Use local DNS servers
March 21, 2025
SYNOPSIS
Virtual networks (VNETs) should use DNS servers deployed within the same Azure region.
DESCRIPTION
Virtual networks allow one or more custom DNS servers to be specified. These DNS servers are inherited by connected services such as virtual machines.
When configuring custom DNS server IP addresses, these servers must be accessible for name resolution to occur. Connectivity between services may be impacted if DNS server IP addresses are temporarily or permanently unavailable.
Avoid taking a dependency on external DNS servers, such as those deployed on-premises, for communication between resources within Azure. This can be achieved by using DNS services deployed into the same Azure region.
Where possible, consider deploying:
- Azure DNS Private Resolver.
- Azure Private DNS Zones.
Alternatively, redundant virtual machines (VMs) can be deployed into Azure to perform DNS resolution.
RECOMMENDATION
Consider deploying redundant DNS services within a connected Azure VNET.
EXAMPLES
Configure with Azure template
To deploy Virtual Networks that pass this rule:
- Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
- Use the default Azure DNS servers.
For example:
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    }
  }
}
Configure with Bicep
To deploy Virtual Networks that pass this rule:
- Set properties.dhcpOptions.dnsServers to an IP address within the same or peered network within Azure. OR
- Use the default Azure DNS servers.
For example:
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
  }
}
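The check both examples above are written to satisfy, as an added Python example rather than PSRule's own implementation: it reads a virtualNetworks resource and reports any dnsServers entry that is not inside the VNET's own addressPrefixes or a caller-supplied list of peered prefixes (for example an Identity spoke). An empty dnsServers list is treated as using the default Azure DNS servers. The resource snippets are constructed for the example.

```python
import ipaddress
import json

# Constructed ARM resource fragments (not from a real deployment).
VNET_LOCAL = json.loads("""{
  "type": "Microsoft.Network/virtualNetworks",
  "properties": {
    "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
    "dhcpOptions": {"dnsServers": ["10.0.1.4", "10.0.1.5"]}
  }
}""")
VNET_ONPREM = json.loads("""{
  "type": "Microsoft.Network/virtualNetworks",
  "properties": {
    "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
    "dhcpOptions": {"dnsServers": ["192.168.10.53"]}
  }
}""")
VNET_DEFAULT = json.loads("""{
  "type": "Microsoft.Network/virtualNetworks",
  "properties": {"addressSpace": {"addressPrefixes": ["10.2.0.0/16"]}}
}""")


def dns_server_findings(resource, peered_prefixes=()):
    """Return DNS server IPs that fall outside the VNET's own address space
    and the given peered prefixes. An empty list means the VNET passes;
    no dhcpOptions.dnsServers at all means default Azure DNS, which passes."""
    props = resource.get("properties", {})
    servers = props.get("dhcpOptions", {}).get("dnsServers") or []
    prefixes = props.get("addressSpace", {}).get("addressPrefixes", [])
    # Local = this VNET's prefixes plus any peered prefixes the caller trusts.
    local = [ipaddress.ip_network(p, strict=False)
             for p in list(prefixes) + list(peered_prefixes)]
    findings = []
    for server in servers:
        ip = ipaddress.ip_address(server)
        # 'in' is False across IPv4/IPv6 families, so mixed input is safe.
        if not any(ip in net for net in local):
            findings.append(server)
    return findings


def passes_local_dns(resource, peered_prefixes=()):
    """True when every configured DNS server is local or peered."""
    return not dns_server_findings(resource, peered_prefixes)


if __name__ == "__main__":
    for name, vnet in [("local", VNET_LOCAL), ("onprem", VNET_ONPREM),
                       ("default", VNET_DEFAULT)]:
        print(name, "pass" if passes_local_dns(vnet) else
              f"fail: {dns_server_findings(vnet)}")
```

Passing the Identity spoke's prefix as peered_prefixes is the code equivalent of the AZURE_VNET_DNS_WITH_IDENTITY configuration described in the notes.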
NOTES
This rule applies when analyzing resources deployed to Azure (in-flight).
When deploying Active Directory Domain Services (ADDS) within Azure, you may decide to:
- Deploy an Identity subscription aligned to the Cloud Adoption Framework (CAF) Azure landing zone architecture.
- Host DNS services on the same VMs as ADDS, located in a separate VNET spoke for the Identity subscription.
When you do this, this rule may report a false positive by default.
If you are using this configuration, we recommend you set the configuration option AZURE_VNET_DNS_WITH_IDENTITY to true.
For example:
configuration:
  AZURE_VNET_DNS_WITH_IDENTITY: true