What is Private Domain Name Resolution


Alibaba Cloud DNS provides DNS resolution for corporate intranet scenarios within Alibaba Cloud virtual private clouds (VPCs).

Overview

Private Domain Name Resolution (Private Hosted Zone) is an upgrade of Alibaba Cloud DNS PrivateZone. It provides DNS resolution for corporate intranet scenarios within Alibaba Cloud VPCs, with modules for Private Zone, caching, forwarding, and recursion. In a VPC environment, you can define private authoritative domain names, accelerate resolution, forward DNS traffic between cloud and on-premises data centers (IDCs), and analyze resolution logs for clients such as ECS instances and containers.

Product capabilities

Alibaba Cloud DNS deploys proprietary DNS software in data centers worldwide to provide private DNS resolution for VPC environments. The service includes the following modules:

Private Zone

Built on the original Alibaba Cloud DNS PrivateZone service, this private authoritative DNS module lets you create domain names accessible only within your VPCs and resolve them to IP addresses. Use private authoritative records to manage resources such as ECS hostnames, SLB instances, and OSS buckets within a VPC. You can also connect VPCs to on-premises data centers through leased lines or VPNs, enabling resources in both environments to access each other using private domain names.

The Private Zone service is divided into acceleration regions and standard regions. Domain names from the original PrivateZone service are stored in standard regions. Acceleration regions store DNS records in high-speed memory closer to request sources, providing the lowest resolution latency. This makes them ideal for domain names that require low latency and high stability. Acceleration regions support split-zone DNS and weighted resolution. Standard regions do not support these features.

Cache

The cache module accelerates domain name resolution within a VPC by storing results in high-speed memory. The Time to Live (TTL) value of each record determines how long a result remains cached. You can enable cache retention to keep the resolution results for key domain names in memory beyond their TTL. With cache retention enabled, a query that arrives after the TTL has expired is answered from the cached result immediately while the record is refreshed in the background. This improves resolution speed and prevents service interruptions caused by failures of the domain's public authoritative DNS service. Note that a retained record is served as-is until a background refresh succeeds or you purge it, so a change made at the authoritative source is not visible to VPC clients until then. For more information, see Cache.

Forwarding

The forwarding module (formerly Resolver in Alibaba Cloud DNS PrivateZone) lets you create forwarding rules and DNS outbound endpoints to route query traffic for specific domain names from your VPC to an external DNS system. This supports hybrid cloud and cloud-to-on-premises service calls. For more information, see Forwarding management.

Recursion

The recursion module provides recursive resolution of Internet domain names for clients such as ECS instances within a VPC. It is free of charge by default for Alibaba Cloud VPC scenarios but is not covered by a Service-Level Agreement (SLA). If you change the default DNS server addresses (100.100.2.136 and 100.100.2.138) on an ECS instance to those of another provider, that instance no longer receives private resolution from Alibaba Cloud DNS.

Inbound endpoints

An inbound endpoint is the nameserver address of the private DNS resolution service. Configure it as the DNS address for cloud clients (ECS instances, containers) or as the destination IP for external clients (on-premises hosts, external DNS servers). Inbound endpoints are system-assigned or custom. The default addresses are 100.100.2.136 and 100.100.2.138, which serve all VPCs in all regions through anycast at no charge.

To use your own private IP addresses for DNS resolution within a VPC, create a custom inbound endpoint. Custom endpoints are billed on a pay-as-you-go basis. For more information, see Inbound endpoints.

Traffic analysis

The traffic analysis module provides end-to-end visualization of DNS resolution traffic. It reconstructs the full path from query to acknowledgement and reports on resolution latency, request volume, cache hit rate, hot spot domain names, and hot spot request sources. Use this data to optimize your resolution settings.

Important

Private DNS resolution rules apply only to clients within a VPC that use 100.100.2.136/100.100.2.138 or a custom inbound endpoint address as their DNS server. If you change the DNS settings of an ECS instance to another address, Alibaba Cloud DNS private resolution rules do not apply to that instance.
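A quick way to audit the condition stated above is to parse a client's /etc/resolv.conf and confirm that every configured nameserver is an inbound endpoint. The following is an added example, not code from the original page or from Alibaba Cloud; the two resolv.conf contents are constructed samples, and the set of allowed addresses is assumed to be the two default inbound endpoints (extend it with any custom inbound endpoint addresses you created).

```python
import ipaddress

# Default inbound endpoints named on the page. Add custom inbound endpoint
# addresses here if you created any (assumption: none exist in this example).
DEFAULT_INBOUND = {"100.100.2.136", "100.100.2.138"}

# Constructed resolv.conf contents, not captured from a real instance.
SAMPLE_OK = """\
# generated by cloud-init
options timeout:2 attempts:3
nameserver 100.100.2.136
nameserver 100.100.2.138
"""

SAMPLE_DRIFTED = """\
nameserver 8.8.8.8
nameserver 100.100.2.136   ; only reached if 8.8.8.8 times out
"""


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf text, in order.
    Both '#' and ';' start a comment; malformed addresses are skipped."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def check_private_resolution(text, allowed=DEFAULT_INBOUND):
    """Return (ok, offenders). ok is True only when at least one nameserver is
    configured and all of them are inbound endpoints. The resolver library
    tries servers in order, so a foreign first entry already sends most
    queries past the private DNS service even if an endpoint follows it."""
    servers = parse_nameservers(text)
    offenders = [s for s in servers if s not in allowed]
    return (len(servers) > 0 and not offenders), offenders
```

Run it against the file of each instance (for example from a configuration-management job) and treat any offender as drift: the instance has silently left the scope of your private zones and forwarding rules.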

Resolution rule priority

In a corporate VPC scenario, when a DNS server receives a DNS query, it resolves the domain name according to the following priority rules:

[Figure: resolution rule priority (image not included in this text)]

Benefits

Rich product features

Split-zone DNS: Returns specific IP addresses based on the query source IP range. Supports Alibaba Cloud DNS lines and custom DNS lines.

Weighted resolution: Assign weights to multiple record values for the same hostname and request source. DNS responses distribute traffic based on preset weight ratios to achieve load balancing.

Cache retention: Keep DNS records for key domain names permanently cached. This improves resolution speed and prevents service interruptions from authoritative DNS provider failures.

Cache purge: Clear cached data for specific domain names from cache servers during emergency service changes when cache retention is enabled.

Forwarding management: Forward DNS query traffic for specific domain names in a VPC to an external DNS system. Supports hybrid cloud and cloud-to-on-premises service calls.

Traffic analysis: Provides end-to-end visualization of DNS resolution traffic with graphical reports. Adjust your service architecture based on resolution traffic trends.

Security isolation

Private DNS resolution isolates zone data by VPC:

  • Zones cannot be queried from the Internet, so external parties cannot probe your internal naming and architecture.

  • Zones can be queried only from the VPCs in their effective scope, which limits access to core naming data to the smallest range that needs it.

  • Zone data is processed over tunnelled network paths to protect it from tampering or disclosure in transit.

Flexible control

Add or customize private zones as you need:

  • Add any zone, including a public one such as taobao.com, to override public DNS results within the configured scope: in the VPCs the zone is bound to, your private records replace the Internet resolution results for that name. Because this lets anyone who can create a zone and bind it to a VPC redirect any domain name for every client in that VPC, treat those permissions as privileged.

  • Create custom domain names in a VPC that cannot be registered on the public Internet, such as example.test and example.abcd.

  • Set different effective scopes for zones with the same name. This lets VPCs in different regions access different resources using the same domain name for nearest access. For example, queries for test.example.com from VPCs in China (Huabei 2) and China (Huadong 2) return the local resource addresses for each region.

System architecture

Private domain name resolution has two layers: control and resolution.

  • Control layer: Provides services through the console and OpenAPI. Handles CRUD and storage for DNS records, configuration data, and log data. Located in China (Zhangjiakou) and China (Hangzhou).

  • Resolution layer: Runs on server clusters deployed in regions worldwide. Receives DNS records distributed from the control layer and responds to queries. Covers all regions and zones where Alibaba Cloud services are publicly available.

Scenarios

Hostname management

Standardize ECS hostname naming and use the hostname record feature to automatically synchronize resolution records. This lets you access ECS instances by hostname.

For example, a company (example.com) has 50 ECS instances in a VPC in Zone E of China (Huabei 2): 20 for the website, 20 for the mobile app, and 10 for testing. Plan hostnames as follows:

  • Website: web01.huabei2-e.example.com to web20.huabei2-e.example.com

  • App: m01.huabei2-e.example.com to m20.huabei2-e.example.com

  • Test: test01.huabei2-e.example.com to test10.huabei2-e.example.com

After this configuration, you can define a private domain name using the Private Zone service and enable the automatic synchronization of ECS hostname records. This lets you access ECS instances by hostname in a specific VPC network, which improves the convenience of daily host management.

Split-zone DNS

The original PrivateZone service did not support split-zone DNS, custom lines, or Alibaba Cloud lines. The upgraded service supports split-zone DNS, which identifies the visitor's source and returns different IP addresses accordingly. Only private domain names in a Private Zone acceleration region support split-zone DNS, including Alibaba Cloud lines and custom DNS lines.

Weighted resolution

If a zone has multiple A, AAAA, or CNAME records with the same hostname and DNS line, set weights for each record value to distribute traffic during service migrations. Only private domain names in a Private Zone acceleration region support weighted resolution.
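Split-zone DNS and weighted resolution are selection steps applied in sequence: pick the line that matches the query source, then pick one value from that line by weight. The model below is an added example illustrating both sections above; it is not Alibaba Cloud's implementation. The zone data is constructed, lines are represented as source CIDR ranges plus a default line, and weighted selection uses a deterministic counter-based round-robin (an assumption chosen so the ratio is exact over a full cycle) rather than random choice.

```python
import ipaddress
from collections import defaultdict

# Constructed zone data: one hostname with records on three custom lines
# (source-IP ranges) and a default line. Weights apply within a line.
ZONE = {
    "api.example.com": [
        {"line": "10.1.0.0/16", "value": "10.1.8.10", "weight": 3},
        {"line": "10.1.0.0/16", "value": "10.1.8.11", "weight": 1},
        {"line": "10.1.8.0/24", "value": "10.1.8.99", "weight": 1},
        {"line": "10.2.0.0/16", "value": "10.2.8.10", "weight": 1},
        {"line": "default",     "value": "10.9.0.10", "weight": 1},
    ]
}

_counters = defaultdict(int)  # round-robin position per (name, line)


def select_line(records, source_ip):
    """Split-zone step: return the most specific line whose range contains
    source_ip, or 'default' when no custom line matches."""
    src = ipaddress.ip_address(source_ip)
    best, best_len = None, -1
    for rec in records:
        if rec["line"] == "default":
            continue
        net = ipaddress.ip_network(rec["line"], strict=False)
        if src in net and net.prefixlen > best_len:
            best, best_len = rec["line"], net.prefixlen
    return best if best is not None else "default"


def resolve(name, source_ip, zone=ZONE):
    """Return one record value for name as seen from source_ip.
    Weighted step: the k-th query on a line gets slot k mod total_weight,
    and the slot is mapped onto the cumulative weights of that line's values."""
    records = zone.get(name)
    if not records:
        return None
    line = select_line(records, source_ip)
    candidates = [r for r in records if r["line"] == line]
    total = sum(r["weight"] for r in candidates)
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    key = (name, line)
    slot = _counters[key] % total
    _counters[key] += 1
    acc = 0
    for rec in candidates:
        acc += rec["weight"]
        if slot < acc:
            return rec["value"]


def distribution(name, source_ip, n, zone=ZONE):
    """Answer n consecutive queries from source_ip and count the values."""
    counts = defaultdict(int)
    for _ in range(n):
        counts[resolve(name, source_ip, zone)] += 1
    return dict(counts)
```

The 10.1.8.0/24 record shows why line matching must prefer the longest prefix: a client at 10.1.8.5 falls inside both the /16 and the /24, and only the /24 answer is intended for it. Weights are evaluated after the line is chosen, so a record's weight on one line never influences clients on another.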

Cloud service instantiation

Cloud services often need to access each other. Use private resolution to assign a domain name to each cloud service within a VPC and resolve it to a specific internal IP address. This greatly reduces development changes when service IP addresses change.

For example, a company's (example.com) internal API system uses a private IP address because it handles sensitive data.

Assign account.inner.example.com to this API and resolve it to 10.23.45.67. If the address changes to 10.45.67.89, update only the DNS record.

Domain name resolution acceleration and disaster recovery

Cross-enterprise domain name access is common, creating service dependencies. If a dependent domain's DNS service has high latency or outages, your services are affected.

Use the Cache feature to improve resolution speed and protect against DNS provider outages. With cache retention enabled, cached records for the selected domain names are never evicted automatically, so every query for them is answered from memory. After the TTL expires, a query still receives the cached result and triggers a background update. If the public authoritative DNS is unavailable, the update fails and the system keeps serving the last good cached result, which provides disaster recovery. The trade-off is that the record is only as fresh as the last successful refresh; if you must push a change through immediately, use cache purge.
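The behaviour described in the Cache module section and in this scenario (serve the cached answer after TTL expiry, refresh afterwards, keep serving when the authority is down, purge on demand) is easiest to reason about as a small state machine. The following is an added example, not Alibaba Cloud's code: a toy cache with a fake clock and a scripted upstream, so the TTL expiry, the outage and the purge can be driven deterministically. The refresh is done inline rather than in a background thread, which is an assumed simplification.

```python
import time


class FakeClock:
    """Controllable clock so TTL expiry can be simulated without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class RetainingCache:
    """Toy DNS cache with cache retention. upstream(name) returns (rdata, ttl)
    or raises when the authoritative DNS is unreachable."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.entries = {}      # name -> {"rdata", "expires", "stale"}
        self.retained = set()  # names with cache retention enabled

    def retain(self, name):
        self.retained.add(name)

    def purge(self, name):
        """Cache purge: drop the entry so the next query must go upstream."""
        return self.entries.pop(name, None) is not None

    def _refresh(self, name):
        rdata, ttl = self.upstream(name)
        self.entries[name] = {"rdata": rdata, "expires": self.clock() + ttl, "stale": False}
        return rdata

    def lookup(self, name):
        """Return (rdata, source); source is 'cache', 'stale', 'upstream' or 'servfail'."""
        now = self.clock()
        entry = self.entries.get(name)
        if entry and now < entry["expires"]:
            return entry["rdata"], "cache"
        if entry and name in self.retained:
            # Retained and past TTL: answer with the old data first, then refresh.
            try:
                self._refresh(name)
            except Exception:
                entry["stale"] = True  # authority down; keep the old answer alive
            return entry["rdata"], "stale"
        # Not cached, or cached without retention: the answer must come from upstream.
        try:
            return self._refresh(name), "upstream"
        except Exception:
            return None, "servfail"


def run_scenario():
    """Drive one retained name through expiry, a record change, an upstream
    outage and a purge. Returns the list of (rdata, source) results."""
    clock = FakeClock()
    state = {"rdata": "10.0.0.1", "ok": True}  # scripted authoritative server

    def upstream(name):
        if not state["ok"]:
            raise RuntimeError("authoritative DNS unreachable")
        return state["rdata"], 60

    cache = RetainingCache(upstream, clock)
    cache.retain("app.example.com")
    out = []
    out.append(cache.lookup("app.example.com"))  # first query goes upstream
    clock.advance(30)
    out.append(cache.lookup("app.example.com"))  # within TTL: cache hit
    clock.advance(60)                            # now past the 60 s TTL
    state["rdata"] = "10.0.0.2"                  # authority changed the record
    out.append(cache.lookup("app.example.com"))  # old answer served, refresh runs
    out.append(cache.lookup("app.example.com"))  # new answer now in cache
    clock.advance(120)                           # expired again
    state["ok"] = False                          # authority outage
    out.append(cache.lookup("app.example.com"))  # last good answer still served
    cache.purge("app.example.com")               # purge during the outage
    out.append(cache.lookup("app.example.com"))  # nothing left to fall back on
    return out
```

The last two steps are the practitioner caveat: retention carries you through an authority outage only as long as the entry exists, so purging a retained name while its authority is unreachable removes the fallback and turns the next query into a failure.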

Data exchange for resolution between cloud and on-premises environments

During gradual cloud adoption, migrating DNS resolution between cloud VPCs and on-premises data centers is often challenging. Before cloud adoption, enterprises typically have their own DNS service with private domain names for internal access. After migration, cloud services must still resolve those original private domain names.

Use Forwarding management (Resolver) to forward DNS queries for specific domain names within a VPC to your on-premises DNS. This preserves the original resolution logic for private domain names, ensuring a smooth cloud migration.

Use Inbound endpoints for the opposite direction: point your on-premises DNS servers at an inbound endpoint so that queries for cloud private domain names are forwarded into the VPC. Customize the endpoint's destination IP addresses to avoid address conflicts with your on-premises network. This lets you maintain a single DNS system across both environments and reduces O&M workload.
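The core of the forwarding module, as described in the Forwarding section and in this scenario, is matching a query name against a set of domain-suffix rules and handing the query to that rule's target DNS servers. The following is an added example, not Alibaba Cloud's code: the rules and target addresses are constructed, and the matching policy (most specific rule wins, matches only on label boundaries, names are case-insensitive) is the standard conditional-forwarding behaviour, assumed here rather than taken from the page.

```python
# Constructed forwarding rules: domain suffix -> target DNS servers that the
# outbound endpoint would send the query to.
FORWARD_RULES = {
    "example.com":      ["192.168.10.53", "192.168.11.53"],
    "corp.example.com": ["10.200.0.53"],
    "db.internal":      ["10.50.0.53"],
}


def _labels(name):
    """Normalise a DNS name into lowercase labels without the trailing dot."""
    return name.rstrip(".").lower().split(".")


def match_forward_rule(qname, rules=FORWARD_RULES):
    """Return (rule_domain, targets) for the most specific rule whose domain
    equals qname or is a suffix of it at a label boundary; None if no rule
    applies. 'example.com' must not match 'notexample.com'."""
    q = _labels(qname)
    best = None
    for domain, targets in rules.items():
        d = _labels(domain)
        if len(d) > len(q) or q[-len(d):] != d:
            continue
        if best is None or len(d) > len(_labels(best[0])):
            best = (domain, targets)
    return best


def route(qname, rules=FORWARD_RULES):
    """Decide how the VPC resolver handles qname: forward to the rule's
    targets, or fall through to recursion when no rule matches."""
    hit = match_forward_rule(qname, rules)
    if hit is None:
        return {"action": "recurse", "rule": None, "targets": []}
    return {"action": "forward", "rule": hit[0], "targets": hit[1]}
```

Two points worth checking in a real deployment follow from this model: an overly broad rule (such as one for a public suffix) silently diverts every name under it to the on-premises servers, and the on-premises DNS must accept UDP and TCP port 53 from the outbound endpoint's VPC addresses, otherwise every forwarded query fails rather than falling back to recursion.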

Traffic analysis

Private DNS resolution was previously a black box with limited visibility. The upgraded service provides end-to-end visualization of DNS resolution traffic. It reconstructs the full path from query to acknowledgement and reports on latency, request volume, cache hit rate, hot spot domains, and hot spot sources. Use this data to adjust your service architecture based on resolution trends.