Blog Post

Azure Networking Blog
3 MIN READ

DNS best practices for implementation in Azure Landing Zones

AshishRana's avatar
AshishRana
Icon for Microsoft rankMicrosoft
Jun 12, 2025

In this blog post, we’ll demystify the various DNS components available in Azure - such as Private DNS Zones, DNS Private Resolvers, DNS Forwarding Rulesets, and Conditional Forwarders and explain how they fit into a well-architected landing zone. There is often confusion around what custom DNS settings virtual networks should use: should they point to on-premises domain controllers, to Azure DNS Private Resolvers endpoints? we'll walk through common design patterns and provide guidance on how to structure DNS in a scalable and secure way for enterprise-grade Azure deployments.

Why DNS architecture matters in Landing Zone A well-designed DNS layer is the glue that lets workloads in disparate subscriptions discover one another quickly and securely. Getting it right during ...
Updated Jun 11, 2025
Version 1.0
azure networking
emvar's avatar
emvar
Copper Contributor
Jun 26, 2025

Thank you, but for the Security subscription in the landing zone is there an official guidance? i agree with a dedicated subscription, but should it be in the platform mgmt group? A guess at least when there is only 1 instance or where there is a central instance (like global SOC)