a domain name gives you the right to control the DNS hierarchy under that name, for example allowing you to direct the name www.contoso.com to your company web site. The registrar may host the domain in its own name servers on your behalf, or allow you to specify alternative name servers.

Azure DNS provides a globally distributed and high-availability name server infrastructure that you can use to host your domain. By hosting your domains in Azure DNS, you can manage your DNS records with the same credentials, APIs, tools, billing, and support as your other Azure services.

Azure DNS currently doesn't support purchasing of domain names. If you want to purchase a domain name, you need to use a third-party domain name registrar. The registrar typically charges a small annual fee. The domains can then be hosted in Azure DNS for management of DNS records. See Delegate a Domain to Azure DNS for details.

DNS zones

A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone.

For example, the domain 'contoso.com' may contain several DNS records, such as 'mail.contoso.com' (for a mail server) and 'www.contoso.com' (for a web site).

When creating a DNS zone in Azure DNS:

  • The name of the zone must be unique within the resource group, and the zone must not exist already. Otherwise, the operation fails.
  • The same zone name can be reused in a different resource group or a different Azure subscription.
  • Where multiple zones share the same name, each instance is assigned different name server addresses. Only one set of addresses can be configured with the domain name registrar.


You do not have to own a domain name to create a DNS zone with that domain name in Azure DNS. However, you do need to own the domain to configure the Azure DNS name servers as the correct name servers for the domain name with the domain name registrar.

For more information, see Delegate a domain to Azure DNS.

(Video) Understanding DNS in Azure

DNS records

Record names

In Azure DNS, records are specified by using relative names. A fully qualified domain name (FQDN) includes the zone name, whereas a relative name does not. For example, the relative record name www in the zone contoso.com gives the fully qualified record name www.contoso.com.

An apex record is a DNS record at the root (or apex) of a DNS zone. For example, in the DNS zone contoso.com, an apex record also has the fully qualified name contoso.com (this is sometimes called a naked domain). By convention, the relative name '@' is used to represent apex records.

Record types

Each DNS record has a name and a type. Records are organized into various types according to the data they contain. The most common type is an 'A' record, which maps a name to an IPv4 address. Another common type is an 'MX' record, which maps a name to a mail server.

Azure DNS supports all common DNS record types: A, AAAA, CAA, CNAME, MX, NS, PTR, SOA, SRV, and TXT. Note that SPF records are represented using TXT records.

Record sets

Sometimes you need to create more than one DNS record with a given name and type. For example, suppose the 'www.contoso.com' web site is hosted on two different IP addresses. The website requires two different A records, one for each IP address. Here is an example of a record set:

www.contoso.com. 3600 IN A 3600 IN A

Azure DNS manages all DNS records using record sets. A record set (also known as a resource record set) is the collection of DNS records in a zone that have the same name and are of the same type. Most record sets contain a single record. However, examples like the one above, in which a record set contains more than one record, are not uncommon.

For example, suppose you have already created an A record 'www' in the zone 'contoso.com', pointing to the IP address '' (the first record above). To create the second record you would add that record to the existing record set, rather than create an additional record set.

The SOA and CNAME record types are exceptions. The DNS standards don't permit multiple records with the same name for these types, therefore these record sets can only contain a single record.

(Video) Azure Fundamentals - #25 - AzureDNS


The time to live, or TTL, specifies how long each record is cached by clients before being requeried. In the above example, the TTL is 3600 seconds or 1 hour.

In Azure DNS, the TTL gets specified for the record set, not for each record, so the same value is used for all records within that record set. You can specify any TTL value between 1 and 2,147,483,647 seconds.

Wildcard records

Azure DNS supports wildcard records. Wildcard records get returned in response to any query with a matching name, unless there's a closer match from a non-wildcard record set. Azure DNS supports wildcard record sets for all record types except NS and SOA.

To create a wildcard record set, use the record set name '*'. You can also use a name with '*' as its left-most label, for example, '*.foo'.

