{"id":45,"date":"2026-04-12T15:31:42","date_gmt":"2026-04-12T15:31:42","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-public-dns-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/"},"modified":"2026-04-12T15:31:42","modified_gmt":"2026-04-12T15:31:42","slug":"alibaba-cloud-public-dns-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-public-dns-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/","title":{"rendered":"Alibaba Cloud Public DNS Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking and CDN"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Networking and CDN<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Public DNS<\/strong> is a public, internet-facing DNS recursive resolver service that you can use as the DNS server for clients (laptops, phones, on-prem servers, and cloud VMs) to resolve domain names to IP addresses.<\/p>\n\n\n\n<p>In simple terms: instead of using your ISP\u2019s DNS servers (which can be slow, unreliable, or subject to DNS hijacking in some networks), you point your device or server to Alibaba Cloud Public DNS so that <code>www.example.com<\/code> resolves quickly and consistently.<\/p>\n\n\n\n<p>Technically, Public DNS is a <strong>recursive DNS resolver<\/strong> operated by Alibaba Cloud. It receives DNS queries from clients, performs recursion (including caching), and returns answers based on the public DNS hierarchy (root \u2192 TLD \u2192 authoritative name servers). 
It is not the same as authoritative DNS hosting (where you manage your zone records); it is a resolver that helps you <em>query<\/em> DNS.<\/p>\n\n\n\n<p><strong>What problem it solves:<\/strong> reliable, fast, and more predictable DNS resolution\u2014especially useful when default DNS resolvers are slow, inconsistent, filtered, or prone to manipulation. Public DNS is commonly used to reduce DNS latency, improve availability, and harden DNS resolution behavior in production environments.<\/p>\n\n\n\n<blockquote>\n<p>Service name note: This tutorial is specifically about <strong>Alibaba Cloud Public DNS<\/strong> (recursive resolver). It is different from <strong>Alibaba Cloud DNS<\/strong> (authoritative DNS hosting, often called \u201cAlibaba Cloud DNS\u201d \/ \u201cAlibaba Cloud DNS PrivateZone\/Private DNS\u201d depending on feature) and different from <strong>HTTPDNS<\/strong> (DNS-over-HTTP style resolution for apps). Verify current product naming in the official docs if Alibaba Cloud updates branding.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Public DNS?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Alibaba Cloud Public DNS provides <strong>public recursive DNS resolution<\/strong> for internet domain names. 
You configure clients to use Public DNS resolver IP addresses (and\/or encrypted DNS endpoints if supported) so those clients can resolve DNS queries via Alibaba\u2019s resolver infrastructure.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recursive DNS resolution for public domain names<\/li>\n<li>DNS caching to speed up repeat lookups<\/li>\n<li>High availability resolver infrastructure (typically Anycast-based, depending on implementation\u2014verify in official docs)<\/li>\n<li>Support for standard DNS query types (A\/AAAA\/CNAME\/MX\/TXT\/SRV, etc., subject to upstream authoritative data)<\/li>\n<li>IPv4 and potentially IPv6 resolver endpoints (verify the latest endpoints in official docs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<p>Public DNS is a managed service, so you do not provision servers. Conceptually it consists of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Resolver endpoints<\/strong>: IP addresses (and possibly DoH\/DoT hostnames) that accept DNS queries<\/li>\n<li><strong>Recursive resolver fleet<\/strong>: performs recursion and caching<\/li>\n<li><strong>Network edge<\/strong>: routes users to optimal resolver nodes (often Anycast; verify)<\/li>\n<li><strong>Security\/anti-abuse controls<\/strong>: rate limiting, attack mitigation, and response validation (exact mechanisms vary\u2014verify)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed public recursive resolver<\/strong> (internet service)<\/li>\n<li>Not a VPC-scoped \u201cprivate resolver\u201d by default<\/li>\n<li>Not authoritative DNS hosting<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional\/global\/zonal<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Global by nature<\/strong>: Public resolvers are reachable on the public internet and are not tied to a specific Alibaba Cloud region in the way compute services 
are.<\/li>\n<li><strong>Not account-scoped<\/strong>: Typically no per-account configuration is required to <em>use<\/em> Public DNS; you simply point clients to the resolver endpoints.<\/li>\n<li><strong>SLA\/coverage<\/strong>: Verify the current SLA and coverage in official documentation and product pages.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>In Alibaba Cloud\u2019s Networking and CDN landscape:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Public DNS<\/strong> when you need a reliable public resolver for clients (cloud VMs, on-prem, end-user devices).<\/li>\n<li>Use <strong>Alibaba Cloud DNS<\/strong> (authoritative DNS) when you need to host and manage your domain\u2019s DNS records.<\/li>\n<li>Use <strong>Private DNS \/ PrivateZone<\/strong> (if applicable in your account\/region) when you need internal DNS zones for VPCs (split-horizon DNS, internal service discovery).