Use KQL dnsresource not return new record

Question

Use KQL dnsresource not return new record

Binh Nguyen 20

dnsresources

| where id contains '/dnsZones/a.com'

| project name, id, properties

| order by name asc

I've been using dnsresource, but I've found that it has eventual consistency issues. I've created a new record set, but when I query it, It doesn't return results immediately like using the kql dnszone resource query. It takes a very long time. Does anyone know how to fix this? Please share your solution with me.

Binh Nguyen 20 Reputation points

2026-03-30T07:18:55.8166667+00:00

Hi @Venkatesan S

I tried querying rrset in privatednszone using dnsresources, and it immediately returned results containing the record I just created. However, with dnszone, I waited over 3 hours and still didn't see the new record in dnsresources. This is quite unusual. I wonder if there's a different mechanism between dnszone and privatednszone when creating an index in dnsresources? I need this information to convince my client. Please provide more details. Thank you so much!
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T07:27:47.9733333+00:00

Hi

Are you trying the query for public dns zone?
Binh Nguyen 20 Reputation points

2026-03-30T07:57:17.2533333+00:00

Hi, yes, I'm trying it with a public DNS zone.
Binh Nguyen 20 Reputation points

2026-03-30T08:00:21.32+00:00

Hi, yes, I'm trying it with a public DNS zone. I have waited over 3 hour return result not containing the record I just created. In private dns zone, it immediately returned results containing the record I just created.
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T08:02:44.6266667+00:00

Hi Binh Nguyen

You can see the document they clearly told only private DNS used to query and public DNS zone are not applicable here.

https://learn.microsoft.com/en-us/azure/dns/private-dns-arg
Binh Nguyen 20 Reputation points

2026-03-30T08:07:21.6566667+00:00

Yes, I've looked through the documentation, but

Because when I query the dnsresource table, I found the rrSet data of the previous public dnszone. That confused me. Thank you.
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T08:09:29.9833333+00:00

Hi Binh Nguyen,

Updated in answer.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer accepted by question author

1 additional answer

Your answer

Binh Nguyen 20 Reputation points

2026-03-30T07:18:55.8166667+00:00

Hi @Venkatesan S

I tried querying rrset in privatednszone using dnsresources, and it immediately returned results containing the record I just created. However, with dnszone, I waited over 3 hours and still didn't see the new record in dnsresources. This is quite unusual. I wonder if there's a different mechanism between dnszone and privatednszone when creating an index in dnsresources? I need this information to convince my client. Please provide more details. Thank you so much!
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T07:27:47.9733333+00:00

Hi

Are you trying the query for public dns zone?
Binh Nguyen 20 Reputation points

2026-03-30T07:57:17.2533333+00:00

Hi, yes, I'm trying it with a public DNS zone.
Binh Nguyen 20 Reputation points

2026-03-30T08:00:21.32+00:00

Hi, yes, I'm trying it with a public DNS zone. I have waited over 3 hour return result not containing the record I just created. In private dns zone, it immediately returned results containing the record I just created.
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T08:02:44.6266667+00:00

Hi Binh Nguyen

You can see the document they clearly told only private DNS used to query and public DNS zone are not applicable here.

https://learn.microsoft.com/en-us/azure/dns/private-dns-arg
Binh Nguyen 20 Reputation points

2026-03-30T08:07:21.6566667+00:00

Yes, I've looked through the documentation, but

Because when I query the dnsresource table, I found the rrSet data of the previous public dnszone. That confused me. Thank you.
Venkatesan S 7,175 Reputation points Microsoft External Staff Moderator

2026-03-30T08:09:29.9833333+00:00

Hi Binh Nguyen,

Updated in answer.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

Hi Binh Nguyen,

Thanks for reaching out in Microsoft Q&A forum,

The dnsresources table in Azure Resource Graph is eventually consistent, so newly created record-sets can take several minutes (typically up to 10–15 minutes) to show up in your KQL queries. Unfortunately there’s no “tweak” you can do in your dnsresources query to force it to be real-time.

Here are a couple of options to get immediate visibility on your new record set:

Use the Azure DNS data-plane APIs (or CLI/PowerShell) to fetch the record directly from ARM

Azure CLI example:

     az network dns record-set A show   
       --resource-group MyRG \  
       --zone-name a.com \  
       --name myrecord

PowerShell example:

     Get-AzDnsRecordSet -ResourceGroupName MyRG -ZoneName a.com -Name myrecord -RecordType A

These calls hit the DNS service directly and are always current.

If you need to continue using Resource Graph, you’ll have to wait for the resource graph cache to update. There isn’t an API or query hint today to force an immediate refresh.
(Alternative) Enable DNS diagnostics and send record-set change logs into Log Analytics or Storage. Then query the Log Analytics tables for record changes – those logs arrive in near-real time.

Hope that helps!

Update:

You can see the document they clearly told only private DNS used to query and public DNS zone are not applicable here.

https://learn.microsoft.com/en-us/azure/dns/private-dns-arg

User's image

Reference list

Kindly let us know if the above helps or you need further assistance on this issue.

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

dnsresources is backed by the Azure Resource Graph index, which is eventually consistent. New or updated DNS record sets (Microsoft.Network/dnsZones/A and others) can take time to appear in Resource Graph queries, while control-plane APIs or direct DNS zone queries may show them sooner.

There is no configuration switch or KQL change that forces dnsresources to return newly created records immediately. The behavior is by design:

dnsresources queries the indexed resource metadata, not the live DNS zone.
Indexing latency can cause delays between creating a record set and seeing it in dnsresources.

Workarounds and operational guidance:

For near-real-time verification of new records, use the Azure DNS control plane (for example, Azure Portal DNS zone view or management APIs) instead of dnsresources.
Allow for propagation time in any automation that relies on dnsresources; add retries with backoff before assuming a record is missing.
If a record never appears in dnsresources after a reasonable period while it is visible in the DNS zone, open a support case, as that indicates an indexing issue rather than KQL behavior.

The DNS resource types and properties (such as Microsoft.Network/dnsZones/A with RecordSetProperties and ARecords) are correctly surfaced through Resource Graph once indexing completes, but the platform does not provide a way to bypass eventual consistency.

References:

Share via

Use KQL dnsresource not return new record

1 additional answer

Your answer