Alibaba Cloud DNS: Blacklist/Whitelist

Last Updated: Jan 19, 2026

You can configure Blacklist/Whitelist to control domain name resolution responses. This lets you permit resolution only for specific domain names or block resolution for others.

Business rules

Domain name resolution requests are first checked against the whitelist. If the whitelist is not empty, only domain names on the list are allowed to proceed. If the whitelist is empty, all requests proceed. Next, the requests are checked against the blacklist. Domain names on the blacklist are blocked, while all other domain names are resolved normally.

  • If both the whitelist and the blacklist are empty, all domain names are resolved normally.

  • If only the whitelist contains domain names, only the domain names on the whitelist are resolved normally.

  • If only the blacklist contains domain names, all domain names are resolved normally except for those on the blacklist, which are blocked.

  • If both the whitelist and the blacklist contain domain names, only domain names that are on the whitelist but not on the blacklist are resolved normally. All other domain names are blocked.

    Important

    The Blacklist/Whitelist feature is not supported for unencrypted connections that bind the source IP of a resolution request to a network egress.

Add entries to a Blacklist/Whitelist

  1. Log on to the Alibaba Cloud DNS - HTTPDNS console.

  2. Switch to the Blacklist/Whitelist tab.

  3. Click Whitelist or Blacklist, and then click Add Zone. In the Add Domain Name dialog box, enter the domain names to add.

    Note
    • If you set Domain Name Type to Domain Name (Exclude Subdomain Names), the Blacklist/Whitelist rule applies only to the exact-match domain name. To apply the rule to all subdomains of the domain name, select Zone (Include All Subdomain Names).

    • You can add up to 50 domain names or zones (all subdomains included) in a single batch operation. The domain name type must be the same for all entries in the batch.

    • The Whitelist and the Blacklist can each contain a maximum of 100 entries. Each domain name or zone counts as a single entry.

  4. After you add a domain name, its status is Disable. To activate the rule, find the domain name and click Enable in the Actions column.

    Warning
    • After you enable a domain name, the Blacklist/Whitelist feature takes effect immediately. Ensure that the configuration is correct before you proceed.

    • If you use a DNS over HTTPS (DoH) connection, you cannot log on to the Alibaba Cloud DNS console from your DoH-enabled browser if the whitelist does not contain aliyun.com or if aliyun.com is on the blacklist. To adjust the Blacklist/Whitelist configuration, first disable the DoH settings in your browser and then log on to the console.

    • If you use a software development kit (SDK) connection, the SDK retrieves the Blacklist/Whitelist policy on startup. This reduces the number of resolution requests sent to HTTPDNS and lowers your costs. Because the Blacklist/Whitelist policy is configured in HTTPDNS and must be periodically synchronized to the SDK, a small number of unexpected domain name requests may occur during SDK initialization. This is normal.

    • If you use a DoH connection, the Blacklist/Whitelist policy is enforced on HTTPDNS. The policy is applied only after a client's request reaches HTTPDNS, at which point the request is counted. Therefore, this method does not reduce the number of DoH requests or lower your costs.
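
Because an enabled rule takes effect immediately, it helps to dry-run a planned policy before enabling it. The following is an added example, not Alibaba Cloud code or an SDK API: it models the business rules above, including the two domain name types and the Disable status, and checks for the aliyun.com lockout described in the warning. The `Entry` class, the function names and the sample policy are hypothetical, and it assumes that a zone entry also covers the zone name itself and that disabled entries are ignored when deciding whether a list is empty.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    name: str
    zone: bool = False     # True: Zone (Include All Subdomain Names)
    enabled: bool = False  # entries are in Disable status until enabled

def _norm(name):
    return name.strip().rstrip(".").lower()

def _matches(entry, qname):
    q, n = _norm(qname), _norm(entry.name)
    # Assumption: a zone entry covers the zone name itself and its subdomains.
    return q == n or (entry.zone and q.endswith("." + n))

def _hit(entries, qname):
    return any(e.enabled and _matches(e, qname) for e in entries)

def is_resolved(qname, whitelist, blacklist):
    """Whitelist first (if it has active entries), then blacklist."""
    # Assumption: a list holding only disabled entries counts as empty.
    if any(e.enabled for e in whitelist) and not _hit(whitelist, qname):
        return False
    return not _hit(blacklist, qname)

def locks_out_console(whitelist, blacklist):
    """True if a DoH-enabled browser could no longer resolve aliyun.com."""
    return not is_resolved("aliyun.com", whitelist, blacklist)

# Constructed sample policy (not real configuration).
WHITELIST = [
    Entry("example.com", zone=True, enabled=True),
    Entry("partner.example.net", enabled=True),       # exact match only
    Entry("aliyun.com", zone=True, enabled=False),    # added, never enabled
]
BLACKLIST = [Entry("ads.example.com", zone=True, enabled=True)]

def evaluate(names):
    return {n: is_resolved(n, WHITELIST, BLACKLIST) for n in names}

if __name__ == "__main__":
    sample = ["www.example.com", "t.ads.example.com", "evilexample.com",
              "partner.example.net", "api.partner.example.net", "aliyun.com"]
    for name, ok in evaluate(sample).items():
        print(f"{name:26} {'resolve' if ok else 'block'}")
    print("console lockout over DoH:", locks_out_console(WHITELIST, BLACKLIST))
```

With this sample policy the check reports a lockout, because the aliyun.com whitelist entry was added but left in Disable status while other whitelist entries are active.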

Batch operations

To help you manage domain names in batches, the Blacklist/Whitelist feature provides Batch Disable, Batch Enable, and Batch Delete operations. You can also use fuzzy queries to search for domain names.