Configure reverse DNS for services hosted in Azure
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
This article explains how to configure reverse DNS lookups for services hosted in Azure.
Services in Azure use IP addresses assigned and owned by Azure. These reverse DNS records (PTR records) must be created in the corresponding Azure-owned reverse DNS lookup zones.
This scenario differs from the ability to host the reverse DNS lookup zones for your assigned IP ranges in Azure DNS. In this case, the IP ranges represented by the reverse lookup zone must be assigned to your organization, typically by your ISP.
Before reading this article, you should familiarize yourself with reverse DNS in Azure DNS.
In Azure DNS, compute resources such as virtual machines, virtual machine scale sets, and Service Fabric clusters have public IP addresses. Reverse DNS lookups are configured using the 'ReverseFqdn' property of the public IP address.
Reverse DNS is currently not supported for the Azure App Service and Application Gateway.
Validation of reverse DNS records
A third party shouldn't be able to create reverse DNS records for an Azure service that map to your DNS domains. That's why Azure only allows you to create a reverse DNS record if a forward DNS lookup of the reverse FQDN resolves to the same public IP address, or to names that are defined in your subscription. See the following example. This restriction also applies to Cloud Service.
Validation is only done when the reverse DNS record is set or modified. Periodic revalidation isn't done.
For example, suppose the public IP address resource has the DNS name contosoapp1.chinaeast.cloudapp.chinacloudapi.cn and IP address 23.96.52.53. The reverse FQDN for the public IP address can be specified as:
- The DNS name for the public IP address: contosoapp1.chinaeast.cloudapp.chinacloudapi.cn.
- The DNS name for a different PublicIpAddress in the same subscription, such as: contosoapp2.chinaeast.cloudapp.chinacloudapi.cn.
- A vanity DNS name, such as app1.contoso.com, as long as the name is first configured as a CNAME pointing to contosoapp1.chinaeast.cloudapp.chinacloudapi.cn. The name can also be pointed to a different public IP address in the same subscription.
- A vanity DNS name, such as app1.contoso.com, as long as this name is first configured as an A record pointing to the IP address 23.96.52.53. The name can also be pointed to another IP address in the same subscription.
The same constraints apply to reverse DNS for Cloud Services.
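Because validation runs only when the record is set or modified, a PTR can outlive the forward record that justified it. The following added example (not part of the Azure documentation or tooling) re-applies the rule above as a periodic audit; the inventory mirrors the `ipAddress` and `dnsSettings` fields of `az network public-ip list` JSON output, and the addresses other than 23.96.52.53, the name mail.contoso.com, and the forward-record table standing in for live DNS are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az network public-ip list` JSON output.
INVENTORY = json.loads("""[
 {"name": "pip1", "ipAddress": "23.96.52.53", "dnsSettings": {
   "fqdn": "contosoapp1.chinaeast.cloudapp.chinacloudapi.cn",
   "reverseFqdn": "app1.contoso.com."}},
 {"name": "pip2", "ipAddress": "23.96.52.54", "dnsSettings": {
   "fqdn": "contosoapp2.chinaeast.cloudapp.chinacloudapi.cn",
   "reverseFqdn": "mail.contoso.com."}},
 {"name": "pip3", "ipAddress": "23.96.52.55", "dnsSettings": null}
]""")

# Constructed forward records standing in for live DNS: name -> (type, target).
FORWARD = {
    "app1.contoso.com": ("CNAME", "contosoapp1.chinaeast.cloudapp.chinacloudapi.cn"),
    "mail.contoso.com": ("A", "203.0.113.10"),  # repointed after the PTR was set
}

def norm(name):
    return name.rstrip(".").lower()  # PTR values carry a trailing dot

def resolve(name, forward, owned_names, max_hops=8):
    """Follow CNAMEs to an address, stopping at names the subscription owns."""
    name = norm(name)
    for _ in range(max_hops):
        if name in owned_names:
            return owned_names[name]
        rtype, target = forward.get(name, (None, None))
        if rtype != "CNAME":
            return target if rtype == "A" else None  # None: no usable record
        name = norm(target)
    return None  # CNAME loop or chain too long

def audit(inventory, forward):
    """Return {name: 'ok' | 'stale' | 'no-ptr'} for each public IP."""
    dns = {p["name"]: p.get("dnsSettings") or {} for p in inventory}
    owned_ips = {p["ipAddress"] for p in inventory if p.get("ipAddress")}
    owned_names = {norm(dns[p["name"]]["fqdn"]): p.get("ipAddress")
                   for p in inventory if dns[p["name"]].get("fqdn")}
    report = {}
    for name, settings in dns.items():
        ptr = settings.get("reverseFqdn")
        live = bool(ptr) and resolve(ptr, forward, owned_names) in owned_ips
        report[name] = "no-ptr" if not ptr else "ok" if live else "stale"
    return report

print(audit(INVENTORY, FORWARD))
```

A "stale" result means the PTR would no longer pass validation if it were set today; either restore the forward record or clear the reverse FQDN.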
Reverse DNS for public IP address resources
This section provides detailed instructions for how to configure reverse DNS for public IP address resources in the Resource Manager deployment model. You can use either Azure PowerShell, Azure classic CLI, or Azure CLI to accomplish this task. Configuring reverse DNS for a public IP address resource is currently not supported in the Azure portal.
Azure currently supports reverse DNS only for public IPv4 address resources.
Important
New or updated PTR records must pass validation. If the PTR for a public IP address doesn't currently exist, you must specify the hostname using DomainNameLabel (Azure PowerShell), the -d parameter (Azure Classic CLI), or the --dns-name parameter (Azure CLI) as shown in the following examples.
Configure reverse DNS for a public IP address with an existing name
Use the following procedures if a public IP address already has a defined name in your subscription or via forward DNS lookup. After updating or adding a PTR to your existing public IP address, view and verify that the correct PTR is configured.
Azure PowerShell
To update reverse DNS on a public IP address with an existing PTR:
$pip = Get-AzPublicIpAddress -Name "PublicIp" -ResourceGroupName "MyResourceGroup"
$pip.DnsSettings.ReverseFqdn = "contosoapp1.chinaeast.cloudapp.chinacloudapi.cn."
Set-AzPublicIpAddress -PublicIpAddress $pip
To add reverse DNS to a public IP address that doesn't already have a PTR, you must specify the DomainNameLabel:
$pip = Get-AzPublicIpAddress -Name "PublicIp" -ResourceGroupName "MyResourceGroup"
$pip.DnsSettings = New-Object -TypeName "Microsoft.Azure.Commands.Network.Models.PSPublicIpAddressDnsSettings"
$pip.DnsSettings.DomainNameLabel = "contosoapp1"
$pip.DnsSettings.ReverseFqdn = "contosoapp1.chinaeast.cloudapp.chinacloudapi.cn."
Set-AzPublicIpAddress -PublicIpAddress $pip
Azure Classic CLI
To update reverse DNS on a public IP address with an existing PTR:
azure network public-ip set -n PublicIp -g MyResourceGroup -f contosoapp1.chinaeast.cloudapp.chinacloudapi.cn.
To add reverse DNS to a public IP address that doesn't already have a PTR, you must specify the DNS name (-d):
azure network public-ip set -n PublicIp -g MyResourceGroup -d contosoapp1 -f contosoapp1.chinaeast.cloudapp.chinacloudapi.cn.
Azure CLI
To update reverse DNS on a public IP address with an existing PTR:
az network public-ip update --resource-group MyResourceGroup --name PublicIp --reverse-fqdn contosoapp1.chinaeast.cloudapp.chinacloudapi.cn.
To add reverse DNS to a public IP address that doesn't already have a PTR, you must specify the DNS name (--dns-name):
az network public-ip update --resource-group MyResourceGroup --name PublicIp --reverse-fqdn contosoapp1.chinaeast.cloudapp.chinacloudapi.cn. --dns-name contosoapp1
Create a public IP address with reverse DNS
Note
If the public IP address already exists in your subscription, see Configure reverse DNS for a public IP address with an existing name.
To create a new PublicIpAddress with the reverse DNS property already specified:
Azure PowerShell
New-AzPublicIpAddress -Name "PublicIp" -ResourceGroupName "MyResourceGroup" -Location "China East" -AllocationMethod Dynamic -DomainNameLabel "contosoapp2" -ReverseFqdn "contosoapp2.chinaeast.cloudapp.chinacloudapi.cn."
Azure Classic CLI
azure network public-ip create -n PublicIp -g MyResourceGroup -l chinaeast -d contosoapp3 -f contosoapp3.chinaeast.cloudapp.chinacloudapi.cn.
Azure CLI
az network public-ip create --name PublicIp --resource-group MyResourceGroup --location chinaeast --dns-name contosoapp1 --reverse-fqdn contosoapp1.chinaeast.cloudapp.chinacloudapi.cn.
View reverse DNS for an existing public IP address
To view the configured reverse DNS value for an existing PublicIpAddress:
Azure PowerShell
Get-AzPublicIpAddress -Name "PublicIp" -ResourceGroupName "MyResourceGroup"
Azure Classic CLI
azure network public-ip show -n PublicIp -g MyResourceGroup
Azure CLI
az network public-ip show --name PublicIp --resource-group MyResourceGroup
Remove reverse DNS from an existing public IP address
To remove a reverse DNS property from an existing PublicIpAddress:
Azure PowerShell
$pip = Get-AzPublicIpAddress -Name "PublicIp" -ResourceGroupName "MyResourceGroup"
$pip.DnsSettings.ReverseFqdn = ""
Set-AzPublicIpAddress -PublicIpAddress $pip
Azure Classic CLI
azure network public-ip set -n PublicIp -g MyResourceGroup -f ""
Azure CLI
az network public-ip update --resource-group MyResourceGroup --name PublicIp --reverse-fqdn ""
Configure reverse DNS for Cloud Services
This section provides detailed instructions for how to configure reverse DNS for Cloud Services in the Classic deployment model, using Azure PowerShell. Configuring reverse DNS for Cloud Services isn't supported via the Azure portal, Azure classic CLI, or Azure CLI.
Add reverse DNS to existing Cloud Services
To add a reverse DNS record to an existing Cloud Service:
Set-AzureService -ServiceName "contosoapp1" -Description "App1 with Reverse DNS" -ReverseDnsFqdn "contosoapp1.chinacloudapp.cn."
Create a Cloud Service with reverse DNS
To create a new Cloud Service with the reverse DNS property already specified:
New-AzureService -ServiceName "contosoapp1" -Location "China East" -Description "App1 with Reverse DNS" -ReverseDnsFqdn "contosoapp1.chinacloudapp.cn."
View reverse DNS for existing Cloud Services
To view the reverse DNS property for an existing Cloud Service:
Get-AzureService "contosoapp1"
Remove reverse DNS from existing Cloud Services
To remove a reverse DNS property from an existing Cloud Service:
Set-AzureService -ServiceName "contosoapp1" -Description "App1 with Reverse DNS" -ReverseDnsFqdn ""
FAQ
How much do reverse DNS records cost?
They're free! There's no extra cost for reverse DNS records or queries.
Do my reverse DNS records resolve from the internet?
Yes. Once you set the reverse DNS property for your Azure service, Azure manages all the DNS delegations and DNS zones needed to ensure it resolves for all internet users.
Are default reverse DNS records created for my Azure services?
No. Reverse DNS is an opt-in feature. No default reverse DNS records are created if you choose not to configure them.
What is the format for the fully qualified domain name (FQDN)?
FQDNs are specified in forward order, and must be terminated by a dot (for example, "app1.contoso.com.").
What happens if the validation check for the specified reverse DNS entry fails?
If the reverse DNS validation check fails, the operation to configure the reverse DNS record fails. Correct the reverse DNS value as required and retry.
Can I configure reverse DNS for Azure App Service?
No. Reverse DNS isn't supported for the Azure App Service.
Can I configure multiple reverse DNS records for my Azure service?
No. Azure supports a single reverse DNS record for each Azure Cloud Service or PublicIpAddress.
Can I configure reverse DNS for IPv6 PublicIpAddress resources?
Yes. See Azure support for reverse DNS.
Can I send emails to external domains from my Azure Compute services?
The technical ability to send email directly from an Azure deployment depends on the subscription type. No matter the subscription type, Azure recommends using trusted mail relay services to send outgoing mail. For more information, see Enhanced Azure Security for sending Emails – November 2017 Update.
Next steps
- For more information on reverse DNS, see reverse DNS lookup on Wikipedia.
- Learn how to host the reverse lookup zone for your ISP-assigned IP range in Azure DNS.