You can use private domain names for communication within the same virtual private cloud (VPC) to avoid using traditional IP addresses to access services deployed on Elastic Compute Service (ECS) instances. This separates the internal network from the Internet and enhances network security and isolation. The private domain name feature of ECS instances enables convenient and quick assignment of private domain names to instances, without the need to manually update and maintain their Domain Name System (DNS) records.
Private domain names of ECS instances
The private domain name of an ECS instance is an internal domain name assigned to the instance in a VPC and is used to identify and access the instance in the VPC. The ECS private DNS resolution service can generate and resolve private domain names. The DNS resolution service is a network service that converts domain names into IP addresses. The ECS private DNS resolution service depends on the Alibaba Cloud Private DNS (PrivateZone) service. The IP addresses of the private DNS (PrivateZone) server are 100.100.2.136 and 100.100.2.138, which are automatically allocated by the system.
Common scenarios
Hostname management: After you enable the ECS private DNS resolution service that uses the IP address-based or instance ID-based hostname for an ECS instance in a VPC, you can use the hostname to access the instance, which facilitates routine host management.
Cloud service instantiation: Services deployed on the cloud need to access each other. You can use the ECS private DNS resolution service to generate an internal authoritative domain name for each service and resolve the domain name to a private IP address of an ECS instance in a VPC. This instantiates services in the cloud.
If you need more customized configurations for DNS resolution, such as configuring DNS forwarding and recursion features, you can use Private DNS. If you want to use public DNS resolution capabilities, Alibaba Cloud provides Public Authoritative DNS Resolution, a secure, fast, and stable authoritative DNS service.
Composition of the private domain name of an ECS instance
The private domain name of an ECS instance is a four-level domain name. The levels are separated by periods (.). Examples: i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal and ip-172-16-0-89.ap-southeast-3.ecs.internal. The private domain name of an ECS instance contains the following subdomain names:
Top-level domain name (.internal): the internal domain name in ECS, which is used in the internal network.
Second-level domain name (.ecs): the ECS service identifier.
Subdomain name (.regionID): the ID of the region in which an ECS instance resides. You must replace regionID with the actual ID of the region in which the instance resides. For example, if you select the Malaysia (Kuala Lumpur) region, set regionID to ap-southeast-3. For more information, see the Supported regions and zones section of the "Regions and zones" topic.
Hostname identifier: the hostname of an ECS instance. ECS supports the following types of hostname formats:
IP address-based hostname: the hostname based on the primary private IPv4 address of the ECS instance in the ip-<Primary private IPv4 address of the ECS instance> format. Example: ip-171-16-0-89.
Instance ID-based hostname: the hostname based on the ID of the ECS instance. Example: i-8ps2h6dsc74cuktb****. When you use IPv6 for communication, you can specify the instance ID-based hostname.
Private DNS record types for ECS instances
The DNS resolution service maintains DNS records that contain mappings between domain names and IP addresses. When a user attempts to access a domain name, the DNS resolution service converts the domain name into the corresponding IP address. The ECS private DNS resolution service can generate the types of DNS records described in the following table.
| Resolution type | Description | Private domain name format | Example | Scenario |
| --- | --- | --- | --- | --- |
| DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) | Maps the private domain name that contains the IP address-based hostname of an instance to the primary private IPv4 address of the instance. | ip-[Primary private IPv4 address-based hostname].[regionID].[ecs.internal] | ip-192-168-1-1.region-name.ecs.internal is resolved to 192.168.1.1. | Service access testing: You can configure this type of DNS record to map the IP address-based hostname of an instance to the primary private IPv4 address of the instance. The IP address is visible in the domain name, which is suitable for test scenarios. |
| DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) | Maps the private domain name that contains the instance ID-based hostname of an instance to the primary private IPv4 address of the instance. | [Instance ID-based hostname].[regionID].[ecs.internal] | i-bp1hs9xdprd7xq4p****.region-name.ecs.internal is resolved to 192.168.xx.xx. | Automated deployment and management: The IP addresses of ECS instances may change due to frequent operations. You can configure this type of DNS record to map the instance ID-based hostname of an instance to the most recent primary private IPv4 address of the instance. This simplifies configuration management and O&M. |
| DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record). Note: This type of DNS record is available for an ECS instance only when Assign IPv6 Address is selected for the instance. | Maps the private domain name that contains the instance ID-based hostname of an instance to the primary private IPv6 address of the instance. | [Instance ID-based hostname].[regionID].[ecs.internal] | i-bp1hs9xdprd7xq4p****.region-name.ecs.internal is resolved to 2408:xxxx:17:8aff:7833:3724:xxxx:xxxx. | IPv6 network connectivity: When a host or service supports IPv4 and IPv6, you can configure an AAAA record to support IPv6 connections. This helps leverage the larger IPv6 address space and improves communication efficiency. |
| Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record) | Maps the primary private IPv4 address of an instance to the private domain name that contains the IP address-based hostname of the instance. | ip-[Primary private IPv4 address-based hostname].[regionID].[ecs.internal] | 192.168.0.1 is resolved to ip-192-168-0-1.cn-hangzhou.ecs.internal. | |
Limits
Private domain names of ECS instances are generated by the system. You cannot configure private domain names for ECS instances.
ECS instances in the classic network do not support private domain names.
Private domain names can be used for communication within a VPC, not across VPCs.
A private domain name can be resolved only to the primary private IP address of the primary elastic network interface (ENI) but not to a secondary private IP address.
The resolution speed on an ECS instance in a VPC can reach up to 5,000 DNS requests per second. If the upper limit is exceeded on an instance, throttling may be triggered. In this case, the 99.99% service availability in the Service Level Agreement (SLA) may not be guaranteed.
Configure communication between ECS instances by using private domain names
Step 1: Enable the DNS hostname feature in a VPC
To use the ECS private DNS resolution feature for ECS instances in a VPC, you must enable the DNS hostname feature for the VPC. After you enable the DNS hostname feature for a VPC, the DNS resolution service generates a built-in authoritative zone in the [regionID].ecs.internal format. For example, if you create a VPC in the Malaysia (Kuala Lumpur) region and enable the DNS hostname feature, a built-in authoritative zone named ap-southeast-3.ecs.internal is generated, which is in effect only within the VPC. For more information, see Private domain name access in VPC.
After the DNS hostname feature is enabled for a VPC, the ECS private DNS resolution feature that you configure for an ECS instance in the VPC can take effect.
Log on to the VPC console.
In the top navigation bar, select the region of the VPC that you want to manage.
On the VPC page, click the ID of the VPC that you want to manage. In the VPC Details section, enable the DNS hostname feature.
Step 2: Configure ECS private DNS resolution for an ECS instance
The mapping generated as a DNS record between the private domain name of an ECS instance and the primary private IP address of the instance must be configured on an ECS instance. You can configure DNS records when or after you create the instance.
Configure ECS private DNS resolution when you create an ECS instance
When you call the RunInstances operation to create multiple ECS instances, specify the PrivateDnsNameOptions parameter and related parameters to configure ECS private DNS resolution for the instances.
Procedure
Go to the ECS instance buy page.
Click the Custom Launch tab.
Configure parameters, such as Billing Method, Region, Instance Type, and Image.
For information about each parameter on the Custom Launch tab, see Parameters.
In the lower part of the ECS instance buy page, click Advanced Settings(Optional) and configure parameters in the Private DNS Resolution section.
Select the mapping between the private domain name and the primary private IP address in the Private DNS Resolution section based on your business scenario. You can select multiple options. For information about DNS records, see the Private DNS record types for ECS instances section of this topic.
Configure ECS private DNS resolution when you modify instance attributes
When you call the ModifyInstanceAttribute operation to modify instance attributes, specify the PrivateDnsNameOptions parameter and related parameters to configure ECS private DNS resolution.
Procedure
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the ECS instance whose attributes you want to modify and click the instance ID to go to the instance details page. In the upper-right corner of the page, click All Actions. In the pane that appears, choose Instance Attributes > Modify Instance Attribute. The Modify Instance Attributes dialog box appears.
Select the mapping between the private domain name and the primary private IP address in the Private DNS Resolution section based on your business scenario. You can select multiple options. For information about DNS records, see the Private DNS record types for ECS instances section of this topic.
Click Confirm.
Step 3: Verify the ECS private DNS resolution feature
You can run a command to check whether the ECS private DNS resolution feature is in effect on an ECS instance on which the private DNS records are configured or on another ECS instance in the same VPC that is connected to the ECS instance over the internal network. The command used to query DNS records varies based on the operating system.
Linux instance
In Linux, the host command is used to query the mappings between domain names and IP addresses and to perform reverse DNS lookups that query domain names based on IP addresses.
Install the host tool. The host command is not installed on Linux instances by default. To install the host tool, run the sudo yum install bind-utils command.
Example of querying DNS information:
Note: In this example, the following information is used for the instance for which the ECS private DNS resolution feature is enabled. Replace the IP address and instance ID with the actual values.
Instance ID: i-8psi44j4o4yqoh2b****
Region ID: ap-southeast-3
IPv4 address: 172.16.0.89
IPv6 address: 240b:xxxx:41:b200:1ca9:f9bb:ae4:1ea0
Connect to a Linux instance.
For more information, see Use Workbench to connect to a Linux instance over SSH.
Run the host command to query DNS information based on a type of private DNS record.
Query the IPv4 address mapped to the IP address-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
host ip-172-16-0-89.ap-southeast-3.ecs.internal
Query the IP address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
host i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
Query the IPv6 address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record) is selected.
host -t AAAA i-8psi44j4o4yqoh2b****.ap-southeast-3.ecs.internal
Perform a reverse DNS lookup to query the domain name generated based on the IP address-based hostname. This step is suitable for an ECS instance for which Enable Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record) is selected.
host 172.16.0.89
Windows instance
nslookup is a pre-installed tool in Windows that can be used to query DNS information.
Example of querying DNS information:
Note: In this example, the following information is used for the instance for which the ECS private DNS resolution feature is enabled. Replace the IP address and instance ID with the actual values.
Instance ID: i-8ps2h6dsc74cfy02ithz
Region ID: ap-southeast-3
IPv4 address: 172.16.0.91
IPv6 address: 240b:400e:41:b200:1ca9:f9bb:ae4:1e9a
Connect to a Windows instance.
For more information, see Use Workbench to connect to a Windows instance over RDP.
Run the nslookup command to query DNS information based on a type of private DNS record.
Query the IP address mapped to the IP address-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the IP Address-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
nslookup ip-172-16-0-91.ap-southeast-3.ecs.internal
Query the IP address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv4 Address (A Record) is selected.
nslookup i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal
Query the IPv6 address mapped to the instance ID-based domain name. This step is suitable for an ECS instance for which Enable DNS Resolution from the Instance ID-based Hostname to the Instance Primary Private IPv6 Address (AAAA Record) is selected.
nslookup -type=AAAA i-8ps2h6dsc74cfy02****.ap-southeast-3.ecs.internal
Perform a reverse DNS lookup to query the domain name generated based on the IP address-based hostname. This step is suitable for an ECS instance for which Enable Reverse DNS Resolution from the Instance Primary Private IPv4 Address to the IP Address-based Hostname (PTR Record) is selected.
nslookup 172.16.0.91
If the ECS private DNS resolution feature is in effect, the ECS instance for which you configured private DNS records can be accessed by other ECS instances in the same VPC over the internal network. You can run the ping <Private domain name> command for testing. Example command: ping ip-172-16-0-91.ap-southeast-3.ecs.internal.
To test access to one ECS instance from another ECS instance over IPv6, you must enable IPv6 for and assign IPv6 addresses to both the source and destination instances. For more information, see IPv6 communication.
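The record types in the table above and the host/nslookup checks in Step 3 can be automated into one consistency check. The following Python is an added example, not Alibaba Cloud's code: it derives the private domain names from the four-level format described on this page and compares a resolver's answers against the expected A, AAAA and PTR records for one instance. The `resolve` callable is a hypothetical hook (here backed by a constructed answer table; on a real instance you would back it with dnspython or socket lookups), and the IPv6 address is a made-up documentation-prefix value because the page masks the real one.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# A resolver takes (domain name, record type) and returns the answer strings.
Resolver = Callable[[str, str], List[str]]

def ip_hostname(ipv4: str) -> str:
    """IP address-based hostname identifier: ip-<primary private IPv4, dots replaced by dashes>."""
    return "ip-" + str(ipaddress.IPv4Address(ipv4)).replace(".", "-")

def private_domain(hostname: str, region_id: str) -> str:
    """Four-level private domain name: <hostname identifier>.<regionID>.ecs.internal."""
    return f"{hostname}.{region_id}.ecs.internal"

def parse_private_domain(name: str) -> Tuple[str, str]:
    """Split a private domain name into (hostname identifier, regionID); reject names outside ecs.internal."""
    parts = name.rstrip(".").split(".")
    if len(parts) != 4 or parts[2:] != ["ecs", "internal"]:
        raise ValueError(f"not an ECS private domain name: {name}")
    return parts[0], parts[1]

def check_records(instance_id: str, region_id: str, ipv4: str, resolve: Resolver,
                  ipv6: Optional[str] = None) -> List[str]:
    """Compare resolver answers with the records the service generates for one instance.
    Returns findings; an empty list means every checked record is consistent."""
    findings = []
    ip_name = private_domain(ip_hostname(ipv4), region_id)
    id_name = private_domain(instance_id, region_id)
    # A records: both hostname forms must map to the primary private IPv4 address.
    for name in (ip_name, id_name):
        if resolve(name, "A") != [ipv4]:
            findings.append(f"A {name} != {ipv4}")
    # PTR record: the primary private IPv4 address must map back to the IP address-based name.
    ptr = [a.rstrip(".") for a in resolve(ipaddress.IPv4Address(ipv4).reverse_pointer, "PTR")]
    if ptr != [ip_name]:
        findings.append(f"PTR {ipv4} != {ip_name}")
    # AAAA record exists only when an IPv6 address is assigned; compare canonical forms.
    if ipv6 is not None:
        got = [ipaddress.IPv6Address(a) for a in resolve(id_name, "AAAA")]
        if got != [ipaddress.IPv6Address(ipv6)]:
            findings.append(f"AAAA {id_name} != {ipv6}")
    return findings

def table_resolver(table: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Resolver backed by a constructed answer table (stand-in for host/nslookup or dnspython)."""
    return lambda name, rtype: list(table.get((name, rtype), []))

# Constructed answers for the instance in the Linux example. The IPv6 address is made up
# (documentation prefix) because the page masks part of the real one.
REGION, INSTANCE, IPV4 = "ap-southeast-3", "i-8psi44j4o4yqoh2b****", "172.16.0.89"
IPV6 = "2001:db8:41:b200:1ca9:f9bb:ae4:1ea0"
ID_NAME = private_domain(INSTANCE, REGION)
ANSWERS = {
    ("ip-172-16-0-89.ap-southeast-3.ecs.internal", "A"): ["172.16.0.89"],
    (ID_NAME, "A"): ["172.16.0.89"],
    (ID_NAME, "AAAA"): ["2001:DB8:41:B200:1CA9:F9BB:AE4:1EA0"],  # uppercase, as some tools print it
    ("89.0.16.172.in-addr.arpa", "PTR"): ["ip-172-16-0-89.ap-southeast-3.ecs.internal."],
}
```

check_records(INSTANCE, REGION, IPV4, table_resolver(ANSWERS), IPV6) returns an empty list; calling it with 172.16.0.90 against the same answers produces three findings, which is what stale or not-yet-regenerated records look like right after a primary private IP change.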
Other operations
Impacts of different operations on ECS private DNS resolution
Change the VPC of an instance
If the ECS private DNS resolution feature is enabled for an ECS instance, check whether the DNS hostname feature is enabled for the new VPC to which the ECS instance is migrated. For more information, see Change the VPC of an ECS instance.
Change the primary private IP address of an instance
The ECS private DNS resolution service automatically performs remapping. If the primary private IPv4 or IPv6 address of your instance changes, such as when you change the primary private IPv4 address, the existing private DNS record that matches the original IP address is deleted, and a new DNS record that matches the new IP address is generated.
Release an instance
After an instance is released, all DNS records related to the instance in the built-in authoritative zone of the VPC to which the instance belongs are deleted. The instance and the services on the instance cannot be accessed by using the private domain name.
View information about ECS private DNS resolution
View the resolution of the private domain name of an ECS instance on the instance details page in the ECS console.
You can also call the DescribeInstances operation to query detailed information about specified ECS instances. In the response, the PrivateDnsNameOptions parameter and related parameters contain the private DNS resolution information about the specified instances.
Go to ECS console - Instance.
In the top navigation bar, select the region and resource group of the resource that you want to manage.
Find the ECS instance that you want to query and click the instance ID to go to the instance details page. In the Other Information section, find the Private DNS Records parameter to view the number of private DNS records.
Move the pointer over the number of private DNS records to view the mapping between the private domain names and IP addresses configured for the current ECS instance.
Disable ECS private DNS resolution for an ECS instance
To disable ECS private DNS resolution for an ECS instance, clear all Private DNS Resolution options for the instance in the ECS console. For more information, see the Step 2: Configure ECS private DNS resolution for an ECS instance section of this topic.
To disable ECS private DNS resolution for all ECS instances in a VPC, disable the DNS hostname feature for the VPC. After you disable the DNS hostname feature for a VPC, the built-in authoritative zone associated with the VPC is deleted, and the private domain names of all ECS instances in the VPC become invalid and cannot be resolved to the primary private IP addresses of the instances. For more information, see Private domain name access in VPC.
If your application uses a private domain name instead of an instance IP address to access cloud resources, your application may fail to access the resources after the DNS hostname feature is disabled.
References
You can use the private DNS resolution service to configure more DNS resolution features, such as DNS forwarding and recursive resolution features. For more information, see What is Private DNS?
Alibaba Cloud provides the public authoritative DNS resolution feature to provide a secure, fast, and stable DNS service. For more information, see Public Authoritative DNS Resolution.
To use public recursive resolution capabilities for mobile applications or IoT, you can configure the Alibaba Cloud public DNS resolution feature to help your terminals resolve domain names in a fast and secure manner. For more information, see What is Alibaba Cloud Public DNS?