Dhcp options sets and dns hostnames - Virtual Private Cloud

A Dynamic Host Configuration Protocol (DHCP) options set lets you configure the Domain Name System (DNS) server IP addresses and search domains for all Elastic Compute Service (ECS) instances in an associated virtual private cloud (VPC). Instead of relying on fixed IP addresses, instances can reach each other by hostname or fully qualified domain name (FQDN).

How it works

When an ECS instance starts, it uses the DHCP options set associated with its VPC to get its network configuration — specifically, the DNS server IP addresses and the search domain. This configuration is written into the instance's system files (for example, /etc/resolv.conf on Linux).

Step	Description
1	ECS instances use the DHCP options set to get their network configuration, including the domain name and DNS server IP address. This configuration is embedded into the system configuration of each ECS instance.
2	When an ECS instance queries the DNS server, it retrieves the IP address associated with a DNS hostname.
3	The instance connects to the target using the resolved IP address.

Search domains and hostname resolution

A complete private domain name consists of a hostname and a domain name. For example, in host01.host.prvz, host01 is the hostname and host.prvz is the domain name.

When you configure a domain name in a DHCP options set, every ECS instance in the associated VPC receives that domain name via DHCP and uses it as its DNS search domain (written to /etc/resolv.conf). Running ping host01 then resolves to host01.host.prvz automatically — no need to type the full domain name or configure each instance manually.

Choose a DNS approach

Use this table to pick the right approach before you configure anything.

Dimension	DNS hostnames (default)	Private zone	Self-managed DNS server
DHCP options set type	Default DHCP options set	Custom DHCP options set	Custom DHCP options set
Domain name	ECS built-in authoritative domain: `[regionID].ecs.internal`, default DNS servers	Custom domain name, default DNS servers	Custom domain name, self-managed DNS servers
Billing	Free	Based on number of domain names and DNS query volume (fees apply)	Free
Cross-VPC and hybrid cloud communication	Not supported	Supported	Supported

The performance of a DNS query depends on the DNS server used. For private zone query performance limits, see Limits of private zone.

Manage DHCP options sets

A DHCP options set stores two configurable parameters: Domain Name (the DNS search domain) and DNS Server IP (the DNS servers instances will query).

A DHCP options set can be associated with multiple VPCs in the same region. A VPC can be associated with only one DHCP options set at a time.

Create a DHCP options set

Console

Go to the VPC console - DHCP Options Sets page and click Create DHCP Options Set. Configure the Domain Name and DNS Server IP parameters.

When you enable DNS hostnames for a VPC in a region for the first time, a default DHCP options set is automatically created and associated with the VPC. The default DHCP options set cannot be modified.

API

Call CreateDhcpOptionsSet to create a DHCP options set.

Terraform

# Specify the region of the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create a DHCP options set.
resource "alicloud_vpc_dhcp_options_set" "test_dhcp_options_set" {
  dhcp_options_set_name = "test_dhcp_options_set_name"
  domain_name           = "example.com"                 # Specify the domain name.
  domain_name_servers   = "100.100.2.136,100.100.2.138" # Specify the DNS server IP addresses.
}

Resources: alicloud_vpc_dhcp_options_set

Associate a VPC

Console

Manage the association between a VPC and a DHCP options set from two places:

On the VPC details page, in the DHCP Options Set section: create, change, or remove the association.
On the DHCP options set details page or in the Actions column: select Associate VPC.

After an association changes, new ECS instances automatically use the updated configuration. For existing ECS instances, restart the DHCP process to apply the change:

sudo dhclient -r eth0 && sudo dhclient eth0

Commands to restart network services

Alternatively, restart the instance or its network service. Commands to restart network services by operating system:

Operating system	Version	Command
CentOS	6	`service network restart`
CentOS	7	`systemctl restart network`
CentOS	8	`systemctl restart NetworkManager`
Debian	8	`systemctl restart networking`
Debian	9	`systemctl restart networking`
Debian	10	`systemctl restart networking`
Ubuntu	14	`service networking restart`
Ubuntu	16	`systemctl restart networking`
Ubuntu	18	`systemctl restart systemd-networkd`
Ubuntu	20	`systemctl restart systemd-networkd`
Alibaba Cloud Linux 2	2	`systemctl restart network`
Alibaba Cloud Linux 3	3	`systemctl restart NetworkManager`

If an association is removed, Alibaba Cloud configures the default DNS servers for the ECS instances through DHCP. To ensure the new configuration takes effect on existing instances without affecting your services, you can restart the instances or their network services.

