{"results":[{"id":"aks-system-vs-user-node-pools","text":"AKS distinguishes system node pools (hosting critical system pods like CoreDNS, konnectivity) from user node pools (hosting application workloads).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-zero-trust-infrastructure-inheritance","text":"AKS in custom VNet inherits the full Azure zero-trust infrastructure stack: control plane NSG rules (TCP 443, 4443, 9988) operate within a dual-layer filtering model where the foundational infrastructure IP 168.63.129.16 — serving both DNS resolution and health probes — must be preserved while all other traffic defaults to deny, creating a four-layer dependency chain from infrastructure IP through network filtering to control plane access.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-dns-name-stable-for-lifetime","text":"Application Gateway DNS name is stable for the gateway's lifetime — use a CNAME alias pointing to it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appgw-use-cname-for-dns","text":"A CNAME alias should be used for Application Gateway's DNS name because it does not change over the gateway's lifecycle.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-cross-vnet-dns-requires-fqdn","text":"Cross-VNet DNS resolution requires using FQDNs; hostname-only queries are insufficient for resolving names across peered or linked VNets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-168-63-129-16-foundational-dependency","text":"The Azure DNS virtual IP 168.63.129.16 is a foundational dependency that must be preserved in custom configurations — it serves as the recursive resolver for all VNets, bypasses NSG rules as a host node IP, and must be explicitly included when VPN Gateway uses custom DNS servers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-cname-restrictions","text":"CNAME records cannot coexist with other record sets of the same name and cannot be created at the zone apex.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-complete-hybrid-resolution","text":"Azure DNS provides complete hybrid name resolution without VM-based forwarders: Private Resolver handles bidirectional on-premises/Azure resolution, and private zone data is globally resilient across regions — enabling a fully managed DNS architecture for hybrid environments.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-cross-vnet-requires-fqdn","text":"Cross-VNet DNS resolution requires using FQDNs — hostname alone is insufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-custom-must-specify-one-server","text":"Must specify at least one DNS server IP when configuring custom DNS; otherwise Azure falls back to Azure-provided name resolution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-custom-placeholder-reddog","text":"When custom DNS is configured, Azure provides `reddog.microsoft.com` as the placeholder DNS suffix instead of `internal.cloudapp.net`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-default-limits","text":"Default Azure DNS limits: 250 public DNS zones per subscription, 10,000 record sets per zone, 20 records per record set.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-dhcp-renew-after-change","text":"After DNS setting changes, the DHCP lease must be renewed on affected VMs for the new settings to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-dhcp-renewal-after-dns-change","text":"After changing VNet DNS settings, DHCP leases must be renewed on all affected VMs for the new settings to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-dhcp-renewal-required-after-dns-change","text":"After changing VNet DNS server settings, DHCP leases must be renewed on all affected VMs for the new settings to take effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-disable-reverse-dns-empty-arpa-zone","text":"To disable default reverse DNS, create an empty Private DNS `in-addr.arpa` zone and link it to the VNet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-etag-concurrency","text":"Azure DNS uses Etags for optimistic concurrency control on zones and record sets; PowerShell enforces Etag checks by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-five-distinct-services","text":"Azure DNS encompasses five distinct services: Public DNS, Private DNS, DNS Private Resolver, Traffic Manager, and DNS Security Policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-five-services","text":"Azure DNS encompasses five distinct services: Public DNS, Private DNS, DNS Private Resolver, Traffic Manager, and DNS Security Policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-dns-four-resolution-methods","text":"Azure supports four DNS resolution methods: Azure Private DNS zones (preferred), Azure-provided name resolution, customer-managed DNS servers, and Azure DNS Private Resolver.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":92,"limit":20,"offset":0}