How do you approach DNS resolution in a hybrid Azure environment?
Sigiloso
I walked through the flow in both directions. For on-premises systems resolving Azure private endpoints, I described using an Azure Private DNS Resolver with an inbound endpoint, so on-premises DNS servers can forward queries into Azure rather than needing line-of-sight to Azure DNS directly. For Azure resources resolving on-premises hostnames, I described an outbound endpoint with a forwarding ruleset pointing at the on-premises DNS servers. I also covered how the Private DNS zones link to the VNet to make sure resolution works without any custom DNS hacks.
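The layout described in the post above, written out as a Bicep template. This is an added example, not the poster's own configuration. Every resource name, the `corp.example.` domain, the IP address and the choice of `privatelink.blob.core.windows.net` as the zone are assumptions made for illustration.

```bicep
// Added example: names, the domain and the IP address are constructed placeholders.
param location string = resourceGroup().location
param vnetId string            // VNet hosting the resolver
param inboundSubnetId string   // subnet delegated to Microsoft.Network/dnsResolvers
param outboundSubnetId string  // second subnet with the same delegation
param onPremDnsIp string = '192.168.0.10'  // on-premises DNS server (constructed)
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: { virtualNetwork: { id: vnetId } }
}
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'  // on-premises DNS servers forward to this endpoint's private IP
  location: location
  properties: { ipConfigurations: [ { subnet: { id: inboundSubnetId }, privateIpAllocationMethod: 'Dynamic' } ] }
}
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'  // queries for on-premises names leave Azure through here
  location: location
  properties: { subnet: { id: outboundSubnetId } }
}
resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'onprem-ruleset'
  location: location
  properties: { dnsResolverOutboundEndpoints: [ { id: outbound.id } ] }
}
resource rule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp'
  properties: {
    domainName: 'corp.example.'  // trailing dot is required
    targetDnsServers: [ { ipAddress: onPremDnsIp, port: 53 } ]
  }
}
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'hub-link'  // the ruleset only applies to VNets linked to it
  properties: { virtualNetwork: { id: vnetId } }
}
// Assumes the private DNS zone already exists in this resource group.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { name: 'privatelink.blob.core.windows.net' }
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: zone
  name: 'hub-link'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: vnetId } }
}
```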