In complex network architectures, applications may rely on private DNS, such as Alibaba Cloud PrivateZone or a self-managed DNS server, to resolve internal domain names. These domain names typically resolve to internal IP addresses or specific service endpoints. By default, Cloud Firewall resolves the domain names in access control policies by using the Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138), so the firewall and the application can obtain different answers for the same internal domain name. This discrepancy can cause domain-based access control policies to fail. By enabling the private DNS synchronization feature, Cloud Firewall can fetch domain name resolution results from PrivateZone or your self-managed DNS server. This topic describes how to configure private DNS synchronization in Cloud Firewall.
Limitations
Private DNS synchronization applies only to access control policies whose domain name identification mode is set to DNS-based Dynamic Resolution or FQDN and DNS-based Dynamic Resolution.
How it works
Before synchronization: Applications rely on a private DNS server for outbound name resolution, while Cloud Firewall uses the default Alibaba Cloud DNS servers (100.100.2.136 and 100.100.2.138). This mismatch can lead to different resolution results for the same domain name, causing domain-based access control policies to fail.
After synchronization: To prevent policy failures from inconsistent DNS resolution, Cloud Firewall provides synchronization nodes. A synchronization node automatically fetches resolution records from PrivateZone or a self-managed DNS server, so the firewall and the application resolve each domain name to the same addresses and the risk of policy failure is reduced.
Procedure
Before you begin, identify the type of your DNS server.
If you use PrivateZone, ensure that the required resolution records are configured.
If you use a self-managed DNS server, ensure that the domain-to-IP mappings are configured on the server.
Complete the following steps to configure private DNS synchronization:
1. Create a private DNS synchronization node
A synchronization node consists of an endpoint, a vSwitch, and an elastic network interface (ENI) for the endpoint.
Log on to the Cloud Firewall console and go to the Synchronization Nodes page. On the Private DNS tab, click Create.
In the panel that appears, configure the following parameters.
Parameter
Description
Synchronization node name
Enter a custom name for the synchronization node.
Private DNS type
For PrivateZone: The default DNS servers are 100.100.2.136 and 100.100.2.138.
For a self-managed DNS server: You must specify the primary DNS server address. A standby DNS server address is optional.
The system prioritizes the primary DNS server for resolution. If the primary server fails to resolve a domain name, the standby server is used.
If the DNS server uses a public IP address, ensure that the business VPC has a NAT gateway to allow the synchronization node to access the DNS server.
If the DNS server uses a private IP address, ensure network connectivity between the business VPC and the DNS server.
Region
Select the region for the synchronization node. The resolution results are applied in this region. If your business spans multiple regions, create a synchronization node in each region to apply private DNS resolution to all relevant access control policies.
VPC
Select the VPC for the synchronization node. This VPC is used to access the DNS server and can be any of your business VPCs. We recommend selecting a VPC that does not have a VPC Border or NAT Border firewall.
Zone and vSwitch
Select the vSwitch for the synchronization node. You can also manually specify an IP address for the ENI of the synchronization node. The IP address must not conflict with any existing IP addresses in the vSwitch. If you do not specify an IP address, Cloud Firewall automatically assigns one.
Two high-availability deployment options are available:
Dual-zone scenario (recommended): Create two synchronization nodes in different vSwitches located in two different availability zones. This is the recommended approach for disaster recovery.
Single-zone scenario: Create one synchronization node in a vSwitch within a single availability zone. This option does not provide disaster recovery.
DNS resolution protocol
If your DNS server type is PrivateZone, the protocol is UDP.
If your DNS server type is self-managed DNS server, select the protocol used by your DNS server. UDP and TCP are supported.
DNS resolution port
If your DNS server type is PrivateZone, the port is 53.
If your DNS server type is self-managed DNS server, specify the port used by your DNS server. The default port is 53.
Firewall border
Select the firewall borders to which the DNS resolution results apply. A single synchronization node can serve multiple Cloud Firewall borders, but each border in a region can be associated with only one synchronization node. You must select at least one border. The available borders are:
Internet Border
NAT Border
VPC Border
DNS resolution synchronization cycle
DNS resolution results are synchronized every 5 minutes.
Click OK.
2. Add domains for private resolution
On the Private DNS tab of the Synchronization Nodes page, locate the synchronization node that you created and click Configure Domain Names in the Actions column.
Click Add to add domain names.
You can add up to 10,000 domain names in total, with a maximum of 1,000 per operation. Wildcard domain names are not supported.
Click View Resolution Details to verify that the resolved IP address matches the actual IP address of your domain.

After you add all required domain names, click OK.
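Before relying on a domain-based policy, it is worth confirming from inside the business VPC that the private DNS server and Cloud Firewall's default resolver actually answer the same for each domain you added, which is the mismatch described under How it works and the check that View Resolution Details performs in the console. The script below is an added example written for this page, not Alibaba Cloud code or a Cloud Firewall feature. It sends a raw DNS A query (UDP or TCP, port configurable, matching the protocol and port settings of a synchronization node) to both servers and reports domains whose answer sets differ. The private server address 10.0.0.53, the domain api.internal.example and the sample reply bytes are assumptions constructed for the example; 100.100.2.136 is the default resolver named on this page.

```python
"""Compare DNS answers from a private DNS server and Cloud Firewall's default
resolver. Added example for this page; not Alibaba Cloud code."""
import random
import socket
import struct

# Cloud Firewall's default resolver (from the page). The private server address
# below is an assumption: replace it with your self-managed DNS server address.
DEFAULT_DNS = "100.100.2.136"
PRIVATE_DNS = "10.0.0.53"  # assumed self-managed DNS server address


def build_query(name, txid):
    """Encode a standard DNS query: header (RD=1), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a domain name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid):
    """Return the set of IPv4 addresses in the answer section; empty set on an error RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("DNS transaction ID mismatch (possible spoofed reply)")
    if flags & 0x000F:  # RCODE other than NOERROR, e.g. NXDOMAIN (3)
        return set()
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen  # CNAME and other record types are skipped
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DNS server closed the TCP connection early")
        buf += chunk
    return buf


def resolve(name, server, port=53, proto="udp", timeout=2.0):
    """Query one server over UDP or TCP, the two protocols a synchronization node supports."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
    else:  # TCP: every message carries a 2-byte length prefix (RFC 1035 4.2.2)
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    return parse_a_records(data, txid)


def compare(domains, private_server, default_server=DEFAULT_DNS, resolver=resolve, **kw):
    """Return {domain: (private_answers, default_answers)} for domains whose answers differ.
    A non-empty result is exactly the inconsistency that makes a domain-based policy misfire."""
    mismatches = {}
    for domain in domains:
        private_ips = resolver(domain, private_server, **kw)
        default_ips = resolver(domain, default_server, **kw)
        if private_ips != default_ips:
            mismatches[domain] = (private_ips, default_ips)
    return mismatches


def constructed_response():
    """A constructed (not captured) reply for api.internal.example with two A records,
    so the parser can be exercised offline."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = b"\x03api\x08internal\x07example\x00" + struct.pack("!HH", 1, 1)

    def rr(ip):
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)

    return header + question + rr("10.1.2.3") + rr("10.1.2.4")


if __name__ == "__main__":
    import sys
    print("offline parse check:", sorted(parse_a_records(constructed_response(), 0x1234)))
    if len(sys.argv) > 1:  # usage: python dnscheck.py api.internal.example db.internal.example
        for d, (priv, pub) in compare(sys.argv[1:], PRIVATE_DNS).items():
            print(f"MISMATCH {d}: private={sorted(priv)} default={sorted(pub)}")
```

Run it from an ECS instance in the business VPC with the same domain list you configured on the synchronization node; any domain it reports is one whose policy would have matched the wrong addresses without synchronization. The transaction ID check and the explicit RCODE handling are kept so that a spoofed or NXDOMAIN reply is not silently counted as a matching answer.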
3. Configure a domain-based access control policy
To configure an access control policy for traffic between your public assets and the internet, see Configure an access control policy for the Internet Border.
To configure an access control policy for traffic from resources within a VPC, such as ECS instances or containers, to the internet through a NAT gateway, see Configure an access control policy for the NAT Border.
To configure an access control policy for traffic between network instances connected through Cloud Enterprise Network (CEN) or Express Connect, see Configure an access control policy for the VPC Border.
Other operations
Edit Instance: To modify the name of a synchronization node or change the IP address of a self-managed DNS server, find the node on the Private DNS tab and click Edit Instance.
Delete: If a synchronization node is no longer needed, you can delete it. Before you delete the node, you must remove all the domain names configured for it. On the Private DNS tab, click Delete.
Important: After you delete a synchronization node, the associated access control policies revert to using the default DNS servers for resolution, so internal domain names may resolve differently and traffic that the policies were meant to allow may be blocked. Proceed with caution.