How a domain name-based access control policy works


Cloud Firewall supports three domain name identification modes for outbound access control policies. Each mode determines how Cloud Firewall matches traffic against domain name destinations — either by inspecting packet headers, resolving DNS, or both. Understanding how each mode works helps you choose the right one and avoid common configuration pitfalls.


Domain name identification modes

When you set the destination to a domain name or domain name address book in an outbound policy for the Internet firewall, NAT firewall, or VPC firewall, select one of the following identification modes.

FQDN-based dynamic resolution (Extract Host and SNI fields)

Cloud Firewall extracts the Host field from HTTP packets or the SNI (Server Name Indication) field from HTTPS packets, and matches traffic directly against the domain name — without looking up IP addresses.

Supported application types: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, IMAPS

These application types all carry a Host or SNI field in their packet headers, which is why they are supported. Protocols that do not include this information cannot be identified by this mode.

Because this mode identifies the domain name from the packet itself rather than its resolved IP, it can distinguish between two domain names that share the same IP address. This makes it the right choice when multiple services share an IP, or when you need wildcard domain name matching.

Important

Wildcard domain names (for example, *.example.com) and wildcard domain name address books are supported only in this mode.
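The following is an added example, not Cloud Firewall's own code, of what "Extract Host and SNI fields" means in practice: it pulls the Host header out of a plaintext HTTP request and the server_name (SNI) extension out of a TLS ClientHello, then matches the extracted name against a policy entry that may be a wildcard such as *.example.com. The sample packets are constructed inline (the ClientHello builder exists only to produce them), and the wildcard semantics (`*.example.com` covering any name that ends in `.example.com`) are an assumption made for the demonstration.

```python
"""Added example (not Cloud Firewall code): what "Extract Host and SNI fields" means.
Pulls the Host header out of a plaintext HTTP request and the server_name (SNI)
extension out of a TLS ClientHello, then matches the name against a policy entry
that may be a wildcard such as *.example.com. Sample packets are constructed here."""
import struct


def host_from_http(payload: bytes):
    """Return the Host header of an HTTP/1.x request (port stripped), or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0]
    return None


def sni_from_client_hello(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        ch = record[9:9 + hs_len]
        pos = 2 + 32                                  # client_version + random
        pos += 1 + ch[pos]                            # session_id
        pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + ch[pos]                            # compression_methods
        if pos + 2 > len(ch):                         # no extensions block at all
            return None
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", ch[pos:pos + 4])
            data = ch[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0 and len(data) >= 5 and data[2] == 0:  # server_name, host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):                # truncated or malformed record
        return None


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal ClientHello for the demo, with or without an SNI extension."""
    body = (b"\x03\x03" + bytes(32)       # TLS 1.2 version + constructed all-zero random
            + b"\x00"                     # empty session_id
            + b"\x00\x02\x13\x01"         # one cipher suite
            + b"\x01\x00")                # null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type
        ext = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def domain_matches(entry: str, name) -> bool:
    """Assumed wildcard semantics: *.example.com covers any name ending in .example.com."""
    if name is None:
        return False
    name, entry = name.lower().rstrip("."), entry.lower()
    return name.endswith(entry[1:]) if entry.startswith("*.") else name == entry


def identify(packet: bytes):
    """Emulate FQDN-based identification: HTTP Host first, then TLS SNI."""
    return host_from_http(packet) or sni_from_client_hello(packet)


# Constructed sample packets.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com:8080\r\nUser-Agent: demo\r\n\r\n"
TLS_WITH_SNI = build_client_hello("api.example.com")
TLS_NO_SNI = build_client_hello()        # client that connected by IP address, no SNI


def classify(policy_entry: str) -> dict:
    """For each sample, the extracted name and whether the policy entry matches it."""
    out = {}
    for label, pkt in (("http", HTTP_REQUEST), ("tls_sni", TLS_WITH_SNI), ("tls_no_sni", TLS_NO_SNI)):
        name = identify(pkt)
        out[label] = (name, domain_matches(policy_entry, name))
    return out


if __name__ == "__main__":
    for label, (name, hit) in classify("*.example.com").items():
        print(f"{label:10s} name={name!r:22} matches *.example.com={hit}")
```

The third sample, a ClientHello with no SNI, is the case this mode cannot identify: there is no name in the packet to match, which is why the page points to the strict engine mode and DNS fallback for such traffic.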

DNS-based dynamic resolution

Cloud Firewall resolves the domain name to IP addresses using DNS, then applies access control to those IP addresses. This mode works with any application type.

A single domain name can resolve to up to 500 IP addresses. Cloud Firewall refreshes the resolved IP addresses every 5 minutes to keep policies current as DNS records change.

Cloud Firewall supports two DNS resolution methods:

  • Default DNS resolution — uses Alibaba Cloud DNS Private DNS. The server IP addresses are 100.100.2.136 and 100.100.2.138.

  • Private DNS resolution — uses a self-managed DNS server or Alibaba Cloud DNS Private DNS with custom records. See Private DNS for setup instructions.

Private DNS requirements:

| DNS server type | Requirement |
| --- | --- |
| Alibaba Cloud DNS Private DNS | Add DNS records; default server IPs are 100.100.2.136 and 100.100.2.138 |
| Self-managed with a public IP | The business VPC must have a NAT gateway so the synchronization node can reach the DNS server |
| Self-managed with a private IP | The business VPC and DNS server must be able to communicate, and the synchronization node must be able to reach the DNS server |

To use private DNS, create a synchronization node in the Cloud Firewall console. For details, see Private DNS.

Note

For CDN domain names or other frequently changing domain names, combine DNS-based dynamic resolution with FQDN-based or FQDN and DNS-based identification to improve policy hit rates.

FQDN and DNS-based dynamic resolution

This mode combines both approaches. Cloud Firewall first tries to identify the Host or SNI field in the traffic and also uses the DNS dynamic resolution results. If either match succeeds, the domain name condition is considered met for access control.

Supported application types: HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, IMAPS

Important

This mode requires enabling strict mode on the access control engine.

  • In loose mode, traffic of a supported application type that carries no domain name information is allowed through without identification when a policy matches on FQDN domain names.

  • In strict mode, Cloud Firewall performs DNS dynamic resolution even when packets lack domain name information, ensuring more precise control.

For details, see Configure the mode of the access control engine.

Choosing an identification mode

| Mode | How it identifies the domain | Supports wildcards | Application type restriction |
| --- | --- | --- | --- |
| FQDN-based dynamic resolution | Reads Host or SNI field from the packet | Yes | HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, IMAPS |
| DNS-based dynamic resolution | Resolves domain name to IP addresses | No | None |
| FQDN and DNS-based dynamic resolution | Reads Host/SNI first; falls back to DNS | No | HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, IMAPS |

Use FQDN-based dynamic resolution when:

  • Traffic uses HTTP, HTTPS, or other supported application types

  • Multiple domain names share the same IP address and you need to distinguish them

  • You need wildcard domain name matching

Use DNS-based dynamic resolution when:

  • Traffic does not carry Host or SNI information

  • You need to cover application types beyond the seven listed above

Use FQDN and DNS-based dynamic resolution when:

  • Traffic uses supported application types, but some requests do not carry Host or SNI fields

Usage notes

DNS resolution limitations

DNS resolution is not supported in the following cases:

  • Inbound traffic — DNS resolution applies only to outbound policies on the Internet boundary.

  • Wildcard domain names as destination — for example, *.example.com cannot be resolved to a specific IP address.

  • Exact-match domain name address books containing wildcard entries — when a policy references an exact-match domain name address book with an identification mode specified, the address book cannot include wildcard domain names.

Shared IP addresses

If multiple domain names resolve to the same IP address, the policy may apply to traffic from all those domain names, not just the intended one.

For example, if both example.aliyundoc.com and demo.aliyundoc.com resolve to 1.1.XX.XX, a policy that allows HTTP traffic to example.aliyundoc.com also allows HTTP traffic to demo.aliyundoc.com. To avoid this, use FQDN-based dynamic resolution, which matches on the domain name in the packet header rather than the IP address.

Automatic policy updates

When DNS records change, Cloud Firewall updates the resolved IP addresses in the access control policy automatically, every 5 minutes. For example, if example.aliyundoc.com changes from 1.1.XX.XX to 2.2.XX.XX, the policy takes effect on 2.2.XX.XX after the next refresh.
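The following added example, which is not Cloud Firewall's code, models in one place the behaviour described in the DNS-based dynamic resolution section, the loose/strict engine note, and the "Shared IP addresses" and "Automatic policy updates" notes above: how each of the three identification modes decides whether a packet's destination satisfies a policy's domain name condition, the 5-minute refresh of resolved IPs and the 500-IP cap, the loose-versus-strict handling of packets that carry no Host/SNI, and the shared-IP pitfall. It is a reading of the page's description rather than the product's matching logic; the DNS zone, packets, and the `Packet`/`Policy`/`DnsCache` names are constructed for the demonstration, and the wildcard semantics are assumed.

```python
"""Added example (not Cloud Firewall code): a model of how the three identification
modes decide whether a packet's destination satisfies a policy's domain name
condition, with the 5-minute DNS refresh, the 500-IP cap, loose vs strict engine
mode, and the shared-IP pitfall. DNS answers and packets are constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

REFRESH_SECONDS = 300      # resolved IPs are refreshed every 5 minutes
MAX_IPS = 500              # at most 500 IPs per domain name
FQDN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL", "POPS", "IMAPS"}

@dataclass
class Packet:
    app: str                 # application type as classified by the firewall
    dst_ip: str
    name: Optional[str]      # Host/SNI value carried by the packet, or None

@dataclass
class Policy:
    domain: str              # exact name, or wildcard such as *.example.com
    mode: str                # "fqdn", "dns" or "fqdn_dns"

class DnsCache:
    """Resolved IP set per domain, re-resolved once REFRESH_SECONDS have elapsed."""

    def __init__(self, resolve: Callable[[str], List[str]], clock: Callable[[], float]):
        self._resolve, self._clock = resolve, clock
        self._entries: Dict[str, Tuple[float, Set[str]]] = {}

    def ips(self, domain: str) -> Set[str]:
        now = self._clock()
        stamp, ips = self._entries.get(domain, (None, set()))
        if stamp is None or now - stamp >= REFRESH_SECONDS:
            ips = set(self._resolve(domain)[:MAX_IPS])   # cap at 500 IPs
            self._entries[domain] = (now, ips)
        return ips

def name_matches(entry: str, name: Optional[str]) -> bool:
    """Assumed wildcard semantics: *.example.com covers any name ending in .example.com."""
    if name is None:
        return False
    name, entry = name.lower(), entry.lower()
    return name.endswith(entry[1:]) if entry.startswith("*.") else name == entry

def destination_matches(policy: Policy, pkt: Packet, dns: DnsCache, strict: bool) -> bool:
    """Does the packet's destination satisfy the policy's domain name condition?"""
    if policy.domain.startswith("*") and policy.mode != "fqdn":
        raise ValueError("wildcard domain names need FQDN-based dynamic resolution")
    if policy.mode == "fqdn":
        return pkt.app in FQDN_APPS and name_matches(policy.domain, pkt.name)
    if policy.mode == "dns":
        return pkt.dst_ip in dns.ips(policy.domain)
    if policy.mode == "fqdn_dns":
        if pkt.app not in FQDN_APPS:
            return False
        if name_matches(policy.domain, pkt.name):
            return True
        if pkt.name is None and not strict:   # loose engine: pass through, unidentified
            return False
        return pkt.dst_ip in dns.ips(policy.domain)   # strict engine: DNS fallback
    raise ValueError(policy.mode)

# Constructed DNS zone; both names share one IP, as in the page's example.
ZONE = {"example.aliyundoc.com": ["1.1.0.10"], "demo.aliyundoc.com": ["1.1.0.10"]}

def shared_ip_pitfall() -> Dict[str, bool]:
    """DNS mode matches demo.aliyundoc.com traffic under an example.aliyundoc.com policy."""
    dns = DnsCache(lambda d: ZONE.get(d, []), lambda: 0.0)
    pkt = Packet("HTTP", "1.1.0.10", "demo.aliyundoc.com")
    return {m: destination_matches(Policy("example.aliyundoc.com", m), pkt, dns, True)
            for m in ("dns", "fqdn")}

def refresh_behaviour() -> Dict[str, bool]:
    """A changed record takes effect only after the next 5-minute refresh."""
    now = [0.0]
    dns = DnsCache(lambda d: ZONE.get(d, []), lambda: now[0])
    policy, pkt = Policy("example.aliyundoc.com", "dns"), Packet("HTTP", "2.2.0.20", None)
    before = destination_matches(policy, pkt, dns, True)     # caches 1.1.0.10
    ZONE["example.aliyundoc.com"] = ["2.2.0.20"]             # record changes
    now[0] = 120.0
    stale = destination_matches(policy, pkt, dns, True)      # cache not yet refreshed
    now[0] = 300.0
    fresh = destination_matches(policy, pkt, dns, True)      # re-resolved
    ZONE["example.aliyundoc.com"] = ["1.1.0.10"]             # restore for other demos
    return {"before_change": before, "within_5_min": stale, "after_refresh": fresh}

def engine_mode_behaviour() -> Dict[str, bool]:
    """fqdn_dns with an HTTPS packet that carries no SNI: loose passes, strict resolves."""
    dns = DnsCache(lambda d: ZONE.get(d, []), lambda: 0.0)
    pkt = Packet("HTTPS", "1.1.0.10", None)
    policy = Policy("example.aliyundoc.com", "fqdn_dns")
    return {"loose": destination_matches(policy, pkt, dns, False),
            "strict": destination_matches(policy, pkt, dns, True)}

if __name__ == "__main__":
    print(shared_ip_pitfall(), refresh_behaviour(), engine_mode_behaviour(), sep="\n")
```

`shared_ip_pitfall` shows the IP-based mode accepting traffic to the neighbouring domain while FQDN-based identification rejects it; `refresh_behaviour` shows a DNS change having no effect until the cache is older than 300 seconds; `engine_mode_behaviour` shows why the combined mode needs the strict engine, since in loose mode a packet without SNI is never resolved.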

Custom DNS resolution for Elastic Compute Service (ECS) instances

By default, ECS instances use the Alibaba Cloud DNS server at 100.100.2.136 and 100.100.2.138 to resolve external domain names. To use custom DNS settings, add a self-managed DNS server or Alibaba Cloud DNS Private DNS server through the Private DNS feature.

Quota calculation for DNS-based policies

The quota consumed by policies with Destination Type set to Domain Name and Domain Name Identification Mode set to DNS-based dynamic resolution or FQDN and DNS-based dynamic resolution is calculated per firewall boundary as follows:

  • If the total quota across all such policies on a boundary is 200 or fewer, the actual consumed quota equals the total quota.

  • If the total quota exceeds 200, the actual consumed quota = 200 + (excess quota × 10).

Example: You have one policy that consumes 185 quota units, and you add another that consumes 16. The total is 201, which exceeds 200 by 1. The actual consumed quota = 200 + (201 − 200) × 10 = 210.

For how quota is calculated per policy, see Quota consumed by access control policies.

Next steps