Latest News
New console version: full functionality upgrade for Private DNS
Resource Records configuration supports graphical orchestration to optimize the operation experience
Built-In Authoritative Module: DNS resolution based on weights or user-defined lines is supported
Cache Module: The designated public network domain name is permanently cached, and it can still be resolved normally when the external third-party public network DNS is abnormal. Manual cache clearing is also supported in an emergency.
Forward Module: Forward DNS requests from VPCs to the external DNS for hybrid cloud scenarios
Traffic Analysis: DNSLog analysis for tracing the end-to-end DNS resolution path; DNSLog can be transferred to SLS Logstore
Service Address: Access PrivateZone based on VPC custom private IP addresses, which can avoid IP address conflicts with 100.100.2.136 and 100.100.2.138.
A Private DNS Platform for Integrated Scenarios of Multi-Cloud and Traditional IDC
Alibaba Cloud DNS PrivateZone is an easy-to-use DNS resolution service in corporate intranets. It can resolve internal and external domain names in corporate intranets, such as Alibaba Cloud VPCs and on-premises data centers. It allows you to define private authoritative domain names in corporate intranets, retain caches, clear caches, forward DNS requests, send recursive queries to the Internet, define DNS service IP addresses in VPC, and analyze traffic for DNS requests. This ensures faster and safer internal DNS resolution.
Device-Cloud Integration
Meets the DNS resolution requirements of fully integrated scenarios spanning devices, IDCs, and cloud platforms, and covers all products along the end-to-end DNS resolution path.
High Availability
The resolution components are deployed on a fully heterogeneous architecture, providing service level agreement (SLA) commitments of up to 99.99% and 99.9% in the central regions and local regions, respectively.
Visualization
Resource Records configuration supports graphical orchestration, providing a one-click batch configuration experience for all record types simultaneously. It also provides DNS resolution logs for analyzing the end-to-end DNS resolution path and behavior.
Features
Built-In Authoritative Module, Cache Module, Forward Module, Recursion Module, Service Address and Traffic Analysis Module
Built-In Authoritative Module
Define private authoritative zones within your internal networks (such as VPCs). Built-in authoritative zones are classified into regular zones and acceleration zones. For regular zones, DNS requests from clients are not routed directly to the Built-In Authoritative Module. They are first routed to the Cache Module and are routed to the regular zone module only on a cache miss, so Resource Records updates take effect subject to the TTL limit. For acceleration zones, DNS requests from clients are answered directly with the lowest latency, and Resource Records updates take effect in real time with no TTL limit. Acceleration zones are an upgraded version of regular zones; newly added features include DNS resolution based on weights and user-defined lines.
VPC Security Isolation
Private domain names can be resolved only in the associated VPCs.
Unified DNS Management across Multiple Alibaba Cloud Accounts
Associate DNS Setting Data with VPCs of multiple Alibaba Cloud accounts and perform centralized DNS management in the same corporate intranet.
User-Defined Authoritative Zones
Define private authoritative zones, and support hosting zones and sub-zones.
Intelligent DNS Resolution
Support private intelligent DNS resolution based on request lines or weights in corporate intranets.
User-Defined Request Lines
Support defining inner request lines based on IP addresses and then defining private DNS resource records for those lines.
Synchronization for ECS Hostnames
Support synchronization for ECS hostnames in preset regions, with both manual synchronization and automatic synchronization (once every minute).
Recursive Resolution Proxy for Subdomain Names
Queries for non-existent subdomain names under the private zones are routed to the Forward Module and Recursion Module, which separates private and public DNS resolution.
IP Reverse Resolution
Support IP reverse resolution for translating IP addresses to domain names.
Secondary DNS
Support synchronizing built-in authoritative zone data from on-premises IDCs with the AXFR or IXFR zone transfer protocols.
Cache Module
DNS resolution responses in corporate intranets are temporarily stored in the Cache Module if they come from the Built-In Authoritative Module for Regular Zones, the Forward Module, or the Recursion Module. This accelerates DNS resolution for the same domain names. We recommend enabling the cache retention feature for hotspots and important domain names to permanently store the DNS resolution results in the caches. This accelerates DNS resolution in intranet networks and prevents DNS resolution failures for public domain names in intranet networks when the DNS resolution services provided by other authoritative DNS vendors are down.
Cache Retention for 100% Cache Hit
The cache retention feature can be enabled for hotspots and important domain names to permanently store the DNS resolution results in the caches. This accelerates DNS resolution in intranet networks and prevents DNS resolution failures for public domain names in intranet networks when the DNS resolution services provided by other authoritative DNS vendors are down.
