You can use the DNS Boundary Firewall for fine-grained control over outbound traffic from your Virtual Private Cloud (VPC) resources to specific domains. When enabled, the DNS Boundary Firewall inspects the DNS queries that originate from your VPC and blocks unauthorized queries based on your access control policies and Cloud Firewall's threat intelligence.
Prerequisites
The DNS Boundary Firewall is currently in public preview. To use this feature, you must contact your account manager to apply for access.
During the public preview period, the Ultimate edition of Cloud Firewall supports a maximum of 3 DNS Boundary Firewalls. If you need a higher quota, contact your account manager.
Only the Ultimate edition of Cloud Firewall supports the DNS Boundary Firewall.
If your current Cloud Firewall edition does not meet this requirement, you can upgrade it. For more information, see Upgrade.
Currently, you can create a DNS Boundary Firewall only for VPCs in the following regions: China (Hangzhou), China (Shanghai), China (Shenzhen), China (Beijing), China (Chengdu), and China (Hong Kong).
Create a DNS Boundary Firewall
Each DNS Boundary Firewall protects one VPC. If you have multiple VPCs in your account, you can create a separate DNS Boundary Firewall for each VPC as needed.
Log on to the Cloud Firewall console. In the left navigation bar, click Firewall.
On the DNS Firewall tab, click Create DNS Firewall.
In the Create DNS Firewall dialog box, configure the DNS firewall.
Parameter: Description
Name: Enter a custom name for the DNS Boundary Firewall.
Region: Select the region where your VPC is located.
VPC: Select the instance ID of the VPC that you want to protect.
UID: Automatically populated with the Alibaba Cloud account ID of the VPC owner.
DNS Server: The DNS server whose queries the firewall inspects. Currently, only the default DNS resolver is supported, which uses the IP addresses 100.100.2.136 and 100.100.2.138.
vSwitch: Select a creation mode for the firewall vSwitch.
automatic: Cloud Firewall automatically creates a vSwitch and associates it with a custom route table.
manual: Select an existing vSwitch in the VPC to use for the DNS Boundary Firewall. If this VPC does not yet have a suitable vSwitch, click Go to the VPC console to manually create a vSwitch, then create one and bind it to a custom route table. For detailed steps, see Create and manage vSwitches.
Important: Do not connect any cloud resources, such as ECS, RDS, or SLB instances, to the vSwitch used by the DNS Boundary Firewall, and do not add custom route entries to its route table.
Click OK to create the DNS Boundary Firewall.
The creation process takes about two minutes. After the firewall is created, it is enabled by default.
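Because the firewall can only be bound to the VPC default resolver (100.100.2.136 and 100.100.2.138), it is worth confirming that the instances in the protected VPC actually send their queries there rather than to a resolver an administrator configured by hand. The script below is an added example, not Alibaba Cloud code or console functionality: it parses resolv.conf content (constructed samples are embedded) and flags every nameserver other than the two default resolvers. It assumes that /etc/resolv.conf reflects the resolver the instance really uses, that is, no local stub such as systemd-resolved or dnsmasq sits in front of it.

```python
"""Check whether an ECS instance's resolver configuration sends DNS queries to
the VPC default resolver that the DNS Boundary Firewall is bound to.

Added example, not Alibaba Cloud code. Assumes /etc/resolv.conf reflects the
resolver actually used (no systemd-resolved or dnsmasq stub in front of it).
"""
from __future__ import annotations

# The only DNS server the DNS Boundary Firewall currently supports.
DEFAULT_RESOLVERS = frozenset({"100.100.2.136", "100.100.2.138"})


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in resolv.conf content, in order.

    Comment lines (# or ;) and trailing comments are ignored; other directives
    such as search and options are skipped.
    """
    servers: list[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0].lower() == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def check_resolver_config(resolv_conf: str) -> dict:
    """Classify each configured nameserver as a default resolver or not.

    'ok' is True only when at least one default resolver is configured and no
    other resolver is: the resolver library tries nameservers in order, and a
    query sent to a resolver other than the default one is outside what this
    feature is configured to inspect.
    """
    servers = parse_nameservers(resolv_conf)
    inspected = [s for s in servers if s in DEFAULT_RESOLVERS]
    bypass = [s for s in servers if s not in DEFAULT_RESOLVERS]
    return {
        "nameservers": servers,
        "inspected": inspected,
        "bypass": bypass,
        "ok": bool(inspected) and not bypass,
    }


def check_resolver_file(path: str = "/etc/resolv.conf") -> dict:
    """Run the check against a resolv.conf file on the instance."""
    with open(path, encoding="utf-8") as fh:
        return check_resolver_config(fh.read())


# Constructed sample inputs (not taken from a real instance).
RESOLV_CONF_DEFAULT = """\
# Generated by the ECS image
options timeout:2 attempts:3 rotate
nameserver 100.100.2.136
nameserver 100.100.2.138
"""

RESOLV_CONF_CUSTOM = """\
nameserver 8.8.8.8   # public resolver added by an administrator
nameserver 100.100.2.136
"""


def main() -> None:
    for label, content in (("default", RESOLV_CONF_DEFAULT),
                           ("custom", RESOLV_CONF_CUSTOM)):
        result = check_resolver_config(content)
        status = "all queries go to the default resolver" if result["ok"] \
            else "some queries bypass the default resolver"
        print(f"{label}: {status}; other resolvers: {result['bypass'] or 'none'}")


if __name__ == "__main__":
    main()
```

Run it on each instance in the VPC (for example with `python3 check_resolver.py`, or call `check_resolver_file()` from an inventory script); any instance reported with a non-default resolver should have its DNS settings corrected before you rely on the firewall's policies.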
What to do next
Configure an access control policy
If you have not configured a DNS boundary access control policy, the DNS Boundary Firewall allows all DNS queries by default. To configure a policy, navigate to the page. For detailed instructions, see Configure a DNS boundary access control policy.
View the vSwitch list
Go to the page. In the upper-right corner of the DNS Boundary Firewall list, click Firewall vSwitch List to view detailed information about the vSwitches where the created DNS Boundary Firewalls and secure forward proxies are located.
Disable or delete a DNS Boundary Firewall
Go to the page. In the Switch column, turn off the DNS firewall, or in the Actions column, click the icon and then click Delete.
Disabling the DNS Boundary Firewall can cause brief traffic interruptions.
Throughput limits and overages
If your traffic volume exceeds the processing capacity of your Cloud Firewall subscription, the service level agreement (SLA) is not guaranteed. This condition can trigger throttling rules. For example, Cloud Firewall might disable security features like access control, IPS, and log auditing; deactivate the firewall for high-traffic assets; or initiate rate limiting and packet dropping.
If you anticipate exceeding your subscription limit, learn about pay-as-you-go for elastic throughput.