Blacklist/Whitelist

How it works

Resolution requests are checked against the whitelist first, then the blacklist. An empty whitelist allows all domains through. A non-empty whitelist blocks any domain not listed. Blacklisted domains are denied resolution regardless.

• Both lists empty: all domains resolve normally.

• Whitelist only: only whitelisted domains resolve.

• Blacklist only: all domains resolve except blacklisted ones.

• Both lists populated: only domains on the whitelist but not the blacklist resolve. Domains on both lists are denied.

  Important

  The Blacklist/Whitelist feature does not support unencrypted access methods that bind the source IP of a resolution request to a network egress.

Add to Blacklist/Whitelist

1. Log on to the Alibaba Cloud DNS - HTTPDNS console.

2. Navigate to the Blacklist/Whitelist tab.

3. Click Whitelist or Blacklist, click Add Zone, and enter the domain names.

   Note

   • The Domain Name (Exclude Subdomain Names) type applies the Blacklist/Whitelist rule to that exact domain only. To include all subdomains, select Zone (Include All Subdomain Names).

   • Each batch supports up to 50 entries, all of the same type (domain or zone).

   • The Whitelist and Blacklist each support a maximum of 100 entries (domains or zones).

4. Newly added domains default to Disable. Click Enable in the Actions column to activate the rule.

   Warning

   • After you enable a rule, the Blacklist/Whitelist feature takes effect immediately. Verify your configuration before proceeding.

   • If you use DoH and aliyun.com is not whitelisted, or aliyun.com is blacklisted, you cannot access the Alibaba Cloud DNS console from a DoH-configured browser. Disable DoH in the browser first, then adjust the Blacklist/Whitelist configuration.

   • In SDK integrations, the SDK retrieves the Blacklist/Whitelist policy on startup, reducing resolution requests to HTTPDNS and lowering costs. The Blacklist/Whitelist policy syncs from HTTPDNS to the SDK. A few unexpected domain requests may occur during initialization before the sync completes. This is expected.

   • For DoH connections, the Blacklist/Whitelist policy is enforced on HTTPDNS. The policy applies only after the request reaches HTTPDNS and is counted, so this method does not reduce DoH request volume or costs.

Batch operations

The Blacklist/Whitelist feature supports Batch Disable, Batch Enable, and Batch Delete. Use the fuzzy search to locate specific domains.