After you add a website to Edge Security Acceleration (ESA), you must configure correct DNS records for the website domain. This way, the domain name can be resolved and accessed as expected.
Usage notes
When you add or modify a DNS record, you need to check the values of the hostname and the origin:
The value of the hostname cannot be the hostname or origin in another DNS record that has been added, and cannot be an origin in an origin pool.
The value of the origin cannot be the hostname in another DNS record that has been added.
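The two rules above are easy to violate once a website has a few dozen records and an origin pool, so it is worth checking a new record against the existing set before submitting it. The following is an added example, not ESA's own code or API: it models the record set locally (the `DnsRecord`, `RecordSet` and `conflicts_for` names and the sample data are constructed for this illustration) and expands console-style prefixes such as `www` and `@` to full names so that hostnames can be compared with origins.

```python
# Added example (not ESA's own code): pre-flight check for the two usage-note rules.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DnsRecord:
    hostname: str                   # prefix as entered in the console: "www", "@", "*"
    record_type: str                # "A/AAAA", "CNAME", "MX", ...
    origin: Optional[str] = None    # FQDN or IP the record points at, when it has one


@dataclass
class RecordSet:
    zone: str                                         # the website domain, e.g. "example.com"
    records: List[DnsRecord] = field(default_factory=list)
    origin_pools: Dict[str, Set[str]] = field(default_factory=dict)  # pool name -> origins

    def fqdn(self, prefix: str) -> str:
        """Expand a console hostname prefix to a full name ("@" is the root domain)."""
        p = prefix.strip().lower().rstrip(".")
        return self.zone.lower() if p == "@" else f"{p}.{self.zone.lower()}"


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def conflicts_for(new: DnsRecord, rs: RecordSet) -> List[str]:
    """Return the usage-note violations a new record would cause (empty list = OK).

    Rule 1: the hostname may not already be a hostname or an origin of another
            record, and may not be an origin inside an origin pool.
    Rule 2: the origin may not already be the hostname of another record.
    """
    problems: List[str] = []
    host = rs.fqdn(new.hostname)

    for rec in rs.records:
        if host == rs.fqdn(rec.hostname):
            problems.append(f"hostname {host} is already the hostname of a {rec.record_type} record")
        if rec.origin and host == _norm(rec.origin):
            problems.append(f"hostname {host} is already the origin of the "
                            f"{rec.record_type} record {rs.fqdn(rec.hostname)}")

    for pool, members in rs.origin_pools.items():
        if host in {_norm(m) for m in members}:
            problems.append(f"hostname {host} is an origin in origin pool {pool!r}")

    if new.origin:
        origin = _norm(new.origin)
        for rec in rs.records:
            if origin == rs.fqdn(rec.hostname):
                problems.append(f"origin {origin} is already the hostname of a {rec.record_type} record")

    return problems


# Constructed sample record set for the illustration.
SAMPLE = RecordSet(
    zone="example.com",
    records=[
        DnsRecord("@", "A/AAAA"),
        DnsRecord("www", "CNAME", origin="origin.example.net"),
    ],
    origin_pools={"pool-1": {"app1.example.com", "app2.example.com"}},
)

if __name__ == "__main__":
    for candidate in (
        DnsRecord("www", "A/AAAA"),                          # rule 1: hostname taken
        DnsRecord("app1", "CNAME", origin="cdn.example.net"),  # rule 1: hostname is in a pool
        DnsRecord("api", "CNAME", origin="www.example.com"),   # rule 2: origin is a hostname
        DnsRecord("api", "CNAME", origin="origin.example.net"),  # clean
    ):
        print(candidate.hostname, "->", conflicts_for(candidate, SAMPLE) or "OK")
```

The check is intentionally conservative: it compares names case-insensitively and ignores trailing dots, which is how the resolver will compare them, so a record that passes here will not be rejected later for a cosmetic difference.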
Manually add DNS records
Log on to the ESA console.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose
Click Add Record.
On the Add Record page, add a record as prompted.
A/AAAA record
You can add an A/AAAA record to point a domain name to an IPv4 or IPv6 address.
If you set the Proxy Status parameter to Proxied, the requested domain name is used as the Host header in origin requests. For information about how to use other values, see Origin rules.
Parameter
Description
Record Type
Select A/AAAA from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Proxy Status
If you proxy the record, client requests intended for the proxied domain go to ESA points of presence (POPs) for acceleration and protection. If you disable proxy for the record, ESA only resolves the record.
Record Value
The record value can be one or more IPv4 or IPv6 addresses. Separate multiple IP addresses with commas (,). Example: 123.123.XXX.XXX,2001:0db8:86a3:08d3:1319:8a2e:0370:7344.
Origin Host
The Host header that ESA sends in origin requests. The Origin Host parameter in an origin rule takes precedence over the Origin Host parameter in a DNS record: if you configure both, the value in the origin rule takes effect.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Note: You cannot adjust the TTL for proxied DNS records.
Description
Optional. The custom description for the record.
CNAME record
You can create a CNAME record to point a domain name to another one that resolves an IP address.
If you set the Proxy Status parameter to Proxied, the requested domain name is used as the Host header in origin requests. For information about how to use other values, see Origin rules.
Parameter
Description
Record Type
Select CNAME from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Proxy Status
If you proxy the record, client requests intended for the proxied domain go to ESA points of presence (POPs) for acceleration and protection. If you disable proxy for the record, ESA only resolves the record.
Record Value
Valid values are Domain Name, OSS, S3-compatible, Load Balancer, and Origin Pool.
Domain Name: You can configure a domain name as the origin address.
Note: The domain name that you specify must be different from your website domain name. Otherwise, a DNS resolution loop occurs and requests cannot be routed to the origin server.
OSS: Make sure your resources are stored in Alibaba Cloud Object Storage Service (OSS). You can select or enter the public domain name of an OSS bucket as the origin. Internal domain names such as ***.oss-cn-hangzhou.aliyuncs.com are not allowed.
Note: For information about OSS endpoints and domain names, see Endpoints and domain names.
If OSS is selected as the origin, you can set Access Type to Public Access, Private Access (Same-account), or Private Access (Cross-account). If you select Private Access (Same-account) or Private Access (Cross-account) for Access Type, you must configure authentication settings. For more information, see Configure an OSS origin server.
Preferential pricing for traffic from OSS to ESA
You benefit from the preferential pricing for traffic transferred from OSS to ESA only when you select OSS as your origin. For more information, visit the OSS pricing page.
If you select Domain Name as your origin, Alibaba Cloud OSS treats the traffic transferred from OSS to ESA as outbound traffic over the Internet, which is billed at a higher unit price.
S3-compatible: You can configure the public address of an AWS S3 bucket as the origin address. Valid values of Access Type are Public Access and Private Access. If you select Private Access, you must configure authentication settings. For more information, see Configure an AWS S3 origin server.
Load Balancer: You can select an existing load balancer from the drop-down list as the origin server. If no load balancers are available, create one by following instructions in Manage load balancers.
Origin Pool: You can select an existing origin pool from the drop-down list as the origin. If no pools are available, create one by following instructions in Create an origin pool.
Origin Host
When Record Value is set to Domain Name, Load Balancer, or Origin Pool:
The value defaults to Match Requested Domain Name, which indicates that the client's requested domain name is used as the Host header in origin requests.
When Record Value is set to OSS or S3-compatible:
The value defaults to Match Origin's Domain Name, which indicates that the origin's domain name is used as the Host header in origin requests.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Note: You cannot adjust the TTL for proxied DNS records.
Description
Optional. The custom description for the record.
MX record
You can add a mail exchanger (MX) record to point a domain name to a mail server address.
Parameter
Description
Record Type
Select MX from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Priority
Enter the priority according to the requirements of the email registrar. A lower value indicates a higher priority.
Mail Server
Enter the domain name of your mail server. Example: mx.example.com.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
TXT record
You can add a TXT record to associate human-readable text, such as public information or verification information, with a domain name.
Parameter
Description
Record Type
Select TXT from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Record Value
Enter the text that you want to associate with the domain name.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
NS record
If you want to delegate your domain to other DNS providers for resolution, you can add a nameserver (NS) record.
Parameter
Description
Record Type
Select NS from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Record Value
Enter the domain name of the authoritative server that you want to point to, such as ns1.example.com.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
SRV record
If you want to point a domain name to a server that provides specific services, such as directory management of Microsoft systems, you can add an SRV record.
Parameter
Description
Record Type
Select SRV from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Priority
The priority of the record. A lower value indicates a higher priority.
Weight
The weight of the server, which controls the volume of traffic received by the server. A smaller value indicates a higher weight and more traffic received by the server.
Port
The network port for listening.
Target
The domain name of the server. Example: srvhostname.example.com.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
CAA record
Certification Authority Authorization (CAA) records are used to specify which certificate authorities (CAs) are allowed to issue SSL certificates for a domain. By configuring a CAA record, you can prevent unauthorized CAs from issuing certificates for your domain.
Parameter
Description
Record Type
Select CAA from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Flag
An 8-bit unsigned integer that controls how CAs process the CAA record. The most commonly used value is 0.
Tag
The behavior associated with the record. Common tags:
issue: authorizes a specified CA to issue certificates for your domain.
issuewild: authorizes a specified CA to issue wildcard certificates for your domain.
iodef: specifies an email address or URI where a CA can report policy violations. This tag is typically used to collect information about unauthorized certificate issuance.
CA Domain Name
The value associated with Tag. In most cases, this is the domain name of the CA (for issue and issuewild) or the report URI (for iodef).
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
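To see how the Flag, Tag and CA Domain Name fields interact, it helps to run the check a CA performs before issuance. The following is an added example, not ESA's own code: it applies the RFC 8659 rules (climb from the name to the closest parent that has CAA records, honour issuewild for wildcard requests with fallback to issue, and refuse to issue when a critical property with an unknown tag is present). The `Caa` class, the `ca_may_issue` function and the zone data are constructed for the illustration.

```python
# Added example (not ESA's own code): evaluate a CAA policy as a CA does (RFC 8659).
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Caa:
    flags: int   # Flag field: 0, or 128 for "issuer critical"
    tag: str     # Tag field: issue, issuewild, iodef
    value: str   # CA Domain Name field: a CA domain, ";" for "no CA", or a report URI


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(zone: Dict[str, List[Caa]], name: str) -> List[Caa]:
    """RFC 8659 section 3: use the CAA RRset on the name itself, or failing that
    on the closest parent that has one. An empty list means no CAA policy applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def _ca_domain(value: str) -> str:
    # "ca.example; validationmethods=dns-01" -> "ca.example";  ";" -> "" (no CA permitted)
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: Dict[str, List[Caa]], name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue a (wildcard) certificate for `name`."""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # a critical property the CA does not understand: must not issue
    tag = "issuewild" if wildcard else "issue"
    rules = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not rules:
        rules = [r for r in rrset if r.tag.lower() == "issue"]  # issue applies when no issuewild exists
    if not rules:
        return True   # only iodef present: issuance is not restricted
    return any(_ca_domain(r.value) == ca.lower() for r in rules)


# Constructed zone data: keys are owner names, values are the CAA RRsets.
SAMPLE_ZONE: Dict[str, List[Caa]] = {
    "example.com": [
        Caa(0, "issue", "ca-one.example"),                    # only ca-one may issue
        Caa(0, "issuewild", ";"),                             # nobody may issue wildcards
        Caa(0, "iodef", "mailto:security@example.com"),       # where to report violations
    ],
    "locked.example.com": [Caa(128, "issue", "ca-two.example")],  # own policy overrides the parent's
    "legacy.example.com": [Caa(128, "futuretag", "x")],           # critical but unknown tag
    "report.example.com": [Caa(0, "iodef", "mailto:security@example.com")],
}

if __name__ == "__main__":
    for host, ca, wild in (("www.example.com", "ca-one.example", False),
                           ("www.example.com", "ca-one.example", True),
                           ("locked.example.com", "ca-one.example", False),
                           ("legacy.example.com", "ca-one.example", False)):
        print(host, ca, "wildcard" if wild else "", "->", ca_may_issue(SAMPLE_ZONE, host, ca, wild))
```

The `issuewild ";"` entry in the sample is the common defensive pattern: it allows the named CA to issue ordinary certificates while forbidding every CA from issuing wildcard certificates for the domain.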
CERT record
If you want to point a domain name to the location where a public-key certificate is stored, you can add a CERT record. CERT records can be used by clients and other services for authentication.
Parameter
Description
Record Type
Select CERT from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Certificate Type
Different values correspond to different certificate types. Examples:
0: a reserved field.
1: PKIX (X.509).
2: Simple public key infrastructure (SPKI).
3: PGP (OpenPGP).
4: IPKIX (IPsec End Entity).
5: ISPKI (IPsec-trusted third party).
6: IPGP (IPsec OpenPGP Key).
7: ACPKIX (PKIX Attribute Certificate).
8: IACPKIX (PKIX IPSEC Attribute Certificate).
252: URI.
253: Object Identifier (OID).
We list only some common certificate types. For complete definitions and the latest updates, refer to the relevant RFC documentation or other authoritative sources.
Key Tag
The tag related to the certificate.
Algorithm
The algorithm that is used to encrypt the public key, which is represented by digits. Examples:
0: a reserved field.
1: RSA.
2: MD2/RSA.
3: MD4/RSA.
4: MD5/RSA.
5: SHA-1/RSA.
6: Digital Signature Algorithm (DSA).
7: Elliptic Curve Digital Signature Algorithm (ECDSA).
8: SHA-256/RSA.
9: SHA-384/RSA.
10: SHA-512/RSA.
11: SHA-224/RSA.
12: an algorithm that is not commonly used.
The preceding mappings are only for common reference and may vary with different standards and implementations. In practice, make sure that you refer to authoritative documentation of the specific protocol.
Certificate (Base64-encoded)
The Base64-encoded certificate file.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
SMIMEA record
SMIMEA records associate Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates with domain names. S/MIME is a widely used standard for email encryption and digital signing. It uses public key infrastructure (PKI) to encrypt and sign email messages.
Parameter
Description
Record Type
Select SMIMEA from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Usage
The purpose of the certificate. Different values correspond to different purposes. Examples:
0: a reserved field.
1: used for S/MIME end-to-end encryption. The certificate is used to encrypt a message sent to the recipient to ensure that only the recipient can decrypt and read the message.
2: used by an S/MIME intermediary. The certificate is typically used by enterprise mail servers, which can be used to check, filter, or archive messages before forwarding them to the final recipient.
3: used for S/MIME signature validation. The certificate is used to verify the digital signature of the sender on the message to ensure the authenticity and integrity of the message.
Selector
Specifies which part of the certificate is included in the record. Different values correspond to different meanings. Examples:
0: the entire certificate (X.509).
1: only the public key (SubjectPublicKeyInfo).
Match Type
The match type associated with the certificate. Examples:
0: The entire certificate is stored in the record.
1: The SHA-256 hash of the certificate is stored in the record.
2: The SHA-512 hash of the certificate is stored in the record.
Certificate (Hexadecimal)
The Base64-encoded certificate data.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
SSHFP record
SSHFP records store SSH public key fingerprints. SSH clients can use SSHFP records to verify the identity of a remote server, enhancing the security of SSH connections.
Parameter
Description
Record Type
Select SSHFP from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Algorithm
The algorithm of the SSH key. Examples:
0: a reserved field.
1: RSA.
2: DSA.
3: ECDSA.
4: Ed25519 (EdDSA).
Type
The fingerprint type. The fingerprint of an SSH public key allows the client to verify the server identity by cross-referencing the public key fingerprint of the server with the one stored in DNS. Examples:
0: a reserved field.
1: The fingerprint generated by using SHA-1.
2: The fingerprint generated by using SHA-256.
Fingerprint (Hexadecimal)
The Base64-encoded fingerprint.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
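The Algorithm and Type fields above are numeric codes, and the fingerprint is a hash of the raw key blob rather than of the text line you see in `authorized_keys` or `ssh-keyscan` output. The following is an added example, not ESA's own code: it derives the three SSHFP field values from an OpenSSH-format public-key line the way RFC 4255 specifies (hash over the Base64-decoded key blob, emitted in hexadecimal, which is the form the import template above uses) and checks a presented key against an existing record. The key material is constructed for the illustration and is not a real key; the function names are this example's own.

```python
# Added example (not ESA's own code): build and verify SSHFP records (RFC 4255).
import base64
import hashlib
from typing import Tuple

# OpenSSH key-type string -> SSHFP Algorithm code
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP Type code -> hash function
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_from_public_key(line: str, fp_type: int = 2) -> Tuple[int, int, str]:
    """Return (Algorithm, Type, Fingerprint-hex) for one OpenSSH public-key line.

    The fingerprint covers the decoded key blob (the Base64 field), not the text line.
    """
    key_type, b64, *_comment = line.split()
    algorithm = SSHFP_ALGORITHMS[key_type]
    blob = base64.b64decode(b64)
    return algorithm, fp_type, SSHFP_HASHES[fp_type](blob).hexdigest()


def sshfp_rdata(line: str, fp_type: int = 2) -> str:
    """The record data as it appears in a zone file, e.g. '4 2 <hex>'."""
    algorithm, ftype, fingerprint = sshfp_from_public_key(line, fp_type)
    return f"{algorithm} {ftype} {fingerprint}"


def sshfp_matches(line: str, record: Tuple[int, int, str]) -> bool:
    """Does the key presented by a server match the SSHFP record published in DNS?"""
    algorithm, fp_type, published = record
    if fp_type not in SSHFP_HASHES:
        return False  # unknown fingerprint type: cannot verify, so do not trust
    got_alg, _, got_fp = sshfp_from_public_key(line, fp_type)
    return got_alg == algorithm and got_fp == published.lower()


def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a syntactically valid ssh-ed25519 blob with a dummy 32-byte key.
SAMPLE_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode() + " host.example.com"

if __name__ == "__main__":
    print("host.example.com. IN SSHFP", sshfp_rdata(SAMPLE_LINE))
```

Publishing SSHFP records only helps clients that are configured to use them (`VerifyHostKeyDNS yes` in OpenSSH) and that receive them over a DNSSEC-validated path; without DNSSEC the client still prompts for, or falls back to, its known_hosts entry.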
TLSA record
A TLS Authentication (TLSA) record allows you to associate a TLS certificate with the specific service and port of a domain name.
Parameter
Description
Record Type
Select TLSA from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Usage
The usage of the TLSA record. Examples:
0: PKIX-TA, indicating that the TLS certificate is validated by using a CA certificate chain, and the CA certificate serves as the trust anchor.
1: PKIX-EE, indicating that the TLS certificate is validated by using a CA certificate chain and the final entity certificate of the server is validated.
2: DANE-TA, indicating that the TLS certificate is validated by using DNSSEC and the public key in the TLSA record is the trust anchor.
3: DANE-EE, indicating that the TLS certificate is validated by using DNSSEC and the final entity certificate of the server is validated.
Selector
Specifies which part of the certificate is included in the record. Different values correspond to different meanings. Examples:
0: the entire certificate (X.509).
1: only the public key (SubjectPublicKeyInfo).
Match Type
The match type associated with the certificate. Examples:
0: The entire certificate is stored in the record.
1: The SHA-256 hash of the certificate is stored in the record.
2: The SHA-512 hash of the certificate is stored in the record.
Certificate (Hexadecimal)
The Base64-encoded certificate data.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
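The SMIMEA and TLSA tables above share the Selector and Match Type fields, and the same computation produces the Certificate (Hexadecimal) value for both. The following is an added example, not ESA's own code, that serves both sections: it derives the association data for each selector and matching type combination (RFC 6698), builds the owner names a TLSA record (`_port._proto.host`) and an SMIMEA record (RFC 8162, the first 28 octets of the SHA-256 of the mailbox local part under `_smimecert`) are published at, and checks a presented certificate against a record set. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins; with real input you would pass the DER encoding of the certificate and of its SubjectPublicKeyInfo. Function names are this example's own.

```python
# Added example (not ESA's own code): TLSA/SMIMEA association data (RFC 6698, RFC 8162).
import hashlib
from typing import Iterable, Tuple

TlsaRecord = Tuple[int, int, int, str]   # (usage, selector, match_type, certificate-hex)


def tlsa_association_data(cert_der: bytes, spki_der: bytes, selector: int, match_type: int) -> str:
    """Compute the Certificate (Hexadecimal) field.

    selector:   0 = full certificate, 1 = SubjectPublicKeyInfo only
    match_type: 0 = exact data, 1 = SHA-256 of the data, 2 = SHA-512 of the data
    """
    data = {0: cert_der, 1: spki_der}[selector]
    if match_type == 0:
        return data.hex()
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[match_type]
    return digest(data).hexdigest()


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name for a TLSA record, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def smimea_owner_name(local_part: str, domain: str) -> str:
    """Owner name for an SMIMEA record: SHA-256 of the local part, truncated to 28 octets."""
    label = hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]
    return f"{label}._smimecert.{domain.rstrip('.')}."


def presented_cert_matches(records: Iterable[TlsaRecord], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any record's association data matches the presented certificate.

    Only the selector / matching-type comparison is shown here. A full DANE client
    must additionally perform PKIX chain validation for usages 0 and 1 and must only
    act on records obtained through DNSSEC-validated resolution for usages 2 and 3.
    """
    for _usage, selector, match_type, published in records:
        try:
            computed = tlsa_association_data(cert_der, spki_der, selector, match_type)
        except KeyError:
            continue  # unknown selector or matching type: this record cannot match
        if computed == published.lower():
            return True
    return False


# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo bytes.
SAMPLE_CERT_DER = b"-constructed-certificate-bytes-"
SAMPLE_SPKI_DER = b"-constructed-spki-bytes-"

if __name__ == "__main__":
    # DANE-EE (3), SPKI only (1), SHA-256 (1): the most common production choice.
    rdata = tlsa_association_data(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, 1, 1)
    print(tlsa_owner_name("mail.example.com", 25), "IN TLSA 3 1 1", rdata)
    print(smimea_owner_name("alice", "example.com"), "IN SMIMEA 3 1 1", rdata)
```

Selector 1 with matching type 1 is the usual choice because the record keeps working across certificate renewals as long as the key pair is retained, whereas selector 0 ties the record to one specific certificate.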
URI record
A URI record maps a domain name to a URI. Defined in RFC 7553, this record type enables DNS to participate in URI resolution and can link to the locations of various services, information, and resources.
Parameter
Description
Record Type
Select URI from the drop-down list.
Hostname
The prefix of the subdomain. For example, to add a record for the subdomain www.example.com, enter www for Hostname. To add a record for the root domain example.com, enter @. To match all subdomains under example.com, enter *.
Priority
A smaller value indicates a higher priority.
Weight
The relative weight for records with the same priority. A higher value means more preferred.
Target
The target URI. Example: https://example.com/service.
TTL
A time to live (TTL) value specifies how long the record is valid. A smaller value indicates less time required to apply record updates. Default value: Auto.
Description
Optional. The custom description for the record.
Click Next.
If you set Record Type to A/AAAA or CNAME and turn on the Proxy Status switch, select an acceleration scenario and then click OK.
Scenario
Description
Web
Suitable for websites that integrate both static and dynamic resources, such as small files and API requests. Examples: personal blog websites, small UGC platforms, and small independent e-commerce websites.
API
Suitable for accelerating dynamic API operations. Generally, such operations do not require caching. Examples: account and password verification, order payment, log upload, and real-time data synchronization.
Image/Video
Suitable for accelerating the delivery of static files. Examples: a large number of image downloads, video on demand, and delivery of game installation packages.
Import multiple DNS records at a time
Log on to the ESA console.
On the Websites page, find the website that you want to manage, and click the website name or View Details in the Actions column.
In the left-side navigation pane, choose
Click Import.
On the Import page, click Download Template. Then modify the downloaded template as needed. Example:
;Host TTL IN RecordType RecordValue
$ORIGIN example.com.
; A record
1.example.com. 600 IN A 8.8.8.8
; AAAA record
2.example.com. 600 IN AAAA 2400:cb00:2049:1::a29f:f9
; CNAME record
2.example.com. 600 IN CNAME example.com.
; MX record
4.example.com. 600 IN MX 15 mailhost.example.com.
; TXT record
4.example.com. 600 IN TXT xxxxxxxxxxxxxxxxxxx
; NS record
4.example.com. 600 IN NS ns.example.com.
; SRV record
_sip._tcp.example.com. 600 IN SRV 1 5 7001 srvhostname.example.com.
; CAA record
hostname.example.com. 600 IN CAA 0 issue example.com
; CERT record
cert.example.com. 1 IN CERT 0 0 0 VEVwQk5GWXlUR3RXVVZwc1RIcGFhMGh0UVhWUGQweFJFZENNM0JSVFROV2JVd3lWbFJOTkVSS1dnPT0=
; SMIMEA record
smimea.example.com. 1 IN SMIMEA 12 12 12 436c6f7564666c61726520444e53
; SSHFP record
sshfp.example.com. 1 IN SSHFP 12 12 436C6F7564666C61726520444E53
; TLSA record
tlsa.example.com. 1 IN TLSA 12 12 12 436c6f7564666c61726520444e53
; URI record
uri.example.com. 1 IN URI 12 12 "http://www.example.com/service"
Click Select File to import the DNS records.
Note: After the import, A and AAAA records that correspond to the same hostname are collectively referred to as one A/AAAA record.
After the records are imported, enable ESA proxy for the domain name as needed and select a business scenario.
Note: We recommend that you enable proxy for A/AAAA and CNAME records to benefit from the acceleration and security provided by ESA. Select an appropriate business scenario to further improve acceleration performance.
Click OK.
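Before uploading a filled-in template it is useful to parse it locally, both to catch a malformed line early and to see what the console will show afterwards, since A and AAAA records at the same hostname are presented as one A/AAAA record. The following is an added example, not ESA's own importer: it reads the zone-file style of the template (`;` comments, a `$ORIGIN` directive, relative names and `@`, and one `owner TTL IN TYPE rdata` record per line), keeps `;` inside quoted record data such as a CAA value of `";"`, and then groups A/AAAA records the way the note above describes. The sample text and the function names are constructed for the illustration.

```python
# Added example (not ESA's own importer): parse the import template and group A/AAAA.
from typing import Any, Dict, List


def _strip_comment(line: str) -> str:
    """Remove a ';' comment, but leave ';' alone inside double-quoted record data."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_zone_template(text: str) -> List[Dict[str, Any]]:
    """Parse template lines into dicts with name, ttl, type and rdata (names made absolute)."""
    origin = None
    records: List[Dict[str, Any]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$"):
            raise ValueError(f"line {lineno}: unsupported directive {line.split()[0]}")
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"line {lineno}: expected 'owner TTL IN TYPE rdata'")
        name, ttl, _cls, rtype, rdata = parts
        if name == "@":
            if origin is None:
                raise ValueError(f"line {lineno}: '@' used before $ORIGIN")
            name = origin
        elif not name.endswith("."):
            if origin is None:
                raise ValueError(f"line {lineno}: relative name {name!r} before $ORIGIN")
            name = f"{name}.{origin}"
        if not ttl.isdigit():
            raise ValueError(f"line {lineno}: TTL must be an integer, got {ttl!r}")
        records.append({"name": name, "ttl": int(ttl), "type": rtype.upper(), "rdata": rdata})
    return records


def group_a_aaaa(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Mirror the console view: A and AAAA at the same hostname become one A/AAAA record."""
    merged: Dict[str, Dict[str, Any]] = {}
    out: List[Dict[str, Any]] = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA"):
            out.append(rec)
            continue
        entry = merged.get(rec["name"])
        if entry is None:
            entry = {"name": rec["name"], "ttl": rec["ttl"], "type": "A/AAAA", "rdata": []}
            merged[rec["name"]] = entry
            out.append(entry)
        entry["rdata"].append(rec["rdata"])
    return out


# Constructed sample in the template's format (addresses are documentation ranges).
SAMPLE_ZONE_TEXT = """\
;Host TTL IN RecordType RecordValue
$ORIGIN example.com.
; A and AAAA at the same hostname
1.example.com. 600 IN A 192.0.2.10
1.example.com. 600 IN AAAA 2001:db8::10
www 600 IN CNAME 1.example.com.    ; relative name, expanded with $ORIGIN
@ 300 IN CAA 0 issuewild ";"       ; the ';' inside quotes is data, not a comment
"""

if __name__ == "__main__":
    for rec in group_a_aaaa(parse_zone_template(SAMPLE_ZONE_TEXT)):
        print(rec)
```

The parser raises on the first malformed line with its line number rather than skipping it, which is the behaviour you want before a bulk import: a silently dropped record is harder to notice than a rejected file.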
What to do next
The subsequent steps vary based on the DNS setup option that you select.
CNAME setup: After you configure DNS records, you must add a CNAME record to the DNS records of your domain name. This allows client requests to be forwarded to ESA POPs, which helps achieve global acceleration, edge computing, and security protection. For more information, see Add a CNAME record to enable proxy.
Record types
The following table describes the DNS record types supported by ESA.
Record type | Description |
A/AAAA | A/AAAA records map domain names to IPv4 or IPv6 addresses. |
CNAME | Alias records point one domain name to another domain name. |
MX | MX records point domain names to mail server addresses. |
TXT | TXT records in text format contain readable information. |
SRV | Service records (SRV records) are used to identify specific services used by servers and commonly applied to directory management in Microsoft systems. |
NS | NS records delegate subdomains to other DNS providers for resolution. |
CAA | CAA records are used to specify which CAs are allowed to issue certificates for a domain name. |
CERT | CERT records store certificates and related security information in a publicly accessible location. These records can be used by clients and other services for authentication. |
SMIMEA | SMIMEA records associate S/MIME certificates with domain names. S/MIME is a widely used standard for email encryption and digital signing. It uses PKI to encrypt and sign email messages. |
SSHFP | SSHFP records store SSH public key fingerprints. SSH clients can use SSHFP records to verify the identity of a remote server, enhancing the security of SSH connections. |
TLSA | A TLSA record allows you to associate a TLS certificate with the specific service and port of a domain name. |
URI | URI records map domain names to URIs. Defined in RFC 7553, this record type enables DNS to participate in URI resolution and can link to the locations of various services, information, and resources. |