Use redundant DNS servers

March 21, 2025

SYNOPSIS

Virtual networks (VNETs) should have at least two DNS servers assigned.

DESCRIPTION

Virtual networks (VNETs) should have at least two (2) DNS servers assigned. Configuring a single DNS server may indicate a single point of failure, unless that DNS IP address is itself a load-balanced endpoint.

RECOMMENDATION

Virtual networks should have at least two (2) DNS servers set when not using Azure-provided DNS.

EXAMPLES

Configure with Azure template

To deploy Virtual Networks that pass this rule:

  • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
  • Use the default Azure DNS servers.

For example:

{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    }
  }
}
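As an added example (not part of the original page or the PSRule project's own rule code), the following script applies this rule's logic to the VNET resources in an ARM template: a VNET with no dnsServers passes because it uses Azure-provided DNS, one with two or more distinct addresses passes, and one with a single address fails. The template is constructed inline, and the decision to count duplicate addresses as a single server is an assumption of this example, stricter than a plain element count.

```python
import json
# Constructed ARM template fragment (not from the page) covering each case the rule must handle.
TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-azure-dns",
     "properties": {"addressSpace": {"addressPrefixes": ["10.1.0.0/16"]}}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-single",
     "properties": {"dhcpOptions": {"dnsServers": ["10.0.1.4"]}}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-redundant",
     "properties": {"dhcpOptions": {"dnsServers": ["10.0.1.4", "10.0.1.5"]}}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-duplicate",
     "properties": {"dhcpOptions": {"dnsServers": ["10.0.1.4", "10.0.1.4"]}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stg-ignored"}
  ]
}
""")

VNET_TYPE = "microsoft.network/virtualnetworks"

def dns_servers(resource):
    """Custom DNS servers set on a VNET; empty when Azure-provided DNS is used."""
    dhcp = (resource.get("properties") or {}).get("dhcpOptions") or {}
    return [s.strip() for s in (dhcp.get("dnsServers") or []) if s and s.strip()]

def check_vnet(resource, minimum=2):
    """Return (passes, reason) for a VNET resource, or None for other resource types."""
    if resource.get("type", "").lower() != VNET_TYPE:
        return None
    servers = dns_servers(resource)
    if not servers:
        return True, "uses Azure-provided DNS"
    distinct = sorted(set(servers))  # assumption: a repeated address is still one server
    if len(distinct) >= minimum:
        return True, f"{len(distinct)} distinct DNS servers: {distinct}"
    return False, f"only {len(distinct)} distinct DNS server(s): {distinct}"

def evaluate_template(template, minimum=2):
    """Map each VNET name in an ARM template to its (passes, reason) verdict."""
    results = {}
    for res in template.get("resources", []):
        verdict = check_vnet(res, minimum)
        if verdict is not None:
            results[res["name"]] = verdict
    return results

if __name__ == "__main__":
    for name, (ok, why) in evaluate_template(TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {why}")
```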

Configure with Bicep

To deploy Virtual Networks that pass this rule:

  • Set properties.dhcpOptions.dnsServers to at least two DNS server addresses. OR
  • Use the default Azure DNS servers.

For example:

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
  }
}