<\/li>\n<li>Use <strong>HTTPDNS<\/strong> for application-layer DNS resolution patterns (often used to reduce DNS hijacking for mobile apps and to bypass local resolver issues\u2014verify suitability).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Public DNS?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Better user experience<\/strong>: faster and more reliable DNS resolution reduces page load time and API latency.<\/li>\n<li><strong>Reduced incident risk<\/strong>: avoids outages caused by flaky ISP resolvers or enterprise DNS misconfigurations.<\/li>\n<li><strong>Operational simplicity<\/strong>: no need to run and patch your own recursive DNS fleet for general internet resolution.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower DNS latency<\/strong> through caching and well-connected resolver infrastructure.<\/li>\n<li><strong>Improved availability<\/strong> compared to single-site resolvers.<\/li>\n<li><strong>Consistent resolution<\/strong> across environments (developer laptops, CI runners, ECS instances, on-prem servers).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fewer DNS tickets<\/strong> (\u201ccannot resolve domain\u201d \/ intermittent resolution).<\/li>\n<li><strong>Easier standardization<\/strong>: a common resolver baseline across teams and environments.<\/li>\n<li><strong>Simplified troubleshooting<\/strong> by pinning to known resolvers and comparing results.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps reduce exposure to some classes of DNS manipulation that occur with poor-quality resolvers (exact protections vary by network\u2014verify).<\/li>\n<li>If encrypted DNS transport is supported (DoH\/DoT), it can reduce on-path snooping and tampering (verify endpoints and client support).<\/li>\n<li>Supports security hardening patterns like:<ul>\n<li>egress DNS restrictions (send DNS only to approved resolvers)<\/li>\n<li>consistent filtering policies (if you 
implement them externally\u2014Public DNS itself is not necessarily a filtering service)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed resolver capacity that scales beyond what a small self-managed DNS cluster can handle.<\/li>\n<li>Suitable for large fleets of clients querying public internet domains.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a <strong>general-purpose public resolver<\/strong> for servers and endpoints.<\/li>\n<li>Your current DNS is slow\/unreliable, or you operate in networks with known DNS hijacking\/poisoning risks.<\/li>\n<li>You want standardized DNS behavior across multi-cloud or hybrid environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need <strong>authoritative DNS management<\/strong> for your domain (use Alibaba Cloud DNS or another authoritative DNS provider).<\/li>\n<li>You need <strong>private service discovery within VPCs<\/strong> and split-horizon DNS for internal zones (use Private DNS\/PrivateZone or VPC DNS capabilities).<\/li>\n<li>You require <strong>full query logging, per-tenant policies, or conditional forwarding<\/strong> controlled by your organization\u2014Public DNS is not a customizable enterprise resolver platform in the same way as self-hosted Unbound\/BIND or some dedicated resolver products.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Public DNS used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>E-commerce and retail (latency-sensitive web and API stacks)<\/li>\n<li>SaaS and internet services (global user base)<\/li>\n<li>Financial services (needs reliability and controlled DNS paths)<\/li>\n<li>Gaming and media (high concurrency, low latency)<\/li>\n<li>Manufacturing and IoT (distributed sites with varying ISP quality)<\/li>\n<li>Education and research (large, diverse client populations)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams standardizing base OS\/network settings<\/li>\n<li>SRE\/Operations teams reducing DNS-related incidents<\/li>\n<li>DevOps teams building reproducible CI\/CD environments<\/li>\n<li>Security teams implementing DNS egress control and monitoring<\/li>\n<li>Developers troubleshooting DNS inconsistencies across networks<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Web apps and APIs (outbound calls to third-party services)<\/li>\n<li>Microservices that depend on external SaaS endpoints<\/li>\n<li>CI\/CD runners and build agents downloading dependencies<\/li>\n<li>Container nodes (Kubernetes worker nodes resolving external registries)<\/li>\n<li>Monitoring agents and log shippers sending to external endpoints<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hybrid environments: on-prem + Alibaba Cloud + other clouds<\/li>\n<li>Multi-region deployments needing consistent DNS resolution behavior<\/li>\n<li>Branch office \/ remote workforce where ISP DNS is unpredictable<\/li>\n<li>\u201cThin edge\u201d designs where endpoints rely on public internet services<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Production:<\/strong> common when DNS reliability is mission-critical and teams want to avoid local resolver issues.<\/li>\n<li><strong>Dev\/test:<\/strong> useful to reduce \u201cworks on my network\u201d DNS differences and speed up dependency downloads.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Alibaba Cloud Public DNS is a good fit. Each includes the problem, why Public DNS fits, and a short example.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Standardize DNS for ECS fleets<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Different ECS images and teams use different resolvers, causing inconsistent DNS behavior.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS provides a consistent resolver target across instances.