Every Azure architect I know has a Private DNS war story. The resolution worked fine in dev. It worked in the single-hub staging environment. Then it silently broke the moment the topology got complicated — a second region, an on-prem conditional forwarder, a partner tenant, or a new spoke that someone wired in slightly differently than the others. Private DNS in Azure looks simple on the surface. A zone, a link, a record. But the failure modes are non-obvious, the defaults w