If the VPC has the shared VPC feature enabled, the DHCP options set also applies to ECS instances within the shared VPC.

API

AttachDhcpOptionsSetToVpc — attach a DHCP options set to a VPC
DetachDhcpOptionsSetFromVpc — detach a DHCP options set from a VPC
ReplaceVpcDhcpOptionsSet — change the DHCP options set associated with a VPC

Terraform

# Associate the DHCP options set with a VPC.
resource "alicloud_vpc_dhcp_options_set_attachment" "test_attachment_vpc" {
  vpc_id              = "vpc-8vbg******"                                       # Specify the ID of the VPC to associate.
  dhcp_options_set_id = alicloud_vpc_dhcp_options_set.test_dhcp_options_set.id # Specify the ID of the DHCP options set to associate.
}

Resources: alicloud_vpc_dhcp_options_set_attachment

Modify a DHCP options set

Only custom DHCP options sets can be modified. You can update the domain name and DNS server IP addresses.

After a modification, new ECS instances in the associated VPC automatically use the new configuration. For existing instances, restart their DHCP process or network service to apply the change.

Console

On the DHCP options set details page or in the Actions column, click Edit.

API

Call UpdateDhcpOptionsSetAttribute to modify the configuration.

Delete a DHCP options set

Disassociate the DHCP options set from all VPCs first. Then, in the Actions column or on the details page, click Delete.

API

Call DeleteDhcpOptionsSet to delete the set.

Enable DNS hostnames

DNS hostnames let ECS instances in a VPC reach each other using private domain names automatically managed by Alibaba Cloud. The VPC is associated with a default DHCP options set that assigns each instance an ECS built-in authoritative domain name in the format [regionID].ecs.internal.

When you enable DNS hostnames for a VPC in a region for the first time, a default DHCP options set is automatically created and associated with the VPC. For additional VPCs in the same region, the system reuses the same default DHCP options set.

If a VPC is already associated with a custom DHCP options set, enabling DNS hostnames does not replace that association. Update the association manually if needed.

Cross-VPC and hybrid cloud communication using private domain names is not supported with the default DHCP options set.

Console

Enable DNS hostnames

Go to the VPC console. On the Basic Information page of the target VPC, click Enable next to DNS Hostname.
Go to the ECS console to configure private domain resolution for each ECS instance.
- New instances: When creating an instance, expand Advanced (Optional) and configure Private DNS Resolution. Select whether to resolve an IP-formatted hostname or an instance ID-formatted hostname to the primary private IPv4 address. > Note: Instance IDs cannot be changed. If an instance's IP address changes, the DNS record updates automatically to map the new IP-formatted hostname to the new address. After an IPv6 address is assigned, you can also resolve an instance ID-formatted hostname to the primary private IPv6 address.
- Existing instances: In the Actions column, choose > Instance Properties > Edit Instance Properties, then select the mapping between the private domain name and the IP address.

Disable DNS hostnames

On the Basic Information page of the target VPC, click Disable next to DNS Hostname. The Alibaba Cloud-assigned domain name is disabled and the private domain names of ECS instances can no longer be resolved.

The system automatically disassociates the VPC from the default DHCP options set but does not delete it. To delete the set, disassociate it from all VPCs first.

API

Set the EnableDnsHostname parameter in ModifyVpcAttribute to enable or disable DNS hostnames for an existing VPC.
When creating a VPC with CreateVpc, set EnableDnsHostname to enable DNS hostnames from the start.
When creating an instance with RunInstances, specify PrivateDnsNameOptions to configure private domain resolution.
Update PrivateDnsNameOptions in ModifyInstanceAttribute to change private domain resolution for an existing instance.

Terraform

Terraform does not support configuring private domain resolution for ECS instances. This example only enables DNS hostnames for a VPC.

# Specify the region where you want to create the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create a VPC with DNS hostnames enabled.
resource "alicloud_vpc" "test_vpc" {
  vpc_name            = "test_vpc_name"
  cidr_block          = "10.0.0.0/16"
  dns_hostname_status = "ENABLED" # Enable DNS hostnames.
}

Resources: alicloud_vpc, alicloud_vswitch

Data sources: alicloud_zones

Use custom domain names

The private domain names generated by DNS hostnames ([regionID].ecs.internal) are managed by Alibaba Cloud and cannot be customized. To use your own domain names, use Alibaba Cloud Private DNS (private zone) or a self-managed DNS server.

