
Access configuration

Last Updated: May 19, 2025

The recursive resolution service (Public DNS) supports encrypted access (access over HTTP, HTTPS, DoH, and DoT) and non-encrypted access (access over TCP and UDP). You can log on to the Alibaba Cloud DNS console and click Recursive Resolution (Public DNS) in the left-side navigation pane to access the Access Configuration tab.

Encrypted access (access over HTTP, HTTPS, DoH, and DoT)

Public DNS provides three types of encrypted access: SDK-based access, access by calling the JSON API, and DoT/DoH-based access. If you use the SDK-based access method or the method of access by calling the JSON API, you must create a key pair for authentication. For more information, see Service authentication.

Method 1: SDK-based access

Scenarios: This method is suitable for scenarios in which you want to prevent DNS hijacking of the domain names that your mobile apps and IoT devices resolve. Integrating the Alibaba Cloud Public DNS SDK provides the same capabilities as integrating HTTPDNS.

  1. Download Public DNS SDK for Android or Public DNS SDK for iOS based on the operating system of your app.

  2. Integrate the SDK with your app. For more information, see the following topics:

  3. Go to the Recursive Resolution (Public DNS) page in the Alibaba Cloud DNS console. On the Traffic Analysis tab, check whether the statistics about resolutions are displayed. If the statistics about resolutions are displayed, Alibaba Cloud Public DNS is successfully configured as your DNS service.

Method 2: Access by calling the JSON API

Scenarios: This method is suitable for scenarios in which you cannot use SDKs and need to use native API operations to initiate DNS requests.

You can use the following URLs to call the JSON API for DNS over HTTPS (DoH). Both Transport Layer Security (TLS) and non-TLS API operations are provided. Note that the account ID, AccessKey ID, and key travel as query parameters, so the non-TLS URLs expose them to anyone on the path.

  • https://223.5.5.5/resolve?name=Domain name&type=Record type&uid=Account ID&ak=AccessKey ID&key=****&ts=Timestamp

  • http://223.5.5.5/resolve?name=Domain name&type=Record type&uid=Account ID&ak=AccessKey ID&key=****&ts=Timestamp

  • https://223.6.6.6/resolve?name=Domain name&type=Record type&uid=Account ID&ak=AccessKey ID&key=****&ts=Timestamp

  • http://223.6.6.6/resolve?name=Domain name&type=Record type&uid=Account ID&ak=AccessKey ID&key=****&ts=Timestamp

For more information, see JSON API for DoH.

Method 3: DoT/DoH-based access

Scenarios: This method is suitable for clients such as browsers and mobile phones. However, service authentication is not supported. We recommend that you do not use this method.

Configure the address of a DNS over TLS (DoT) or DoH server based on the corresponding format. Replace user_id with the value of the Account ID parameter that you can obtain from the Access Configuration tab of the Recursive Resolution (Public DNS) page in the Alibaba Cloud DNS console.

Method 1: Short address-based access (low security, not recommended)

Address of a DoT server: user_id.alidns.com

Address of a DoH server: https://user_id.alidns.com/dns-query

Important

Unauthorized users may perform DNS resolution by using your account. Make sure that you keep your account ID confidential.

Method 2: Custom address-based access

We recommend this method. It lets you customize the addresses that can access the service, which provides higher security and reduces the risk of unauthorized access and data leakage.

Address of a DoT server: user_id-custom_field.alidns.com

Address of a DoH server: https://user_id-custom_field.alidns.com/dns-query

DoT- or DoH-based access: By default, DoT- or DoH-based access is disabled. You can manually enable DoT- or DoH-based access.

Warning

If DoT- or DoH-based access is disabled, DNS requests over DoT or DoH are rejected.
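The script below is an added example, not code from the page or from Alibaba Cloud. It shows what a DoH client actually sends to the custom DoH address from Method 2: it builds the `https://user_id-custom_field.alidns.com/dns-query` URL (refusing the short form that carries only the account ID), encodes an RFC 8484 wire-format query as the base64url `dns` parameter of a GET request, and parses a wire-format answer, including name compression pointers. The `user_id` and custom field values and the response bytes are constructed samples.

```python
"""RFC 8484 DoH GET request builder and wire-format answer parser.

Added example. The custom address layout is from the page; "123456",
"edge01" and SAMPLE_ANSWER are constructed values.
"""
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Constructed answer: id 0, flags 0x8180 (response, RD, RA, NOERROR), one
# question, one A record with TTL 300 and a name compression pointer (0xC00C).
SAMPLE_ANSWER = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a"
)


def doh_server_url(user_id: str, custom_field: str) -> str:
    """Custom address form from the page; the short form (no custom field) is refused."""
    if not custom_field:
        raise ValueError("custom field required: the short address exposes the account ID alone")
    return f"https://{user_id}-{custom_field}.alidns.com/dns-query"


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format query; ID 0 keeps GET URLs identical and therefore cacheable."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(server: str, query: bytes) -> str:
    """base64url without padding, as RFC 8484 requires for the dns= parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{server}?dns={dns}"


def decode_doh_get_url(url: str) -> bytes:
    """Inverse of doh_get_url: recover the wire-format query from the URL."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped, hops = ptr, True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_answers(msg: bytes) -> list[tuple[str, int, int, str]]:
    """Return (name, type, TTL, data) for each answer record; fail on RCODE != 0."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        out.append((name, rtype, ttl, data))
    return out


if __name__ == "__main__":
    print(doh_get_url(doh_server_url("123456", "edge01"), build_query("example.com")))
    print(parse_answers(SAMPLE_ANSWER))
```

Sending the request is a plain HTTPS GET with `Accept: application/dns-message`; the answer body is the wire-format message that `parse_answers` reads. Because the custom field is part of the hostname, it is also what the server's TLS certificate and the SNI carry, so treat the full `user_id-custom_field` string as a credential.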

Non-encrypted access (access over TCP and UDP)

The non-encrypted access method applies when DNS recursive requests are initiated over UDP or TCP. To use it, configure addresses such as 223.5.5.5, 223.6.6.6, 2400:3200::1, and 2400:3200:baba::1 in the DNS settings of devices such as PCs and IoT devices. DNS requests sent in this way carry no user attribute identification, so the system cannot tell which account a request comes from. To address this, you can bind your network egress IP address (the source IP address of your DNS requests) to your Alibaba Cloud account so that the requests can be identified and counted. Binding also ensures that the system preferentially protects DNS requests from the bound IP address against throttling in scenarios that are likely to trigger intelligent throttling of recursive resolution, such as when Public DNS is attacked by abnormal traffic or traffic increases rapidly. For more information about throttling, see Notice on throttling of Public DNS Free Edition.

Bind a network egress IP address (source IP address of DNS requests) to an Alibaba Cloud account

Public DNS allows you to bind your network egress IP address to your Alibaba Cloud account. After the binding is created, DNS requests initiated from this IP address over UDP or TCP belong to your Alibaba Cloud account. When the intelligent DNS throttling policy is enabled in extreme cases, the system preferentially protects the DNS requests from the bound IP address against throttling. DNS requests from the bound IP address are billed. Public DNS provides a free resource plan of 20 million DNS requests over UDP/TCP or 10 million DNS requests over HTTP per month. For more information, see Billable item.


Important

Only users who have passed enterprise verification can bind network egress IP addresses to Alibaba Cloud accounts, and only the source IPv4 addresses of Internet egresses can be bound. This means that you must perform the binding from the network environment to which the egress IP address belongs, and the IP address must pass verification.

Most of the domain names accessed by users from home networks are hotspot domain names. These hotspot domain names are accessed by many users over the Internet, and their DNS results are stored in the DNS cache. In most cases, Public DNS does not throttle resolution of these hotspot domain names.
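As an added example (not code from the page or from Alibaba Cloud), the script below implements two pre-checks a practitioner would run before relying on the non-encrypted method: it audits a device's resolver list against the Public DNS addresses the page lists, flagging any other resolver that would silently bypass the service, and it applies the page's binding rule that only a public IPv4 Internet egress address can be bound. The resolver list and the candidate egress addresses are constructed samples.

```python
"""Resolver-list audit and egress-IP binding pre-check (added example).

The Public DNS addresses and the IPv4-only binding rule come from the page;
the sample inputs are constructed.
"""
import ipaddress

# The addresses the page tells you to configure on devices.
PUBLIC_DNS_ADDRESSES = frozenset(
    ipaddress.ip_address(a)
    for a in ("223.5.5.5", "223.6.6.6", "2400:3200::1", "2400:3200:baba::1")
)


def audit_resolver_config(servers: list[str]) -> tuple[list[str], list[str]]:
    """Split a device's resolver entries into documented Public DNS ones and anything else.

    Any entry in the second list means some queries would not reach Public DNS
    at all (and so would not be counted against the bound egress IP).
    """
    documented, unexpected = [], []
    for entry in servers:
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            unexpected.append(entry)  # hostnames or malformed entries
            continue
        (documented if ip in PUBLIC_DNS_ADDRESSES else unexpected).append(entry)
    return documented, unexpected


def check_bindable_egress_ip(candidate: str) -> tuple[bool, str]:
    """Page rule: only the public IPv4 source address of an Internet egress can be bound."""
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False, "not an IP address"
    if ip.version != 4:
        return False, "only IPv4 egress addresses can be bound"
    if not ip.is_global:
        # Private, loopback, link-local, documentation and other special ranges:
        # such an address is never the source seen by Public DNS on the Internet.
        return False, "not a public Internet address"
    return True, "ok"


if __name__ == "__main__":
    # Constructed device configuration: one stray private resolver.
    print(audit_resolver_config(["223.5.5.5", "2400:3200::1", "192.168.1.1"]))
    for addr in ("10.0.0.1", "2400:3200::1", "1.2.3.4"):  # constructed candidates
        print(addr, check_bindable_egress_ip(addr))
```

The egress check only catches addresses that can never be a public IPv4 egress; whether the address really belongs to the network you are binding from is what the console's verification step establishes.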