
Alibaba Cloud DNS: Blacklists and whitelists

Last Updated: Nov 21, 2025

Configure blacklists and whitelists to control domain name resolution responses. This lets you permit resolution for only specific domain names or block resolution for others.

Business rules

Domain name resolution requests are first checked against the whitelist. If the whitelist is empty, all requests pass this check. If the whitelist is not empty, only domain names on the list pass this check. Next, requests are checked against the blacklist. Domain names on the blacklist are blocked. Domain names that are not on the blacklist are resolved normally.

  • If both the whitelist and the blacklist are empty, all domain names are resolved normally.

  • If only the whitelist contains domain names, only the domain names on the whitelist are resolved normally.

  • If only the blacklist contains domain names, all domain names are resolved normally except for those on the blacklist, which are blocked.

  • If both the whitelist and the blacklist contain domain names, only domain names that are on the whitelist but not on the blacklist are resolved normally. All other domain names are blocked.

    Important

    The blacklist and whitelist feature is not supported for unencrypted connections that bind the source IP of a resolution request to a network egress.

Add entries to a blacklist or whitelist

  1. Log on to the Alibaba Cloud DNS - HTTPDNS console.

  2. Click the Blacklists and whitelists tab.

  3. Click Whitelist or Blacklist, and then click Add Zone. In the dialog box, enter the domain names to add. Then, click OK.

    Note
    • If you set Domain Name Type to Domain Name (Exclude subdomain), the blacklist and whitelist rule applies only to the exact-match domain name. To apply the rule to all subdomains, select Zone (Include all Subdomains Names).

    • You can add up to 50 domain names or zones (all subdomains included) in a single batch operation. The domain name type must be the same for all entries in the batch.

    • The blacklist and the whitelist can each contain a maximum of 100 entries. Each entry is counted as one, regardless of whether it is a domain name or a zone that includes subdomains.

  4. After you add a domain name, its status is Paused. To activate the rule, find the domain name and click Enable in the Actions column.

    Warning
    • After you enable a domain name, the blacklist and whitelist feature takes effect immediately. Confirm that the configuration is correct before you proceed.

    • If you use a DNS over HTTPS (DoH) connection, you cannot log on to the Alibaba Cloud DNS console from your DoH-enabled browser if the whitelist does not contain aliyun.com or if aliyun.com is on the blacklist. To adjust the blacklist and whitelist configuration, you must first disable the DoH settings in your browser and then log on to the console.

    • If you use a software development kit (SDK) connection, the SDK retrieves the blacklist and whitelist policy on startup. This reduces the number of resolution requests sent to HTTPDNS and lowers your costs. Because the blacklist and whitelist policy is configured in HTTPDNS and must be periodically synchronized to the SDK, a small number of unexpected domain name requests may occur during SDK initialization. This is normal.

    • If you use a DoH connection, the blacklist and whitelist policy is enforced on HTTPDNS. The policy is applied only after a client's request reaches HTTPDNS and is counted. Therefore, this method does not reduce the number of DoH requests or lower your costs.
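
Because an enabled rule takes effect immediately, it helps to model the evaluation order from Business rules, the domain-type note, and the DoH lockout warning offline before you click Enable. The following Python model is an added example, not Alibaba Cloud code; the `Entry` class, the function names, and the sample domains are hypothetical. It assumes that a zone entry also matches the zone apex and that Paused entries are treated as absent from their list.

```python
from dataclasses import dataclass

MAX_ENTRIES = 100  # per-list limit stated on this page


@dataclass(frozen=True)
class Entry:
    name: str
    zone: bool = False    # True = "Zone (Include all Subdomains Names)"
    enabled: bool = True  # entries are Paused until enabled in the console


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _matches(entry: Entry, qname: str) -> bool:
    e, q = _norm(entry.name), _norm(qname)
    # Assumption: a zone entry covers the apex and every subdomain below it.
    return q == e or (entry.zone and q.endswith("." + e))


def _active(entries):
    if len(entries) > MAX_ENTRIES:
        raise ValueError("a list can hold at most 100 entries")
    # Assumption: Paused entries are ignored, as if absent from the list.
    return [e for e in entries if e.enabled]


def resolves(qname, whitelist, blacklist) -> bool:
    wl, bl = _active(whitelist), _active(blacklist)
    # Check 1: an empty whitelist passes everything; otherwise a match is required.
    if wl and not any(_matches(e, qname) for e in wl):
        return False
    # Check 2: any name on the blacklist is blocked.
    return not any(_matches(e, qname) for e in bl)


def preflight(whitelist, blacklist, must_resolve):
    """Return the names in must_resolve that this policy would block."""
    return [n for n in must_resolve if not resolves(n, whitelist, blacklist)]


# Constructed sample policy; the example.com names are placeholders.
WL = [Entry("example.com", zone=True), Entry("aliyun.com")]
BL = [Entry("ads.example.com"), Entry("tracker.example.com", enabled=False)]

if __name__ == "__main__":
    for name in ("api.example.com", "ads.example.com", "tracker.example.com", "other.test"):
        print(name, "->", "resolve" if resolves(name, WL, BL) else "block")
    print("would be blocked:", preflight(WL, BL, ["aliyun.com", "sub.aliyun.com"]))
```

In the sample policy, aliyun.com is whitelisted as an exact-match domain name, so `preflight` reports the constructed subdomain sub.aliyun.com as blocked; a zone entry would be needed to cover it.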

Batch operations

To help you manage domain names in batches, the blacklist and whitelist feature provides Batch Disable, Batch Enable, and Batch Delete operations. Fuzzy queries for domain names are also supported.