Thanks for reaching out on the Microsoft Q&A forum.
Azure Private DNS Zones fully support WSFC Cluster Name Objects (CNO) and Availability Group (AG) listener name resolution, including Distributed Network Name (DNN) listeners, in domain-independent setups on Azure SQL VMs with Hub-and-Spoke topologies.
1. Whether Azure Private DNS Zones can be reliably used for WSFC and AG listener name resolution.
Yes, Azure Private DNS Zones provide reliable name resolution for WSFC Cluster Name Objects (CNO) and Availability Group (AG) listeners, including Distributed Network Name (DNN) listeners, in domain-independent Windows Server Failover Clusters on Azure SQL VMs. They support dynamic A-record registration and updates when zones are linked to all relevant virtual networks, working effectively in Hub-and-Spoke topologies via VNet peering.
2. If there are any known limitations, unsupported scenarios, or recommended alternatives.
Limitations include no support for single-label zones or NS delegations, potential VNet peering propagation delays in Hub-and-Spoke, and dynamic update issues if cluster permissions conflict with Azure DNS security. Unsupported scenarios involve auto-registration limits (one VNet per zone) and complex on-premises hybrids without testing; pre-stage records manually as an alternative. Test failover thoroughly in staging for production reliability.
3. Microsoft-recommended DNS patterns for WSFC and AG listeners in a Hub-and-Spoke model (e.g., Azure-provided DNS, custom DNS servers, or hybrid forwarding).
Microsoft recommends starting with Azure-provided DNS (168.xx.1x9.1x) for baseline resolution, enhanced by Private DNS Zones linked to each VNet for custom control. In Hub-and-Spoke, use Azure DNS Private Resolver in the Hub VNet for cross-spoke forwarding, or deploy custom DNS servers with conditional forwards to Azure DNS; avoid public exposure.
Also, if we are using a DNN listener, what will the behaviour of the DNN listener be in case of automatic failover of the AG?
In automatic failover, the DNN listener updates its A-record to the new primary's IP instantly from cluster scope, with clients resolving via cached TTL (set to 60s recommended). No load balancer needed; traffic shifts seamlessly across subnets in multi-replica setups.
Official Documentation:
- Azure Private DNS Zone Overview | Microsoft Learn
- Overview of SQL Server Always on Availability Groups - SQL Server on Azure VMs | Microsoft Learn
- Quickstart - Create an Azure private DNS zone using the Azure portal | Microsoft Learn
Kindly let us know if the above helps or you need further assistance on this issue.
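As an added example (not part of the original answer, and not Microsoft's own sample), the pre-staging alternative the answer recommends, done with Az PowerShell: create a private DNS zone, link it to the hub and spoke VNets without auto-registration, create a 60-second-TTL A record for the AG listener name pointing at the current primary replica, and verify resolution from a VM inside a linked VNet. The resource group, zone, VNet and listener names and the IP address are placeholders; the script assumes an authenticated session (Connect-AzAccount) with the Az.PrivateDns and Az.Network modules installed.

```powershell
# Added example: pre-stage an AG listener A record in an Azure Private DNS zone
# linked to a Hub-and-Spoke topology. Every name and address below is a placeholder.
# Assumes Connect-AzAccount has been run and Az.PrivateDns / Az.Network are installed.

$rg         = "rg-sql-ha"                                          # placeholder resource group
$zoneName   = "corp.internal"                                      # placeholder zone (not single-label)
$listener   = "ag1-listener"                                       # placeholder AG listener / DNN name
$primaryIp  = "10.1.0.10"                                          # placeholder: current primary replica IP
$ttlSeconds = 60                                                   # short TTL so clients re-resolve after failover
$vnetNames  = @("vnet-hub", "vnet-spoke-sql1", "vnet-spoke-sql2")  # placeholder hub + spoke VNets

# 1. Create the zone if it does not already exist.
$zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
if (-not $zone) {
    $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
}

# 2. Link the zone to every VNet that must resolve the listener name.
#    Auto-registration is deliberately left off: the listener record is managed
#    explicitly below rather than registered from a VM NIC.
foreach ($vnetName in $vnetNames) {
    $vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
    $linkName = "link-$vnetName"
    $link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
                -Name $linkName -ErrorAction SilentlyContinue
    if (-not $link) {
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
            -Name $linkName -VirtualNetworkId $vnet.Id | Out-Null
    }
}

# 3. Pre-stage (or repoint) the listener A record with the short TTL.
$existing = Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName `
                -Name $listener -RecordType A -ErrorAction SilentlyContinue
if ($existing) {
    # Record already staged: replace its address(es) with the current primary's IP,
    # e.g. after a failover when the record is maintained manually.
    foreach ($old in @($existing.Records)) {
        Remove-AzPrivateDnsRecordConfig -RecordSet $existing -Ipv4Address $old.Ipv4Address | Out-Null
    }
    Add-AzPrivateDnsRecordConfig -RecordSet $existing -Ipv4Address $primaryIp | Out-Null
    Set-AzPrivateDnsRecordSet -RecordSet $existing | Out-Null
} else {
    $record = New-AzPrivateDnsRecordConfig -Ipv4Address $primaryIp
    New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zoneName -Name $listener `
        -RecordType A -Ttl $ttlSeconds -PrivateDnsRecords $record | Out-Null
}

# 4. Verify from a VM inside one of the linked VNets: the FQDN must resolve to the
#    primary's IP and the cached TTL must not exceed the configured value.
$fqdn   = "$listener.$zoneName"
$answer = Resolve-DnsName -Name $fqdn -Type A | Where-Object { $_.Type -eq 'A' }
if (-not $answer -or $answer.IPAddress -ne $primaryIp) {
    throw "$fqdn did not resolve to $primaryIp (got: $($answer.IPAddress))"
}
if ($answer.TTL -gt $ttlSeconds) {
    throw "$fqdn answered with TTL $($answer.TTL), expected <= $ttlSeconds"
}
Write-Output "$fqdn -> $($answer.IPAddress) (TTL $($answer.TTL)s) resolves correctly from this VNet"
```

Run step 4 from a VM in each spoke, not only the hub, since a missing VNet link shows up as NXDOMAIN in exactly one spoke; re-run step 3 with the new primary's address whenever the record is maintained by hand rather than updated by the cluster.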