It is possible to add resource locks to individual record sets in Azure private DNS zones. A typical scenario is a critical or central A record that you don't want changed by mistake, while still allowing ongoing updates to the rest of the zone as part of daily operations.
If you have a centralized private DNS zone setup in which Azure Policy handles DNS record creation, and you also use private endpoints (PE), there is a (perhaps small) risk that A records get overwritten. This happens if someone creates a new PE and associates it with the same resource: the DeployIfNotExists policy runs on PE creation and replaces the existing record, so the PaaS service resolves to the new private IP. (Note that if you then delete the new PE, its A record is deleted as well; the original PE will no longer have an A record and will have to be recreated, or the record re-added.)
Adding locks to individual records is described in further detail here. Note that this can currently only be done using PowerShell and not via the Azure portal.
The example from MSFT looks like below:
An actual example is shown below:
# Lock a DNS record set (ReadOnly blocks both modification and deletion of the record set)
$lvl = "ReadOnly"
$lnm = "dontChangeMe"
# Nested resource name: "<private DNS zone>/<record set name>"
$rsc = "privatelink.blob.core.windows.net/testaccountdelete001"
$rty = "Microsoft.Network/privateDNSZones/A"
$rsg = "rg-dns-conn-001"
New-AzResourceLock -LockLevel $lvl -LockName $lnm -ResourceName $rsc `
    -ResourceType $rty -ResourceGroupName $rsg
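As an added example (not from the original post or from Microsoft's documentation), the following PowerShell function audits every A record set in a private DNS zone and reports which ones carry a lock set directly on the record set, so a central record that should be protected can be spotted before a policy run overwrites it. The zone name and resource group reuse the values above as placeholders; substitute your own.

```powershell
# Added example: audit lock coverage for A record sets in a private DNS zone.
# Requires the Az.PrivateDns and Az.Resources modules and an authenticated session (Connect-AzAccount).
function Get-PrivateDnsARecordLockStatus {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ZoneName
    )

    # Every A record set in the zone; the record set name is what a record-level lock is scoped to.
    $recordSets = Get-AzPrivateDnsRecordSet -ResourceGroupName $ResourceGroupName `
        -ZoneName $ZoneName -RecordType A

    foreach ($rs in $recordSets) {
        # Locks on the nested resource are addressed as "<zone>/<record set>" with the record set type.
        # Only locks placed directly on the record set are reported here.
        $locks = Get-AzResourceLock -ResourceGroupName $ResourceGroupName `
            -ResourceName "$ZoneName/$($rs.Name)" `
            -ResourceType "Microsoft.Network/privateDnsZones/A" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            RecordSet = $rs.Name
            Addresses = ($rs.Records | ForEach-Object { $_.Ipv4Address }) -join ', '
            LockLevel = if ($locks) { ($locks | ForEach-Object { $_.Properties.level }) -join ', ' } else { 'None' }
        }
    }
}

# Placeholder values (taken from the post's example); substitute your own zone and resource group.
$report = Get-PrivateDnsARecordLockStatus -ResourceGroupName 'rg-dns-conn-001' `
    -ZoneName 'privatelink.blob.core.windows.net'
$report | Format-Table -AutoSize

# Record sets with no lock of their own: candidates for New-AzResourceLock as shown above.
$report | Where-Object LockLevel -eq 'None'
```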
See the example below for what happens when the lock is applied: