Set up Azure DNS zone file transfer
This guide explains the technical steps to allow you to share your organisation’s domains and subdomains with the Government Digital Service (GDS) using the Azure DNS service.
Connecting GDS to Azure DNS
GDS will only have access to your DNS zones in your Azure account. They will not have access to any other information and you can revoke this access at any time.
You need to configure Azure Lighthouse to grant the GDS team read-only access to your DNS zones and share the details with them.
How to set up your Azure Lighthouse configuration
Step 1
Copy and paste the code below into a plain text file (.txt).
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "mspOfferName": {
      "type": "string",
      "metadata": {
        "description": "Specify a unique name for your offer"
      },
      "defaultValue": "AzureZoneFileTransfer"
    },
    "mspOfferDescription": {
      "type": "string",
      "metadata": {
        "description": "Name of the Managed Service Provider offering"
      },
      "defaultValue": "A request to grant this Azure tenant access to another tenant's Azure DNS zones"
    }
  },
  "variables": {
    "mspRegistrationName": "[guid(parameters('mspOfferName'))]",
    "mspAssignmentName": "[guid(parameters('mspOfferName'))]",
    "managedByTenantId": "60a7d561-9cb2-469d-b7f9-5fa96814828c",
    "authorizations": [
      {
        "principalId": "11f1ba1d-ad53-46b9-8adf-8b9e39cb5ffb",
        "roleDefinitionId": "befefa01-2a29-4197-83a8-272ff33ce314",
        "principalIdDisplayName": "CDDO DNS Zone Reader"
      }
    ]
  },
  "resources": [
    {
      "type": "Microsoft.ManagedServices/registrationDefinitions",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspRegistrationName')]",
      "properties": {
        "registrationDefinitionName": "[parameters('mspOfferName')]",
        "description": "[parameters('mspOfferDescription')]",
        "managedByTenantId": "[variables('managedByTenantId')]",
        "authorizations": "[variables('authorizations')]"
      }
    },
    {
      "type": "Microsoft.ManagedServices/registrationAssignments",
      "apiVersion": "2020-02-01-preview",
      "name": "[variables('mspAssignmentName')]",
      "dependsOn": [
        "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      ],
      "properties": {
        "registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
      }
    }
  ],
  "outputs": {
    "mspOfferName": {
      "type": "string",
      "value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
    },
    "authorizations": {
      "type": "array",
      "value": "[variables('authorizations')]"
    }
  }
}
Step 2
Navigate to Azure Lighthouse in your Azure portal and select ‘View service provider offers’.
Step 3
Navigate to the ‘Service provider offers’ tab and use the dropdown menu. Choose ‘Add offer’, then select ‘Add via template’ and upload the .txt file containing the code you saved earlier.
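Before uploading the template, it is worth confirming what it actually delegates rather than relying on the display name. The check below is an added example, not part of this guidance or any GDS tooling: it reads the template's variables block, decodes each role id against the built-in Azure role ids I know (an assumption to verify with az role definition list), and reports any tenant id or role that is not what you intend to grant, so set allowed_roles to the role you have agreed to delegate.

```python
import json
import sys

# Built-in Azure role definition ids as I know them from Azure's public role list.
# Assumption: verify this table with `az role definition list` before relying on it.
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "befefa01-2a29-4197-83a8-272ff33ce314": "DNS Zone Contributor",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}

# Constructed sample input: only the `variables` block matters for this check; the
# tenant, principal and role ids are copied from the template on this page.
SAMPLE_TEMPLATE = """{
  "variables": {
    "managedByTenantId": "60a7d561-9cb2-469d-b7f9-5fa96814828c",
    "authorizations": [
      { "principalId": "11f1ba1d-ad53-46b9-8adf-8b9e39cb5ffb",
        "roleDefinitionId": "befefa01-2a29-4197-83a8-272ff33ce314",
        "principalIdDisplayName": "CDDO DNS Zone Reader" }
    ]
  }
}"""

def delegations(template_text):
    """Return (managedByTenantId, [(principalId, roleName), ...]) from a Lighthouse template."""
    variables = json.loads(template_text)["variables"]
    grants = []
    for auth in variables["authorizations"]:
        role_id = auth["roleDefinitionId"]
        grants.append((auth["principalId"], BUILTIN_ROLES.get(role_id, "custom/unknown " + role_id)))
    return variables["managedByTenantId"], grants

def check_delegation(template_text, expected_tenant, allowed_roles):
    """List every way the template deviates from the delegation you intend to grant."""
    tenant, grants = delegations(template_text)
    problems = []
    if tenant != expected_tenant:
        problems.append(f"managedByTenantId {tenant} is not the expected {expected_tenant}")
    for principal, role in grants:
        if role not in allowed_roles:
            problems.append(f"principal {principal} would receive role '{role}'")
    return problems

if __name__ == "__main__":  # pass the saved .txt path as argv[1], else use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    found = check_delegation(text, "60a7d561-9cb2-469d-b7f9-5fa96814828c", {"DNS Zone Contributor"})
    print("\n".join(found) or "template grants exactly the intended delegation")
```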
Share Azure DNS details with GDS
When you have configured your Azure DNS to share your domains, send an email to support@domains.gov.uk.
Your email must include:
- Confirmation you have configured access and you approve the zone ingest.
- The resource group name and subscription ID for your DNS zones: these are shown in the ‘DNS zone’ overview in Azure DNS.
- Domain patterns for your domains: for example, a domain pattern of ‘test.com’ would ingest all subdomains of test.com.
- All the top-level domains you want ingested.
Contact us
If you need more information, email support@domains.gov.uk.