
Alibaba Cloud DNS: What is HTTPDNS

Last Updated:Dec 04, 2025

HTTPDNS provides a stable, secure, accurate, and fast public recursive resolution service for mobile apps, IoT devices, and other terminal devices. It supports protocols such as HTTP, HTTPS, DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT). When you integrate HTTPDNS with your apps or IoT devices, it replaces traditional Local DNS services. This prevents issues such as domain hijacking, slow resolution, and delayed DNS record updates, and makes domain name resolution for your terminal devices faster and more secure.

Resolution path

[Figure: HTTPDNS resolution path]

Common problems with traditional Local DNS

DNS hijacking

Traditional Local DNS resolution runs over plaintext UDP. Queries and answers are neither encrypted nor authenticated, so an attacker who can observe or forge traffic on the path, or a compromised or misconfigured Local DNS itself, can tamper with responses and redirect user requests to malicious websites or ad pages, opening the door to further security vulnerabilities.

DNS cache poisoning

Similar to domain hijacking, cache poisoning targets the Local DNS rather than an individual client. An attacker injects forged records into the resolver's cache, for example by spoofing answers to the resolver's own upstream queries (which are protected only by a 16-bit transaction ID and the source port) or by exploiting vulnerabilities in the resolver software. Every client of that Local DNS then receives the poisoned record until it expires, which poses a significant threat to the integrity and reliability of your network services.

High resolution latency

The Local DNS used by a terminal device may need to perform multiple recursive queries to obtain the final resolution result. If the Local DNS does not have a cached record, the resolution time increases significantly. Some authoritative DNS servers have a limited number of nodes globally. This can cause Local DNS requests to time out, which results in resolution failures on the client side. These problems are exacerbated in weak network environments.

Poor extensibility

New standard protocols such as DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are becoming more common. They carry DNS queries inside transport layer security (TLS), which prevents eavesdropping on and tampering with queries in transit and lets the client authenticate the resolver by its certificate. However, traditional Local DNS often lacks native support for DoH and DoT, which prevents you from taking advantage of these protections.

Long TTL cache period

Local DNS servers apply different cache management policies. Some enforce a long minimum cache time or otherwise keep records longer than the Time-to-Live (TTL) set by the authoritative DNS. When the authoritative record is updated, the cached copy on such a Local DNS does not expire in time, so users keep being sent to an outdated destination address. In a failure scenario this prolongs the outage for every client behind that resolver.

Inaccurate scheduling

Some Local DNS servers do not support the EDNS Client Subnet (ECS) option, so they cannot pass the client's source IP subnet to the authoritative DNS. The authoritative DNS then sees only the resolver's address and makes inaccurate location-based scheduling decisions. In addition, some public DNS services forward queries through proxies or egress nodes in other regions, so even the resolver address that the authoritative DNS sees can be far from the client.

Advantages of HTTPDNS

App anti-hijacking for better security

Unlike the traditional plaintext UDP protocol, HTTPDNS supports encrypted and authenticated transports such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ). Using HTTPDNS for recursive resolution bypasses the Local DNS entirely, so a hijacking or poisoned Local DNS is never consulted. Note that the protection against on-the-wire tampering comes from the TLS channel: a client that uses the plain HTTP endpoint still avoids the Local DNS, but its answers are not integrity-protected in transit, so prefer HTTPS, DoH, DoT, or DoQ and make sure the client validates the server certificate.
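The following Python example is added here for illustration; it is not part of the HTTPDNS documentation, SDK, or API. It makes the hijacking and cache-poisoning problems described under "Common problems with traditional Local DNS" concrete and shows why the TLS-based transports above remove them. It builds a minimal DNS query and answer in RFC 1035 wire format, models the only checks a plain-UDP client can make on an incoming answer (transaction ID and echoed question), shows that a forged answer with a guessed ID passes those checks, and estimates how many blind guesses an attacker needs. It then wraps the same query in an RFC 8484 DoH GET request, where the server is authenticated by its TLS certificate instead. The domain names, addresses, and the DoH endpoint (https://doh.example/dns-query) are constructed placeholders.

```python
import base64
import struct

# Minimal RFC 1035 wire-format helpers, constructed for this example.
# They are not the HTTPDNS SDK or API.

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, qname: str) -> bytes:
    # flags 0x0100 = standard query with recursion desired; one question, type A, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_response(txid: int, qname: str, ipv4: str, ttl: int) -> bytes:
    # flags 0x8180 = response, recursion desired and available; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # the answer name is a compression pointer (0xC00C) back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_question(msg: bytes):
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, flags, ".".join(labels), qtype, qclass

def naive_udp_accepts(query: bytes, response: bytes) -> bool:
    """The only checks a plain-UDP stub resolver can make on an incoming packet:
    it is a response, its transaction ID matches, and the question is echoed back.
    Nothing here proves which server actually sent it."""
    q, r = parse_question(query), parse_question(response)
    return bool(r[1] & 0x8000) and q[0] == r[0] and q[2:] == r[2:]

def answer_ipv4(response: bytes) -> str:
    # the first answer RR follows the question section; its fixed part is 12 bytes
    _, _, qname, _, _ = parse_question(response)
    rr = 12 + len(encode_name(qname)) + 4
    return ".".join(str(b) for b in response[rr + 12:rr + 16])

def spoof_success_probability(forged_packets: int, id_bits: int = 16, port_bits: int = 0) -> float:
    """Probability that at least one of `forged_packets` blind guesses matches the
    transaction ID (and the source port, if the resolver randomises it) before the
    genuine answer arrives. With only the 16-bit ID to guess, 65536 packets give
    roughly a 63% chance; a randomised 16-bit port multiplies the attacker's cost by 65536."""
    space = 2 ** (id_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** forged_packets

def doh_get_url(query: bytes, endpoint: str) -> str:
    """RFC 8484 GET form: the identical wire-format query, base64url-encoded without
    padding, as the `dns` parameter of an HTTPS request. The server is authenticated by
    its TLS certificate, so a forged packet from a third party never enters this channel."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"

def doh_decode_query(dns_param: str) -> bytes:
    padded = dns_param + "=" * (-len(dns_param) % 4)
    return base64.urlsafe_b64decode(padded)

if __name__ == "__main__":
    txid = 0x1234
    query = build_query(txid, "api.example.com")
    genuine = build_response(txid, "api.example.com", "203.0.113.10", 60)
    forged = build_response(txid, "api.example.com", "198.51.100.66", 86400)
    print("genuine accepted:", naive_udp_accepts(query, genuine))
    print("forged accepted: ", naive_udp_accepts(query, forged), "->", answer_ipv4(forged))
    print("P(win) with 65536 blind guesses, ID only:", round(spoof_success_probability(65536), 3))
    # RFC 8484 recommends transaction ID 0 in DoH queries so responses are cacheable at the HTTP layer
    print(doh_get_url(build_query(0, "api.example.com"), "https://doh.example/dns-query"))
```

The forged answer is indistinguishable from the genuine one at the UDP layer, and it carries a one-day TTL so that the poisoned entry outlives the real record. Over DoH the same query bytes travel inside a TLS session, and the client's trust decision moves from "did the ID match" to "did the certificate validate", which is why certificate validation on the client must not be disabled.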

Global nodes for accelerated resolution

You can enable local resolution caching on the client side so that repeated lookups are answered from the cache with no network round trip (effectively 0 ms of resolution latency) for as long as the record's TTL is valid. This greatly improves the domain name access experience and resolution success rate. HTTPDNS is deployed in multiple clusters worldwide to provide accelerated resolution for global users.
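A client-side cache that honours TTLs, as an added Python example; it is constructed for this page and is not the HTTPDNS SDK's own cache. The `lookup` callable stands in for an HTTPDNS request. Hits are served locally with no network round trip, records are never kept longer than a client-side cap regardless of the TTL the server returns (the client-side counterpart of the long-TTL problem described above), and an expired answer is served only when the caller explicitly allows it and the network lookup fails, which is the weak-network case. The clock is injected so the expiry behaviour can be exercised deterministically; the host name and address are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class CachedRecord:
    ips: List[str]
    expires_at: float     # absolute time on the injected clock

class ClientDnsCache:
    """TTL-honouring client-side resolution cache (constructed example, not the HTTPDNS SDK).

    `lookup` stands in for an HTTPDNS request: it returns (ips, ttl_seconds) and
    raises OSError when the network is unavailable."""

    def __init__(self, lookup: Callable[[str], Tuple[List[str], int]],
                 clock: Callable[[], float] = time.monotonic, max_ttl: int = 600):
        self._lookup = lookup
        self._clock = clock
        self._max_ttl = max_ttl            # never keep a record longer than this, whatever the server said
        self._entries: Dict[str, CachedRecord] = {}
        self.hits = 0
        self.misses = 0

    def resolve(self, host: str, allow_stale: bool = False) -> List[str]:
        now = self._clock()
        rec = self._entries.get(host)
        if rec is not None and now < rec.expires_at:
            self.hits += 1
            return rec.ips                 # served locally: no network round trip
        self.misses += 1
        try:
            ips, ttl = self._lookup(host)
        except OSError:
            if allow_stale and rec is not None:
                return rec.ips             # weak-network fallback: an expired answer beats no answer
            raise
        ttl = max(0, min(int(ttl), self._max_ttl))
        self._entries[host] = CachedRecord(list(ips), now + ttl)
        return list(ips)

    def invalidate(self, host: Optional[str] = None) -> None:
        """Drop one host (or everything), e.g. after a connection to a cached IP fails."""
        if host is None:
            self._entries.clear()
        else:
            self._entries.pop(host, None)

if __name__ == "__main__":
    # Constructed lookup: the first call succeeds with a 30 s TTL, later calls fail.
    calls = []
    def lookup(host):
        calls.append(host)
        if len(calls) > 1:
            raise OSError("network unreachable")
        return ["203.0.113.10"], 30

    now = [1000.0]
    cache = ClientDnsCache(lookup, clock=lambda: now[0])
    print(cache.resolve("api.example.com"))                    # network lookup
    print(cache.resolve("api.example.com"))                    # cache hit
    now[0] += 31                                               # TTL elapsed
    print(cache.resolve("api.example.com", allow_stale=True))  # lookup fails, stale answer served
    print("hits/misses:", cache.hits, cache.misses)
```

Serving stale answers is a deliberate trade-off: it keeps the app working through a flaky network, but it also means a record change is not picked up until connectivity returns, so the fallback should be opt-in per call rather than the default.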

Fast propagation of DNS record changes

For public authoritative domain names hosted on Alibaba Cloud DNS (Paid Edition), DNS record changes can trigger an automatic data refresh on HTTPDNS, which allows changes to take effect in seconds. The automatic refresh feature of HTTPDNS is especially useful during a failure when you need to make urgent changes, because it helps your DNS record changes take effect quickly on terminal devices.

Accurate scheduling based on source IP

HTTPDNS supports the ECS protocol and sends resolution requests that include the terminal device's source IP information to the authoritative DNS. This allows for more accurate scheduling by the authoritative DNS.
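An added Python example, not part of the HTTPDNS documentation, that shows how the source IP information is carried on the wire: it encodes the EDNS Client Subnet option (RFC 7871) inside an EDNS(0) OPT pseudo-RR (RFC 6891) and parses it back. The client address is truncated to the source prefix length before it is sent, so the authoritative DNS learns the client's network but not its full host address; RFC 7871 recommends sending no more than /24 for IPv4 and /56 for IPv6. The addresses are constructed documentation-range values, and the UDP payload size is an assumed default.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41        # EDNS(0) OPT pseudo-RR, RFC 6891
ECS_OPTION_CODE = 8     # EDNS Client Subnet, RFC 7871

def ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """Encode an ECS option for a query. The client address is truncated to
    `source_prefix` bits, so the authoritative DNS learns the client's network rather
    than its exact host address (RFC 7871 recommends at most /24 for IPv4 and /56 for
    IPv6). SCOPE PREFIX-LENGTH is always 0 in queries."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    limit = 32 if family == 1 else 128
    if not 0 <= source_prefix <= limit:
        raise ValueError("prefix length out of range for address family")
    network = ipaddress.ip_network(f"{client_ip}/{source_prefix}", strict=False)
    addr_bytes = network.network_address.packed[:(source_prefix + 7) // 8]
    payload = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload

def opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """OPT pseudo-RR carrying EDNS options: root name, TYPE 41, the CLASS field reused as
    the advertised UDP payload size, the TTL field as extended RCODE/version/flags (zero)."""
    return b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(options)) + options

def parse_ecs(option: bytes):
    """Decode an ECS option (query or response) into (address, source_prefix, scope_prefix).
    In a response the scope prefix says how wide a network the answer is valid for, which
    bounds how broadly a caching resolver may reuse that answer."""
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", option[4:8])
    raw = option[8:4 + length]
    width = 4 if family == 1 else 16
    if len(raw) != (source_prefix + 7) // 8 or len(raw) > width:
        raise ValueError("address length does not match prefix length")
    address = ipaddress.ip_address(raw + b"\x00" * (width - len(raw)))
    return str(address), source_prefix, scope_prefix

if __name__ == "__main__":
    # Constructed documentation-range client address: send the /24, not the full /32.
    opt = ecs_option("203.0.113.77", 24)
    print(opt.hex())
    print(parse_ecs(opt))
    print(opt_rr(opt).hex())
```

Only three address bytes leave the device for a /24, and the parser rejects an option whose address length does not agree with its prefix length, which is the check a resolver should make before trusting the option.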

Network traffic analysis and detailed logs

You can analyze the traffic of resolution requests made to HTTPDNS and view trends in domain name resolution request volumes and rankings of top requested domain names. The service also provides detailed log records for each resolution request and response, which facilitates troubleshooting during operations and maintenance (O&M).

Stability, reliability, and SLA guarantee

When you connect to HTTPDNS through the software development kit (SDK), resolution service availability is covered by a 99.99% service-level agreement (SLA). HTTPDNS uses globally redundant nodes for disaster recovery, which keeps the service stable and reliable.

Core features

Feature set | Feature | Description | References
--- | --- | --- | ---
Connection configuration | Key management | Create AccessKeys to connect to HTTPDNS through the SDK or JSON API. You can also pause, enable, or delete these AccessKeys. | Connection configuration
Blacklists and whitelists | Whitelist | If the whitelist is empty, all domain names are resolved by default. You can also set a whitelist to allow resolution only for the domain names in the list. Because a key shipped inside a mobile app can be extracted, a whitelist also limits what a leaked key can be used to resolve. | Blacklists and whitelists
Blacklists and whitelists | Blacklist | Set a blacklist to block resolution requests for specific domain names. | Blacklists and whitelists
Built-in authoritative zone | Built-in authoritative zone | You can define private authoritative zones and DNS records directly in HTTPDNS. These records take effect only for resolution requests that carry a specific configuration ID (Account ID), whether sent through the SDK, JSON API, DoT, or DoH. | Built-in authoritative zone

Typical scenarios

Many leading global applications for games, social media, video, and payments, along with IoT devices such as smart speakers and in-vehicle systems, use HTTPDNS.

DNS anti-hijacking

Applicable users: This service is intended for all users who have experienced domain name resolution hijacking. It is suitable for mobile apps, smart speakers, in-vehicle systems, and other IoT terminal devices. It is especially useful for apps with high user experience requirements, such as games, video, social media, and e-commerce, and is often used by global businesses to prevent domain hijacking by Local DNS in different regions.

You can connect to the service using the JSON RPC API or the SDKs for iOS and Android.

Customer value:

  • Secure anti-hijacking: Bypasses Local DNS to prevent domain hijacking. The resolution service is also protected by DDoS mitigation, so end users can keep resolving names while the service is under attack.

  • User privacy protection: Supports the DoT and DoH protocols. Both run over transport layer security (TLS), which encrypts queries in transit so that intermediaries can neither read nor alter them, protecting against data leaks and safeguarding user privacy.

  • Accelerated access: HTTPDNS and public authoritative resolution are refreshed automatically and in sync, which shortens the recursive resolution path and effectively gives clients direct access to authoritative data, accelerating access.

  • Nearest access: A global network of cluster nodes provides users with nearest access.

  • Basic resolution: Provides basic domain name resolution services. It supports domain name resolution using the HTTP, HTTPS, DoH, DoT, and DoQ protocols.

Coordinated resolution for faster change propagation

This scenario applies when you use HTTPDNS, Alibaba Cloud DNS for authoritative resolution, and Global Traffic Manager for your full-stack DNS solution.

Coordinated resolution: HTTPDNS and Alibaba Cloud DNS (authoritative resolution) can detect domain name changes in seconds, which allows resolution updates to take effect faster.

Terminal acceleration: DNS cache acceleration reduces recursive lookups and returns the IP address of the nearest node based on the access source.

Disaster recovery and backup: When used with Global Traffic Manager, the service uses health checks to automatically reroute traffic to the optimal node.

Accurate scheduling: IP-based scheduling is more accurate because HTTPDNS and Alibaba Cloud DNS share the same address database.

Global cluster distribution

The global tier-1 DNS cluster nodes include the following:

China (Hangzhou), China (Shanghai), China (Chengdu), China (Shenzhen), China (Beijing), China (Qingdao), China East 5 (Nanjing - local region - decommissioning), Dalian, Xi'an, Wuhan, Taiyuan, Zhengzhou, Tianjin, Jinan, Shijiazhuang, China (Hong Kong), US (Silicon Valley), US (Virginia), US (Atlanta), Mexico, Singapore, Germany (Frankfurt), Japan (Tokyo), UK (London), Indonesia (Jakarta), Philippines (Manila), Malaysia (Kuala Lumpur), South Korea (Seoul), Thailand (Bangkok), UAE (Dubai), and SAU (Riyadh - Partner Region).

In addition to the tier-1 DNS cluster nodes, Alibaba Cloud has expanded its network with over 160 tier-2 DNS recursive nodes. These nodes cover major tier-1 and tier-2 cities and the three major carriers in the Chinese mainland. This vast network provides users with faster and more accurate DNS resolution, which significantly improves the network access experience.

A global multi-cluster deployment ensures that you can obtain low-latency, highly reliable domain name resolution services, regardless of your location.

Note

The cluster node information is for reference only and does not constitute a service commitment. The cluster node information is subject to change as our infrastructure evolves.

System architecture

HTTPDNS consists of a control layer and a resolution layer:

  • Control layer: The control layer provides services using the console and OpenAPI. It manages and stores DNS data, configuration data, and logs. The control layer is located in the China (Zhangjiakou) and China (Hangzhou) regions in the Chinese mainland.

  • Resolution layer: The resolution layer provides services using globally deployed server clusters. It retrieves DNS records from the control layer and responds to DNS queries. The resolution layer has nodes deployed across major continents and regions worldwide.