CAA records

CAA records allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain. This record allows CAs to avoid mis-issuing certificates in some circumstances. CAA records have three properties:

  • Flags: This field is an integer between 0 and 255, used to represent the critical flag that has special meaning per the RFC
  • Tag: an ASCII string that can be one of the following:
    • issue: if you want to specify CAs that are permitted to issue certs (all types)
    • issuewild: if you want to specify CAs that are permitted to issue certs (wildcard certs only)
    • iodef: specify an email address or hostname to which CAs can notify for unauthorized cert issue requests
  • Value: the value for the specific Tag chosen

CNAME records

CNAME record sets can't coexist with other record sets with the same name. For example, you can't create a CNAME record set with the relative name 'www' and an A record with the relative name 'www' at the same time.

Since the zone apex (name = '@') will always contain the NS and SOA record sets during the creation of the zone, you can't create a CNAME record set at the zone apex.

These constraints arise from the DNS standards and aren't limitations of Azure DNS.

NS records

The NS record set at the zone apex (name '@') gets created automatically with each DNS zone, and gets deleted automatically when the zone gets deleted. It can't be deleted separately.

This record set contains the names of the Azure DNS name servers assigned to the zone. You can add more name servers to this NS record set, to support cohosting domains with more than one DNS provider. You can also modify the TTL and metadata for this record set. However, removing or modifying the pre-populated Azure DNS name servers isn't allowed.

This restriction only applies to the NS record set at the zone apex. Other NS record sets in your zone (as used to delegate child zones) can be created, modified, and deleted without constraint.

(Video) How to configure Azure DNS?||Internal and External name resolution||DNS Zone vs Private DNS Zone

SOA records

A SOA record set gets created automatically at the apex of each zone (name = '@'), and gets deleted automatically when the zone gets deleted. SOA records cannot be created or deleted separately.

You can modify all properties of the SOA record except for the 'host' property. This property gets pre-configured to refer to the primary name server name provided by Azure DNS.

The zone serial number in the SOA record isn't updated automatically when changes are made to the records in the zone. It can be updated manually by editing the SOA record, if necessary.

SPF records

Sender policy framework (SPF) records are used to specify which email servers can send email on behalf of a domain name. Correct configuration of SPF records is important to prevent recipients from marking your email as junk.

The DNS RFCs originally introduced a new SPF record type to support this scenario. To support older name servers, they also allowed the use of the TXT record type to specify SPF records. This ambiguity led to confusion, which was resolved by RFC 7208. It states that SPF records must be created by using the TXT record type. It also states that the SPF record type is deprecated.

SPF records are supported by Azure DNS and must be created by using the TXT record type. The obsolete SPF record type isn't supported. When you import a DNS zone file, any SPF records that use the SPF record type are converted to the TXT record type.

SRV records

SRV records are used by various services to specify server locations. When specifying an SRV record in Azure DNS:

  • The service and protocol must be specified as part of the record set name, prefixed with underscores. For example, '_sip._tcp.name'. For a record at the zone apex, there's no need to specify '@' in the record name, simply use the service and protocol, for example '_sip._tcp'.
  • The priority, weight, port, and target are specified as parameters of each record in the record set.

TXT records

TXT records are used to map domain names to arbitrary text strings. They're used in multiple applications, in particular related to email configuration, such as the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).

The DNS standards permit a single TXT record to contain multiple strings, each of which may be up to 255 characters in length. Where multiple strings are used, they are concatenated by clients and treated as a single string.

When calling the Azure DNS REST API, you need to specify each TXT string separately. When you use the Azure portal, PowerShell, or CLI interfaces, you should specify a single string per record. This string is automatically divided into 255-character segments if necessary.

The multiple strings in a DNS record shouldn't be confused with the multiple TXT records in a TXT record set. A TXT record set can contain multiple records, each of which can contain multiple strings. Azure DNS supports a total string length of up to 1024 characters in each TXT record set (across all records combined).

