
Cloud Firewall:Private DNS

Last Updated:Apr 14, 2026

In complex network architectures, business systems may rely on a private DNS service, such as Alibaba Cloud PrivateZone or a self-managed DNS server, to resolve internal domain names. These domain names typically resolve to internal IP addresses or specific service nodes. However, Cloud Firewall uses the Alibaba Cloud DNS servers at 100.100.2.136 and 100.100.2.138 for dynamic resolution by default. This discrepancy can cause domain-based access control policies to fail. Enabling the private DNS synchronization feature lets you configure Cloud Firewall to get domain name resolution results from your PrivateZone or self-managed DNS server. This topic describes how to synchronize private DNS in Cloud Firewall.

Limitations

Private DNS synchronization is effective only when an access control policy's domain identification mode is set to DNS-based Dynamic Resolution or FQDN and DNS-based Dynamic Resolution.

Solution overview

Before synchronization: Business systems rely on private DNS for outbound domain resolution, while Cloud Firewall uses the default Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138). When the same domain is resolved by different DNS servers, the results may be inconsistent, causing domain-based access control policies to fail.

After synchronization: To address policy failures caused by inconsistent DNS resolution, Cloud Firewall provides a solution based on synchronization nodes. This mechanism lets Cloud Firewall automatically fetch resolution results from PrivateZone or a self-managed DNS server. This ensures consistent results across DNS servers and prevents policy failures.

Procedure

Before you begin, identify your DNS server type.

  • If you use PrivateZone, ensure that the necessary resolution records are configured.

  • If you use a self-managed DNS server, ensure that the domain-to-IP mappings are configured on the server.

To configure private DNS synchronization, follow these three steps:

Step 1: Create a synchronization node

A synchronization node includes an endpoint, a vSwitch, and an endpoint ENI.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Prevention Configuration > Address Book > Sync Nodes.

  2. On the Sync Nodes > Private DNS page, click Create.

  3. Configure the synchronization node with the following parameters.


    Synchronization Node Name

    Enter a custom name for the synchronization node.

    Private DNS Type

    If you use PrivateZone, the default DNS servers are 100.100.2.136 and 100.100.2.138.

    If you use a self-managed DNS server, you must specify the primary DNS server address. A secondary DNS server address is optional.

    The system prioritizes the primary DNS server for domain resolution. If the primary server fails to resolve a domain, the system falls back to the secondary server.

    • If the DNS server uses a public IP address, ensure that the business VPC has a NAT gateway to allow the synchronization node to access the DNS server.

    • If the DNS server uses a private IP address, ensure network connectivity between the business VPC and the DNS server.

    Region

    Select the region of the synchronization node's VPC. Private DNS resolution applies only to access control policies in this region. If your business is distributed across two regions, create a synchronization node in each region and configure the domain names on each node, so that the private DNS resolution results apply to the access control policies in both regions.

    VPC

    Select the VPC for the synchronization node. This VPC is used to access the DNS server and can be any business VPC. We recommend that you do not select a VPC that is already used by a VPC Border or NAT Border.

    Zone and vSwitch

    Select the vSwitch for the synchronization node. You can also manually specify an IP address for the endpoint ENI of the synchronization node. The IP address must not conflict with an existing IP address within the vSwitch. If you do not specify an IP address, Cloud Firewall automatically assigns one.

    Two deployment scenarios are supported for availability zone and vSwitch configuration:

    • Dual-availability zone scenario (Recommended): For disaster recovery, create two synchronization nodes, each in a different vSwitch and availability zone.

    • Single-availability zone scenario: Create a single synchronization node in a vSwitch within one availability zone. This scenario does not provide disaster recovery.

    DNS Resolution Protocol

    • If your DNS server type is PrivateZone, the protocol is UDP.

    • If you use a self-managed DNS server, specify its protocol. UDP and TCP are supported.

    DNS Resolution Port

    • If your DNS server type is PrivateZone, the resolution port is 53.

    • If you use a self-managed DNS server, specify its port. The default port is 53.

    Firewall Border

    Select the firewall borders to which the private DNS resolution results apply. A node can be associated with multiple borders, but each border in a region can be associated with only one node. You must select at least one. The available borders are:

    • Internet Border

    • NAT Border

    • VPC Border

    DNS Resolution Synchronization Cycle

    DNS resolution results are synchronized every 5 minutes.

  4. Click Next to complete the creation.

Step 2: Add domain names

  1. On the Private DNS tab, find the synchronization node that you created and click Configure Domain Names in the Actions column.

  2. Click Add to add domain names.

    You can add up to 1,000 domain names at a time, with a total limit of 10,000. Wildcard domain names are not supported.

  3. Click View Resolution Details to verify that the resolved IP addresses are correct for your domains.


  4. After you add all the domain names, click OK.
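The following is an added example (not Alibaba Cloud's code and not part of the Cloud Firewall product) that ties together the solution overview, the Step 1 parameters and the verification in Step 2. It is a standard-library-only DNS A-record client that mirrors the synchronization node's behaviour (primary server first, fall back to the secondary; UDP or TCP; configurable port), plus a check that lists the domains whose answers differ between Cloud Firewall's default DNS servers and your private DNS, which is exactly the condition under which a domain-based policy fails. All domain names and IP addresses in the sample data are constructed, and the self-managed server address `10.0.0.53` mentioned in the comments is hypothetical.

```python
"""Added example: minimal DNS A-record client with primary/secondary fallback
and a resolver-consistency check for domain-based firewall policies."""
import socket
import struct

# Alibaba Cloud DNS servers that Cloud Firewall uses by default (from the page).
DEFAULT_DNS = ("100.100.2.136", "100.100.2.138")


def build_query(name, qid=0x1234):
    """Build a recursion-desired DNS query for A records of `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, expected_qid=None):
    """Return the sorted list of IPv4 answers in a DNS response; raise on RCODE != 0."""
    qid, flags, qd, an = struct.unpack(">HHHH", resp[:8])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the question section
        off = _skip_name(resp, off) + 4
    ips = set()
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return sorted(ips)


def query_server(name, server, port=53, proto="udp", timeout=2.0):
    """Send one A query to `server`; over TCP the message is length-prefixed."""
    qid, msg = 0x4242, build_query(name, 0x4242)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, port))
            data, _ = s.recvfrom(4096)
    else:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(msg)) + msg)
            (n,) = struct.unpack(">H", s.recv(2))
            data = b""
            while len(data) < n:
                chunk = s.recv(n - len(data))
                if not chunk:
                    break
                data += chunk
    return parse_a_records(data, qid)


def resolve(name, servers, **kw):
    """Try the primary server first and fall back to the secondary, as the node does."""
    last = None
    for srv in servers:
        try:
            return query_server(name, srv, **kw)
        except (OSError, ValueError) as exc:
            last = exc
    raise RuntimeError("all DNS servers failed for %s: %s" % (name, last))


def find_policy_mismatches(default_answers, private_answers):
    """Domains whose answers differ between default DNS and private DNS.
    Both arguments map domain -> sorted IP list (what `resolve` returns)."""
    out = {}
    for dom in sorted(set(default_answers) | set(private_answers)):
        d, p = default_answers.get(dom, []), private_answers.get(dom, [])
        if d != p:
            out[dom] = {"default_dns": d, "private_dns": p}
    return out


def constructed_response(qid, name, ips, rcode=0):
    """Build a DNS response the way a server would (for the offline demo only)."""
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + build_query(name, qid)[12:] + answers


# Constructed sample answers: what the default DNS and a private DNS might return.
SAMPLE_DEFAULT = {"app.internal.example": ["203.0.113.10"], "db.internal.example": [],
                  "www.example.com": ["198.51.100.5"]}
SAMPLE_PRIVATE = {"app.internal.example": ["10.0.1.10", "10.0.1.11"],
                  "db.internal.example": ["10.0.2.20"], "www.example.com": ["198.51.100.5"]}

if __name__ == "__main__":
    # Live use would be, e.g., resolve(d, DEFAULT_DNS) versus
    # resolve(d, ("10.0.0.53",), proto="tcp", port=53) for each configured domain.
    for dom, diff in find_policy_mismatches(SAMPLE_DEFAULT, SAMPLE_PRIVATE).items():
        print("policy at risk:", dom, diff)
```

Run the comparison over the domain list you intend to add to the node before creating it, to see which domains currently resolve differently and therefore which policies are affected; after the node is created, the same per-domain answers from the private server should match what View Resolution Details shows.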

Step 3: Configure access control policies

Other operations

  • Edit instance: To modify the name of a synchronization node or change the IP address of a self-managed DNS server, find the node on the Private DNS tab and click Edit Instance in the Actions column.

  • Delete instance: If you no longer need the synchronization node, you can delete it from the Private DNS tab by clicking Delete in the Actions column. Before you delete the node, you must first remove all domain names configured for it.

    Important

    After you delete a synchronization node, the access control policies that use it will revert to using the resolution results from the default DNS server. This may introduce business risks. Proceed with caution.