DoH JSON API
Resolve domain names over HTTPS using the DoH JSON API, available on both TLS and non-TLS endpoints.
Endpoints
-
https://223.5.5.5/resolve?name=domain&type=record type&uid=AccountID&ak=AccessKey ID&key=****&ts=timestamp
-
http://223.5.5.5/resolve?name=domain&type=record type&uid=AccountID&ak=AccessKey ID&key=****&ts=timestamp
-
https://223.6.6.6/resolve?name=domain&type=record type&uid=AccountID&ak=AccessKey ID&key=****&ts=timestamp
-
http://223.6.6.6/resolve?name=domain&type=record type&uid=AccountID&ak=AccessKey ID&key=****&ts=timestamp
Request parameters
Method: GET. Parameters:
|
Parameter |
Type |
Description |
Example |
Usage and default |
|
name |
string |
Domain name in the request |
name=www.taobao.com |
Required, no default value |
|
type |
string |
type=A |
Optional, no default value |
|
|
edns_client_subnet |
IP |
ECS IP |
edns_client_subnet=1.2.XX.XX/24 |
For DNS proxies only |
|
short |
boolean |
short=true or short=1 |
Optional, disabled by default |
|
|
uid |
string |
Account ID from the console (not the Alibaba Cloud account ID) |
uid=9**9 |
Required, no default value |
|
ak |
string |
AccessKey ID from the console |
ak=test |
Required, no default value |
|
ts |
string |
Timestamp |
Unsigned integer, seconds since January 1, 1970 |
ts=1614927253 Required, no default value |
|
key |
string |
Hash string for authentication |
Signature generated using AccessKey Secret |
key=fb321ab77496a89c04de0a1e979bfee4b4678a0dcd57f4da1da83****490f64b Required, no default value |
|
did |
string |
Device ID |
did=afck0100 |
Optional |
About the edns_client_subnet parameter
The edns_client_subnet parameter implements DNS ECS (RFC7871), passing user subnet information to the authoritative DNS for accurate resolution and traffic rerouting. Longer subnet masks provide more precise addressing; shorter masks improve privacy. A /24 mask length is recommended.
Use this parameter when a DNS proxy forwards queries via the DoH JSON API. The proxy sends the user's subnet information to HTTPDNS, which passes it to the authoritative server.
For example, with subnet=1.2.XX.XX/24, the authoritative server receives the 1.2.XX.XX/24 prefix to select the optimal DNS path.
About supported types for the type parameter
|
Record type |
ID |
Remarks |
|
A |
1 |
IPv4 address |
|
NS |
2 |
NS record |
|
CNAME |
5 |
Domain CNAME record |
|
SOA |
6 |
ZONE SOA record |
|
TXT |
16 |
TXT record |
|
AAAA |
28 |
IPv6 address |
|
PTR |
12 |
PTR record, used for reverse DNS lookup |
|
MX |
15 |
Mail exchange record |
|
SRV |
33 |
SRV record specifies host and port for specific services |
|
CAA |
257 |
CAA record is a security measure to prevent incorrect issuance of HTTPS certificates |
Algorithm for generating the authentication parameter key
key = sha256(AccountID+AccessKey Secret+ts+qname+AccessKey ID)
Note: The plus sign (+) represents string concatenation, not the actual "+" character.
Account ID is the string value of your account ID (e.g., "9**9"). ts is the current request timestamp. qname is the requested domain name. To generate an AccessKey pair, follow Create a key.
Key generation example
Assume:
-
Account ID=5***4
-
AccessKey Secret=12345**
-
qname=aliyun.com
-
ts=1614927253
-
AccessKey ID=5***4_2155917885567****
key=sha256(5***412345**1614927253aliyun.com5***4_2155917885567****)
Generated key:
key=*****ab77496a89c04de0a1e979bfee4b4678a0dcd57f4da1da83***a490f64b
Sample request
https://223.5.5.5/resolve?name=domain&type=record type&uid=AccountID&ak=AccessKey ID&key=****&ts=timestamp
Sample response
{
"Status":0,
"TC":false,
"RD":true,
"RA":true,
"AD":false,
"CD":false,
"Question":{ // Request section
"name":"www.taobao.com.",
"type":1
},
"Answer":[ // Response section
{
"name":"www.taobao.com.",
"TTL":45,
"type":5,
"data":"www.taobao.com.danuoyi.tbcache.com."
},
{
"name":"www.taobao.com.danuoyi.tbcache.com.",
"TTL":45,
"type":1,
"data":"47.246.XX.XX"
},
{
"name":"www.taobao.com.danuoyi.tbcache.com.",
"TTL":45,
"type":1,
"data":"47.246.XX.XX"
}
]
//"Authority" Authority section, if data exists, format is the same as Answer field
//"Additional" Additional section, if data exists, format is the same as Answer field
// Optional "edns_client_subnet":"1.2.XX.XX/24"
}
Response value description
|
Field name |
Description |
Example |
|
Status |
RCODE from the DNS header |
0: noerror 1: formerr 2: servfail 3: nxdomain |
|
TC |
TC flag: whether truncation is possible |
Usually false |
|
RD |
RD flag: whether recursion is desired |
Usually true |
|
RA |
RA flag: whether recursion is available |
Usually true |
|
AD/CD |
DNS header flags |
Usually false |
|
Question |
DNS request field |
None |
|
Answer |
DNS response field |
None |
|
name |
Domain name, included in both Question and Answer |
www.taobao.com |
|
type |
Request type as listed in About supported types for the type parameter |
Such as: A, AAAA, TXT, CNAME, NS, SOA |
|
TTL |
Maximum cache time on the server, in seconds |
3600 |
|
data |
Response data (varies by type) |
None |
Short mode response example:
Example A record request for www.taobao.com:
https://223.5.5.5/resolve?name=domain&type=A&uid=AccountID&short=1&ak=AccessKey ID&key=****&ts=timestamp
Response:
["221.229.XX.XX","61.155.XX.XX","221.229.XX.XX"]
CNAME record request:
https://223.5.5.5/resolve?name=domain&type=CNAME&uid=AccountID&short=1&ak=AccessKey ID&key=****&ts=timestamp
Response:
["www.taobao.com.danuoyi.tbcache.com."]
Failed response
Failed requests return HTTP 4xx/5xx with a JSON error code for debugging or issue reporting.
Example:
{
"code":"UrlParameterError"
}
Error code list
|
Error code |
HTTP status code |
Description |
|
UrlParameterError |
400 |
Request parameter format error |
|
NoPermission |
401 |
Authentication failed |
|
UrlPathError |
404 |
URL error |
|
NoResponse |
500 |
Request timeout, no response |
-
The DoH JSON API Best Practices guide covers domain resolution with HTTPDNS.
-
The SDK handles signatures automatically. Get started with the Android SDK development guide or iOS SDK development guide.