You can use private domain names for network connections between Elastic Compute Service (ECS) instances in the same virtual private cloud (VPC) to prevent service access issues caused by IP address changes, simplify the management of large-scale internal networks, and maintain isolation of internal networks from the Internet. This enhances security and isolation for internal communications.
The ECS private DNS resolution service is in invitational preview.
ECS private domain name
An ECS private domain name is an internal domain name assigned to an ECS instance in a VPC. The domain name is used to identify and access the ECS instance in the VPC.
Composition of an ECS private domain name
An ECS private domain name is a four-level domain name. The levels are separated by periods (.). Examples: i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal and ip-172-16-0-89.ap-southeast-3.ecs.internal. An ECS private domain name contains the following subdomain names:
Top-level domain name (.internal): the internal domain name in ECS, which is used in the internal network.
Second-level domain name (.ecs): the ECS service identifier.
Subdomain name (.regionID): the ID of the region in which an ECS instance resides. You must replace regionID with the actual ID of the region in which the ECS instance resides. For example, if you select the Malaysia (Kuala Lumpur) region, set regionID to ap-southeast-3. For more information, see the Supported regions and zones section of the "Regions and zones" topic.
Hostname identifier: specifies an ECS instance. The hostname can be set to the primary private IP address or instance ID of an ECS instance.
IP address-based hostname: specifies the primary private IPv4 address. Example: ip-171-16-0-89, which indicates the primary private IPv4 address of an instance.
Instance ID-based hostname: specifies the instance ID. Example: i-8ps2h6dsc74cuktb****. When you use IPv6 for communications, you can specify the instance ID-based hostname.
Limits
Instances in the classic network do not support ECS private domain names.
ECS private domain names can be used for communications within a VPC, not across VPCs.
A private domain name can be resolved only to the primary private IP address of the primary elastic network interface (ENI) but not to a secondary private IPv4 address.
The resolution speed on an ECS instance in a VPC can reach up to 5,000 DNS requests per second. If the upper limit is exceeded on an instance, throttling may be triggered. In this case, the 99.99% service availability in the Service Level Agreement (SLA) may not be guaranteed.
Scenarios
Host management: After you enable the ECS private DNS resolution service that uses the IP address-based or instance ID-based hostname for an ECS instance in a VPC, you can use the hostname to access the instance, which facilitates routine host management.
Cloud service instantiation: Services deployed on the cloud need to access each other. You can use the ECS private DNS resolution service to generate an internal authoritative domain name for each instantiated service and resolve the domain names of the service instances to private IP addresses in a VPC. This significantly reduces the complexity of business configuration changes caused by IP address changes.
Private DNS resolution service
The ECS private DNS resolution service can generate and resolve private domain names. The DNS resolution service is a network service that converts domain names into IP addresses. The ECS private DNS resolution service depends on the Alibaba Cloud Private DNS (PrivateZone) service. The IP addresses of the private DNS (PrivateZone) server are 100.100.2.136 and 100.100.3.138, which are automatically allocated by the system.
DNS records
DNS records are data entries that are generated when a DNS server maps domain names to IP addresses. When a user attempts to access a domain name, the DNS resolution service searches for the DNS record that matches the domain name and converts the domain name into the corresponding IP address.
Time-to-live (TTL) of a DNS record: The TTL (in seconds) specifies the validity period of a cached DNS record. When a DNS record is queried and cached, the TTL value determines how long the DNS record can be retained in the cache of a DNS server. The default TTL of private DNS records is 1 minute.
Type of a DNS record: The ECS private DNS resolution service can generate different types of DNS records. The following table describes the types of DNS records.
Type: DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record)
Description: Maps the private domain name that contains the IP address-based hostname of an instance to the primary private IPv4 address of the instance.
Private domain name format: ip-[Primary private IPv4 address-based hostname].[regionID].[ecs.internal]
Example: ip-192-168-1-1.region-name.ecs.internal is resolved to 192.168.1.1.
Scenarios:
ECS instance access: You can configure this type of DNS record to map the IP address-based hostname of an instance to the primary private IPv4 address of the instance. This facilitates service discovery and communication within Alibaba Cloud.

Type: DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record)
Description: Maps the private domain name that contains the instance ID-based hostname of an instance to the primary private IPv4 address of the instance.
Private domain name format: [Instance ID-based hostname].[regionID].[ecs.internal]
Example: i-bp1hs9xdprd7xq4p****.region-name.ecs.internal is resolved to 192.168.xx.xx.
Scenarios:
Automated deployment and management: The IP addresses of ECS instances may change due to frequent creation, release, or migration. You can configure this type of DNS record to map the instance ID-based hostname of an instance to the most recent primary private IPv4 address of the instance. This simplifies configuration management and O&M.
Security and isolation: In specific environments, strict security policies are used to prevent the direct use of IP addresses, such as for external access. In this case, you can use instance ID-based hostnames and private DNS (PrivateZone) resolution to provide secure access control over cloud resources and maintain network isolation.

Type: DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record)
Important: This type of DNS record is available only when Assign IPv6 Address is selected.
Description: Maps the private domain name that contains the instance ID-based hostname of an instance to the primary private IPv6 address of the instance.
Private domain name format: [Instance ID-based hostname].[regionID].[ecs.internal]
Example: i-bp1hs9xdprd7xq4p****.region-name.ecs.internal is resolved to 2408:xxxx:17:8aff:7833:3724:xxxx:xxxx.
Scenarios:
IPv6 network connectivity: When a host or service supports IPv4 and IPv6, you can configure an AAAA record to support IPv6 connections. This helps leverage the larger IPv6 address space and improves communication efficiency.

Type: Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record)
Description: Maps the primary private IPv4 address of an instance to the private domain name that contains the IP address-based hostname of the instance.
Private domain name format: ip-[Primary private IPv4 address-based hostname].[regionID].[ecs.internal]
Example: 192.168.0.1 is resolved to ip-192-168-0-1.cn-hangzhou.ecs.internal.
Scenarios:
Spam filtering: Email servers can use reverse DNS to check the validity of the server from which emails are sent. If an IP address cannot be resolved back to a domain name, or the domain name does not match the HELO or Extended Hello (EHLO) identifier of the server from which an email is sent, the email may be marked as potential spam or rejected.
Log analysis and tracing: In network security and system management, reverse DNS queries can be used to convert IP addresses into domain names for log analysis and source tracing, such as when you check for abnormal traffic or intrusion attempts or analyze user behavior.
Network diagnostics and troubleshooting: If you want to identify the server or service associated with a specific IP address, reverse DNS resolution can help you quickly obtain the corresponding domain name, especially when you handle issues related to interaction with a specific server.
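The following Python script is an added example; it is not code from this topic or from Alibaba Cloud. It builds the private domain names described above from the instance facts used in the nslookup example later in this topic (instance ID i-8ps2h6dsc74cfy02ithz, region ap-southeast-3, IPv4 address 172.16.0.91, IPv6 address 240b:400e:41:b200:1ca9:f9bb:ae4:1e9a), parses a private domain name back into its four levels, and lists the A, AAAA, and PTR records that the service generates for the options you select. The PTR owner name (91.0.16.172.in-addr.arpa) follows standard reverse DNS, and the option keys A_IP, A_ID, AAAA_ID, and PTR are shorthand of this example, not parameter names of the ECS console or API.

```python
import ipaddress
import re

# Constructed sample facts, taken from the nslookup example in this topic.
SAMPLE_INSTANCE = {
    "instance_id": "i-8ps2h6dsc74cfy02ithz",
    "region_id": "ap-southeast-3",
    "ipv4": "172.16.0.91",
    "ipv6": "240b:400e:41:b200:1ca9:f9bb:ae4:1e9a",
}

ZONE_SUFFIX = "ecs.internal"
_IP_HOSTNAME = re.compile(r"^ip-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")
# "*" is accepted so that the masked IDs shown in this topic (i-...****) also parse.
_ID_HOSTNAME = re.compile(r"^i-[0-9a-z*]+$")


def ip_hostname(ipv4: str) -> str:
    """Derive the IP address-based hostname (ip-A-B-C-D) from a primary private IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)  # raises ValueError for anything that is not an IPv4 address
    return "ip-" + str(addr).replace(".", "-")


def private_zone(region_id: str) -> str:
    """Name of the built-in authoritative zone created per VPC by the DNS hostname feature."""
    return f"{region_id}.{ZONE_SUFFIX}"


def ip_based_name(ipv4: str, region_id: str) -> str:
    return f"{ip_hostname(ipv4)}.{private_zone(region_id)}"


def instance_based_name(instance_id: str, region_id: str) -> str:
    if not _ID_HOSTNAME.match(instance_id):
        raise ValueError(f"not an ECS instance ID: {instance_id!r}")
    return f"{instance_id}.{private_zone(region_id)}"


def ptr_owner_name(ipv4: str) -> str:
    """Owner name of the PTR record for an IPv4 address (standard in-addr.arpa form)."""
    return ipaddress.IPv4Address(ipv4).reverse_pointer


def parse_private_name(fqdn: str) -> dict:
    """Split an ECS private domain name into its four levels; reject any other name."""
    labels = fqdn.rstrip(".").split(".")
    if len(labels) != 4 or labels[2:] != ZONE_SUFFIX.split("."):
        raise ValueError(f"not an ECS private domain name: {fqdn!r}")
    host, region = labels[0], labels[1]
    m = _IP_HOSTNAME.match(host)
    if m:
        ipv4 = ".".join(m.groups())
        ipaddress.IPv4Address(ipv4)  # validate every octet
        return {"kind": "ip", "ipv4": ipv4, "region_id": region}
    if _ID_HOSTNAME.match(host):
        return {"kind": "instance_id", "instance_id": host, "region_id": region}
    raise ValueError(f"unrecognised hostname label: {host!r}")


def expected_records(instance: dict, enabled: set) -> list:
    """Return the (owner, type, rdata) records generated for the selected options.

    Option keys are shorthand of this example for the four check boxes in the console:
      A_IP    - A record for the IP address-based hostname
      A_ID    - A record for the instance ID-based hostname
      AAAA_ID - AAAA record for the instance ID-based hostname
      PTR     - PTR record for the primary private IPv4 address
    """
    region = instance["region_id"]
    ip_name = ip_based_name(instance["ipv4"], region)
    id_name = instance_based_name(instance["instance_id"], region)
    records = []
    if "A_IP" in enabled:
        records.append((ip_name, "A", instance["ipv4"]))
    if "A_ID" in enabled:
        records.append((id_name, "A", instance["ipv4"]))
    if "AAAA_ID" in enabled:
        # str(IPv6Address) yields the compressed canonical form seen in DNS answers
        records.append((id_name, "AAAA", str(ipaddress.IPv6Address(instance["ipv6"]))))
    if "PTR" in enabled:
        records.append((ptr_owner_name(instance["ipv4"]), "PTR", ip_name + "."))
    return records


if __name__ == "__main__":
    for rec in expected_records(SAMPLE_INSTANCE, {"A_IP", "A_ID", "AAAA_ID", "PTR"}):
        print(*rec)
```

Note that the A record for the instance ID-based hostname and the AAAA record share the same owner name, so a single instance ID-based query with different record types returns the IPv4 and IPv6 addresses respectively.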
Configure ECS private DNS resolution
Enable or disable the DNS hostname feature in a VPC
Before you can use the ECS private DNS resolution feature for ECS instances in a VPC, you must enable the DNS hostname feature for the VPC. After the DNS hostname feature is enabled in a VPC, the ECS private DNS resolution feature can be used for ECS instances in the VPC. After the DNS hostname feature is disabled in a VPC, the ECS private DNS resolution feature becomes invalid for ECS instances in the VPC.
Enable the DNS hostname feature: After you enable the DNS hostname feature for a VPC, the DNS resolution service generates a built-in authoritative zone in the [regionID].ecs.internal format. For example, if you create a VPC in the Malaysia (Kuala Lumpur) region and enable the DNS hostname feature, a built-in authoritative zone named ap-southeast-3.ecs.internal is generated, which is in effect only within the VPC. For more information, see Enable DNS hostname for ECS private domain name access in VPC.
Important: After the DNS hostname feature is enabled for a VPC, the ECS private DNS resolution feature that you configure for an ECS instance in the VPC can take effect.
Disable the DNS hostname feature: After you disable the DNS hostname feature for a VPC, the built-in authoritative zone associated with the VPC is deleted, and the private domain names of the ECS instances in the VPC become invalid and cannot be resolved to the primary private IP addresses of the instances.
Important: If your application uses a private domain name instead of an instance IP address to access cloud resources, your application may fail to access the resources after the DNS hostname feature is disabled.
Configure the private DNS resolution feature in ECS
The mapping between the private domain name of an ECS instance and the primary private IP address of the instance, which is generated as a DNS record, must be configured on the ECS instance. You can enable or disable the mapping when you purchase the instance or at any time afterwards. Perform the following operations.
Configure the ECS private DNS resolution feature on the ECS instance buy page
Procedure
Go to the ECS instance buy page.
Click the Custom Launch tab.
Configure parameters, such as Billing Method, Region, Instance Type, and Image, based on your business requirements.
For information about each parameter on the Custom Launch tab, see the Parameters section of this topic.
In the lower part of the ECS instance buy page, click Advanced Settings(Optional) and configure parameters in the Private DNS Resolution section.
Select the mapping between the private domain name and the primary private IP address in the Private DNS Resolution section based on your business scenario. You can select multiple options. For information about DNS records, see the DNS records section of this topic.
Configure the ECS private DNS resolution feature by modifying instance attributes
Procedure
Log on to the ECS console.
In the left-side navigation pane, choose .
Find the ECS instance whose attributes you want to modify and choose > Instance Attributes > Modify Instance Attribute in the Actions column. The Modify Instance Attributes dialog box appears.
Select the mapping between the private domain name and the primary private IP address in the Private DNS Resolution section based on your business scenario. You can select multiple options. For information about DNS records, see the DNS records section of this topic.
Click Confirm.
After you enable the DNS hostname feature for the VPC and configure a private domain name for the ECS instance, you can access the instance by using the private domain name from another ECS instance in the same VPC. For more information, see the Access by using an IP address-based domain name tab in the "Communication between ECS instances by using private domain names" section of this topic.
Query ECS private DNS resolution information in the ECS console
You can view the resolution of the private domain name of an ECS instance on the instance details page in the ECS console. Perform the following steps:
Log on to the ECS console.
In the left-side navigation pane, choose .
Find the ECS instance that you want to query and click the instance ID.
Click the Instance Details tab. In the Other Information section, find the Private DNS Records field to view the number of private DNS records.
Move the pointer over the number of private DNS records to view the mapping between the private domain names and IP addresses configured for the current ECS instance.
Verify the ECS private DNS resolution feature
You can run a command to check whether the private DNS resolution feature is in effect on an ECS instance on which the private DNS records are configured or on another ECS instance in the same VPC that is connected to the ECS instance over the internal network. The operations vary based on the operating system.
After private DNS records are updated, the effective time of the records is determined by the TTL. For more information, see the TTL of a DNS record part of the "DNS records" section of this topic.
Run the host command to query the DNS records of an instance
The host command is used to query DNS information in Linux. The command allows you to query the mapping between domain names and IP addresses and perform reverse DNS lookups to query the domain names based on IP addresses.
Install the host tool. By default, Linux instances do not support the host command. To install the host tool, run the sudo yum install bind-utils command.
Example of querying DNS information:
Note: In this example, the following information is used for the instance for which the private DNS resolution feature is enabled. Replace the IP address and instance ID with the actual IP address and instance ID.
Instance ID: i-8psi44j4o4yqoh2b****
Region ID: ap-southeast-3
IPv4 address: 172.16.0.89
IPv6 address: 240b:xxxx:41:b200:1ca9:f9bb:ae4:1ea0
Connect to a Linux instance.
For more information, see Connect to a Linux instance by using a password or key.
Run the host command to query DNS information based on the private DNS record.
Query the IPv4 address mapped to the IP address-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
host ip-172-16-0-89.ap-southeast-3.ecs.internal
Query the IP address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
host i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
Query the IPv6 address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record) is selected.
host -t AAAA i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
Perform a reverse DNS lookup to query the domain name generated based on the IP address-based hostname. This step is suitable for an ECS instance for which Enable Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record) is selected.
host 172.16.0.89
Run the nslookup command to query the DNS records of an instance
nslookup is a pre-installed tool in Windows that can be used to query DNS information.
Example of querying DNS information:
Note: In this example, the following information is used for the instance for which the private DNS resolution feature is enabled. Replace the IP address and instance ID with the actual IP address and instance ID.
Instance ID: i-8ps2h6dsc74cfy02ithz
Region ID: ap-southeast-3
IPv4 address: 172.16.0.91
IPv6 address: 240b:400e:41:b200:1ca9:f9bb:ae4:1e9a
Connect to a Windows instance.
For more information, see Connect to a Windows instance by using a password or key.
Run the nslookup command to query DNS information based on a type of private DNS record.
Query the IP address mapped to the IP address-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
nslookup ip-172-16-0-91.ap-southeast-3.ecs.internal
Query the IP address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
nslookup i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal
Query the IPv6 address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record) is selected.
nslookup -type=AAAA i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal
Perform a reverse DNS lookup to query the domain name generated based on the IP address-based hostname. This step is suitable for an ECS instance for which Enable Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record) is selected.
nslookup 172.16.0.91
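The host and nslookup commands above are run by hand and read by eye. The following Python script is an added example, not a tool from this topic or from Alibaba Cloud. It performs the same four queries through the operating system resolver (the socket module, which uses the DNS server configured on the instance, that is, the PrivateZone server in the VPC) and checks that each answer matches the expected primary private IP address. For the PTR record it also confirms that the returned domain name resolves back to the queried address (forward-confirmed reverse DNS), which is the property that the spam-filtering and log-tracing scenarios in the DNS records section rely on. The sample instance facts are those of the nslookup example; the resolve parameter accepts any function with the same signature, which is how the checks can be exercised without a VPC.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample facts, taken from the nslookup example in this topic.
SAMPLE_INSTANCE = {
    "instance_id": "i-8ps2h6dsc74cfy02ithz",
    "region_id": "ap-southeast-3",
    "ipv4": "172.16.0.91",
    "ipv6": "240b:400e:41:b200:1ca9:f9bb:ae4:1e9a",
}

# resolve(name_or_ip, record_type) -> list of answers; [] when nothing resolves
Resolver = Callable[[str, str], List[str]]


def ip_name(ipv4: str, region_id: str) -> str:
    return "ip-" + ipv4.replace(".", "-") + f".{region_id}.ecs.internal"


def id_name(instance_id: str, region_id: str) -> str:
    return f"{instance_id}.{region_id}.ecs.internal"


def socket_resolver(name: str, rtype: str) -> List[str]:
    """Live lookups through the OS resolver, i.e. the DNS server configured on the
    instance. Lookup failures return [] instead of raising."""
    try:
        if rtype == "PTR":
            host, _aliases, _addrs = socket.gethostbyaddr(name)
            return [host]
        family = socket.AF_INET if rtype == "A" else socket.AF_INET6
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
        return sorted({info[4][0] for info in infos})
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return []


def same_ip(a: str, b: str) -> bool:
    """Compare addresses by value so IPv6 formatting differences do not matter."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def verify_private_dns(instance: dict, enabled: set,
                       resolve: Resolver = socket_resolver) -> Dict[str, Tuple[bool, str]]:
    """Run one check per selected record type; return {check: (passed, detail)}.
    The keys A_IP, A_ID, AAAA_ID and PTR are shorthand of this example."""
    region = instance["region_id"]
    ipn = ip_name(instance["ipv4"], region)
    idn = id_name(instance["instance_id"], region)
    results: Dict[str, Tuple[bool, str]] = {}

    if "A_IP" in enabled:
        answers = resolve(ipn, "A")
        results["A_IP"] = (any(same_ip(a, instance["ipv4"]) for a in answers),
                           f"{ipn} A -> {answers}")
    if "A_ID" in enabled:
        answers = resolve(idn, "A")
        results["A_ID"] = (any(same_ip(a, instance["ipv4"]) for a in answers),
                           f"{idn} A -> {answers}")
    if "AAAA_ID" in enabled:
        answers = resolve(idn, "AAAA")
        results["AAAA_ID"] = (any(same_ip(a, instance["ipv6"]) for a in answers),
                              f"{idn} AAAA -> {answers}")
    if "PTR" in enabled:
        names = resolve(instance["ipv4"], "PTR")
        # Forward-confirmed reverse DNS: the name returned by the PTR query must be the
        # expected one AND must itself resolve back to the queried address.
        confirmed = False
        for n in names:
            target = n.rstrip(".").lower()
            if target == ipn and any(same_ip(a, instance["ipv4"]) for a in resolve(target, "A")):
                confirmed = True
        results["PTR"] = (confirmed, f"{instance['ipv4']} PTR -> {names}")
    return results


def all_passed(results: Dict[str, Tuple[bool, str]]) -> bool:
    return bool(results) and all(ok for ok, _ in results.values())


if __name__ == "__main__":
    checks = verify_private_dns(SAMPLE_INSTANCE, {"A_IP", "A_ID", "AAAA_ID", "PTR"})
    for check, (ok, detail) in checks.items():
        print("PASS" if ok else "FAIL", check, detail)
```

Run the script on the instance itself or on another instance in the same VPC. A FAIL immediately after you change a record is expected until the TTL of the previous record expires; a FAIL that persists usually means the corresponding option is not selected for the instance or the DNS hostname feature is disabled for the VPC.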
Communication between ECS instances by using private domain names
Purchase two ECS instances, ECS1 and ECS2, in the same VPC for which the DNS hostname feature is enabled. Enable the ECS private DNS resolution feature on ECS1 and run the ping <Private domain name of ECS1> command on ECS2.
In this example, the following basic information about ECS1 is provided. Replace the IP address and instance ID with the actual IP address and instance ID based on your environment.
Instance ID: i-8psi44j4o4yqoh2b****
Primary private IPv4 address: 172.16.0.89
IPv6 address: 240b:xxxx:41:b200:1ca9:f9bb:ae4:1ea0
Make sure that ECS1 and ECS2 that reside in the same VPC can communicate with each other over the internal network. In this example, the two instances are in the same security group and can communicate with each other. If the two instances that you want to test are in different security groups, follow the procedure described in the Security group rules for allowing instances in different security groups to communicate with each other over the internal network section of the "Security groups for different use cases" topic.
If you want to test IPv6 access, you must enable and assign IPv6 addresses to ECS1 and ECS2. For more information, see Manage IPv6 addresses.
Access by using an IP address-based domain name
Select Enable DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) for ECS1. For more information, see the Configure the private DNS resolution feature in ECS section of this topic.
Connect to ECS2 and run the following command to access ECS1 by using the IP address-based private domain name of ECS1.
Note: For information about how to connect to a Linux instance, see Connect to a Linux instance by using a password or key.
For information about how to connect to a Windows instance, see Connect to a Windows instance by using a password or key.
You can query the domain name of ECS1 in the ECS console. For more information, see the Query ECS private DNS resolution information in the ECS console section of this topic.
ping <IP address-based private domain name of ECS1>
Sample command:
ping ip-172-16-0-89.ap-southeast-3.ecs.internal
The following command output indicates that the private domain name is resolved to the primary private IPv4 address of ECS1.
Access by using an instance ID-based domain name
Select Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) for ECS1. For more information, see the Configure the private DNS resolution feature in ECS section of this topic.
Connect to ECS2 and run the following command to access ECS1 by using the instance ID-based private domain name of ECS1.
Note: For information about how to connect to a Linux instance, see Connect to a Linux instance by using a password or key.
For information about how to connect to a Windows instance, see Connect to a Windows instance by using a password or key.
You can query the domain name of ECS1 in the ECS console. For more information, see the Query ECS private DNS resolution information in the ECS console section of this topic.
ping <Instance ID-based private domain name of ECS1>
Sample command:
ping i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
The following command output indicates that the private domain name is resolved to the primary private IPv4 address of ECS1.
Access by using an instance ID-based domain name (IPv6)
Select Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record) for ECS1. For more information, see the Configure the private DNS resolution feature in ECS section of this topic.
Connect to ECS2 and run the following command to access ECS1 by using the instance ID-based private domain name of ECS1.
Note: For information about how to connect to a Linux instance, see Connect to a Linux instance by using a password or key.
For information about how to connect to a Windows instance, see Connect to a Windows instance by using a password or key.
You can query the domain name of ECS1 in the ECS console. For more information, see the Query ECS private DNS resolution information in the ECS console section of this topic.
ping6 <Instance ID-based private domain name of ECS1>
Sample command:
ping6 i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
The following command output indicates that the private domain name is resolved to the primary private IPv6 address of ECS1.
Impacts of different operations on ECS private DNS resolution
Change the VPC of an instance
If the private DNS resolution feature is enabled for an ECS instance, check whether the DNS hostname feature is enabled for the new VPC to which the ECS instance is migrated.
Change the primary private IP address of an instance
The private DNS resolution service automatically performs remapping. If the primary private IPv4 or IPv6 address of your instance changes, such as when you change the IP address by following the procedure described in the Modify the private IP address of an instance topic, the existing private DNS record that matches the original IP address is deleted, and a new DNS record that matches the new IP address is generated.
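The following Python simulation is an added example and is not part of this topic or of the Alibaba Cloud service. It models the remapping described above together with the 1-minute default TTL of private DNS records: a client that cached the old A record keeps using the old IP address until the cached record expires, even though the authoritative zone already holds the new address. The instance name is the one from the nslookup example in this topic; the new IP address 172.16.0.120 and the timeline are constructed sample values.

```python
import time
from typing import Callable, Dict, Optional, Tuple

DEFAULT_TTL = 60  # seconds; this topic states that private DNS records default to a 1-minute TTL


class AuthoritativeZone:
    """Stand-in for the VPC's built-in authoritative zone. Changing an address replaces
    the record, as the service does when the primary private IP address changes."""

    def __init__(self, ttl: int = DEFAULT_TTL):
        self.records: Dict[str, str] = {}
        self.ttl = ttl

    def set_address(self, name: str, ip: str) -> None:
        self.records[name] = ip

    def query(self, name: str) -> Optional[Tuple[str, int]]:
        ip = self.records.get(name)
        return None if ip is None else (ip, self.ttl)


class CachingResolver:
    """A TTL-honouring cache, as found in stub resolvers and many application runtimes.
    The clock is injectable so that time can be stepped deterministically."""

    def __init__(self, upstream: AuthoritativeZone, clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expires_at)

    def resolve(self, name: str) -> Optional[str]:
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # still valid: the authoritative zone is not consulted
        answer = self.upstream.query(name)
        if answer is None:
            self.cache.pop(name, None)
            return None
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate_ip_change(ttl: int = DEFAULT_TTL) -> list:
    """Timeline: t=0 the client caches the old address; t=10 the instance's primary private
    IP changes and the zone is remapped; the client queries again at t=30 and t=ttl+1.
    Returns [(t, answer)] so the moment the client sees the new address is visible."""
    name = "i-8ps2h6dsc74cfy02ithz.ap-southeast-3.ecs.internal"  # sample instance from this topic
    old_ip, new_ip = "172.16.0.91", "172.16.0.120"  # new_ip is a constructed value
    zone = AuthoritativeZone(ttl)
    zone.set_address(name, old_ip)
    now = [0.0]
    client = CachingResolver(zone, clock=lambda: now[0])
    timeline = [(0, client.resolve(name))]
    now[0] = 10
    zone.set_address(name, new_ip)  # remapping performed by the service
    now[0] = 30
    timeline.append((30, client.resolve(name)))
    now[0] = ttl + 1
    timeline.append((ttl + 1, client.resolve(name)))
    return timeline


if __name__ == "__main__":
    for t, ip in simulate_ip_change():
        print(f"t={t:>3}s -> {ip}")
```

The practical consequence is that an application which changed an instance's private IP address must expect connections to the old address for up to one TTL after the change, and that a health check run immediately after the change can report the old mapping without anything being wrong.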
Release an instance
After an instance is released, all DNS records related to the instance in the built-in authoritative zone of the VPC to which the instance belongs are deleted. The instance and the services on the instance cannot be accessed by using the private domain name.
References
You can use the private DNS resolution service to configure more DNS resolution features, such as DNS forwarding and recursive resolution features. For more information, see What is Private DNS?
Alibaba Cloud provides the public authoritative DNS resolution feature to provide a secure, fast, and stable DNS service. For more information, see Public Authoritative DNS Resolution.
To use public recursive resolution capabilities for mobile applications or IoT, you can configure the Alibaba Cloud public DNS resolution feature to help your terminals resolve domain names in a fast and secure manner. For more information, see What is Alibaba Cloud Public DNS?