In complex network architectures, business systems may use private Domain Name System (DNS) servers to resolve internal domain names. A private DNS server can be the Alibaba Cloud DNS Private DNS server or a self-managed DNS server. In most cases, the domain names are pointed to internal IP addresses or specific nodes. However, Cloud Firewall uses Alibaba Cloud DNS servers whose IP addresses are 100.100.2.136 and 100.100.2.138 for dynamic domain name resolution by default. You can configure a synchronization node to allow Cloud Firewall to obtain the resolution results of the Alibaba Cloud DNS Private DNS server or a self-managed DNS server. This topic describes how to synchronize the resolution results of private DNS servers in Cloud Firewall.
Limits
Synchronized private DNS resolution results apply only to access control policies whose domain name identification mode is DNS-based Dynamic Resolution or FQDN and DNS-based Dynamic Resolution.
Overview
Before: Business systems use private DNS servers to resolve outbound domain names, but Cloud Firewall uses the Alibaba Cloud DNS servers 100.100.2.136 and 100.100.2.138 to resolve the same names. When the two resolvers return different results, access control policies that identify traffic by domain name become invalid.
After: Cloud Firewall provides synchronization nodes that automatically obtain the resolution results of the Alibaba Cloud DNS Private DNS server or a self-managed DNS server, so that policies are evaluated against the same results your business systems use and do not become invalid because of inconsistent resolution.
Procedure
Before you start, check the type of your DNS server and make sure that the following preparations are complete:
If your DNS server is the Alibaba Cloud DNS Private DNS server, make sure that resolution records are configured.
If your DNS server is a self-managed DNS server, make sure that the mapping between domain names and IP addresses is configured for the self-managed DNS server.
Perform the following steps to configure private DNS resolution settings:
Step 1: Create a synchronization node for private DNS resolution
A synchronization node includes resources such as an endpoint, vSwitch, and endpoint elastic network interface (ENI).
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .

On the Private DNS tab, click Create.
In the Create panel, configure the following parameters.
Parameter
Description
Synchronization Node Name
Enter a name for the synchronization node.
Private DNS Type
If you select PrivateZone, the default IP addresses of the DNS server are 100.100.2.136 and 100.100.2.138.
If you select Self-managed DNS Server, you must specify the IP address of the primary DNS server. You can also specify the IP address of the secondary DNS server based on your business requirements.
The system preferentially uses the primary DNS server for domain name resolution. If a domain name fails to be resolved by the primary DNS server, the system uses the secondary DNS server to resolve the domain name.
If the DNS server uses a public IP address, make sure that your business VPC has a NAT gateway to allow the created synchronization node to access the DNS server.
If the DNS server uses a private IP address, make sure that your business VPC and the DNS server can communicate with each other to allow the created synchronization node to access the DNS server.
Region
Select the region of the VPC to which the synchronization node belongs. The domain name resolution results are applied in the selected region. If your workloads run in two regions, you must create a synchronization node in each region, and configure domain names for each synchronization node. This way, the resolution results of your private DNS server are applied to the access control policies in both regions.
VPC
Select a VPC for the synchronization node. The VPC is used to access the private DNS server. We recommend that you do not select a VPC that is used by a VPC firewall or a NAT firewall.
Zone and vSwitch
Select a vSwitch for the synchronization node. You can also specify an IP address for the ENI of the synchronization node. You must select an IP address that is within the CIDR block of the selected vSwitch and is not in use. If you do not specify an IP address, Cloud Firewall automatically allocates an IP address.
You can configure the following types of zone and vSwitch settings:
Dual-zone scenario (recommended): Create two synchronization nodes in vSwitches in two different zones, so that resolution results continue to be synchronized if one zone fails. Use this setting for disaster recovery.
Single-zone scenario: Create only one synchronization node in a vSwitch in one zone. This setting has no zone-level redundancy, so disaster recovery is not supported.
DNS Resolution Protocol
If your private DNS server is the Alibaba Cloud DNS Private DNS server, this parameter is set to UDP.
If your private DNS server is a self-managed DNS server, you must select a protocol. UDP and TCP are supported.
DNS Resolution Port
If your private DNS server is the Alibaba Cloud DNS Private DNS server, this parameter is set to 53.
If your private DNS server is a self-managed DNS server, you must specify the port of the server. The default value is 53.
Firewall Border
Select the firewall boundary on which you want the resolution results to take effect. One synchronization node can take effect on multiple firewall boundaries. However, one firewall boundary supports only one synchronization node. You must select at least one firewall boundary. Valid values:
Internet Border
NAT Border
VPC Border
DNS Resolution Synchronization Cycle
This parameter is set to Every 5 Minutes.
Click Next.
Step 2: Add a domain name for private DNS resolution
On the Synchronization Nodes page, find the created synchronization node and click Configure Domain Names in the Actions column.
In the Configure Domain Names panel, click Add to add a domain name.
You can add up to 10,000 domain names in total and up to 1,000 domain names in a batch. Wildcard domain names are not supported.
Click View Resolution Details to check whether the IP address that is obtained after the domain name resolution is the same as the actual IP address that is mapped to the domain name.

Click OK.
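The View Resolution Details check above compares what the synchronization node obtained with what your private DNS server actually serves. Before you add a large domain list, it is worth running the same comparison from an ECS instance inside the business VPC, using the protocol and port you configured for the node (UDP only for the Alibaba Cloud DNS Private DNS server; UDP or TCP for a self-managed server). The following script is an added example, not Alibaba Cloud tooling: it sends a raw A query to the primary DNS server, falls back to the secondary server the way the node does, queries the default resolver 100.100.2.136 for the same name, and reports whether the answers agree. It uses only the standard library; the server addresses, port and domain names under `__main__` are constructed placeholders.

```python
"""Pre-check a private DNS server the way a Cloud Firewall synchronization node
queries it, and compare its answers with the default resolver.

Added example, not Alibaba Cloud tooling. A minimal RFC 1035 A-query
encoder/decoder is implemented inline so this runs from any host in the
business VPC over UDP or TCP and on any port.
"""
import socket
import struct

DEFAULT_DNS = ("100.100.2.136", "100.100.2.138")  # Cloud Firewall's default resolvers
TXID = 0x1234  # fixed transaction id; acceptable for a one-shot diagnostic


def build_query(name, txid=TXID):
    """Encode a recursive A/IN query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, txid=TXID):
    """Return the sorted IPv4 answers in a DNS response; raise on error or mismatch."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def resolve(name, server, port=53, proto="udp", timeout=3.0):
    """Query `server` for the A records of `name` over UDP or TCP."""
    query = build_query(name)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            data, _ = s.recvfrom(4096)
    elif proto == "tcp":
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP frames with a 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return parse_a_records(data)


def resolve_with_fallback(name, primary, secondary=None, **kw):
    """Primary first; secondary only if the primary fails, as the node does."""
    try:
        return resolve(name, primary, **kw)
    except (OSError, ValueError):
        if secondary is None:
            raise
        return resolve(name, secondary, **kw)


def diff_answers(private_ips, default_ips):
    """'consistent', 'private-only' (default resolver has no answer, so a policy
    without a sync node would miss this traffic) or 'disagree' (both answer, differently)."""
    if set(private_ips) == set(default_ips):
        return "consistent"
    if not default_ips:
        return "private-only"
    return "disagree"


if __name__ == "__main__":
    # Constructed placeholders: replace with your DNS servers and domain list.
    primary, secondary, proto, port = "10.0.0.53", "10.0.1.53", "tcp", 53
    for domain in ("app.internal.example", "db.internal.example"):
        try:
            private_ips = resolve_with_fallback(domain, primary, secondary, port=port, proto=proto)
        except (OSError, ValueError) as exc:
            print("%-28s private DNS unreachable: %s" % (domain, exc))
            continue
        try:
            default_ips = resolve(domain, DEFAULT_DNS[0])
        except (OSError, ValueError):
            default_ips = []
        print("%-28s %-12s private=%s default=%s" % (domain, diff_answers(private_ips, default_ips), private_ips, default_ips))
```

A `private DNS unreachable` line usually means the connectivity precondition from Step 1 is not met (no NAT gateway for a public DNS address, or no route between the business VPC and a private one), and the synchronization node will fail the same way. A `disagree` result is the exact condition that invalidates domain-based policies until the node is in place.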
Step 3: Configure domain name-based access control policies
Configure an access control policy to manage traffic from an Internet-facing asset to the Internet. For more information, see Create access control policies for the Internet firewall.
Configure an access control policy to manage traffic from a resource such as an ECS instance or an elastic container instance in a VPC to the Internet over a NAT gateway. For more information, see Create an access control policy for a NAT firewall.
Configure an access control policy to manage traffic between network instances that are connected by using a transit router of a Cloud Enterprise Network (CEN) instance or an Express Connect circuit. For more information, see Create an access control policy for a VPC firewall.
More operations
Modify a synchronization node: If you want to change the name of a synchronization node or the IP address of the related self-managed DNS server, find the synchronization node and click Edit Instance on the Synchronization Nodes page.
Delete a synchronization node: If you no longer require a synchronization node to connect to your private DNS server, find the synchronization node and click Delete on the Synchronization Nodes page. Before you delete a synchronization node, you must remove the configured domain names.
Important: After you delete a synchronization node, Cloud Firewall falls back to the default DNS servers (100.100.2.136 and 100.100.2.138), and the access control policies that referenced the synchronized domain names are evaluated against those results from then on. If the private and default resolvers disagree, those policies may no longer match the intended traffic. Proceed with caution.