Authoritative DNS Resolution Agent


Authoritative DNS Resolution Agent proxies DNS queries through Alibaba Cloud infrastructure, providing DDoS protection, access acceleration, and disaster recovery without complex migration.

Benefits

  • DDoS caching: Caches DNS responses to protect authoritative servers from DDoS attacks and reduce load.

  • Access acceleration: Routes queries through Alibaba Cloud's global POPs for faster, nearby resolution.

  • Service backup: Serves cached data if your authoritative server fails, reducing downtime.

  • Cost savings: Reduces bandwidth and costs for self-hosted DNS.


Limits

  1. If a primary domain and its subdomains both use Alibaba Cloud DNS, Authoritative DNS Resolution Agent cannot be used for the subdomains.

  2. Authoritative DNS Resolution Agent does not support smart DNS.

  3. Authoritative DNS Resolution Agent does not support DNSSEC.

Create Authoritative Domain Name

  1. Go to Public Authoritative Firewall.

  2. Switch to the Authoritative DNS Resolution Agent tab.

  3. Click Create Authoritative Domain Name, and configure the parameters.

    Each parameter is listed below, followed by its description.

    Authoritative Zone Name
      The service domain name that requires the Authoritative DNS Resolution Agent.

    Service Instance
      Select and attach a purchased Authoritative DNS Resolution Agent instance.
      Note: If the list is empty, purchase an instance first.

    Running Mode
      Proxy Mode: Returns cached records for DNS queries. On a cache miss, queries the origin server, returns the result, and caches it.

    Minimum TTL Period of Back-to-origin Cached Data, Maximum TTL Period of Back-to-origin Cached Data
      Cache TTL range for the Authoritative Zone Name's DNS records, in seconds. Valid values: 30 to 86400.
      Note: After connecting to Authoritative DNS Resolution Agent, the TTL that local DNS (recursive resolver) queries observe follows the Authoritative DNS Resolution Agent settings, not the TTL published by your origin server. If a carrier forcibly extends the TTL, contact the carrier.

    Back-to-origin DNS Query Protocol
      Sends DNS queries to the authoritative server over UDP.
      Note: Currently, only UDP is supported.
      EDNS Client Subnet: If your authoritative server supports EDNS, enable this option. During recursive queries, if the local DNS also supports EDNS, Authoritative DNS Resolution Agent forwards the client's egress IP from the local DNS query to your origin server.

    Origin DNS Servers
      One or more origin DNS server addresses. The default port is 53. Change the port number as needed to match your origin DNS server.

Query cached data

Caching mechanism

  • If the origin server uses smart DNS, origin-fetch records for the Authoritative Zone Name are cached according to the matched rule.

  • Authoritative DNS Resolution Agent uses a cache reserve mechanism. Unexpired records are served directly from cache. When a record expires, the next query triggers an origin fetch and updates the cache. If the origin fetch fails, expired data continues to be served until the record is purged due to infrequent requests.
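The Proxy Mode and TTL parameters above, together with the caching mechanism just described, form a small state machine: serve while fresh, refetch on expiry, keep serving the expired record when the origin fetch fails, and purge it once nobody asks for it any more. The following Python model is an added example and is not Alibaba Cloud's code; it assumes an in-memory cache with an injectable clock and an origin callback, and the idle-purge threshold (`idle_purge_after`) is an assumption, since the page does not state how "infrequent requests" is measured. Origin TTLs are clamped into the configured 30 to 86400 second window, which is why a resolver sees the agent's TTL rather than the origin's.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Valid cache TTL range from the console parameter (seconds).
MIN_TTL = 30
MAX_TTL = 86400


class OriginUnavailable(Exception):
    """Raised by the origin callback when the back-to-origin query fails."""


@dataclass
class CacheEntry:
    rdata: List[str]   # record data returned by the origin
    ttl: int           # TTL after clamping to [min_ttl, max_ttl]
    fetched_at: float  # when the origin answered
    last_hit: float    # last time a query asked for this record

    def is_fresh(self, now: float) -> bool:
        return now - self.fetched_at < self.ttl


class ProxyModeCache:
    """Toy model of Proxy Mode: fresh -> serve from cache; missing/expired -> origin
    fetch; origin failure -> keep serving the expired record until it is purged."""

    def __init__(self, origin: Callable[[str, str], Tuple[List[str], int]],
                 min_ttl: int = MIN_TTL, max_ttl: int = MAX_TTL,
                 idle_purge_after: int = 3600, clock: Callable[[], float] = time.time):
        self.origin = origin
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.idle_purge_after = idle_purge_after  # assumed threshold, not from the page
        self.clock = clock
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}

    def clamp_ttl(self, ttl: int) -> int:
        """Force the origin's TTL into the configured [min, max] window."""
        return max(self.min_ttl, min(self.max_ttl, ttl))

    def resolve(self, name: str, rtype: str) -> Tuple[List[str], str]:
        """Answer a query; the second element says where the answer came from."""
        now = self.clock()
        key = (name.lower().rstrip("."), rtype.upper())
        entry = self.cache.get(key)
        if entry is not None and entry.is_fresh(now):
            entry.last_hit = now
            return entry.rdata, "cache-hit"
        try:
            rdata, origin_ttl = self.origin(name, rtype)
        except OriginUnavailable:
            if entry is not None:          # expired but still held: serve stale
                entry.last_hit = now
                return entry.rdata, "stale"
            raise                          # nothing cached: the outage is visible
        self.cache[key] = CacheEntry(rdata, self.clamp_ttl(origin_ttl), now, now)
        return rdata, "origin-fetch"

    def purge_idle(self) -> int:
        """Drop expired records nobody has asked for recently; returns count removed."""
        now = self.clock()
        idle = [k for k, e in self.cache.items()
                if not e.is_fresh(now) and now - e.last_hit >= self.idle_purge_after]
        for k in idle:
            del self.cache[k]
        return len(idle)


class FakeClock:
    """Controllable clock so TTL behaviour can be exercised without sleeping."""
    def __init__(self, start: float = 0.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeOrigin:
    """Constructed origin server: a static zone plus a switch to simulate an outage."""
    def __init__(self):
        self.zone = {("www.example.com", "A"): (["203.0.113.10"], 5)}  # origin TTL 5 s
        self.down = False
        self.queries = 0
    def __call__(self, name: str, rtype: str) -> Tuple[List[str], int]:
        self.queries += 1
        if self.down:
            raise OriginUnavailable(f"{name}/{rtype}")
        return self.zone[(name, rtype)]


def demo() -> Tuple[List[str], int, int]:
    """Walk through hit, expiry refetch, serve-stale and purge; returns the outcomes."""
    clock, origin = FakeClock(), FakeOrigin()
    cache = ProxyModeCache(origin, clock=clock, idle_purge_after=600)
    steps = []
    steps.append(cache.resolve("www.example.com", "A")[1])  # origin-fetch; TTL 5 clamped to 30
    clock.advance(10)
    steps.append(cache.resolve("www.example.com", "A")[1])  # cache-hit: still inside the 30 s
    clock.advance(25)                                        # t=35, record expired
    steps.append(cache.resolve("www.example.com", "A")[1])  # origin-fetch
    origin.down = True
    clock.advance(40)                                        # expired again, origin unreachable
    steps.append(cache.resolve("www.example.com", "A")[1])  # stale
    clock.advance(700)                                       # idle longer than purge threshold
    return steps, cache.purge_idle(), origin.queries


if __name__ == "__main__":
    print(demo())
```

The second query in `demo()` is the point to notice: the origin published a 5 second TTL, yet at t=10 the answer is still a cache hit because the minimum TTL of 30 seconds wins, which is exactly the behaviour the TTL note warns resolver operators about.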

Procedure

  1. Go to Public Authoritative Firewall.

  2. Switch to the Authoritative DNS Resolution Agent tab.

  3. For the target domain, click Cached Data in the Actions column.

    Note

    • Cached Data supports three line types: carrier, outside mainland China, and Alibaba Cloud.

    • Carrier lines: categorized by China Telecom, China Unicom, and China Mobile. Select a province on the map to view.

    • Outside mainland China: categorized by continent (Asia, Europe, North America, South America, Africa, Oceania). Select a country to view.

    • Alibaba Cloud lines: Cached Data is displayed by region.