Clear Cache
In an emergency, clear DNS cache results from the Cache Module rapidly without TTL limitation.
Forward Module
You can create forward zone rules and outbound endpoints, which can forward DNS requests for the zone in VPCs to the external DNS. This is suitable for DNS resolution in hybrid cloud scenarios and DNS resolution between cloud and on-premises scenarios.
Outbound Endpoints
These are DNS forwarders in VPC networks, which forward DNS requests for the zone in VPCs to the external DNS, so that cloud ECS instances or containers can resolve private domain names hosted in on-premises IDC DNS.
User-Defined Forward Zones
Support defining forward rules based on zones, and only permit DNS forward queries for those zones.
Recursion Module
If the query domain name is NOT hit in the Built-In Authoritative Module, Cache Module, and Forward Module, it will be routed to the Recursion Module to get responses from the Internet and then notify the Cache Module to update cached results.
Recursive Resolution
We provide the Recursion Module for free by default. It can serve all ECS instances, containers, and other clients hosted in Alibaba Cloud VPCs or your IDC intranet network. Because of external network instability, we do not guarantee a Service Level Agreement (SLA) for the Recursion Module and provide it as a best-effort service.
Service Address
The Name Server addresses of the Private DNS resolution service, which can be configured as the DNS service address of terminals in the cloud (ECS or container), or can be used for terminals out of the cloud (external hosts or external DNS) to access the in-cloud DNS.
Inbound Endpoints
If you want to use your own planned private IP address in the VPC to provide Private DNS resolution services, you can customize Private DNS resolution IP addresses within a VPC by creating an Inbound Endpoint.
Traffic Analysis Module
We provide an end-to-end, visualized DNS traffic analysis service covering the full resolution path, which profiles the entire process, including receiving DNS requests, processing DNS resolution, and returning resolution results. We provide graphical charts for various statistical metrics to help users review them and make decisions to optimize their business.
Traffic Analysis
We provide data analysis in various dimensions (such as resolution delay, resolution volume, cache hit rate, hot domain names, and hot request sources), which can offer data references for business optimization.
DNSLog Transferred to SLS Logstore
DNSLog can be transferred to SLS Logstore. To use this function, you must first enable the traffic analysis service so that DNS resolution logs are gathered.
Typical Scenarios
Intelligent DNS resolution based on request lines or weights, public domain name resolution optimization, hybrid interconnection in and out of the cloud, and full resolution path visualized DNS traffic analysis
Intelligent DNS Resolution Based on Request Lines
Identify visitors based on the request source IP address and intelligently return different application IP addresses for different visitors to improve website access speed.
Intelligent DNS Resolution Based on Weights
When responding to DNS queries, all addresses are returned according to weight calculation proportions, and application traffic is distributed to different servers to achieve load balancing.
Public Domain Name Resolution Acceleration and Disaster Recovery Protection
Using the cache retention function can significantly improve the resolution speed of public domain names and ensure that the domain name can still be resolved normally, even if the DNS service provider for the domain name fails.
Traffic Visualization Based on DNSLog
We provide traffic analysis services based on DNS resolution logs, fully reconstructing the entire process path from receiving resolution requests through intermediate processing to returning resolution results.
Application Interconnection between In-Cloud and Out-Cloud
Applications in Alibaba Cloud VPC and on-premises IDC need to make inter-business calls through DNS queries.
Smooth Migration to the Cloud for Enterprises
Avoid modifying application code, reduce application modifications, and reduce cloud migration risks.
ECS Access Cloud Product Instances
DNS queries within the private network are responded to in real time without the need for public network access.
Intranet Security Audit
We gather DNS resolution logs from the enterprise's private network (such as Alibaba Cloud VPC) to help enterprises understand the usage of intranet domain names.
VPC Intranet Private DNS Resolution
We provide private domain name resolution services for terminals and servers within the VPC network.
Unified Domain Name Access Both in Production and Testing Environments
Services in the production environment and testing environment use the same domain name to provide external services. Clients in different environments use the same domain name connection string for service access, which avoids modifying client code to adapt to different environments.
ECS Hostname Management
You can plan the hostname based on the location, purpose, owner and other information of the cloud server, and use the hostname to add intranet private resolution records to the cloud server.
Access the Cloud Server through the Domain Name
Create an intranet domain name for each cloud server in the VPC and add a resolution record for it that points to the corresponding private network IP address, so that cloud servers can access each other using intranet domain names.