Hi, if your on-prem DNS sometimes resolves an Azure Private Endpoint to a public IP, it’s likely because you’re forwarding only the privatelink sub-zone (e.g. privatelink.database.windows.net) to Azure. But clients usually query the public FQDN (like myserver.database.windows.net), which is a CNAME that ultimately points to the private IP. If your DNS resolves the public name through the Internet first, it caches the public A record, and future lookups “flip” to the wrong IP.
-Fix-
Delete the conditional forwarder for privatelink.database.windows.net and instead create a forwarder for the parent zone database.windows.net, pointing it to your Azure DNS Private Resolver’s inbound endpoint (e.g. 10.1.0.4). Then flush DNS on your servers and clients.
This change ensures every step of the CNAME chain stays inside Azure, and your DNS will always return the correct private IP.
-Checklist-
– Private DNS zone is linked to the right VNet
– Inbound endpoint is reachable from on-prem
– No 8.8.8.8 or public resolvers in the forwarder list
– TTL is default (10 min)
– All on-prem DNS servers use the same forwarder
After that, everything will resolve consistently to the private IP, no more flapping.
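As an added example (not part of the original post), the fix and checklist above scripted for a Windows DNS server running the DnsServer module; the parent zone and inbound endpoint 10.1.0.4 come from the post, while the test record myserver.database.windows.net and running this on the DNS server itself (so 127.0.0.1 is the on-prem resolver) are assumptions.

```powershell
# Added example: replace the privatelink-only forwarder with a parent-zone forwarder,
# check for public resolvers, flush caches, and verify the CNAME chain ends in a private IP.
$Parent    = 'database.windows.net'
$PrivLink  = "privatelink.$Parent"
$Inbound   = '10.1.0.4'                    # Azure DNS Private Resolver inbound endpoint
$TestName  = "myserver.$Parent"            # hypothetical record behind a Private Endpoint
$PrivateRe = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'   # RFC 1918 ranges

# 1. Fix: drop the sub-zone forwarder, forward the whole parent zone to Azure instead.
if (Get-DnsServerZone -Name $PrivLink -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name $PrivLink -Force
}
if (-not (Get-DnsServerZone -Name $Parent -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Parent -MasterServers $Inbound
}

# 2. Checklist: the parent zone must point only at the inbound endpoint, and the
#    server-level forwarders must not contain public resolvers such as 8.8.8.8.
$masters = (Get-DnsServerZone -Name $Parent).MasterServers.IPAddressToString
if ($masters -ne $Inbound) { Write-Warning "Parent zone forwards to: $($masters -join ', ')" }
$publicFwd = (Get-DnsServerForwarder).IPAddress.IPAddressToString |
    Where-Object { $_ -notmatch $PrivateRe }
if ($publicFwd) { Write-Warning "Public forwarders present: $($publicFwd -join ', ')" }

# 3. Flush the server cache (holds the stale public A record) and the local client cache.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# 4. Verify through the on-prem server: the chain should pass through the privatelink
#    name and the final A record must be a private address, otherwise it is still flapping.
$answer = Resolve-DnsName -Name $TestName -Type A -Server 127.0.0.1 -DnsOnly
$chain  = $answer | Where-Object QueryType -eq 'CNAME' | Select-Object -ExpandProperty NameHost
$ips    = $answer | Where-Object QueryType -eq 'A' | Select-Object -ExpandProperty IPAddress
$bad    = $ips | Where-Object { $_ -notmatch $PrivateRe }
if (($chain -match 'privatelink') -and -not $bad) {
    "OK: $TestName -> $($chain -join ' -> ') -> $($ips -join ', ')"
} else {
    Write-Warning "Still resolving publicly: $TestName -> $($ips -join ', ')"
}
```

Run it on each on-prem DNS server (last checklist item), since a single server still holding the old forwarder will keep producing the public answer.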