What it is
A Private DNS zone (Microsoft.Network/privateDnsZones) with no virtual network links attached to it. A private zone only resolves names for the VNets that are linked to it, so a zone with zero links answers nothing for anyone. It still bills the per-zone base charge for as long as it exists.
Why it happens
Private DNS zones and their VNet links are separate resources with independent lifecycles. Link a zone to a VNet, then later tear down or migrate that VNet, and the zone survives with its link count quietly dropping to zero. Private Endpoint tear-downs are a common trigger: the auto-created privatelink.* zones often outlive the endpoints that spawned them.
Nothing in Azure flags a zone that has stopped resolving. It is not misconfigured in any way Azure treats as an error, so it never surfaces in a review. It just sits in the resource group as a base charge with no VNet on the other end of it.
What it costs / blast radius
A single private zone is roughly $0.50/month at list price, plus query charges you will never incur because nothing queries it. (List price; your contract may differ.) One zone is a rounding error. The real footgun is accumulation: a few years of Private Endpoint churn leaves a scatter of orphaned privatelink.blob.core.windows.net and privatelink.database.windows.net zones across subscriptions, and the base charges add up while the DNS clutter makes the next person's troubleshooting harder.
See it
Resources
| where type =~ 'microsoft.network/privatednszones'
| extend linkCount = toint(properties.numberOfVirtualNetworkLinks)
| where isnull(linkCount) or linkCount == 0
| project name, resourceGroup, subscriptionId, linkCount

# A zero-link zone resolves nothing. Confirm no VNet should be attached,
# then remove it. (Re-link instead if a VNet was torn down by mistake.)
az network private-dns zone delete \
  --name privatelink.blob.core.windows.net \
  --resource-group rg-networking --yes

How StratoLens helps
StratoLens inventories every private DNS zone across every subscription, flags the ones with zero VNet links, and keeps the change history so you can see when the last link was removed and what it pointed at. The orphans stop hiding in networking resource groups nobody opens, and you run the check once instead of remembering to.
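
A triage pass over the query results before running the delete step above, as an added example (not StratoLens or Microsoft code). The sample rows are constructed, and the rule that a zone holding more than its SOA record should be reviewed for a mistaken VNet teardown before deletion is an assumption of this example.

```python
import json

LIST_PRICE_PER_ZONE = 0.50  # USD/month, the list-price figure quoted on this page

# Constructed sample rows shaped like Azure Resource Graph output for the query above.
SAMPLE_ROWS = json.loads("""
[
 {"name": "privatelink.blob.core.windows.net", "resourceGroup": "rg-networking",
  "subscriptionId": "00000000-0000-0000-0000-000000000001",
  "properties": {"numberOfVirtualNetworkLinks": 0, "numberOfRecordSets": 1}},
 {"name": "privatelink.database.windows.net", "resourceGroup": "rg-data",
  "subscriptionId": "00000000-0000-0000-0000-000000000001",
  "properties": {"numberOfVirtualNetworkLinks": 0, "numberOfRecordSets": 4}},
 {"name": "corp.internal", "resourceGroup": "rg-networking",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "properties": {"numberOfVirtualNetworkLinks": 2, "numberOfRecordSets": 12}},
 {"name": "privatelink.vaultcore.azure.net", "resourceGroup": "rg-old",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "properties": {}}
]
""")


def _prop(row, key):
    """Read a zone property from Resource Graph rows (nested) or az CLI rows (flat)."""
    value = row.get("properties", {}).get(key, row.get(key))
    return int(value) if value is not None else None


def triage(rows):
    """Split zero-link zones into delete candidates and zones needing a human look."""
    report = {"delete_candidates": [], "review_first": [], "monthly_list_cost": 0.0}
    for row in rows:
        links = _prop(row, "numberOfVirtualNetworkLinks")
        if links:  # one or more links: the zone is resolving for some VNet
            continue
        records = _prop(row, "numberOfRecordSets")
        # Assumption: a zone holding only its SOA record (count of 1) has nothing left
        # to lose; leftover records or an unknown count mean check for a mistaken
        # VNet teardown and re-link instead of deleting.
        bucket = "delete_candidates" if records is not None and records <= 1 else "review_first"
        report[bucket].append((row["subscriptionId"], row["resourceGroup"], row["name"]))
        report["monthly_list_cost"] += LIST_PRICE_PER_ZONE
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Like the query, a missing link count is treated as zero, so a zone with no reported properties lands in the review bucket instead of being skipped.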