My name is DNS, Azure DNS

Using the Internet without Domain Name Services (DNS) is like using your smartphone without any option to save your contacts. As a consequence, you have to remember all the phone numbers of your friends – unthinkable for most of us. For the internet, the DNS Servers are providing this index of numbers and is an essential asset of the backbone for any network. It isn’t a service which gets much attention though but is vital in the on-premises world as well as in the cloud. Maybe you should change this perception for the future as choosing the right DNS hosting provider can have a considerable impact on websites performance, reliability, and security.

How DNS works, in three simple steps

Azure DNS does not replace the clients DNS Servers. The ISP still provides these, or you chose the famous ones from CloudFlare (, or Google (, Azure DNS is a hosting service for DNS Domains, providing name resolution using the Microsoft global Azure infrastructure.

The illustration below shows the simplified process when a user requested to visit a website. As the first step (1) the user asks its local DNS Server to get the IP Address for the requested website, as an example If this is the first request to the domain and the www CNAME or A-Record is not known, the ISP’s DNS Server has to connect to the DNS Server of the domain, which runs in Azure for this example. In step two (2), the DNS Server for answers the request by providing the IP Address for the requested www-record. This information, the IP Address, finally allows the user to connect to the website in step three (3). The web app or virtual machine hosting the webserver does take care of the rest and provides the requested content as the final step.

Azure DNS Concepts

It is likely that through browsing to a single URL, such as, the resources required to load the website are scattered across multiple hosts or addresses, such as a CDN or subdomains for images or graphics – or even some external content. In such case, a single visit to the website can trigger multiple DNS calls.

Any domain can be hosted on Azure DNS – while you don’t have to host the content that goes with the domain on Azure. What I like the most about Azure DNS:

  • It’s secure – Having the DNS hosted in Azure allows me to use the same credentials as for the other Azure Services. As it’s based on the Azure Resource Manager (ARM), it’s easily possible to grant access to other personas or services on a record level which wants to update individual records.
  • It’s fast – Azure DNS uses a global network of name servers to provide fast responses to DNS queries. It uses the Anycast networking, so DNS queries automatically route to the closest name servers which provide fast performance and high availability.
  • It’s fancy – Domains and records can be managed using the same Azure Portal, the PowerShell cmdlets, or Azure CLI as for any other resource. Azure DNS even supports integration with the service using REST API.

You can read more about DNS in the official Azure Docs.

How to use Azure DNS?

As a first step, you have to create a “DNS zone” for your domain in Azure. This is a very straightforward process, which can be done directly from the Azure Portal, using PowerShell, or Azure CLI. The DNS zone is created as a global resource, no region has to be/or can be selected. The newly created zone is typically reflected on the Azure DNS name servers within a few seconds. You need to know the name servers for your zone created before, to delegate the DNS Zone from your registrar to Azure DNS. The records for your zone are shown in the Azure portal or can also be retrieved using the Azure CLI.

Azure DNS does not support the purchase or management of domain names, which means the domain purchase and management still happen outside of Azure. I like namesilo, as it offers low prices and identity privacy without additional cost, but any other like GoDaddy,, etc. will do it as well. After the purchase, the registrar usually offers the option to setup the name server (NS) records where you will have to enter the name servers from Azure.

When completed, the registrar stores these NS records in the parent domain, for our URL this would be “.net”. You can verify if the delegation is set up correctly using nslookup from your client:

nslookup -type=SOA

To summarize the steps performed before:

  1. In Azure, create a new DNS Zone…
  2. … and lookup the NS Records for your DNS Zone.
  3. With the registrar, register your domain name…
  4. … add the Azure NS Records to your domain.
  5. From your client, verify everything works correctly.

That’s basically it – and doesn’t take more than 5 minutes to setup. At this point, you have your DNS Zone deployed in Azure, and you will be able to manage all your records from the Azure Portal. The entire process including the CLI-commands mentioned above is described in more detail in the Azure Documentation: Delegate a Domain to Azure DNS. Btw. Domain Purchase is a feature being tracked in Azure backlog – you can “vote” for this feature here.

Why we changed our DNS

This blog is hosted by a local web hosting company. As their main business is within Europe, changing from their “local” DNS to the global DNS provided by Azure improved the DNS Lookup time as well as the Time to First Byte (TTFB) by an interesting factor. Just like with Content Delivery Network (CDN), global DNS Hosting Providers also have multiple POP’s in different areas of the world. Having more POP’s / locations means there will be more likely a DNS Server closer to our visitors, decreasing the lookup time:

Good tools I like to check the performance of a website are:

In general practice, it is better to keep a longer Time to Live (TTL) for DNS records, because ISPs also cache the DNS. By setting a longer TTL also means fewer queries to the DNS servers. TTL values are always represented in seconds. We’re using 3600 seconds for most of our entries, a rather short duration. In this blog you find a good explanation of TTL and recommended settings. As an alternative to Azure DNS you might want to check this article explaining how to use the free CloudFlare DNS to speed-up your website.

Choosing your DNS Server

Azure DNS isn’t the only service providing name resolutions; there are many different options from free to big money – so the scale ranges from hobby to enterprise. While all leading cloud providers offer a robust service that will probably easily outperform your average DNS Server hosted locally, CloudFlare and Dyn (now owned by Oracle) are ranked quite well – which isn’t too much of a surprise, as these services have been there the main competency for quite some time. Don’t get too distracted by the comparisons, considering Azure’s global presence and the strategy to expand with the services Azure DNS will be a winning horse to bet on.

To have the option to host the DNS close to the Web Service and use the same management tools was vital for me, which makes the operation and also integration between the Azure Services. Moving forward, Azure DNS not only can replace your DNS Servers hosting your public endpoints – like the records for your website or Office 365 infrastructure – Azure DNS will also be available to host your private DNS Zones used in your virtual network.

You can bring DNS Zones to your VNet without the need of managing custom DNS Servers. While DNS was available already before, it wasn’t possible to use custom domain names. I wrote an earlier article about this topic (Why is there a “reddog” DNS Suffix for my VM’s?). Azure will dynamically register the A Records in the private DNS Zone for the VM’s within this VNet and will also keep track of other additions or removals. You can read more about the Azure DNS Private Zone Feature in the Azure Docs.

The Azure DNS Private Zone feature is currently in Public Preview (as of April 2018). This preview version is provided without a service level agreement, and it is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

Using DNS for Domain Validation

When you configure the Webmaster Tools of Bing, Google, or Yandex, you have first to verify your site. For WordPress there are multiple SEO plugins offering support by adding a META Tag to the code. If you care about the performance, this probably should not be the preferred choice.

Have you considered (Azure) DNS for the domain verification? It only requires a TXT (Google, Yandex) or CNAME (Bing) record, and makes the code mentioned above obsolete. The same webmaster tools offer this verification method. For more details on the configuration, you can follow this great guide created by Brian Jackson.

Our switch to DNS verification only required a few minutes. Don’t forget to remove the part from the plugin/code to realize the performance benefits. Note, as all search engines periodically check, you should not remove the records later on.

There’s just one more thing…

As mentioned above, Azure DNS supports PowerShell for configuration and management activities. I recently read a blog post from Sven Meury, who describes a solution using Azure Functions to build a DDNS in Azure. The script used in the blog post is very easily adaptable and allows you to automatically update a record in case the IP Address has changed.

I would extend the solution using Azure Key Vault (AKV), to protect the username and password, but besides that, the script could be used as-is.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.