Announcing: Reverse DNS for Azure Cloud Services


We are happy to announce that Azure Cloud Services now support reverse DNS records for all PaaS and IaaS Cloud Services. This support is backwards compatible with all existing Cloud Services, and is being offered at no additional cost. This feature is currently supported in the Service Management API, and through PowerShell.

What are reverse DNS records?

Reverse DNS records are used in a variety of situations to weakly authenticate the caller. For example, they are widely used in combatting email spam: a receiving mail server checks that the connecting host has a reverse DNS record and, optionally, that the name it maps to forward-resolves back to that host and is one recognized as authorized to send mail for the originating domain. The authentication is weak because a PTR record is controlled by whoever administers the IP address block, not the sender's domain; the forward-confirmation step is what gives the check its value.

Reverse DNS records, or PTR records, are DNS record types that enable the translation of an IP back to a name. In DNS, names, such as app1.contoso.com, are resolved to IPs in a process that is called forward resolution. With reverse DNS, this process is reversed to enable the resolution of the name given the IP.

For more information on Reverse DNS records, please see here.

How does Azure support reverse DNS records?

Azure allows the specification of a custom fully-qualified domain name (FQDN). This enables you to specify either the cloud service address (e.g., “contosoapp1.cloudapp.net.”), or a vanity name within your own domain (e.g., “app1.contoso.com.”).

Validation of reverse DNS records

To ensure a third party can’t create reverse DNS records mapping to your DNS domains, Azure only allows the creation of a reverse DNS record where one of the following is true:

  • The reverse DNS FQDN is the name of the Cloud Service for which it has been specified, or any Cloud Service name within the same subscription. For example, a reverse DNS FQDN of “contosoapp1.cloudapp.net.”.
  • The reverse DNS FQDN forward-resolves to the name or IP of the Cloud Service for which it has been specified, or to any Cloud Service name or IP within the same subscription. For example, a reverse DNS FQDN of “app1.contoso.com.” that is a CNAME alias for contosoapp1.cloudapp.net.

Validation checks are only performed when the reverse DNS property for a Cloud Service is set or modified. Periodic re-validation is not performed. In practice this means that if the forward records the validation relied on later change (for example, the CNAME for app1.contoso.com is re-pointed elsewhere), the reverse DNS record remains as it was set; if that matters to you, re-check your own reverse DNS values periodically rather than relying on Azure to do so.

Getting started

To get started with Azure PowerShell, see How to Install and Configure Azure PowerShell. Please note that you’ll need to use version 0.8.5 or higher. You can also manage reverse DNS records for your Cloud Services using the Azure Service Management API.

Adding reverse DNS to existing Cloud Services

You can add reverse DNS to an existing Cloud Service using the “Set-AzureService” cmdlet:

PS C:\> Set-AzureService -ServiceName "contosoapp1" -Description "App1 with Reverse DNS" -ReverseDnsFqdn "contosoapp1.cloudapp.net."

Creating a new Cloud Service with reverse DNS

You can create a new Cloud Service with the reverse DNS property specified using the “New-AzureService” cmdlet:

PS C:\> New-AzureService -ServiceName "contosoapp1" -Location "West US" -Description "App1 with Reverse DNS" -ReverseDnsFqdn "contosoapp1.cloudapp.net."

Viewing the reverse DNS for an existing Cloud Service

You can view the configured value for an existing Cloud Service using the “Get-AzureService” cmdlet:

PS C:\> Get-AzureService "contosoapp1"

Removing reverse DNS from existing Cloud Services

You can remove the reverse DNS property from an existing Cloud Service using the “Set-AzureService” cmdlet. This is done by setting the reverse DNS property value to an empty string:

PS C:\> Set-AzureService -ServiceName "contosoapp1" -Description "App1 with Reverse DNS" -ReverseDnsFqdn ""
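The following script is an added example and is not code from the original post or from the Azure PowerShell module. It does two things: it reproduces the two validation rules from the “Validation of reverse DNS records” section as a local pre-flight check that runs offline against constructed sample records, and it then reuses the same check with a live resolver to audit every Cloud Service returned by “Get-AzureService”, since Azure validates only at set time. Assumptions: the “Get-AzureService” output exposes the configured value as a property named “ReverseDnsFqdn” (matching the cmdlet parameter); “Resolve-DnsName” from the Windows DnsClient module is available; the function names, the sample zone data and the IP addresses are all made up for the example.

```powershell
# Added example (not from the original post). Assumes Azure PowerShell 0.8.5+
# (Get-AzureService) and Resolve-DnsName (DnsClient module); the sample zone
# below is constructed, not real DNS data.

function ConvertTo-CanonicalName {
    param([string]$Name)
    # DNS names compare case-insensitively; "app1.contoso.com." == "app1.contoso.com"
    return $Name.Trim().TrimEnd('.').ToLowerInvariant()
}

function Test-ReverseDnsFqdn {
    # Returns $true when $Fqdn satisfies either validation rule:
    #   1. it is the cloudapp.net name of a Cloud Service in the subscription, or
    #   2. it forward-resolves (directly, or through a CNAME chain) to such a
    #      name or to the IP of such a service.
    # $Resolver is a scriptblock taking a name and returning an object with
    # .Names (every owner/target name in the answer) and .IPs (A addresses).
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string[]]$ServiceNames,   # e.g. contosoapp1
        [Parameter(Mandatory)][scriptblock]$Resolver
    )
    $allowedNames = @($ServiceNames | ForEach-Object { ConvertTo-CanonicalName "$_.cloudapp.net" })
    $target = ConvertTo-CanonicalName $Fqdn

    if ($allowedNames -contains $target) { return $true }   # rule 1

    # IPs of every service in the subscription, found via their own cloudapp.net names
    $allowedIPs = @(foreach ($n in $allowedNames) { (& $Resolver $n).IPs })
    $answer = & $Resolver $target
    foreach ($n in $answer.Names) {
        if ($allowedNames -contains (ConvertTo-CanonicalName $n)) { return $true }   # rule 2, by name
    }
    foreach ($ip in $answer.IPs) {
        if ($allowedIPs -contains $ip) { return $true }                               # rule 2, by IP
    }
    return $false
}

# --- Offline demonstration with constructed records (documentation ranges) ---
$zone = @{
    'contosoapp1.cloudapp.net' = @{ Names = @('contosoapp1.cloudapp.net'); IPs = @('203.0.113.10') }
    'contosoapp2.cloudapp.net' = @{ Names = @('contosoapp2.cloudapp.net'); IPs = @('203.0.113.20') }
    # app1.contoso.com is a CNAME for contosoapp1, so the answer carries both names
    'app1.contoso.com'         = @{ Names = @('app1.contoso.com', 'contosoapp1.cloudapp.net'); IPs = @('203.0.113.10') }
    # a host that belongs to someone else: must be rejected
    'www.fabrikam.com'         = @{ Names = @('www.fabrikam.com'); IPs = @('198.51.100.5') }
}
$fakeResolver = {
    param($name)
    if ($zone.ContainsKey($name)) { [pscustomobject]$zone[$name] }
    else { [pscustomobject]@{ Names = @(); IPs = @() } }
}
$services = @('contosoapp1', 'contosoapp2')
foreach ($candidate in 'contosoapp1.cloudapp.net.', 'app1.contoso.com.', 'www.fabrikam.com.') {
    '{0,-28} {1}' -f $candidate, (Test-ReverseDnsFqdn -Fqdn $candidate -ServiceNames $services -Resolver $fakeResolver)
}

# --- Live audit: re-check every configured value, because Azure does not ---
$liveResolver = {
    param($name)
    # Resolve-DnsName returns the CNAME chain plus the final A records; collect
    # owner names, CNAME targets (NameHost) and A addresses from the answer.
    $rr = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Names = @($rr | ForEach-Object { $_.Name; $_.NameHost } | Where-Object { $_ })
        IPs   = @($rr | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    }
}

function Invoke-ReverseDnsAudit {
    # Assumes Get-AzureService exposes the value as .ReverseDnsFqdn
    $all   = @(Get-AzureService)
    $names = @($all | ForEach-Object { $_.ServiceName })
    foreach ($svc in $all | Where-Object { $_.ReverseDnsFqdn }) {
        [pscustomobject]@{
            ServiceName    = $svc.ServiceName
            ReverseDnsFqdn = $svc.ReverseDnsFqdn
            StillValid     = Test-ReverseDnsFqdn -Fqdn $svc.ReverseDnsFqdn -ServiceNames $names -Resolver $liveResolver
        }
    }
}
# Invoke-ReverseDnsAudit | Format-Table -AutoSize
```

Run against the constructed zone, the first two candidates pass (rule 1 directly, rule 2 through the CNAME) and the third fails, which is the case where “Set-AzureService” would reject the value. The resolver is injected as a scriptblock so the rule logic can be exercised without network access; swapping in the live resolver turns the same function into the periodic re-validation that the post says Azure itself does not perform.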

FAQ

How much do reverse DNS records cost?
They’re free!  There is no additional cost for reverse DNS records or queries.

Will my reverse DNS records resolve from the internet?
Yes. Once you set the reverse DNS property for your Cloud Service, Azure manages all the DNS delegations and DNS zones required to ensure that the reverse DNS record resolves for all internet users.

Will a default reverse DNS record be created for my Cloud Services?
No. Reverse DNS is an opt-in feature. No default reverse DNS record is created if you choose not to configure one.

What is the format for the fully-qualified domain name (FQDN)?
FQDNs are specified in forward order, and must be terminated by a dot (e.g., “app1.contoso.com.”).

What happens if the validation checks for the reverse DNS I’ve specified fail?
If the validation checks for the reverse DNS value fail, the service management operation fails and the value is not stored. Correct the reverse DNS value as required, and retry.

Can I manage reverse DNS for my Azure Website?
Reverse DNS is not supported for Azure Websites. Reverse DNS is supported for Azure PaaS roles and IaaS virtual machines.

Can I configure multiple reverse DNS records for my Cloud Service?
No. Azure supports a single reverse DNS record for each Azure Cloud Service. Each Azure Cloud Service, however, can have its own reverse DNS record.