Delegation of DNS zones with Azure DNS

Azure DNS allows you to host a DNS zone and manage the DNS records for a domain in Azure. In order for DNS queries for a domain to reach Azure DNS, the domain has to be delegated to Azure DNS from the parent domain. Keep in mind that Azure DNS is not the domain registrar. This article explains how domain delegation works and how to delegate domains to Azure DNS.

How DNS delegation works

Domains and zones

The Domain Name System is a hierarchy of domains. The hierarchy starts from the 'root' domain, whose name is simply '.'. Below this come top-level domains, such as 'com', 'net', 'org', 'uk' or 'jp'. Below these top-level domains are second-level domains, such as 'org.uk' or 'co.jp'. And so on. The domains in the DNS hierarchy are hosted using separate DNS zones. These zones are globally distributed, hosted by DNS name servers around the world.

DNS zone - A domain is a unique name in the Domain Name System, for example 'contoso.com'. A DNS zone is used to host the DNS records for a particular domain. For example, the domain 'contoso.com' may contain several DNS records, such as 'mail.contoso.com' (for a mail server) and 'www.contoso.com' (for a website).

Domain registrar - A domain registrar is a company that can provide Internet domain names. It verifies whether the Internet domain you want to use is available and allows you to purchase it. Once the domain name is registered, you are the legal owner of the domain name. If you already have an Internet domain, you will use the current domain registrar to delegate to Azure DNS.

To find out more about who owns a given domain name, or for information on how to buy a domain, see Internet domain management in Azure AD.

Resolution and delegation

There are two types of DNS servers:

  • An authoritative DNS server hosts DNS zones. It answers DNS queries for records in those zones only.
  • A recursive DNS server does not host DNS zones. It answers all DNS queries by calling authoritative DNS servers to gather the data it needs.

Azure DNS provides an authoritative DNS service. It does not provide a recursive DNS service. Cloud Services and VMs in Azure are automatically configured to use a recursive DNS service that is provided separately as part of Azure's infrastructure. For information on how to change these DNS settings, see Name Resolution in Azure.

DNS clients in PCs or mobile devices typically call a recursive DNS server to perform any DNS queries the client applications need.

When a recursive DNS server receives a query for a DNS record such as 'www.contoso.com', it first needs to find the name server hosting the zone for the 'contoso.com' domain. To find the name server, it starts at the root name servers, and from there finds the name servers hosting the 'com' zone. It then queries the 'com' name servers to find the name servers hosting the 'contoso.com' zone. Finally, it is able to query these name servers for 'www.contoso.com'.

This procedure is called resolving the DNS name. Strictly speaking, DNS resolution includes additional steps such as following CNAMEs, but that's not important to understanding how DNS delegation works.

How does a parent zone 'point' to the name servers for a child zone? It does this using a special type of DNS record called an NS record (NS stands for 'name server'). For example, the root zone contains NS records for 'com', which show the name servers for the 'com' zone. In turn, the 'com' zone contains NS records for 'contoso.com', which show the name servers for the 'contoso.com' zone. Setting up the NS records for a child zone in a parent zone is called delegating the domain.

The following image shows an example DNS query. Both contoso.net and partners.contoso.net are Azure DNS zones.

[Image: DNS name server delegation chain for www.partners.contoso.net]

  1. The client requests www.partners.contoso.net from its local DNS server.
  2. The local DNS server does not have the record, so it makes a request to its root name server.
  3. The root name server does not have the record, but knows the address of the .net name server, so it provides that address to the DNS server.
  4. The DNS server sends the request to the .net name server. It does not have the record, but does know the address of the contoso.net name server. In this case it is a DNS zone hosted in Azure DNS.
  5. The contoso.net zone does not have the record, but knows the name server for partners.contoso.net and responds with that. In this case it is a DNS zone hosted in Azure DNS.
  6. The DNS server requests the IP address of partners.contoso.net from the partners.contoso.net zone. It contains the A record and responds with the IP address.
  7. The DNS server provides the IP address to the client.
  8. The client connects to the website www.partners.contoso.net.

Each delegation actually has two copies of the NS records: one in the parent zone pointing to the child, and another in the child zone itself. The 'contoso.net' zone contains the NS records for 'contoso.net' (in addition to the NS records in 'net'). These records are called authoritative NS records, and they sit at the apex of the child zone.
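To make the referral chain in the numbered steps and the two-copies rule above concrete, here is an added example (not code from the article or from Azure DNS) that simulates iterative resolution over in-memory zones for the root, 'net', 'contoso.net' and 'partners.contoso.net', and then checks that the parent's NS records for a child match the child's apex NS records, which is how a stale or lame delegation shows up. All name server names and the A record are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample zones (example names, not real name servers): zone -> owner -> records.
# An owner with NS records that is not the zone apex is a delegation to a child zone.
Zone = Dict[str, List[Tuple[str, str]]]
ZONES: Dict[str, Zone] = {
    ".": {"net.": [("NS", "ns.net-tld.example.")]},
    "net.": {"contoso.net.": [("NS", "ns1.azure-dns.example.")]},
    "contoso.net.": {
        "contoso.net.": [("NS", "ns1.azure-dns.example.")],           # apex NS (authoritative copy)
        "partners.contoso.net.": [("NS", "ns2.azure-dns.example.")],  # delegation to the child
    },
    "partners.contoso.net.": {
        "partners.contoso.net.": [("NS", "ns2.azure-dns.example.")],  # apex NS of the child
        "www.partners.contoso.net.": [("A", "203.0.113.10")],         # constructed address
    },
}

def find_delegation(zone: str, records: Zone, name: str) -> Optional[str]:
    """Return the longest delegation point in `zone` that covers `name`, if any."""
    best = None
    for owner, rrs in records.items():
        if owner == zone or not any(t == "NS" for t, _ in rrs):
            continue  # apex NS records are not a delegation; non-NS owners never are
        if (name == owner or name.endswith("." + owner)) and (best is None or len(owner) > len(best)):
            best = owner
    return best

def resolve(name: str, rtype: str, zones: Dict[str, Zone] = ZONES) -> Tuple[List[str], List[str]]:
    """Walk the delegation chain from the root; returns (answers, zones visited in order)."""
    zone, path = ".", ["."]
    while True:
        records = zones[zone]
        answers = [v for t, v in records.get(name, []) if t == rtype]
        if answers:
            return answers, path
        child = find_delegation(zone, records, name)
        if child is None or child not in zones:
            return [], path  # no data, no such name, or a dangling delegation
        zone = child
        path.append(zone)

def check_delegation(child: str, zones: Dict[str, Zone] = ZONES) -> Tuple[bool, List[str]]:
    """Compare the parent's NS records for `child` with the child's apex NS records; any
    difference between the two copies indicates a lame or stale delegation."""
    parent = child.split(".", 1)[1] or "."
    parent_ns = {v for t, v in zones[parent].get(child, []) if t == "NS"}
    apex_ns = {v for t, v in zones.get(child, {}).get(child, []) if t == "NS"}
    return parent_ns == apex_ns, sorted(parent_ns ^ apex_ns)
```

The visited-zone path returned by resolve() mirrors steps 2 through 6 of the walkthrough; check_delegation() is the check to run after changing name servers at the registrar.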

Next steps

Learn how to delegate your domain to Azure DNS