DNS OverDoS: Are Private Endpoints Too Private?

ID: 06037e0a-481d-550e-b695-c68614d4e538

STIX ID: report--06037e0a-481d-550e-b695-c68614d4e538

Feed Name: Palo Alto Networks Unit 42

Threat Score
60/100

Date Published: 2026-01-20

Date Updated: 2026-04-28

Author: Unit 42

...
...

This Unit 42 report describes a design/configuration weakness in Azure Private Link. Linking a Private DNS zone (for example privatelink.blob.core.windows.net) to a virtual network makes that zone authoritative for every matching name inside the network, so the service's public hostname, which CNAMEs to its privatelink name, is resolved through the zone. When the zone holds no A record for a given private endpoint or resource, queries return a DNS failure instead of the public address, producing a partial denial of service for Azure resources reached from that network (notably storage accounts, Key Vault, Cosmos DB, ACR, Function Apps, and Azure OpenAI). The authors quantify exposure (over 5% of storage accounts susceptible), explain accidental and attack scenarios (internal misconfiguration, a vendor's linked zone, a malicious actor), provide detection queries for Azure Resource Graph, and recommend mitigations including enabling DNS fallback to the internet on the zone link and manually creating the missing DNS records.
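The following is an added toy model of the resolution behaviour summarized above; it is not code from the Unit 42 report or from Azure. It follows the public Azure Private Link DNS pattern (a service hostname CNAMEs to a privatelink.* name, and a Private DNS zone linked to a VNet answers authoritatively for names under it, with a "NxDomainRedirect" link policy as the fallback-to-internet option). The PrivateZone class, the resolve() function, the sample hostnames, IP addresses and records are all constructed for this example.

```python
"""Toy model of how a linked Azure Private DNS zone changes name resolution.

Added illustration, not the report's or Azure's code. Hostnames, IPs and
records below are constructed; the zone name and CNAME chain follow the
documented Private Link pattern, the resolver logic is a simplification.
"""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

# Constructed public DNS view: each storage account's blob hostname CNAMEs
# to its privatelink name, which the public zone resolves to a public IP.
PUBLIC_DNS = {
    "acct1.blob.core.windows.net": ("CNAME", "acct1.privatelink.blob.core.windows.net"),
    "acct1.privatelink.blob.core.windows.net": ("A", "20.60.0.10"),
    "acct2.blob.core.windows.net": ("CNAME", "acct2.privatelink.blob.core.windows.net"),
    "acct2.privatelink.blob.core.windows.net": ("A", "20.60.0.11"),
}


@dataclass
class PrivateZone:
    """A Private DNS zone linked to the VNet (constructed model)."""
    name: str
    a_records: dict = field(default_factory=dict)
    # Azure link resolution policy: "Default" (authoritative miss returns
    # NXDOMAIN) or "NxDomainRedirect" (fall back to public DNS on a miss).
    resolution_policy: str = "Default"


def resolve(name, linked_zones, depth=0):
    """Resolve `name` the way the VNet's Azure-provided resolver would (toy)."""
    if depth > 8:
        raise RuntimeError("CNAME chain too long")
    for zone in linked_zones:
        if name == zone.name or name.endswith("." + zone.name):
            ip = zone.a_records.get(name)
            if ip is not None:
                return ip  # served from the private zone
            if zone.resolution_policy == "NxDomainRedirect":
                break  # fallback to internet: retry the same name publicly
            return NXDOMAIN  # authoritative miss, no fallback: the failure mode
    rec = PUBLIC_DNS.get(name)
    if rec is None:
        return NXDOMAIN
    rtype, value = rec
    if rtype == "CNAME":
        return resolve(value, linked_zones, depth + 1)
    return value


def broken_hostnames(hostnames, linked_zones):
    """Return the hostnames that no longer resolve once the zones are linked."""
    return [h for h in hostnames if resolve(h, linked_zones) == NXDOMAIN]


ACCOUNTS = ["acct1.blob.core.windows.net", "acct2.blob.core.windows.net"]

# Zone with a private endpoint record only for acct2; acct1 is "forgotten".
ZONE_DEFAULT = PrivateZone(
    "privatelink.blob.core.windows.net",
    {"acct2.privatelink.blob.core.windows.net": "10.0.1.4"},
)
# Mitigation 1: same zone, link set to fall back to the internet on a miss.
ZONE_FALLBACK = PrivateZone(
    "privatelink.blob.core.windows.net",
    {"acct2.privatelink.blob.core.windows.net": "10.0.1.4"},
    resolution_policy="NxDomainRedirect",
)
# Mitigation 2: manually add the missing record for acct1.
ZONE_MANUAL = PrivateZone(
    "privatelink.blob.core.windows.net",
    {
        "acct2.privatelink.blob.core.windows.net": "10.0.1.4",
        "acct1.privatelink.blob.core.windows.net": "10.0.1.5",
    },
)


def scenario_no_link():
    return broken_hostnames(ACCOUNTS, [])


def scenario_zone_linked_default():
    return broken_hostnames(ACCOUNTS, [ZONE_DEFAULT])


def scenario_zone_linked_fallback():
    return broken_hostnames(ACCOUNTS, [ZONE_FALLBACK])


def scenario_zone_linked_manual_record():
    return broken_hostnames(ACCOUNTS, [ZONE_MANUAL])


if __name__ == "__main__":
    print("no zone linked, broken:", scenario_no_link())
    print("zone linked (Default), broken:", scenario_zone_linked_default())
    print("zone linked (NxDomainRedirect), broken:", scenario_zone_linked_fallback())
    print("zone linked + manual record, broken:", scenario_zone_linked_manual_record())
```

Linking the zone alone breaks acct1 for every workload in the VNet even though acct1 has no private endpoint at all, which is the "too private" effect the report describes; either the fallback policy or an explicit record restores resolution, but only the manual record keeps traffic off the public path.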