Cost · Governance · Low · Occasional · AZF-0019

A Private DNS zone with zero VNet links resolves nothing and still bills

A Private DNS zone needs a virtual network link to answer queries. With zero links it resolves nothing, yet it keeps billing its per-zone base charge.

Footgun ID
AZF-0019 (Azure Footgun No. 19)
Azure service
Azure DNS (Private)
Resource type
Microsoft.Network/privateDnsZones
Updated
July 1, 2026

What it is

A Private DNS zone (Microsoft.Network/privateDnsZones) with no virtual network links attached to it. A private zone only resolves names for the VNets that are linked to it, so a zone with zero links answers nothing for anyone. It still bills the per-zone base charge for as long as it exists.

Impact (cost)
~$0.50/month per zone at list price while resolving nothing; query charges are nil, because nothing can query a zone with no links
Basis: Azure list price. Figures are estimates, not measurements.

Why it happens

Private DNS zones and their VNet links are separate resources with independent lifecycles. Link a zone to a VNet, then later tear down or migrate that VNet, and the zone survives with its link count quietly dropping to zero. Private Endpoint tear-downs are a common trigger: the auto-created privatelink.* zones often outlive the endpoints that spawned them.

Nothing in Azure flags a zone that has stopped resolving. It is not misconfigured in any way Azure treats as an error, so it never surfaces in a review. It just sits in the resource group as a base charge with no VNet on the other end of it.

What it costs / blast radius

A single private zone is roughly $0.50/month at list price, plus query charges you will never incur because nothing queries it. (List price; your contract may differ.) One zone is a rounding error. The real footgun is accumulation: a few years of Private Endpoint churn leaves a scatter of orphaned privatelink.blob.core.windows.net and privatelink.database.windows.net zones across subscriptions, and the base charges add up while the DNS clutter makes the next person's troubleshooting harder.

See it

Find them: private DNS zones with zero VNet links across every subscription you can read (Azure Resource Graph). The record-set count is included because it tells you whether the zone is empty: a private zone carries one auto-created SOA record set from birth, so a count of 1 means it holds nothing else.
Resources
| where type =~ 'microsoft.network/privatednszones'
| extend linkCount = toint(properties.numberOfVirtualNetworkLinks)
| extend recordSets = toint(properties.numberOfRecordSets)
| where isnull(linkCount) or linkCount == 0
| project name, resourceGroup, subscriptionId, linkCount, recordSets
Fix: confirm nothing should be linked, then delete the zone
# Check what the zone still holds before removing it. A zero-link zone
# resolves nothing, but if it carries records beyond the automatic SOA,
# a VNet may have been torn down by mistake: re-link it instead of deleting.
az network private-dns link vnet list \
  --resource-group rg-networking --zone-name privatelink.blob.core.windows.net -o table
az network private-dns record-set list \
  --resource-group rg-networking --zone-name privatelink.blob.core.windows.net -o table
# Deleting the zone deletes every record set in it; there is no undo.
az network private-dns zone delete \
  --name privatelink.blob.core.windows.net \
  --resource-group rg-networking --yes
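Triaging the results at scale, as an added example that is not StratoLens code: the script below takes the JSON that `az graph query` (resource-graph extension) prints for the query above, extended with the record-set count, splits zero-link zones into ones that are empty apart from the auto-created SOA record set and ones that still hold records, and prints the az commands to run for each bucket. The output shape of `az graph query` (an object with a `data` array), the rule that a single record set means an otherwise empty zone, and the sample rows are assumptions; the sample data is constructed, not taken from a real tenant.

```python
"""Triage zero-link Azure Private DNS zones from a Resource Graph result.

Added example, not StratoLens or Azure code. Pipe in the JSON that
`az graph query -q "$QUERY" --first 1000` prints (assumed to be an object
with a "data" array), or run it with no stdin to use the constructed sample.
"""
import json
import sys

# KQL to run via `az graph query`: the page's filter plus the record-set
# count, which drives the triage below.
QUERY = """
Resources
| where type =~ 'microsoft.network/privatednszones'
| extend linkCount = toint(properties.numberOfVirtualNetworkLinks)
| extend recordSets = toint(properties.numberOfRecordSets)
| where isnull(linkCount) or linkCount == 0
| project name, resourceGroup, subscriptionId, linkCount, recordSets
"""

# Assumption: a freshly created private zone carries exactly one auto-created
# SOA record set, so recordSets <= 1 means the zone holds no records of its own.
SOA_ONLY = 1


def classify(zone: dict) -> str:
    """Return 'delete', 'investigate' or 'linked' for one Resource Graph row."""
    links = zone.get("linkCount") or 0      # Resource Graph may return null
    records = zone.get("recordSets") or 0
    if links > 0:
        return "linked"        # not an orphan (only seen if the KQL filter is dropped)
    if records <= SOA_ONLY:
        return "delete"        # zero links, nothing but the SOA: safe to remove
    return "investigate"       # zero links but real records: a VNet may have been
                               # torn down by mistake, so re-link rather than delete


def triage(rows: list[dict]) -> dict[str, list[dict]]:
    """Bucket rows by the action they call for, preserving input order."""
    buckets: dict[str, list[dict]] = {"delete": [], "investigate": [], "linked": []}
    for row in rows:
        buckets[classify(row)].append(row)
    return buckets


def az_commands(buckets: dict[str, list[dict]]) -> list[str]:
    """Emit the az CLI lines to run, read-only inspection before any delete."""
    cmds = []
    for z in buckets["investigate"]:
        cmds.append(
            f"az network private-dns record-set list -g {z['resourceGroup']} "
            f"-z {z['name']} --subscription {z['subscriptionId']} -o table"
        )
    for z in buckets["delete"]:
        cmds.append(
            f"az network private-dns zone delete -g {z['resourceGroup']} "
            f"-n {z['name']} --subscription {z['subscriptionId']} --yes"
        )
    return cmds


# Constructed sample in the shape `az graph query` prints; not real data.
SAMPLE = {
    "data": [
        {"name": "privatelink.blob.core.windows.net", "resourceGroup": "rg-networking",
         "subscriptionId": "00000000-0000-0000-0000-000000000001",
         "linkCount": 0, "recordSets": 1},
        {"name": "privatelink.database.windows.net", "resourceGroup": "rg-networking",
         "subscriptionId": "00000000-0000-0000-0000-000000000001",
         "linkCount": 0, "recordSets": 4},
        {"name": "corp.internal", "resourceGroup": "rg-dns",
         "subscriptionId": "00000000-0000-0000-0000-000000000002",
         "linkCount": None, "recordSets": 1},
    ]
}


def main() -> None:
    source = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    buckets = triage(source["data"])
    for action in ("investigate", "delete"):
        for z in buckets[action]:
            print(f"{action:12} {z['subscriptionId']}  {z['resourceGroup']}/{z['name']}")
    print()
    print("\n".join(az_commands(buckets)))


if __name__ == "__main__":
    main()
```

Run it as `az graph query -q "$QUERY" --first 1000 | python3 triage_zones.py`, review the `investigate` rows by hand, and only then run the emitted delete lines; the script deliberately never calls `az` itself.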

How StratoLens helps

StratoLens inventories every private DNS zone across every subscription, flags the ones with zero VNet links, and keeps the change history so you can see when the last link was removed and what it pointed at. The orphans stop hiding in networking resource groups nobody opens, and you run the check once instead of remembering to.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.