Use private zone

Alibaba Cloud Private DNS (private zone) manages DNS records for your ECS instances and supports cross-VPC communication. This is a paid service; fees are based on the number of domain names and DNS query volume.

Console

Go to Private Zone and click Add Zone. Configure a custom domain name and set the Effective Scope to the target VPC. On the zone details page, go to the ECS Hostname tab and click Add ECS Hostname. The system automatically adds DNS records for the hostnames and IP addresses of ECS instances in the selected region.
DNS records are not automatically updated when a hostname changes. Enable Auto Sync to have the system add and synchronize DNS records every minute. To add a custom domain prefix, go to the DNS Records tab and add a Host Record.
Go to the VPC console - DHCP Options Sets page and click Create DHCP Options Set. Set Domain Name to the private zone domain name.
In the Actions column of the new DHCP options set, select Associate VPC. ECS instances with DNS records can then be reached by hostname or host record from other instances in the associated VPC.

API

Call AddZone to add a private zone.
Call the API to add a DNS record, or call UpdateSyncEcsHostTask to configure hostname synchronization.
Call CreateDhcpOptionsSet to create a DHCP options set.
Call AttachDhcpOptionsSetToVpc to associate the DHCP options set with the VPC.

Terraform

Automatic addition of ECS hostname records is not supported. Add custom DNS records one by one.

# Specify the region of the target VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Configure a private zone.
resource "alicloud_pvtz_zone" "test_pvtz_zone" {
  zone_name = "example.com"
}

# Set the scope of the domain name.
resource "alicloud_pvtz_zone_attachment" "test_pvtz_zone_attachment" {
  zone_id = alicloud_pvtz_zone.test_pvtz_zone.id
  vpc_ids = ["vpc-8vba******"] # Specify the ID of the VPC where the domain name takes effect.
}

# Add a DNS record.
resource "alicloud_pvtz_zone_record" "test_pvtz_zone_record" {
  zone_id = alicloud_pvtz_zone.test_pvtz_zone.id
  rr      = "abc"         # Specify the host record.
  type    = "A"           # Specify the DNS record type.
  value   = "192.168.0.4" # Specify the DNS record value.
}

# Create a DHCP options set.
resource "alicloud_vpc_dhcp_options_set" "test_dhcp_options_set" {
  dhcp_options_set_name = "test_dhcp_options_set_name"
  domain_name           = "example.com"                 # Specify the domain name.
  domain_name_servers   = "100.100.2.136,100.100.2.138" # Specify the Alibaba Cloud default DNS server IP addresses.
}

# Associate the DHCP options set with a VPC.
resource "alicloud_vpc_dhcp_options_set_attachment" "test_attachment_vpc" {
  vpc_id              = "vpc-8vba******"                                       # Specify the ID of the VPC to associate.
  dhcp_options_set_id = alicloud_vpc_dhcp_options_set.test_dhcp_options_set.id # Specify the ID of the DHCP options set to associate.
}

Resources: alicloud_pvtz_zone, alicloud_pvtz_zone_attachment, alicloud_pvtz_zone_record, alicloud_vpc_dhcp_options_set, alicloud_vpc_dhcp_options_set_attachment

Use a self-managed DNS server

A self-managed DNS server gives you full control over DNS resolution logic — for example, dynamically returning the optimal IP address based on geographic location, network quality, or server load. You are responsible for maintaining DNS records and ensuring service reliability.

The following example deploys a self-managed DNS service using BIND and configures a DHCP options set to point instances at it.

Rules and considerations

Before specifying DNS server IP addresses in a custom DHCP options set, note the following:

Place the self-managed DNS server IP address first. If the Alibaba Cloud default DNS server IPs (100.100.2.136 and 100.100.2.138) are listed first, they return an NXDOMAIN response for custom domain names, and the system treats the query as complete without querying subsequent servers. As a result, custom domain names cannot be resolved.
Keep the Alibaba Cloud default DNS server IPs in the list. The console pre-populates these IPs. Removing them may cause loss of access to basic Alibaba Cloud services. If using the API, include them explicitly.
Allow traffic to the self-managed DNS server. Add inbound rules to the security group and network ACL (if configured) of the associated VPC to permit traffic to the self-managed DNS server IP address. Without these rules, DNS queries will fail.
IPv6 addresses are not supported for custom DNS server IPs in a DHCP options set.