(Video) AZ-104 Exam EP 18: Azure DNS


Tags are a list of name-value pairs and are used by Azure Resource Manager to label resources. Azure Resource Manager uses tags to enable filtered views of your Azure bill and also enables you to set a policy for certain tags. For more information about tags, see Using tags to organize your Azure resources.

Azure DNS supports using Azure Resource Manager tags on DNS zone resources. It doesn't support tags on DNS record sets, although as an alternative 'metadata' is supported on DNS record sets as explained below.


As an alternative to record set tags, Azure DNS supports annotating record sets using 'metadata'. Similar to tags, metadata enables you to associate name-value pairs with each record set. This feature can be useful, for example to record the purpose of each record set. Unlike tags, metadata cannot be used to provide a filtered view of your Azure bill and cannot be specified in an Azure Resource Manager policy.


Suppose two people or two processes try to modify a DNS record at the same time. Which one wins? And does the winner know that they've overwritten changes created by someone else?

Azure DNS uses Etags to handle concurrent changes to the same resource safely. Etags are separate from Azure Resource Manager 'Tags'. Each DNS resource (zone or record set) has an Etag associated with it. Whenever a resource is retrieved, its Etag is also retrieved. When updating a resource, you can choose to pass back the Etag so Azure DNS can verify the Etag on the server matches. Since each update to a resource results in the Etag being regenerated, an Etag mismatch indicates a concurrent change has occurred. Etags can also be used when creating a new resource to ensure the resource doesn't already exist.

By default, Azure DNS PowerShell uses Etags to block concurrent changes to zones and record sets. The optional -Overwrite switch can be used to suppress Etag checks, in which case any concurrent changes that have occurred are overwritten.

At the level of the Azure DNS REST API, Etags are specified using HTTP headers. Their behavior is given in the following table:

NonePUT always succeeds (no Etag checks)
If-match <etag>PUT only succeeds if resource exists and Etag matches
If-match *PUT only succeeds if resource exists
If-none-match *PUT only succeeds if resource doesn't exist


The following default limits apply when using Azure DNS:

Public DNS zones

Public DNS zones per subscription250 1
Record sets per public DNS zone10,000 1
Records per record set in public DNS zone20
Number of Alias records for a single Azure resource20

1If you need to increase these limits, contact Azure Support.

Private DNS zones

(Video) How to Configure Public DNS Zone for Hosting your Domain in Azure

Private DNS zones per subscription1000
Record sets per private DNS zone25000
Records per record set for private DNS zones20
Virtual Network Links per private DNS zone1000
Virtual Networks Links per private DNS zones with auto-registration enabled100
Number of private DNS zones a virtual network can get linked to with auto-registration enabled1
Number of private DNS zones a virtual network can get linked1000
Number of DNS queries a virtual machine can send to Azure DNS resolver, per second1000 1
Maximum number of DNS queries queued (pending response) per virtual machine200 1

1These limits are applied to every individual virtual machine and not at the virtual network level. DNS queries exceeding these limits are dropped.

DNS private resolver1

DNS private resolvers per subscription15
Inbound endpoints per DNS private resolver5
Outbound endpoints per DNS private resolver5
Forwarding rules per DNS forwarding ruleset1000
Virtual network links per DNS forwarding ruleset500
Outbound endpoints per DNS forwarding ruleset2
DNS forwarding rulesets per outbound endpoint2
Target DNS servers per forwarding rule6
QPS per endpoint10,000

1Different limits might be enforced by the Azure portal until the portal is updated. Use PowerShell to provision elements up to the most current limits.

Next steps

  • To start using Azure DNS, learn how to create a DNS zone and create DNS records.
  • To migrate an existing DNS zone, learn how to import and export a DNS zone file.


What is a DNS zone in Azure? ›

A DNS zone is a data resource that contains the DNS records for a domain name. You can use Azure DNS to host a DNS zone and manage the DNS records for a domain in Azure. It also provides DNS name servers to answer DNS queries from the Internet.

What are DNS zones and records? ›

A DNS zone is used to host the DNS records for a particular domain. To start hosting your domain in Azure DNS, you need to create a DNS zone for that domain name. Each DNS record for your domain is then created inside this DNS zone.

