Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
756 questions
How to configure a third-party DNS for apex domain on Azure Front Page?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 2%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Ali Reaziat
0
Reputation points
I am configuring custom domains on Azure front door and the DNS service is not hosted on Azure (therefore using “all other DNS services” option when adding the custom domains.
I configure the following in the DMS zone file for the domain (propagation is complete)
A record for apex domain: [IP Address of the AFD hostname]
CNAME record for www: http://myazurefrontdoor-abcdefghijk.a00.azurefd.net
However in the DNS state under domains I still see “CNAME/alias record is not currently detected” for the apex domain! (The www is fine: “Traffic is delivered securely”)
I understand that Front Door's domain validation is expecting a CNAME (or alias) record pointing to the Front Door hostname, but it isn't finding one in our case.
We handle thousands of domains for our clients registered on various DNS providers. Most providers DO NOT allow for creating a CNAME record at the zone apex because it would conflict with other critical records!
We cannot move the domains over to Azure DNS or any other DNS that supports CNAME Flattening due to the sheer number of domains we handle.
My questions:
1- Is there any other way to configure the DNS so that Azure Front Door would detect and validate the record for apex domain?
2- Is there any way that we don’t require the apex domain to be configured on front door? (Only have the www record configured, which verifies on AFD, and somehow force the apex domain to go through www)
3- It seems that even though the status is “CNAME/alias record is not currently detected”, the traffic still routes through AFD. What if we leave it as is? Will we face problems (such as SSL certificates not renewing) down the road?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Rohith Vinnakota 2,735 Reputation points Microsoft Vendor2025-02-21T00:16:00.3033333+00:00 Hi @Ali Reaziat
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
1- Is there any other way to configure the DNS so that Azure Front Door would detect and validate the record for apex domain?
Currently, there was no option to configure the DNS so that Azure Front Door would detect and validate the record for apex domain. Either you can use Azure DNS zone with alias record set for apex domains to map on Azure front door or try to leverage the CNAME flattening option on other DNS service provider.
2- Is there any way that we don’t require the apex domain to be configured on front door? (Only have the www record configured, which verifies on AFD, and somehow force the apex domain to go through www)?
Use DNS-level redirects (if supported by your DNS provider). Some providers allow "URL forwarding" for the apex (e.g., redirect azureonline.xyz→ www.azureonline.xyz. This is not a DNS record but a service offered by the provider. In short, you need to force the apex domain to go through www and map the www domain to the Azure Front door with CNAME record which is the preferred method.
3- It seems that even though the status is “CNAME/alias record is not currently detected”, the traffic still routes through AFD. What if we leave it as is? Will we face problems (such as SSL certificates not renewing) down the road?
Azure Front Door doesn't expose the frontend public IP address associated with your Azure Front Door endpoint on portal. So, you can't map an apex domain to an Azure Front Door IP address.
Apex domains don't have a CNAME record pointing to an Azure Front Door endpoint, so the autorotation for managed certificate fails until the domain ownership is revalidated.
Select the Pending revalidation link and then select the Regenerate button to regenerate the TXT token. After that, add the TXT token to the DNS provider settings.
Refer this link:
https://learn.microsoft.com/en-us/azure/frontdoor/apex-domain#dns-cname-flattening
I hope this has been helpful!
Your feedback is important so please take a moment to accept answers. If you still have questions, pleaslet us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
-
Ali Reaziat 0 Reputation points
2025-02-22T00:21:44.6533333+00:00 Thank you @Rohith Vinnakota I believe given the large number of domains we have to manage, the only viable option would be to use Azure DNS and create alias records as you'd suggested. However we ran out of quota very quickly: "maximum number of aliases to a single target reached"
Can the quota be increased? or another solution to overcome this?Also, can we assume that using this setup the SSL certificates can auto-rotate?
Thanks
Sign in to comment
Sign in to answer