<\/li>\n<li><strong>Example:<\/strong> A platform team enforces a baseline <code>\/etc\/resolv.conf<\/code> (or systemd-resolved config) pointing to Public DNS for all non-private queries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Reduce CI\/CD pipeline failures caused by DNS<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Builds fail intermittently due to dependency registry resolution failures.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS improves reliability and caching for repeated lookups.<\/li>\n<li><strong>Example:<\/strong> GitLab runners on ECS switch from ISP DNS to Public DNS; fewer \u201cTemporary failure in name resolution\u201d incidents.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Improve resolution performance for global SaaS endpoints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Calls to external SaaS APIs are delayed by slow DNS.<\/li>\n<li><strong>Why it fits:<\/strong> Faster resolver infrastructure reduces DNS lookup 
time.<\/li>\n<li><strong>Example:<\/strong> Payment processing service resolves multiple third-party hostnames; DNS lookup time becomes negligible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Mitigate poor ISP resolver quality in branch offices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Branch office endpoints have slow or unreliable DNS.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS is reachable from most networks and offers predictable behavior.<\/li>\n<li><strong>Example:<\/strong> Retail stores set DHCP DNS to Public DNS, improving POS system uptime.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Troubleshoot DNS poisoning\/hijacking symptoms<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Users sometimes resolve a domain to the wrong IP.<\/li>\n<li><strong>Why it fits:<\/strong> Switching to a trusted public resolver helps isolate whether the issue is local DNS manipulation.<\/li>\n<li><strong>Example:<\/strong> A support engineer compares results from Public DNS vs default resolver to confirm a poisoning issue.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Provide a stable resolver for containers (non-Kubernetes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Container hosts sometimes inherit unstable DNS settings.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS reduces dependency on local resolvers.<\/li>\n<li><strong>Example:<\/strong> Docker hosts used for integration tests configure the host resolver to Public DNS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Outbound-only servers in locked-down environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Servers have no inbound access and need a reliable resolver for outbound traffic.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS is simple to use and typically doesn\u2019t require account setup.<\/li>\n<li><strong>Example:<\/strong> Log 
forwarders resolve <code>logs.example-saas.com<\/code> reliably using Public DNS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Multi-cloud consistency for DNS resolution<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> DNS behavior differs across clouds and data centers.<\/li>\n<li><strong>Why it fits:<\/strong> A shared resolver baseline reduces variability.<\/li>\n<li><strong>Example:<\/strong> Workloads in Alibaba Cloud and another cloud both use Public DNS for external lookups.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Faster access to package repositories and OS updates<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> <code>apt<\/code>, <code>yum<\/code>, language package managers suffer from DNS slowness.<\/li>\n<li><strong>Why it fits:<\/strong> Cached and well-connected resolvers speed up repeated lookups.<\/li>\n<li><strong>Example:<\/strong> A university lab\u2019s Linux clients update faster after switching DNS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Edge\/IoT gateways resolving cloud endpoints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> IoT gateways deployed across many networks face varying DNS reliability.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS provides a stable resolver target.<\/li>\n<li><strong>Example:<\/strong> Gateways resolve MQTT endpoints consistently using Public DNS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Benchmarking and DNS SLO monitoring<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> No baseline to measure DNS resolution performance.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS can serve as a benchmark resolver.<\/li>\n<li><strong>Example:<\/strong> SRE team runs periodic <code>dig<\/code> checks against Public DNS and internal resolvers to detect regressions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Improve user experience for internal 