What are the 3 types of DNS zones? ›

The DNS zones can be classified into the following types:

Active Directory Integrated Zone. Secondary Zone. Stub Zone.

How do I find my Azure DNS zone? ›

In the Azure portal, go to the DNS zone overview page. Search for the record set and select it will open the record set properties.

How do I use DNS zones in Azure? ›

In the Azure portal, enter dns zone in the search box at the top of the portal, and then select DNS zones from the search results. In DNS zones, select + Create. Select your Azure subscription. Select OK.

What are the three 3 types of DNS queries? ›

3 types of DNS queries—recursive, iterative, and non-recursive.

What are the two types of DNS zones? ›

There are two types of DNS zones – Primary (Master) DNS zone for control and Secondary (Slave) DNS zone for redundancy and better performance. The first contains all the original DNS records, and the second gets them from the Primary DNS zone. The process is called DNS zone transfer.

How many types of DNS records are there? ›

DNS servers store records. When a DNS query is sent by a device, that query gets a response from those records with the help of DNS servers and resolvers. There are eight records that you see again and again: A, AAAA, CNAME, PTR, NS, MX, SOA, and TXT.

What is the difference between a zone and a domain in DNS? ›

A domain is a logical division of the DNS name space whereas a zone is physical, as the information is stored in a file called a zone file. In most cases you have a 1 to 1 relationship between a Domain and a DNS Zone i.e. the domain mydomain.com would be stored in a zone file called mydomain.com. txt.

Where are DNS records stored in Active Directory? ›

DNS zone data is stored in an application directory partition. A forest-wide partition named ForestDnsZones is used for the zone data. For each AD DS domain, a domain partition is created named DomainDnsZones. Typically, DNS implementations are used with a contiguous namespace.

Why are DNS zones important? ›

A DNS zone is a distinct part of the domain namespace which is delegated to a legal entity—a person, organization or company, who are responsible for maintaining the DNS zone. A DNS zone is also an administrative function, allowing for granular control of DNS components, such as authoritative name servers.

How do I find my DNS zone records? ›

To view DNS resource records for a zone
  1. In Server Manager, click IPAM. ...
  2. In the navigation pane, in MONITOR AND MANAGE, click DNS Zones. ...
  3. In the lower navigation pane, click Forward Lookup, and then expand the domain and zone list to locate and select the zone you want to view.
Jul 29, 2021

How do I find my DNS server details? ›

How to check your DNS settings
  1. Click on Start, select Control Panel then double click on Network Connections.
  2. Right-click on the network connection in use and select Properties.
  3. Double click on Internet Protocol (TCP/IP)
  4. Make sure “Obtain an IP address automatically” is selected.

What DNS server does Azure use? ›

The Azure DNS IP address is 168.63. 129.16. This is a static IP address and won't change.

How does Azure manage DNS records? ›

Create a DNS record
  1. In the Azure portal, under All resources, open the contoso. xyz DNS zone in the MyResourceGroup resource group. You can enter contoso. ...
  2. At the top of the DNS zone page, select + Record set.
  3. On the Add record set page, type or select the following values: Name: Type www.
Sep 29, 2022

How DNS works in Azure cloud? ›

Azure DNS private zones provide a simple, reliable, secure DNS service to manage and resolve names in a virtual network without the need to create and manage a custom DNS solution. Use your own domain names and get name resolution for virtual machines within and between virtual networks.

What is the most common type of record in a DNS zone? ›

An A record is one of the most common types of DNS records. During an IP address lookup, an A record uses the domain name to locate the IPv4 address of the computer hosting the domain name on the internet.

How do I read DNS records? ›

The most efficient way to check DNS records of the domain is to use a terminal with the command nslookup. This command will run on almost all operating systems (Windows, Linux, and macOS).

What is a DNS a record example? ›

The "A" stands for "address" and this is the most fundamental type of DNS record: it indicates the IP address of a given domain. For example, if you pull the DNS records of cloudflare.com, the A record currently returns an IP address of: 104.17. 210.9. A records only hold IPv4 addresses.

