This feature is currently available in the following regions: Philippines (Manila), Thailand (Bangkok), and Malaysia (Kuala Lumpur).
Configure private DNS server addresses on the SSL-VPN server so clients can resolve private domain names within a VPC.
How it works
SSL-VPN custom client DNS uses the OpenVPN DHCP Option mechanism. The workflow is as follows:
-
Enable the SSL Server switch on the Custom Client DNS and enter up to two private DNS server IPs within the VPC.
-
The SSL-VPN server pushes the DNS configuration to the client.
-
After the client connects, it automatically receives the DNS server addresses from the server.
-
The OS sets these as the preferred DNS for the active connection.
-
DNS queries (e.g.,
git.internalorexample.com) route through the VPN tunnel to the VPC DNS server for resolution.
Limitations
-
Maximum two DNS server addresses (primary and secondary).
-
The system does not verify DNS server reachability. Ensure the specified IPs can serve DNS within the VPC.
-
Some clients require additional configuration. macOS (Tunnelblick) applies DNS automatically. Windows may need a network adapter metric change. Linux requires script-based configuration.
-
Not supported on iPhone, iPad, or Android.
-
Domain-name-format DNS addresses are not supported.
-
Dynamic DNS updates are not supported.
-
IPv6 DNS addresses are not supported.
Procedure
Prerequisites
-
You have connected the client to the VPC by following the instructions in the Quick start guide. If you are using macOS, use the Tunnelblick client.
-
A DNS server (Windows AD DNS, CoreDNS, BIND, etc.) is running in the VPC.
-
The security group of the DNS server allows inbound traffic on
UDP port 53from the Client CIDR Block.
Step 1: Enable custom DNS
Console
-
In the Actions column of the SSL server, click Edit.
-
Enable the Custom Client DNS switch and configure:
-
DNS Server Address 1: Enter the private IP address of a DNS server deployed in your VPC.
-
DNS Server Address 2: Optional. Enter the IP address of a secondary DNS server.
-
API
Call the ModifySslVpnServer API operation and use the DnsServers parameter to set the DNS server addresses.
Step 2: Configure the client
Choose the method for your OS. macOS (Tunnelblick) applies DNS automatically on connect. Linux requires .ovpn file modifications.
Windows
-
Right-click the OpenVPN client icon in the system tray and select Reconnect.
-
Run
nslookup example.comin Command Prompt. Replace example.com with your private domain name. A correct private IP in the response confirms the DNS configuration works.
If DNS does not work:
-
Check network adapter metrics:
netsh interface ip show configA lower metric value indicates a higher network adapter priority.
-
If the VPN adapter does not have the lowest metric, set it:
netsh interface ip set interface "OpenVPN TAP-Windows" metric=10The network adapter created by the OpenVPN client for the VPN tunnel typically has a name that starts with 'OpenVPN TAP-Windows'. Replace 'OpenVPN TAP-Windows' with the actual VPN adapter name on your system.
Mac
-
In the Tunnelblick client, disconnect and then reconnect.
-
Run
dig example.comin Terminal. Replace example.com with your private domain name. A correct private IP in the response confirms the DNS configuration works.
CentOS/AliOS
-
Add the following lines to the end of
config.ovpnin/etc/openvpn/conf:script-security 2 up /etc/openvpn/conf/client.up down /etc/openvpn/conf/client.down down-pre -
Copy
client.upandclient.downfrom the OpenVPN contrib directory to the config directory and make them executable:sudo cp /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.up /etc/openvpn/conf/ sudo cp /usr/share/doc/openvpn/contrib/pull-resolv-conf/client.down /etc/openvpn/conf/ sudo chmod +x /etc/openvpn/conf/client.up sudo chmod +x /etc/openvpn/conf/client.down -
In both
client.upandclient.down, change the following code toif false; then:
-
Restart the openvpn process:
sudo killall openvpn sudo openvpn --config /etc/openvpn/conf/config.ovpn --daemon -
Verify the DNS update:
cat /etc/resolv.conf -
Run
dig example.com. Replace example.com with your private domain name. A correct private IP confirms DNS works.
To disable custom DNS:
-
Disconnect from the SSL-VPN:
sudo killall openvpn -
Edit
config.ovpnin/etc/openvpn/conf. Comment out the four lines starting withscript-security,up,down, anddown-pre. -
Restart OpenVPN to reconnect:
sudo openvpn --config /etc/openvpn/conf/config.ovpn --daemon
Ubuntu
-
Download the certificate again from the Alibaba Cloud console. In the SSL Client column for the target Actions, click Download Certificate.
-
Back up the existing certificate in
/etc/openvpn/confby moving it to another directory. -
Place the new certificate in
/etc/openvpn/conf. -
Edit the
config.ovpnfile and uncomment the last four lines:
-
Install
resolvectl(systemd-resolvedCLI):apt install systemd-resolved -
Set
tun0DNS as the global default (~.matches all domains):resolvectl domain tun0 "~." -
Restart the openvpn process:
sudo killall openvpn sudo openvpn --config /etc/openvpn/conf/config.ovpn --daemon -
Verify the DNS update:
resolvectl status tun0 -
Run
dig example.com. Replace example.com with your private domain name. A correct private IP confirms DNS works.
To disable custom DNS:
-
Disconnect from the SSL-VPN:
sudo killall openvpn -
Edit
config.ovpnin/etc/openvpn/conf. Comment out the four lines starting withscript-security,up,down, anddown-pre. -
Restart OpenVPN to reconnect:
sudo openvpn --config /etc/openvpn/conf/config.ovpn --daemon
FAQ
DNS settings do not take effect
-
Ensure the DNS server subnet is included in the Local CIDR Block configured for the SSL Server. If not, add it to the Local CIDR Block.
-
Ensure the DNS server allows requests from the Client CIDR Block (the IP pool allocated to SSL-VPN clients).
-
Ensure that the security group of the DNS server allows UDP port 53 traffic.
-
Check if other VPNs or network software are overriding the DNS settings.
-
For Windows clients, also check the following:
-
Ensure the VPN adapter has the lowest metric. Step 2: Configure the client.
-
Run
ipconfig /flushdnsto clear the DNS cache, then retry.
-
-
For CentOS/AliOS clients, also check the following:
-
Ensure
script-security 2andup/downscript lines are in the.ovpnfile. -
Ensure
client.upandclient.downexist in/etc/openvpn/conf/. -
Check
/etc/resolv.conffor the configured DNS address.
-
-
For Ubuntu clients, also check the following:
-
Ensure the certificate was re-downloaded and the last four lines in the
.ovpnfile are uncommented. -
Ensure the DNS update scripts (
update-resolv-conforupdate-systemd-resolved) exist on the system. -
Run
resolvectl statusto verify the configured DNS address appears.
-
Re-downloading the client certificate
Certificate re-download is only required for Ubuntu clients.
IPv6 address support
No. Only DNS servers with IPv4 addresses are supported.
Unreachable DNS servers
The system does not verify DNS server reachability. If configured servers are unreachable, clients cannot resolve domain names after connecting. Ensure the DNS servers are operational and their subnets are included in the SSL-VPN routing configuration.
Using a non-VPC DNS server
Yes. For example, you can set the DNS server addresses on the SSL server to a DNS server in your on-premises data center.