Alibaba Cloud DNS PrivateZone

It is a Private DNS Service designed for corporate intranets, and serves terminals hosted in Alibaba Cloud VPC networks or on-premises datacenter networks, such as containers, ECS and physical machines.

Latest News

New Console

New console version with a full functionality upgrade for Private DNS

New Experience

Resource Records configuration supports graphical orchestration to optimize the operation experience

New Function

Built-In Authoritative Module: DNS resolution based on weights or user-defined lines is supported

New Function

Cache Module: Designated public network domain names are permanently cached and can still be resolved normally when the external third-party public network DNS is abnormal. Manual cache clearing is also supported in an emergency.

New Function

Forward Module: Forward DNS requests from VPCs to the external DNS for hybrid cloud scenarios

New Function

Traffic Analysis: DNSLog analysis for tracing end-to-end DNS resolution path, and DNSLog can be transferred to SLS Logstore

New Function

Service Address: Access PrivateZone based on VPC custom private IP addresses, which can avoid IP addresses conflict with and


A Private DNS Platform for Integrated Scenarios of Multi-Cloud and Traditional IDC

Alibaba Cloud DNS PrivateZone is an easy-to-use DNS resolution service in corporate intranets. It can resolve internal and external domain names in corporate intranets, such as Alibaba Cloud VPCs and on-premises data centers. It allows you to define private authoritative domain names in corporate intranets, retain caches, clear caches, forward DNS requests, send recursive queries to the Internet, define DNS service IP addresses in VPC, and analyze traffic for DNS requests. This ensures faster and safer internal DNS resolution.

Device-Cloud Integration

Meets the DNS resolution requirements of fully integrated scenarios spanning devices, IDCs and cloud platforms, with product coverage across the end-to-end DNS resolution path.

High Availability

The resolution components are deployed on a fully heterogeneous architecture, providing service level agreement (SLA) commitments of up to 99.99% and 99.9% in the central regions and local regions, respectively.



Resource Records configuration supports graphical orchestration, providing a one-click batch configuration experience for all record types simultaneously. At the same time, it provides DNS resolution logs to analyze end-to-end DNS resolution path and behavior.


Built-In Authoritative Module, Cache Module, Forward Module, Recursion Module, Service Address and Traffic Analysis Module

Built-In Authoritative Module

Define private authoritative zones within your internal networks (such as VPCs). Built-in authoritative zones are classified into regular zones and acceleration zones. For regular zones, DNS requests from clients are not routed directly to the Built-In Authoritative Module. They are first routed to the Cache Module and then, on a cache miss, to the regular zone module. Resource record updates take effect subject to the TTL limit. For acceleration zones, DNS requests from clients are answered directly, with the lowest latency. Resource record updates take effect in real time, with no TTL limit. Acceleration zones are an upgraded version of regular zones; the newly added features include DNS resolution based on weights and user-defined lines.

VPC Security Isolation

Private domain names can be resolved only in the associated VPCs.

Unified DNS Management across Multiple Alibaba Cloud Accounts

Associate DNS Setting Data with VPCs of multiple Alibaba Cloud accounts and perform centralized DNS management in the same corporate intranet.

User-Defined Authoritative Zones

Define private authoritative zones, and support hosting zones and sub-zones.

Intelligent DNS Resolution

Support private intelligent DNS resolution based on request lines or weights in corporate intranets.

User-Defined Request Lines

Supports defining internal request lines based on IP addresses and then defining private DNS resource records for those lines.

Synchronization for ECS Hostnames

Supports synchronization of ECS hostnames in preset regions, either manually or automatically (once every minute).

Recursive Resolution Proxy for Subdomain Names

Queries for non-existent subdomain names under the private zones are routed to the Forward Module and Recursion Module, which separates private and public DNS resolution.

IP Reverse Resolution

Support IP reverse resolution for translating IP addresses to domain names.

Secondary DNS

Support synchronizing built-in authoritative zone data from on-premises IDCs with AXFR or IXFR zone transfer protocols.

Cache Module

DNS resolution results in corporate intranets are temporarily stored in the Cache Module when they come from the Built-In Authoritative Module for regular zones, the Forward Module, or the Recursion Module. This accelerates subsequent resolution of the same domain names. We recommend enabling the cache retention feature for hotspot and important domain names so that their DNS resolution results are permanently stored in the cache. This speeds up DNS resolution in intranet networks and prevents resolution failures for public domain names in intranet networks when the DNS resolution services provided by other authoritative DNS vendors are down.

Cache Retention for 100% Cache Hit

Supports enabling the cache retention feature for hotspot and important domain names so that their DNS resolution results are permanently stored in the cache. This speeds up DNS resolution in intranet networks and prevents resolution failures for public domain names in intranet networks when the DNS resolution services provided by other authoritative DNS vendors are down.

Clear Cache

In an emergency, clear DNS cache results from the Cache Module rapidly without TTL limitation.

Forward Module

You can create forward zone rules and outbound endpoints, which can forward DNS requests for the zone in VPCs to the external DNS. This is suitable for DNS resolution in hybrid cloud scenarios and DNS resolution between cloud and on-premises scenarios.

Outbound Endpoints

These are DNS forwarders in VPC networks that forward DNS requests for the zone in VPCs to the external DNS, so that cloud ECS instances and containers can resolve private domain names hosted in on-premises IDC DNS.

User-Defined Forward Zones

Support defining forward rules based on zones, and only permit DNS forward queries for those zones.

Recursion Module

If the query domain name is NOT hit in the Built-In Authoritative Module, Cache Module, and Forward Module, it will be routed to the Recursion Module to get responses from the Internet and then notify the Cache Module to update cached results.

Recursive Resolution

We provide the Recursion Module for free by default. It can serve all ECS instances, containers, and other clients hosted in Alibaba Cloud VPCs or your IDC intranet network. For the Recursion Module, we cannot guarantee a Service Level Agreement (SLA) and provide best-effort service only, because of external network instability.
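
The lookup order described above for the Built-In Authoritative, Cache, Forward and Recursion modules, including cache retention and manual clearing, can be modelled in a few lines. This is an added illustrative example, not Alibaba Cloud code: the class, zone names and addresses are constructed, and treating cache retention as a cache entry with no expiry is an assumption.

```python
class UpstreamDown(Exception):
    """Simulated external DNS failure."""

class PrivateResolverModel:
    """Toy model of the module order described above; not Alibaba Cloud code."""
    def __init__(self, accel, regular, forward_zones, recursion, retained, now):
        self.accel = accel                  # name -> ip (acceleration zone, answered directly)
        self.regular = regular              # name -> (ip, ttl) (regular zone, behind the cache)
        self.forward_zones = forward_zones  # zone suffix -> callable(name) -> (ip, ttl)
        self.recursion = recursion          # callable(name) -> (ip, ttl)
        self.retained = set(retained)       # names with cache retention enabled
        self.cache = {}                     # name -> (ip, expiry); expiry None = retained
        self.now = now                      # injectable clock, so TTL expiry is testable

    def clear_cache(self, name):
        """Manual clear: drops the entry regardless of TTL or retention."""
        self.cache.pop(name, None)

    def resolve(self, name):
        if name in self.accel:
            return self.accel[name], "authoritative-acceleration"
        hit = self.cache.get(name)
        if hit and (hit[1] is None or hit[1] > self.now()):
            return hit[0], "cache"
        if name in self.regular:
            (ip, ttl), source = self.regular[name], "authoritative-regular"
        else:
            # Longest matching forward zone wins; otherwise fall through to recursion.
            zones = [z for z in self.forward_zones if name == z or name.endswith("." + z)]
            fwd = self.forward_zones[max(zones, key=len)] if zones else None
            ip, ttl = (fwd or self.recursion)(name)
            source = "forward" if fwd else "recursion"
        expiry = None if name in self.retained else self.now() + ttl
        self.cache[name] = (ip, expiry)
        return ip, source

def build_demo():
    """Constructed sample data: every name and address here is made up."""
    state = {"t": 0.0, "up": True}
    def internet(name):
        if not state["up"]:
            raise UpstreamDown(name)
        return "203.0.113.10", 60
    resolver = PrivateResolverModel(
        accel={"api.corp.example": "10.0.0.1"},
        regular={"db.corp.example": ("10.0.0.2", 300)},
        forward_zones={"idc.example": lambda name: ("10.20.0.5", 30)},
        recursion=internet, retained={"pay.example.com"}, now=lambda: state["t"])
    return resolver, state
```

Setting `state["up"] = False` and advancing `state["t"]` past the TTL shows the difference between a retained name, which still resolves from cache, and an ordinary public name, which fails until the upstream returns.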

Service Address

The Name Server addresses of the Private DNS resolution service, which can be configured as the DNS service address of terminals in the cloud (ECS or container), or can be used for terminals out of the cloud (external hosts or external DNS) to access the in-cloud DNS.

Inbound Endpoints

If you want to use your own planned private IP address in the VPC to provide Private DNS resolution services, you can customize Private DNS resolution IP addresses within a VPC by creating an Inbound Endpoint.

Traffic Analysis Module

We provide end-to-end, full-resolution path and visualized DNS traffic analysis service to profile entire processes, including receiving DNS requests, processing DNS resolution, and returning resolution results. We provide graphical charts for various statistical metrics to help users to view and make decisions to optimize their business.

Traffic Analysis

We provide data analysis in various dimensions (such as resolution delay, resolution volume, cache hit rate, hot domain names, and hot request sources), which can offer data references for business optimization.

DNSLog Transferred to SLS Logstore

DNSLog can be transferred to SLS Logstore. To use this function, you must first enable the traffic analysis service so that DNS resolution logs are gathered.

Best Practice

Typical Scenarios

Intelligent DNS resolution based on request lines or weights, public domain name resolution optimization, hybrid interconnection in and out of the cloud, and full resolution path visualized DNS traffic analysis

  • Intelligent DNS Resolution Based on Request Lines

    Identify visitors based on the request source IP address and intelligently return different application IP addresses for different visitors, improving website access speed.

  • Intelligent DNS Resolution Based on Weights

    When responding to DNS queries, all addresses are returned according to weight calculation proportions, and application traffic is distributed to different servers to achieve load balancing.

  • Public Domain Name Resolution Acceleration and Disaster Recovery Protection

    Using the cache retention function can significantly improve the resolution speed of public domain names and ensure that the domain name can still be resolved normally, even if the DNS service provider for the domain name fails.

  • Traffic Visualization Based on DNSLog

    We provide traffic analysis services based on DNS resolution logs, completely restoring the entire process path from receiving resolution requests to intermediate processing and returning resolution results.

  • Application Interconnection between In-Cloud and Out-Cloud

    Applications in Alibaba Cloud VPC and on-premises IDC need to make inter-business calls through DNS queries.

  • Smooth Migration to the Cloud for Enterprises

    Avoid modifying application codes, reduce application modifications, and reduce cloud migration risks.

  • ECS Access Cloud Product Instances

    DNS queries within the private network are responded to in real time without the need for public network access.

  • Intranet Security Audit

    We gather DNS resolution logs from the enterprise's private network (such as Alibaba Cloud VPC) to help enterprises understand the usage of intranet domain names.

  • VPC Intranet Private DNS Resolution

    We provide private domain name resolution services for terminals and servers within the VPC network.

  • Unified Domain Name Access Both in Production and Testing Environments

    Services in the production environment and testing environment use the same domain name to provide external services. Clients in different environments use the same domain name connection string for service access, avoiding modification of clients' codes to adapt to different environments.

  • ECS Hostname Management

    You can plan the hostname based on the location, purpose, owner and other information of the cloud server, and use the hostname to add intranet private resolution records to the cloud server.

  • Access the Cloud Server through the Domain Name

    Create an intranet domain name for each cloud server in the VPC and resolve it to the corresponding private network IP address, so that cloud servers can access each other using intranet domain names.

Related DNS Products

Alibaba Cloud DNS - Public Authoritative

The authoritative DNS resolution service of the public network can help enterprises and developers convert domain names that are easy to manage and identify into digital IP addresses used by computers for interconnection communications, thereby routing user access to the corresponding website or application server.

Global Traffic Manager

Global Traffic Manager (GTM) can realize nearby access and multi-address load balancing of application services through DNS. At the same time, it can perform DNS Failover based on health checks to achieve multi-active fault isolation and remote disaster recovery of application services in the same city.
