Private DNS is the new form of Alibaba Cloud DNS PrivateZone. It is provided by Alibaba Cloud DNS and delivers complete Domain Name System (DNS) resolution services in corporate intranets, mainly Alibaba Cloud virtual private clouds (VPCs). Private DNS consists of four modules: the built-in authoritative module, the cache module, the forward module, and the recursion module. Together these modules provide DNS resolution, Private DNS resolution acceleration, the definition of built-in authoritative zones, the forwarding of DNS requests to the cloud and to on-premises data centers, and the analysis of intranet resolution traffic logs for clients in VPCs, such as Elastic Compute Service (ECS) instances and containers.
Overview
Alibaba Cloud DNS deploys self-developed DNS software in data centers in Alibaba Cloud regions around the world to provide a complete DNS resolution service in VPCs. The service is called Private DNS and provides the following features:
Built-in authoritative (formerly Alibaba Cloud DNS PrivateZone)
The built-in authoritative module is an authoritative DNS resolution module for corporate intranets (Alibaba Cloud VPCs). This module allows you to create built-in authoritative zones whose records map domain names to IP addresses. The zones take effect only in your VPCs. You can manage Alibaba Cloud resources in VPCs, such as ECS instances, Server Load Balancer (SLB) instances, and Object Storage Service (OSS) instances, by using the DNS records of these built-in authoritative zones. These zones cannot be accessed by clients outside the VPCs. In addition, you can connect your VPCs to on-premises data centers over Express Connect circuits or VPN gateways. This way, the data centers and the VPCs can access each other by using the names in the built-in authoritative zones.
The built-in authoritative module has two logical locations: the acceleration module and the regular module. Zones added to the acceleration module are acceleration zones, and zones added to the regular module are regular zones. The private authoritative zones created in Alibaba Cloud DNS PrivateZone are added to the regular module. DNS resolution for acceleration zones has the lowest latency because the acceleration module is closer to the DNS request sources than the other modules and the DNS records of acceleration zones are stored in the high-speed memory of the DNS servers. Therefore, zones that require low latency and high stability for DNS resolution are suitable as acceleration zones. Acceleration zones support DNS resolution based on user-defined resolution lines and weight-based DNS resolution; regular zones do not support these features. For more information, see Line-based intelligent DNS resolution and Weight-based intelligent DNS resolution.
Cache
The cache module is mainly used to accelerate DNS resolution in VPCs. In most cases, the DNS records of all domain names resolved in VPCs are stored in the high-speed cache memory of the DNS servers, so that the system can quickly return them the next time these domain names are resolved. How long a DNS record is cached is governed by its time-to-live (TTL); after the TTL expires, the cached record is invalid. You can enable the cache retention feature to keep the DNS records of important domain names on the DNS servers for a long time. After the TTL of such a record expires, the DNS servers first respond to DNS requests for the domain name from the retained record and then update the record. Cache retention accelerates DNS resolution for important domain names in VPCs and also avoids exceptions caused by DNS resolution failures over the Internet, for example, when an Internet authoritative DNS server fails.
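To make the difference between ordinary TTL expiry and cache retention concrete, the following added model (not Alibaba Cloud DNS code) keeps a retained name answerable from its expired record while the upstream authoritative server is failing, whereas a regular name fails once its TTL has run out. The upstream answer, TTL and domain names are constructed for the illustration.

```python
"""Model of TTL expiry versus cache retention in a resolver cache. Added
illustration, not Alibaba Cloud DNS code; answers and timings are constructed."""
from typing import Callable, Dict, Iterable, Optional, Tuple

class RetentionCache:
    def __init__(self, upstream: Callable[[str], Tuple[str, int]], retained: Iterable[str] = ()):
        self.upstream = upstream        # returns (rdata, ttl); raises on failure
        self.retained = set(retained)   # names with cache retention enabled
        self.entries: Dict[str, Tuple[str, int, float]] = {}  # name -> (rdata, ttl, stored_at)
        self.upstream_queries = 0

    def _refresh(self, name: str, now: float) -> bool:
        """Query upstream and store the answer; False if the upstream failed."""
        self.upstream_queries += 1
        try:
            rdata, ttl = self.upstream(name)
        except Exception:
            return False
        self.entries[name] = (rdata, ttl, now)
        return True

    def resolve(self, name: str, now: float) -> Optional[str]:
        """Return record data, or None where a real resolver would answer SERVFAIL."""
        entry = self.entries.get(name)
        if entry is not None and now - entry[2] < entry[1]:
            return entry[0]             # within TTL: ordinary cache hit
        if entry is not None and name in self.retained:
            # Retention: answer from the expired record first, then refresh it;
            # if the refresh fails the retained record keeps being served.
            self._refresh(name, now)
            return self.entries[name][0]
        # Expired regular record or cache miss: the upstream answer is required.
        return self.entries[name][0] if self._refresh(name, now) else None

def scenario() -> Tuple[Optional[str], ...]:
    """Two names, one retained; the upstream fails after the first lookups."""
    state = {"up": True}
    def upstream(name: str) -> Tuple[str, int]:
        if not state["up"]:
            raise RuntimeError("Internet authoritative server unreachable")
        return "203.0.113.10", 60       # constructed answer with a 60 s TTL

    cache = RetentionCache(upstream, retained={"api.internal.example"})
    r_api = cache.resolve("api.internal.example", 0)        # miss -> upstream
    r_batch = cache.resolve("batch.internal.example", 0)    # miss -> upstream
    state["up"] = False                                     # upstream now failing
    fresh = cache.resolve("api.internal.example", 30)       # TTL not expired: hit
    kept = cache.resolve("api.internal.example", 120)       # expired, retained: served
    lost = cache.resolve("batch.internal.example", 120)     # expired, regular: fails
    return r_api, r_batch, fresh, kept, lost
```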
Forward (formerly the Resolver feature of Alibaba Cloud DNS PrivateZone)
The forward module forwards DNS requests for specific zones in VPCs to external DNS systems based on the configured forwarding rules and outbound endpoints. This module is suitable for hybrid cloud scenarios and for DNS resolution between the cloud and on-premises data centers.
Recursion
The recursion module performs recursive resolution over the Internet for the DNS requests from clients such as ECS instances in VPCs. This module is provided free of charge in VPCs, but no service level agreement (SLA) is guaranteed. To use a DNS server of another vendor for DNS resolution, you can change one of the default DNS server IP addresses (100.100.2.136 or 100.100.2.138) of the ECS instance. In this case, the ECS instance cannot use the Private DNS service provided by Alibaba Cloud DNS.
Service address
The service addresses are the name server addresses of the Private DNS resolution service. They can be configured as the DNS server address of clients in the cloud (ECS instances or containers), or used by clients outside the cloud (on-premises hosts or on-premises DNS servers) to access the DNS service in the cloud. Service addresses fall into two categories: system-defined and user-defined. The default Private DNS service addresses assigned by the system are 100.100.2.136 and 100.100.2.138, which are provided to all VPCs in all regions in anycast mode. If you want to use private IP addresses from your own VPC address plan to provide Private DNS resolution, you can create an inbound endpoint to define custom Private DNS service addresses within a VPC. This effectively solves the address conflicts that the 100.100.2.136/100.100.2.138 range can cause when an on-premises network accesses the DNS service in the cloud. For details, see Service address.
Traffic analysis
Private DNS provides an end-to-end, visualized analysis service for DNS requests. It allows you to observe the whole DNS resolution process, including the reception of DNS requests, the translation of domain names into IP addresses, and the return of DNS resolution results. The feature analyzes the data from multiple angles, including DNS resolution latency, the number of DNS requests, the cache hit rate, hotspot domain names, and hotspot DNS request sources. This gives you a reference for optimizing your DNS resolution settings.
Private DNS rules apply only to the DNS requests initiated by clients whose DNS server address is 100.100.2.136 or 100.100.2.138 in VPCs. If you change the DNS server address of an ECS instance to another IP address, Private DNS rules do not take effect for the ECS instance.
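Because the rules above apply only to clients that actually point at the Private DNS service addresses, the following added audit helper (not Alibaba Cloud code) parses a client's resolv.conf-style configuration and reports whether every configured resolver is a Private DNS address. A configuration that mixes one Private DNS address with a third-party resolver is reported as mixed, since the page states that changing one of the two default addresses already prevents the instance from using Private DNS; the user-defined addresses of an inbound endpoint are an operator-supplied assumption, and all sample contents are constructed.

```python
"""Audit an ECS client's resolver configuration against the Private DNS
service addresses. Added example, not Alibaba Cloud code; the sample
resolv.conf contents below are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# System-defined Private DNS service addresses (anycast, all VPCs and regions).
SYSTEM_ADDRESSES = {"100.100.2.136", "100.100.2.138"}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver IPs in order, skipping comments and malformed lines."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue   # the stub resolver would ignore this line as well
    return servers


def audit(resolv_conf: str, inbound_endpoints: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Classify the client: 'private' (all resolvers are Private DNS addresses),
    'mixed' (some are), 'external' (none are) or 'none' (no resolver at all).
    inbound_endpoints are user-defined addresses of an inbound endpoint in the
    same VPC; which ones exist is assumed to be supplied by the operator."""
    private = SYSTEM_ADDRESSES | {str(ipaddress.ip_address(a)) for a in inbound_endpoints}
    servers = parse_nameservers(resolv_conf)
    if not servers:
        return "none", []
    external = [s for s in servers if s not in private]
    if not external:
        return "private", []
    return ("external" if len(external) == len(servers) else "mixed"), external


# Constructed resolv.conf contents for three instances.
DEFAULT_CONF = "options timeout:2 attempts:3\nnameserver 100.100.2.136\nnameserver 100.100.2.138\n"
MIXED_CONF = "nameserver 100.100.2.136\nnameserver 198.51.100.53  # third-party resolver\n"
INBOUND_CONF = "nameserver 172.16.0.53\nnameserver 172.16.1.53\n"
```

The external list returned for a mixed or external verdict names the resolvers to investigate; an instance that is expected to resolve built-in authoritative zones should come back as private.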
Resolution priority rules
In VPCs, after a DNS server receives a DNS request, it resolves the domain name according to the priority rules illustrated in the following figure.