Private DNS Zones provide internal name resolution for resources inside your Azure virtual networks. This guide explains how Azure Private DNS Zones resolve names, common scenarios where they simplify networking, and a critical Azure reserved IP address you must never block.

How internal name resolution works

  1. A VM inside your virtual network issues a DNS query for a name such as sql.kodekloud.com.
  2. Azure DNS checks the appropriate Private DNS Zone for that record and returns the corresponding private IP (for example, 10.0.0.4).
  3. The VM connects to the resource using the returned private IP, keeping traffic internal to Azure.
  4. Applications and VMs receive the correct internal addresses automatically, so you don’t need to expose internal services with public IPs.
Think of Azure Private DNS Zones as an internal phone book for your resources. Instead of hard-coding IPs, you use names that are resolvable within your VNets. Private DNS Zones integrate with Azure VMs, AKS clusters, and Private Endpoints to provide secure, private access using friendly names.
A diagram titled "Private Zone Scenarios" showing two VMs querying Azure Private DNS to resolve a hostname (kodekloud.com) to internal IP addresses (10.0.0.4 / 10.0.0.5) with VNet resolution. The right side lists use cases: internal backend resolution, DNS for hybrid environments, and Private Link DNS aliasing.
This flexibility helps you build secure, scalable, hybrid-ready environments without the DNS headaches common in traditional networking setups.

Key scenarios and benefits

Scenario | Benefit | Example / Action
Shared resolution across VNets | Centralized name resolution for multiple VNets | Link multiple VNets to a single Private DNS Zone so resources in different VNets can resolve each other’s names.
Hybrid DNS integration | On-premises systems can resolve Azure private names | Configure conditional forwarding from on-premises DNS servers to Azure Private DNS Zones.
Private Endpoint DNS | Private access to PaaS services with private DNS records | Private Endpoints can auto-create records in your private zone so services stay private and resolvable by name.
Virtual Network Links are required: a Private DNS Zone must be linked to the virtual networks that need to resolve names from that zone. Without linking, VMs in a VNet cannot resolve records from the Private DNS Zone.

The special Azure reserved IP: 168.63.129.16

Azure exposes a fixed, well-known IP address — 168.63.129.16 — that is reachable from all VMs and platform resources inside Azure (it is not reachable from the public internet). This address is used by several platform services, including:
  • VM agent communication: the Azure VM Agent reports status and health to the Azure platform via this IP.
  • DNS resolution: by default, VMs use this IP for DNS if no custom DNS server is configured at the VNet or NIC level.
  • DHCP metadata: VMs obtain private IP and network configuration via DHCP interactions with this address.
  • Health probes and load balancer interactions: Azure platform health probes and other services may rely on it.
For details, see: https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16
Never block 168.63.129.16. Blocking this address can break DNS, VM agent reporting, DHCP, health probes, and other core Azure platform services.
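Added example (Python; not part of the original guide and not Azure's own tooling): it walks a constructed set of NSG outbound rules in priority order and reports whether a rule would deny DNS traffic to 168.63.129.16, then shows the narrow /32 allow that restores it. The rule names, priorities and prefixes are assumed sample values; service tags such as VirtualNetwork are not expanded, so a rule using one yields no verdict rather than a guess.

```python
import ipaddress

# Reserved platform IP named on the page; every VM must keep it reachable.
AZURE_RESERVED_IP = ipaddress.ip_address("168.63.129.16")

# Constructed sample NSG outbound rules (NSG security-rule field names). Rule 200 is a
# broad UDP deny that, as a side effect, also blocks platform DNS at 168.63.129.16.
SAMPLE_RULES = [
    {"name": "AllowDnsToCorp", "priority": 100, "access": "Allow", "protocol": "*",
     "destinationAddressPrefix": "10.10.0.0/24", "destinationPortRange": "53"},
    {"name": "DenyEgressUdp", "priority": 200, "access": "Deny", "protocol": "Udp",
     "destinationAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
    {"name": "AllowVnetOutBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
]
# Mitigation: a narrow /32 allow placed above the broad deny (constructed name/priority).
FIX_RULE = {"name": "AllowAzurePlatformDns", "priority": 150, "access": "Allow",
            "protocol": "Udp", "destinationAddressPrefix": "168.63.129.16/32",
            "destinationPortRange": "53"}

def _prefix_matches(prefix, ip):
    # True/False for '*' and IP/CIDR literals; None for a service tag such as
    # "VirtualNetwork", whose prefix list this example does not expand.
    if prefix == "*":
        return True
    try:
        return ip in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return None

def _port_matches(port_range, port):
    # Handles '*', a single port ("53") and a range ("1024-65535").
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate_reserved_ip(rules, protocol, port):
    # First matching rule, in priority order, for outbound traffic to 168.63.129.16.
    # Returns {"access": "Allow" | "Deny" | "Undetermined", "rule": name or None}.
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol) or \
                not _port_matches(rule["destinationPortRange"], port):
            continue
        hit = _prefix_matches(rule["destinationAddressPrefix"], AZURE_RESERVED_IP)
        if hit is None:  # a service tag decides first: no verdict without expanding it
            return {"access": "Undetermined", "rule": rule["name"]}
        if hit:
            return {"access": rule["access"], "rule": rule["name"]}
    return {"access": "Undetermined", "rule": None}
```

Run `evaluate_reserved_ip(SAMPLE_RULES, "Udp", 53)` to see the broad deny win, and `evaluate_reserved_ip(SAMPLE_RULES + [FIX_RULE], "Udp", 53)` to see the /32 allow take precedence by priority.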

Using custom DNS servers

If you prefer not to use the platform DNS at 168.63.129.16, configure a custom DNS server at the VNet or NIC level. Typical options include:
Ensure your custom DNS servers are reachable from the VNet and are configured for resolution and conditional forwarding to Azure Private DNS Zones when needed.

Next steps

  • Configure DNS settings for your VNets (VNet-level or NIC-level DNS server settings).
  • Create Private DNS Zones and link the appropriate VNets.
  • Use Private Endpoints to automatically populate DNS records in your Private DNS Zone.
  • Implement conditional forwarding between on-premises DNS and Azure for hybrid name resolution.