Deploy a self-managed DNS server using BIND

Deploy BIND on an ECS instance in the same VPC:

Install BIND:
```
yum install -y bind bind-utils
```

Edit the main configuration file:

vim /etc/named.conf

Set the following options:

listen-on port 53 { any; };  # Listen on port 53 of all network interfaces.
allow-query     { any; };    # Allow DNS queries from any IP address.

Configure the zone file:

vim /etc/named.rfc1912.zones

// Custom domain name
zone "example.com" IN {
      type master;
      file "example.com.zone";
};

zone "0.168.192.in-addr.arpa" IN {
      type master;
      file "0.168.192.zone";
};

Configure the forward DNS lookup file:

cp -p /var/named/named.localhost /var/named/example.com.zone
vim /var/named/example.com.zone

$TTL 1D
@       IN      SOA     example.com.  admin.example.com. (
                                                           1       ; serial
                                                           1D      ; refresh
                                                           1H      ; retry
                                                           1W      ; expire
                                                           3H )    ; minimum

              NS      dns.example.com.
Web01         A       192.168.0.2;
Web02         A       192.168.0.3;

Configure the reverse DNS lookup file:

cp -p /var/named/named.empty /var/named/0.168.192.zone
vim /var/named/0.168.192.zone

$TTL 3H
@       IN      SOA     0.168.192.in-addr.arpa. admin.zjq.com. (
                                                           1       ; serial
                                                           1D      ; refresh
                                                           1H      ; retry
                                                           1W      ; expire
                                                           3H )    ; minimum

              NS      dns.example.com.
2            PTR     Web01.example.com.
3            PTR     Web02.example.com.

Restart the BIND service:
```
systemctl restart named
```

Configure forwarding rules

To use both your self-managed DNS server and the Alibaba Cloud DNS service, configure forwarding rules on your BIND server to forward queries for other domain names to the Alibaba Cloud default DNS servers:

vim /etc/named.conf

// Default forwarding: Forward other requests to the default DNS servers.
options {
    forwarders { 100.100.2.136; 100.100.2.138; };  # Alibaba Cloud VPC default DNS servers
    forward only;
};
// Configure authoritative DNS resolution for the self-managed DNS server. Replace "example.com" with your custom domain name.
zone "example.com" {
    type master;
    file "example.com.zone";  # DNS record configuration file
};

Console

Go to the VPC console - DHCP Options Sets page and click Create DHCP Options Set. Set Domain Name to your custom domain name, click Custom Server IP, and place the self-managed DNS server IP address first in the list.
In the Actions column, select Associate VPC. ECS instances with configured DNS records can then be reached by hostname from other instances in the associated VPC.

API

Call CreateDhcpOptionsSet to create a custom DHCP options set with the domain name and self-managed DNS server IP address.
Call AttachDhcpOptionsSetToVpc to associate the DHCP options set with the VPC.

Terraform

# Specify the region of the VPC.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Create a DHCP options set with a self-managed DNS server.
resource "alicloud_vpc_dhcp_options_set" "test_dhcp_options_set" {
  dhcp_options_set_name = "test_dhcp_options_set_name"
  domain_name           = "example.com"                              # Specify the domain name.
  domain_name_servers   = "192.168.0.10,100.100.2.136,100.100.2.138" # Place the self-managed DNS server IP first.
}

# Associate the DHCP options set with a VPC.
resource "alicloud_vpc_dhcp_options_set_attachment" "test_attachment_vpc" {
  vpc_id              = "vpc-8vbg******"                                       # Specify the ID of the VPC to associate.
  dhcp_options_set_id = alicloud_vpc_dhcp_options_set.test_dhcp_options_set.id # Specify the ID of the DHCP options set to associate.
}

Resources: alicloud_vpc_dhcp_options_set, alicloud_vpc_dhcp_options_set_attachment

Limits

Limit	Details
DHCP options sets per account	10 (default DHCP options sets do not count toward this limit; not adjustable)
VPCs per DHCP options set	10
DHCP options sets per VPC	1
Domain names per DHCP options set	1
DNS server IPs per DHCP options set	4
Default DHCP options set	Cannot be modified
IPv6 DNS server IPs	Not supported in custom DHCP options sets
Cross-VPC and hybrid cloud communication	Not supported with the default DHCP options set; use private zone or a self-managed DNS server

More information

Billing

The DHCP options set feature is free of charge.

Supported regions

Area	Regions
Asia Pacific - China	China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), and China (Hong Kong)
Asia Pacific - Others	Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico
Middle East	UAE (Dubai) and SAU (Riyadh - Partner Region) Important The SAU (Riyadh - Partner Region) region is operated by a partner.