Can we integrate DNS zones with Active Directory? ›

Therefore, any domain controller in the domain running the DNS Server service can write updates to the Active Directory-integrated DNS zones for the domain name for which they are authoritative. A separate DNS zone transfer topology is not needed. Secure dynamic updates are supported.

What is the basic structure of DNS? ›

The DNS hierarchy, also called the domain name space, is an inverted tree structure. The DNS hierarchy tree has a single domain at the top of the structure called the root domain – indicated by the “.” as we have mentioned above.

Why have multiple DNS zones? ›

A Multi-DNS architecture is one that utilizes authoritative DNS nameservers from two or more providers. Most, if not all DNS service providers, use multiple nameservers for high availability and redundancy, allowing them to mitigate most issues without clients even being aware.

How many lookup zones are in DNS? ›

There are two Primary zone types that can be set up on a DNS Server—Forward Lookup Zones and Reverse Lookup Zones. Forward Lookup Zones—Forward Lookup Zones allow the DNS Server to resolve queries where the client sends a name to the DNS Server to request the IP address of the requested host.

What are zones in Active Directory? ›

An -Active Directory-integrated zone is a primary DNS zone that is stored in Active Directory and thus can, unlike all other zone types, use multi-master replication and Active Directory security features. It is an authoritative primary zone in which all of the zone data is stored in Active Directory.

Can I have 2 DNS A records? ›

An A record maps a domain to the physical IP address of the computer hosting that domain. Internet traffic uses the A record to find the computer hosting your domain's DNS settings. The value of an A record is always an IP address, and multiple A records can be configured for one domain name.

What is the difference between a domain and a zone? ›

A "domain" represents the entire set of names / machines that are contained under an organizational domain name. For example, all domain names ending with ".com" are part of the "com" domain. A "zone" is a domain less any sub-domains delegated to other DNS servers (see NS-records).

What is DMZ zone in Azure? ›

This reference architecture shows a secure hybrid network that extends an on-premises network to Azure. The architecture implements a perimeter network, also called a DMZ, between the on-premises network and an Azure virtual network. All inbound and outbound traffic passes through Azure Firewall.

What are the 4 types of domain? ›

Types of Domain
  • Generic Top-Level Domains (gTLD)
  • Country Code Top-Level Domains (ccTLD)
  • Internationalized Country Code Top-Level Domains (IDN ccTLD)
  • Subdomain.
Jul 19, 2022

What is an example of a zone? ›

time zone (noun) towaway zone (noun) twilight zone (noun) Canal Zone (proper noun)

What are the types of zones? ›

Based on temperature, the Earth is divided into three zones: Torrid Zone, Temperate Zone, and Frigid Zone.


1. Azure Public DNS Zone Overview
(Scott Duffy @ GetCloudSkills)
2. Azure Public DNS ZONE create records Transfer from Godaddy to Azure DNS
(Paddy Maddy)
3. Azure DNS Zone Creation
(Robert McMillen)
4. Creating a Microsoft Azure DNS Zone
(Network Expert Inc)
5. How to manage your domain with azure DNS Zone?
(Bee a Learner 🐝🌨️)
6. Azure Public and Private DNS Zone | DNS Server | Lecture 9
Top Articles
Latest Posts
Article information

Author: Rev. Leonie Wyman

Last Updated: 11/12/2022

Views: 6196

Rating: 4.9 / 5 (79 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Rev. Leonie Wyman

Birthday: 1993-07-01

Address: Suite 763 6272 Lang Bypass, New Xochitlport, VT 72704-3308

Phone: +22014484519944

Job: Banking Officer

Hobby: Sailing, Gaming, Basketball, Calligraphy, Mycology, Astronomy, Juggling

Introduction: My name is Rev. Leonie Wyman, I am a colorful, tasty, splendid, fair, witty, gorgeous, splendid person who loves writing and wants to share my knowledge and understanding with you.