In complex network architectures, business systems may rely on a private DNS service, such as Alibaba Cloud PrivateZone or a self-managed DNS server, to resolve internal domain names. These domain names typically resolve to internal IP addresses or specific service nodes. However, Cloud Firewall uses the Alibaba Cloud DNS servers at 100.100.2.136 and 100.100.2.138 for dynamic resolution by default. This discrepancy can cause domain-based access control policies to fail. Enabling the private DNS synchronization feature lets you configure Cloud Firewall to get domain name resolution results from your PrivateZone or self-managed DNS server. This topic describes how to synchronize private DNS in Cloud Firewall.
Limitations
Private DNS synchronization is effective only when an access control policy's domain identification mode is set to DNS-based Dynamic Resolution or FQDN and DNS-based Dynamic Resolution.
Solution overview
| Before synchronization | After synchronization |
| --- | --- |
| Business systems rely on private DNS for outbound domain resolution, while Cloud Firewall uses the default Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138). When the same domain is resolved by different DNS servers, the results may be inconsistent, causing domain-based access control policies to fail. | To address policy failures caused by inconsistent DNS resolution, Cloud Firewall provides a solution based on synchronization nodes. This mechanism lets Cloud Firewall automatically fetch resolution results from PrivateZone or a self-managed DNS server. This ensures consistent results across DNS servers and prevents policy failures. |
Procedure
Before you begin, identify your DNS server type.
If you use PrivateZone, ensure that the necessary resolution records are configured.
If you use a self-managed DNS server, ensure that the domain-to-IP mappings are configured on the server.
To configure private DNS synchronization, follow these three steps:
Step 1: Create a synchronization node
A synchronization node includes an endpoint, a vSwitch, and an endpoint ENI.
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
On the page, click Create.
Configure the synchronization node with the following parameters.
Parameter
Description
Synchronization Node Name
Enter a custom name for the synchronization node.
Private DNS Type
If you use PrivateZone, the default DNS servers are 100.100.2.136 and 100.100.2.138.
If you use a self-managed DNS server, you must specify the primary DNS server address. A secondary DNS server address is optional.
The system prioritizes the primary DNS server for domain resolution. If the primary server fails to resolve a domain, the system falls back to the secondary server.
If the DNS server uses a public IP address, ensure that the business VPC has a NAT gateway to allow the synchronization node to access the DNS server.
If the DNS server uses a private IP address, ensure network connectivity between the business VPC and the DNS server.
Region
Select the region for the synchronization node's VPC. Private DNS resolution applies to access control policies in this region. If your business is distributed across two regions, you must create a synchronization node in each region and configure domain names for each node to apply private DNS resolution results to the access control policies in both regions.
VPC
Select the VPC for the synchronization node. This VPC is used to access the DNS server and can be any business VPC. We recommend that you do not select a VPC that is already used by a VPC Border or NAT Border.
Zone and vSwitch
Select the vSwitch for the synchronization node. You can also manually specify an IP address for the endpoint ENI of the synchronization node. The IP address must not conflict with an existing IP address within the vSwitch. If you do not specify an IP address, Cloud Firewall automatically assigns one.
Two deployment scenarios are supported for availability zone and vSwitch configuration:
Dual-availability zone scenario (Recommended): For disaster recovery, create two synchronization nodes, each in a different vSwitch and availability zone.
Single-availability zone scenario: Create a single synchronization node in a vSwitch within one availability zone. This scenario does not provide disaster recovery.
DNS Resolution Protocol
If your DNS server type is PrivateZone, the protocol is UDP.
If you use a self-managed DNS server, specify its protocol. UDP and TCP are supported.
DNS Resolution Port
If your DNS server type is PrivateZone, the resolution port is 53.
If you use a self-managed DNS server, specify its port. The default port is 53.
Firewall Border
Select the firewall boundaries where the private DNS resolution results will apply. A node can be applied to multiple boundaries, but each boundary in a region can be associated with only one node. You must select at least one. The available boundaries are:
Internet Border
NAT Border
VPC Border
DNS Resolution Synchronization Cycle
DNS resolution results are synchronized every 5 minutes.
Click Next to complete the creation.
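The root cause described in the solution overview (the private DNS server and the default resolvers at 100.100.2.136 and 100.100.2.138 returning different addresses for the same domain), the primary/secondary fallback rule, and the UDP/TCP protocol and port settings of the parameter table can all be checked from a host inside the business VPC before relying on the console. The following is an added example written for this page; it is not Alibaba Cloud or Cloud Firewall code. It implements a minimal DNS A-record client in the Python standard library: it builds a query, parses the answer (including compressed names), sends it over UDP or over TCP with the 2-byte length prefix, tries the primary server and then the secondary, and reports which addresses differ between the private resolver and the default one. Any server addresses other than the two defaults quoted from this page are assumptions, and `build_response` only constructs a sample answer so the parser can be exercised without a live server.

```python
"""Added example, not Alibaba Cloud or Cloud Firewall code: minimal DNS A-record client
for comparing a private DNS server's answers with the default resolver's (UDP/TCP, fallback)."""
import secrets
import socket
import struct

def encode_name(name):
    """Domain -> DNS label format, e.g. app.corp -> b'\\x03app\\x04corp\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, txid):
    """Recursive A/IN query: 12-byte header followed by one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(name, ips, txid, rcode=0):
    """Constructed sample answer so the parser can be exercised offline (no real server)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    # Each answer's owner name is a compression pointer (0xC00C) to the question at offset 12
    rr = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip) for ip in ips)
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + rr

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember the outer offset once
            end = off + 2 if end is None else end
            off, hops = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_a_records(msg, expected_txid):
    """IPv4 addresses in the answer section; [] when RCODE reports a failure."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("DNS transaction id mismatch")
    if flags & 0x000F:  # NXDOMAIN, SERVFAIL, ...: the server could not resolve the name
        return []
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf

def query_server(name, server, port=53, proto="udp", timeout=2.0):
    """One query over UDP, or over TCP where the message carries a 2-byte length prefix."""
    txid = secrets.randbits(16)
    query = build_query(name, txid)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
    else:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            data = recv_exact(s, length)
    return parse_a_records(data, txid)

def resolve_with_fallback(name, primary, secondary=None, **kw):
    """Primary first; on error or empty answer try the secondary, as the node does."""
    try:
        ips = query_server(name, primary, **kw)
        if ips:
            return ips
    except (OSError, ValueError):
        pass
    return query_server(name, secondary, **kw) if secondary else []

def compare_resolution(private_ips, default_ips):
    """Report the mismatch that makes a domain-based policy miss the real traffic."""
    private, default = set(private_ips), set(default_ips)
    return {"consistent": private == default, "only_private": sorted(private - default),
            "only_default": sorted(default - private)}
```

From an ECS instance in the business VPC, `compare_resolution(resolve_with_fallback("app.corp.internal", "10.0.0.53", "10.0.0.54", proto="tcp"), query_server("app.corp.internal", "100.100.2.136"))` (the private server addresses here are assumptions) shows whether the two sides agree; a non-empty `only_private` list is exactly the case in which a domain-based policy evaluated against the default resolver would not match the traffic your systems actually send.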
Step 2: Add domain names
On the Private DNS tab, find the synchronization node that you created and click Configure Domain Names in the Actions column.
Click Add to add domain names.
You can add up to 1,000 domain names at a time, with a total limit of 10,000. Wildcard domain names are not supported.
Click View Resolution Details to verify that the resolved IP addresses are correct for your domains.

After you add all the domain names, click OK.
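The limits in this step (no wildcard domain names, at most 1,000 names per Add operation, 10,000 per node in total) are easy to trip over when the domain list comes from an inventory export. The following added example, written for this page and not Alibaba Cloud code, pre-checks such a list before it is pasted into the console: it normalizes and deduplicates the names, rejects wildcards and syntactically invalid entries, and splits the rest into batches that fit the per-batch and per-node limits. The `already_configured` count and the sample names are assumptions.

```python
"""Added example, not Alibaba Cloud code: pre-check a domain list against the limits stated
for the Configure Domain Names step (no wildcards, 1,000 per batch, 10,000 per node)."""
import re

BATCH_LIMIT = 1_000   # names per Add operation (from the page)
NODE_LIMIT = 10_000   # names per synchronization node (from the page)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    """Lower-case, trim whitespace and a trailing dot so duplicates compare equal."""
    return name.strip().lower().rstrip(".")

def is_valid_domain(name):
    """Syntactic check: dotted labels of 1-63 chars, no wildcard, 253 chars overall at most."""
    name = normalize(name)
    if not name or "*" in name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def plan_batches(domains, already_configured=0):
    """Deduplicate, reject invalid entries, and split the rest into batches that fit the limits.

    already_configured: number of names the node already has (assumed to be known; it counts
    against the 10,000 total). Names beyond the remaining room are returned in 'over_cap'.
    """
    seen, accepted, rejected = set(), [], []
    for raw in domains:
        name = normalize(raw)
        if not is_valid_domain(name):
            rejected.append(raw)
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    room = max(NODE_LIMIT - already_configured, 0)
    fits, over_cap = accepted[:room], accepted[room:]
    batches = [fits[i:i + BATCH_LIMIT] for i in range(0, len(fits), BATCH_LIMIT)]
    return {"batches": batches, "rejected": rejected, "over_cap": over_cap}
```

Each list in `batches` can be added with one Add operation; anything in `rejected` (typically wildcard entries such as `*.corp.internal`) has to be replaced by the concrete host names your systems actually resolve, and anything in `over_cap` needs a second synchronization node or a trimmed list.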
Step 3: Configure access control policies
To configure an access control policy for traffic between your public assets and the internet, see Configure access control policies for the Internet Border.
To configure an access control policy for traffic from resources within a VPC, such as ECS instances and Elastic Container Instance, to the internet through a NAT gateway, see Configure access control policies for the NAT Border.
To configure an access control policy for traffic between network instances connected through Cloud Enterprise Network or Express Connect, see Configure access control policies for the VPC Border.
Other operations
Edit instance: To modify the name of a synchronization node or change the IP address of a self-managed DNS server, find the node on the Private DNS tab and click Edit Instance in the Actions column.
Delete instance: If you no longer need the synchronization node, you can delete it from the Private DNS tab by clicking Delete in the Actions column. Before you delete the node, you must first remove all domain names configured for it.
Important: After you delete a synchronization node, the access control policies that use it will revert to using the resolution results from the default DNS server. This may introduce business risks. Proceed with caution.