Alibaba Cloud DNS:Subdomain recursive resolution proxy

Last Updated:Nov 07, 2023

Important

After you enable the subdomain recursive resolution proxy for a zone, Private DNS does not support intranet wildcard Domain Name System (DNS) records in that zone: a wildcard record would match every name under the zone that the proxy is meant to send to the Internet, so the two features cannot be combined. If you disable the subdomain recursive resolution proxy, Private DNS supports intranet wildcard DNS records again.

Overview

Private DNS supports the subdomain recursive resolution proxy. After you enable this feature for a zone, when clients that reside in virtual private clouds (VPCs) within the effective scope of the zone initiate DNS requests for domain names under the zone that are not hosted in it, Private DNS recursively sends the DNS requests to the Internet and returns the DNS resolution results to the clients. Note the consequence: every name under the zone that has no record, including a mistyped or decommissioned hostname, is then answered from public DNS instead of failing inside the VPC, so a private zone with the proxy enabled can no longer be used to withhold public answers for names under that domain.

For example, the zone name is aliyun.com and three DNS records are configured for aliyun.com. The following table lists the configurations of the DNS records.

Hostname   Record type   TTL   Record value
host01     A             60    10.0.0.1
host02     A             60    10.0.0.2
host03     A             60    10.0.0.3

  • When a client initiates a DNS request for the domain name host01.aliyun.com, host02.aliyun.com, or host03.aliyun.com within the effective scope of the zone, the record value 10.0.0.1, 10.0.0.2, or 10.0.0.3 is returned.

  • When a client initiates a DNS request for the public domain name www.aliyun.com, api.aliyun.com, or rds.aliyun.com within the effective scope of the zone, Private DNS recursively sends the DNS request to the Internet and returns the DNS resolution result obtained from the Internet.

Enable the subdomain recursive resolution proxy

You can enable the subdomain recursive resolution proxy when you add a built-in authoritative zone. If the feature is not enabled, you can click the ID of the built-in authoritative zone and enable this feature on the Zone Settings page.

Enable the subdomain recursive resolution proxy when you add a built-in authoritative zone

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right corner of the Private DNS (PrivateZone) page, click Configuration Mode. On the Built-in Authoritative Module tab, click User Defined Zones.

  3. On the User Defined Zones tab, click Add New Zone. In the Add Built-in Authoritative Zone panel, turn on Recursive Resolution Proxy for Subdomain Names.

Click the ID of a built-in authoritative zone to enable the subdomain recursive resolution proxy

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right corner of the Private DNS (PrivateZone) page, click Configuration Mode. On the Built-in Authoritative Module tab, click User Defined Zones.

  3. On the User Defined Zones tab, click the ID of the desired zone. On the page that appears, click the Zone Settings tab and turn on Recursive Resolution Proxy for Subdomain Names.
    Note

    After the subdomain recursive resolution proxy is enabled, the existing DNS resolution results of the zone are not affected.

Disable the subdomain recursive resolution proxy

  1. Log on to the Alibaba Cloud DNS console.

  2. In the left-side navigation pane, click Private DNS (PrivateZone). In the upper-right corner of the Private DNS (PrivateZone) page, click Configuration Mode. On the Built-in Authoritative Module tab, click User Defined Zones.

  3. On the User Defined Zones tab, click the ID of the desired zone. On the page that appears, click the Zone Settings tab and turn off Recursive Resolution Proxy for Subdomain Names.

Process of intranet DNS resolution

  • After a client in an intranet initiates a DNS request for a domain name, the system first searches the built-in authoritative module for a DNS record of the domain name. If a DNS record is matched, the system returns the DNS record. If the DNS record contains a canonical name (CNAME), the system continues to initiate a DNS request for the CNAME.

  • If no DNS record is matched for the DNS request in the built-in authoritative module, the system determines whether the DNS request matches a forwarding rule in the forward module. If so, the system forwards the DNS request to the external DNS system. If the DNS record contains a CNAME, the system continues to initiate a DNS request for the CNAME.

  • If the DNS request does not match a forwarding rule, the system recursively forwards the DNS request to the Internet to obtain a DNS record. If the DNS record contains a CNAME, the system continues to initiate a DNS request for the CNAME.
    Note

    If the DNS resolution result of the CNAME is the same as the DNS resolution result of the domain name, the system returns the DNS record.
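The lookup order above, together with the sample zone from the Overview, modelled as an added example (this is not Alibaba Cloud code). The three-stage order, the proxy switch, the wildcard restriction and the CNAME chasing follow the page; the class and function names, the forwarding rule for corp.example, the "Internet" answer table (RFC 5737 documentation addresses) and the CNAME loop guard are constructed for the example, and the behaviour of a non-hosted subdomain while the proxy is disabled (answered as NXDOMAIN by the zone instead of being sent to the Internet) is an assumption:

```python
"""Model of the intranet DNS lookup order described on this page.

Added example, not Alibaba Cloud code. Zone contents are the page's sample
zone; the forwarding target, the public-Internet answer table and all class
and function names are constructed. That a non-hosted name under a zone with
the proxy disabled is answered NXDOMAIN is an assumption.
"""

NXDOMAIN = "NXDOMAIN"
MAX_CNAME_DEPTH = 8  # constructed guard against CNAME loops while chasing targets

# The page's sample zone: hostname -> (record type, record value)
SAMPLE_RECORDS = {
    "host01": ("A", "10.0.0.1"),
    "host02": ("A", "10.0.0.2"),
    "host03": ("A", "10.0.0.3"),
}

# Constructed stand-in for what public recursion returns (RFC 5737 addresses)
INTERNET = {
    "www.aliyun.com": ("CNAME", "cdn.example.net"),
    "cdn.example.net": ("A", "203.0.113.10"),
    "api.aliyun.com": ("A", "203.0.113.20"),
}

# Constructed forwarding rule: suffix -> answer table of the external DNS system
FORWARD_RULES = {
    "corp.example": {"db.corp.example": ("A", "172.16.0.5")},
}


class Zone:
    """A built-in authoritative zone with the subdomain proxy switch."""

    def __init__(self, name, records, proxy=False):
        if proxy and "*" in records:
            # Page: wildcard records are not supported while the proxy is on.
            raise ValueError("wildcard record not supported with proxy enabled")
        self.name = name
        self.records = dict(records)
        self.proxy = proxy

    def covers(self, qname):
        return qname == self.name or qname.endswith("." + self.name)

    def lookup(self, qname):
        host = "@" if qname == self.name else qname[: -(len(self.name) + 1)]
        if host in self.records:
            return self.records[host]
        return self.records.get("*")  # only present when the proxy is disabled


class PrivateDnsModel:
    def __init__(self, zones, forward_rules, internet):
        self.zones = zones                  # built-in authoritative module
        self.forward_rules = forward_rules  # forward module
        self.internet = internet            # Internet recursion

    def _lookup(self, qname):
        """One pass through the three modules; returns (source, record or None)."""
        for zone in self.zones:  # 1. built-in authoritative module
            if zone.covers(qname):
                rec = zone.lookup(qname)
                if rec is not None or not zone.proxy:
                    # Assumption: with the proxy off the zone is final for every
                    # name under it, so a miss is not sent anywhere else.
                    return ("authoritative", rec)
                break  # proxy on: a non-hosted subdomain falls through
        for suffix, table in self.forward_rules.items():  # 2. forward module
            if qname == suffix or qname.endswith("." + suffix):
                return ("forward", table.get(qname))
        return ("internet", self.internet.get(qname))  # 3. Internet recursion

    def resolve(self, qname, _depth=0):
        """Return (source, rtype, value); a CNAME target is resolved again."""
        if _depth > MAX_CNAME_DEPTH:
            raise RuntimeError("CNAME chain too long: " + qname)
        source, rec = self._lookup(qname)
        if rec is None:
            return (source, NXDOMAIN, None)
        rtype, value = rec
        if rtype == "CNAME":
            return self.resolve(value, _depth + 1)
        return (source, rtype, value)


def build_model(proxy, wildcard=None):
    """Sample zone aliyun.com with the proxy on or off, optionally with a wildcard A record."""
    records = dict(SAMPLE_RECORDS)
    if wildcard is not None:
        records["*"] = ("A", wildcard)
    return PrivateDnsModel([Zone("aliyun.com", records, proxy)], FORWARD_RULES, INTERNET)


if __name__ == "__main__":
    for proxy in (True, False):
        model = build_model(proxy)
        for name in ("host01.aliyun.com", "www.aliyun.com", "db.corp.example"):
            print("proxy" if proxy else "no proxy", name, model.resolve(name))
```

Running the block shows the difference the switch makes for www.aliyun.com: with the proxy enabled the name is chased through the public CNAME to a public address, with it disabled the zone answers the miss itself. The source tag in each result tells you which module produced the final answer, which is the first thing to check when a client inside the VPC receives a public address for a name you expected to stay private.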