Introduction
Azure Private Endpoint provides private connectivity to Azure PaaS services, such as Azure SQL Managed Instance, through a private IP address inside your virtual network.
When a Private Endpoint is created for a service, the service's public DNS name is changed to a CNAME that redirects resolution into a privatelink subdomain (CNAME redirection).
Example:
myserver.database.windows.net
↓
myserver.privatelink.database.windows.net
↓
Private IP
An Azure Private DNS zone for that privatelink subdomain, linked to the VNet, is then what resolves the Private Endpoint FQDN to the private IP. For SQL Managed Instance the zone name carries the instance's DNS zone prefix (privatelink.{dnsPrefix}.database.windows.net); the examples in this article use the shorter privatelink.database.windows.net form.
However, this redirection introduces a DNS limitation that bites in:
- Hybrid cloud architectures (AWS → Azure SQL MI)
- Multi-region deployments (DR region access)
- Cross-tenant / cross-subscription access
- Multi-VNet isolated networks
Once the query lands in the privatelink subdomain, the linked Private DNS zone is authoritative for it. If that zone does not contain a record for the name, Azure DNS returns:
NXDOMAIN (Non-Existent Domain)
Azure DNS hands that negative answer straight back to the client and does not try public DNS for the name, so the query fails even though the service's public endpoint would have resolved.
This results in:
❌ Application connectivity failure
❌ Database connection timeout
❌ AKS pod DNS resolution errors
❌ DR failover application outage
Problem statement
In traditional Private Endpoint DNS resolution:
- The application sends its DNS query to Azure DNS.
- Azure DNS checks the linked Private DNS zone.
- If no matching record exists, NXDOMAIN is returned.
DNS queries for Azure Private Link and network-isolation scenarios across different tenants and resource groups follow their own name resolution paths, which can affect the ability to reach Private Link-enabled resources outside a tenant's control.
Azure DNS does not retry resolution using public DNS by default.
Therefore:
- Public endpoint resolution never occurs
- The DNS query fails permanently (until a record is added to the zone)
- The application cannot connect
Microsoft native solution
Fallback to internet (NxDomainRedirect)
Azure introduced a resolution policy on the Private DNS zone's virtual network link:
resolutionPolicy = NxDomainRedirect
This property enables public recursion via Azure's recursive resolver fleet when an authoritative NXDOMAIN response is received from the Private Link zone.
When enabled:
✅ Azure DNS retries the query against public DNS
✅ Public endpoint resolution occurs
✅ Application connectivity continues
✅ No custom DNS forwarder required
The fallback policy is configured at:
Private DNS Zone → virtual network link
The policy is a per-link setting (NxDomainRedirect versus the default), so it must be enabled on every VNet link that should fall back.
In the Azure portal this appears as:
Enable fallback to internet
How it works
Without fallback:
Application → Azure DNS
→ Private DNS Zone
→ Record missing
→ NXDOMAIN returned
→ Connection failure
With fallback enabled:
Application → Azure DNS
→ Private DNS Zone
→ Record missing
→ NXDOMAIN returned
→ Azure recursive resolver
→ Public DNS resolution
→ Public endpoint IP returned
→ Connection successful
On each NXDOMAIN from the linked private zone, Azure's recursive resolver re-issues the same query name (the privatelink CNAME target) to public DNS and returns the public answer for it, which is the service's public endpoint. The retry happens only for NXDOMAIN: a record that exists but points at the wrong address is not retried.
Real world use case
AWS application connecting to Azure SQL Managed Instance
You are running:
- Private DNS zone privatelink.database.windows.net, linked to a VNet in Azure
- An application in AWS whose DNS queries for Azure names are forwarded to Azure DNS in that VNet (for example through a DNS forwarder deployed there)
The AWS application tries to connect to:
my-mi.database.windows.net
If the record for the DR region's instance is missing from the zone:
Without fallback:
DNS query → NXDOMAIN → App failure
With fallback enabled:
DNS query → Retry public DNS → Connection success (over the public endpoint)
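The resolution path described under "How it works" and in the use case above, as a runnable model. This is an added example for this article, not Azure code: the resolver logic is a simplified model of Azure DNS, and the zones, names and addresses are constructed (203.0.113.0/24 is a documentation range standing in for a public endpoint; my-mi is the instance whose record is missing, my-other-mi the one whose record exists).

```python
"""Model of how Azure DNS answers a Private Link name from a VNet that has a
linked Private DNS zone, with and without the NxDomainRedirect policy.

Added example for this article, not Azure code; all data below is constructed.
"""

# Constructed public DNS view. The service's public zone CNAME-redirects the
# server name into the privatelink subdomain, and the public privatelink zone
# goes on to the public endpoint's address.
PUBLIC_DNS = {
    "my-mi.database.windows.net": ("CNAME", "my-mi.privatelink.database.windows.net"),
    "my-mi.privatelink.database.windows.net": ("A", "203.0.113.10"),
    "my-other-mi.database.windows.net": ("CNAME", "my-other-mi.privatelink.database.windows.net"),
    "my-other-mi.privatelink.database.windows.net": ("A", "203.0.113.11"),
}

# Constructed Private DNS zone linked to the VNet. my-other-mi has its Private
# Endpoint record; my-mi (the DR instance in the use case) does not.
PRIVATE_ZONES = {
    "privatelink.database.windows.net": {
        "my-other-mi.privatelink.database.windows.net": ("A", "10.0.1.4"),
    },
}


def linked_zone_for(name):
    """Return the linked private zone that is authoritative for name, if any."""
    for zone in PRIVATE_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def resolve(qname, policy="Default", max_hops=8):
    """Resolve qname as Azure DNS would for the linked VNet.

    policy is "Default" (stop at the private zone's NXDOMAIN) or
    "NxDomainRedirect" (retry the same name on public DNS).
    Returns (status, address_or_None, trace) with status "A" or "NXDOMAIN".
    """
    trace = []
    name = qname.lower().rstrip(".")
    for _ in range(max_hops):
        zone = linked_zone_for(name)
        if zone is None:
            rec = PUBLIC_DNS.get(name)           # not a linked zone: normal public recursion
            source = "public DNS"
        else:
            rec = PRIVATE_ZONES[zone].get(name)  # linked zone is authoritative for this name
            source = f"private zone {zone}"
            if rec is None:
                trace.append(f"{name}: {source} -> NXDOMAIN")
                if policy != "NxDomainRedirect":
                    return "NXDOMAIN", None, trace
                trace.append(f"{name}: NxDomainRedirect -> retry on public DNS")
                rec = PUBLIC_DNS.get(name)       # fallback: same QNAME, public resolver fleet
                source = "public DNS"
        if rec is None:
            trace.append(f"{name}: {source} -> NXDOMAIN")
            return "NXDOMAIN", None, trace
        rtype, rdata = rec
        trace.append(f"{name}: {source} -> {rtype} {rdata}")
        if rtype == "A":
            return "A", rdata, trace
        name = rdata  # CNAME: follow it; the target may now fall inside a linked zone
    raise RuntimeError(f"{qname}: CNAME chain longer than {max_hops} hops")


if __name__ == "__main__":
    for qname in ("my-mi.database.windows.net", "my-other-mi.database.windows.net"):
        for policy in ("Default", "NxDomainRedirect"):
            status, addr, trace = resolve(qname, policy)
            print(f"{qname} [{policy}] -> {status} {addr or ''}")
            for step in trace:
                print("   ", step)
```

Running it shows the two things that matter: with the default policy the missing record turns into NXDOMAIN for the original name, and with NxDomainRedirect the same query continues to the public endpoint, while a name that has a private record is answered from the zone under both policies and never reaches public DNS.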
Step-by-step configuration
Method 1 – Azure portal
- Go to Private DNS zones
- Select your Private Link DNS zone, for example:
privatelink.database.windows.net
- Select Virtual network links
- Open the link for your VNet
- Enable:
✅ Enable fallback to internet
- Click Save
Repeat for each linked VNet that should fall back; the setting is per link.
Method 2 – Azure CLI
You can set the policy on an existing link with:
az network private-dns link vnet update \
--resource-group RG-Network \
--zone-name privatelink.database.windows.net \
--name VNET-Link \
--resolution-policy NxDomainRedirect
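Because the policy lives on each link, it is easy to lose track of which VNets fall back and which do not. The following is an added example for this article, not Microsoft code: it reads the JSON that az network private-dns link vnet list prints for a zone, relies only on each link's name and resolutionPolicy (the property named above; a link without it is treated as Default, the other allowed value), and builds the same az update command shown above for whichever links you decide to change. The sample JSON is constructed.

```python
"""Audit which VNet links of a Private Link zone have fallback to internet on.

Added example for this article, not Microsoft code. The sample JSON is
constructed; real input comes from `az network private-dns link vnet list`.
"""
import json

VALID_POLICIES = ("Default", "NxDomainRedirect")

# Constructed sample of:
#   az network private-dns link vnet list --resource-group RG-Network --zone-name privatelink.database.windows.net
SAMPLE_LINKS_JSON = """
[
  {"name": "VNET-Link",     "resolutionPolicy": "NxDomainRedirect"},
  {"name": "VNET-DR-Link",  "resolutionPolicy": "Default"},
  {"name": "VNET-AKS-Link"}
]
"""


def audit_links(links_json):
    """Group link names by whether NxDomainRedirect is enabled."""
    report = {"fallback": [], "no_fallback": []}
    for link in json.loads(links_json):
        policy = link.get("resolutionPolicy") or "Default"   # missing property: default, no fallback
        if policy not in VALID_POLICIES:
            raise ValueError(f"{link['name']}: unexpected resolutionPolicy {policy!r}")
        report["fallback" if policy == "NxDomainRedirect" else "no_fallback"].append(link["name"])
    return report


def update_commands(link_names, resource_group, zone_name, policy):
    """Build the az update command from this article, once per link, to set policy."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unexpected policy {policy!r}")
    return [
        f"az network private-dns link vnet update --resource-group {resource_group} "
        f"--zone-name {zone_name} --name {name} --resolution-policy {policy}"
        for name in link_names
    ]


if __name__ == "__main__":
    report = audit_links(SAMPLE_LINKS_JSON)
    print("fallback enabled :", report["fallback"])
    print("fallback disabled:", report["no_fallback"])
    # Decide per link whether falling back to the public endpoint is acceptable;
    # here only the DR link is switched on.
    for cmd in update_commands(["VNET-DR-Link"], "RG-Network",
                               "privatelink.database.windows.net", "NxDomainRedirect"):
        print(cmd)
```

Pipe the real list output into audit_links and review both groups; enabling the policy on every link blindly is how a workload that must stay private ends up on the public endpoint without anyone noticing.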
Validation steps
First confirm the link carries the policy (az network private-dns link vnet show should report resolutionPolicy as NxDomainRedirect). Then run from a VM in the linked VNet that uses Azure DNS (168.63.129.16), or from a client that forwards to it:
nslookup my-mi.database.windows.net
Expected:
✔ Private IP if the zone has a record for the name
✔ Public IP if the record is missing and fallback triggered
✔ NXDOMAIN ("can't find") if the record is missing and fallback is off
A public IP answer means the private path is not in use; treat it as a signal that the zone record is missing, not as a success.
Security considerations
Fallback to internet:
✅ Changes DNS answers only; it does not open any network path by itself
✅ Leaves the existing network controls in place:
- The resource's public network access setting and its firewall rules
- NSGs, Azure Firewall and route tables on the client side
- Service Endpoint Policies
The caveat is what the changed answer does: a name that was meant to resolve privately now resolves to the public endpoint, and if that endpoint is reachable (public network access enabled, firewall allowing the source) the connection silently leaves the private path and crosses the internet. For resources that must stay private-only, keep public network access disabled so a missing record fails closed instead of failing over, and alert on public answers for privatelink names. The fallback triggers only on NXDOMAIN from the private zone; it does not change network-level firewall controls, and it does not rescue a record that exists but is wrong.
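A pre-connection gate for the caveat above, as an added example for this article (not Azure code): it reads the output of dig +short for the name (one CNAME target or one address per line, which is simpler to parse than nslookup) and compares the addresses with the Private Endpoint subnets you expect, reporting anything else as the public endpoint and an empty answer as NXDOMAIN. The dig outputs and the subnet are constructed assumptions.

```python
"""Check that a Private Link name really resolved to a private endpoint.

Added example for this article, not Azure code. Input is `dig +short <name>`
output; the subnet list is an assumption about your network.
"""
import ipaddress

# Assumed: the subnet(s) that hold the Private Endpoints of the linked VNet(s).
PRIVATE_ENDPOINT_SUBNETS = ("10.0.1.0/24",)

# Constructed `dig +short my-mi.database.windows.net` outputs for the three
# outcomes a validation can see.
DIG_PRIVATE = "my-mi.privatelink.database.windows.net.\n10.0.1.4\n"
DIG_FALLBACK = "my-mi.privatelink.database.windows.net.\n203.0.113.10\n"  # record missing, fallback on
DIG_NXDOMAIN = ""                                                          # record missing, fallback off


def parse_dig_short(output):
    """Split dig +short output into (ip addresses, cname hops)."""
    addrs, cnames = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:
            cnames.append(line.rstrip("."))   # not an address, so a CNAME target
    return addrs, cnames


def classify_answer(output, allowed=PRIVATE_ENDPOINT_SUBNETS):
    """Return (verdict, [addresses], [cname hops]).

    verdict is "private" when every address lies inside an allowed subnet,
    "public" when any address falls outside them (after NxDomainRedirect that
    is the public endpoint), and "nxdomain" when there is no address at all.
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    addrs, cnames = parse_dig_short(output)
    if not addrs:
        return "nxdomain", [], cnames
    inside = all(any(a in net for net in nets) for a in addrs)
    return ("private" if inside else "public"), [str(a) for a in addrs], cnames


def require_private(output, name, allowed=PRIVATE_ENDPOINT_SUBNETS):
    """Gate for workloads that must never use the public endpoint: return the
    private addresses, or raise describing what was resolved instead."""
    verdict, addrs, cnames = classify_answer(output, allowed)
    if verdict != "private":
        raise RuntimeError(f"{name}: expected private endpoint, got {verdict} "
                           f"{addrs} via {' -> '.join(cnames) or 'no CNAME'}")
    return addrs


if __name__ == "__main__":
    for label, out in (("private", DIG_PRIVATE), ("fallback", DIG_FALLBACK), ("nxdomain", DIG_NXDOMAIN)):
        print(label, classify_answer(out))
```

The check is deliberately against your own Private Endpoint subnets rather than a generic "is this a private address" test: an on-premises or peered range would also be private but still not the endpoint you meant, and the documentation ranges used here as stand-ins for public addresses are classified as private by some libraries.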
When should you enable this?
Recommended in:
- Hybrid AWS → Azure connectivity
- Multiregion DR deployments
- AKS accessing Private Endpoint services
- Private Link + VPN / ExpressRoute scenarios
Conclusion
Fallback to internet using NxDomainRedirect provides:
- Seamless hybrid connectivity
- Improved application resilience
and simplifies DNS resolution for modern Private Endpoint-enabled architectures, provided the public endpoint is an acceptable fallback for the names that may be missing a record.