corporate devices (BYOD\/remote)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Remote employees see intermittent \u201csite not found\u201d issues.<\/li>\n<li><strong>Why it fits:<\/strong> Public DNS offers a reliable option without VPN dependency.<\/li>\n<li><strong>Example:<\/strong> IT recommends Public DNS configuration for troubleshooting and as a fallback resolver.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<p>Public DNS is a managed resolver, so features focus on resolution quality, availability, and client compatibility. Feature availability can vary by geography and product updates\u2014verify details in official Alibaba Cloud documentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Public recursive DNS resolution<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Resolves public DNS queries by performing recursion from root\/TLD to authoritative servers, then caches answers.<\/li>\n<li><strong>Why it matters:<\/strong> Most clients need recursion; authoritative servers alone won\u2019t answer arbitrary queries.<\/li>\n<li><strong>Practical benefit:<\/strong> Stable resolution for <code>A<\/code>, <code>AAAA<\/code>, <code>CNAME<\/code>, <code>MX<\/code>, <code>TXT<\/code>, etc.<\/li>\n<li><strong>Caveats:<\/strong> You cannot manage zone records via Public DNS (that\u2019s authoritative DNS).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Caching for performance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Stores DNS answers for their TTL duration.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces latency and upstream query volume.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster repeated lookups (common in microservices and CI).<\/li>\n<li><strong>Caveats:<\/strong> Cached answers remain until TTL expiry; rapid DNS changes may not be seen 
immediately.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) High availability resolver infrastructure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Operates a distributed resolver fleet.<\/li>\n<li><strong>Why it matters:<\/strong> DNS is a critical dependency; resolver downtime impacts everything.<\/li>\n<li><strong>Practical benefit:<\/strong> Better resilience than single-server resolvers.<\/li>\n<li><strong>Caveats:<\/strong> SLA and operational transparency vary\u2014verify in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) IPv4 resolver endpoints (and possibly IPv6)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides resolver access over IPv4, and may provide IPv6 endpoints.<\/li>\n<li><strong>Why it matters:<\/strong> Modern environments increasingly require IPv6 readiness.<\/li>\n<li><strong>Practical benefit:<\/strong> Works for IPv4-only and dual-stack networks.<\/li>\n<li><strong>Caveats:<\/strong> Confirm latest endpoint IPs in official docs before standardizing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Standards-based DNS protocol support<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports standard UDP\/TCP DNS resolution (port 53).<\/li>\n<li><strong>Why it matters:<\/strong> Maximum compatibility with OS resolvers and network devices.<\/li>\n<li><strong>Practical benefit:<\/strong> Works without special client software.<\/li>\n<li><strong>Caveats:<\/strong> Plain DNS is not encrypted; consider encrypted transports if available and required.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Security and anti-abuse protections (service-side)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Resolver operators typically implement DDoS mitigation, rate limiting, and response integrity checks.<\/li>\n<li><strong>Why it matters:<\/strong> Public resolvers are common attack 
targets.<\/li>\n<li><strong>Practical benefit:<\/strong> Better survivability under abusive traffic patterns.<\/li>\n<li><strong>Caveats:<\/strong> Exact protections and guarantees are not always publicly detailed\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Optional encrypted DNS transports (DoH\/DoT) (verify)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) encrypts DNS queries in transit.<\/li>\n<li><strong>Why it matters:<\/strong> Helps protect DNS privacy and integrity on untrusted networks.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces risk of on-path tampering and passive DNS snooping.<\/li>\n<li><strong>Caveats:<\/strong> Client support varies; endpoint hostnames and policies must be confirmed in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Compatibility with enterprise network patterns<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Can be used as upstream resolver for forwarders or DNS proxy appliances.<\/li>\n<li><strong>Why it matters:<\/strong> Enterprises often centralize DNS but still need reliable upstream recursion.<\/li>\n<li><strong>Practical benefit:<\/strong> Use internal resolvers for policy\/logging, forward to Public DNS for recursion.<\/li>\n<li><strong>Caveats:<\/strong> Ensure you don\u2019t create forwarding loops; test carefully.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Public DNS sits between your clients and the global DNS hierarchy:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A client (ECS instance, laptop, container node) sends a DNS query to the configured resolver IP.<\/li>\n<li>Public DNS checks its cache:<ul>\n<li>If cached and valid \u2192 responds immediately.<\/li>\n<li>If not cached \u2192 performs recursion:<ul>\n<li>queries root servers<\/li>\n<li>queries TLD servers<\/li>\n<li>queries authoritative servers for the domain<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Public DNS returns the final answer to the client and caches it for the TTL.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data plane (DNS queries):<\/strong> client \u2192 resolver endpoint \u2192 recursion\/caching \u2192 client response<\/li>\n<li><strong>Control plane:<\/strong> typically minimal\/no customer control plane; configuration is mostly on the client side (OS\/router\/DHCP).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Public DNS is commonly used alongside:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Alibaba Cloud ECS<\/strong> (clients running on ECS)<\/li>\n<li><strong>Alibaba Cloud VPC DNS \/ internal DNS<\/strong> (for private name resolution inside VPC)<\/li>\n<li><strong>Alibaba Cloud DNS (authoritative)<\/strong> (when you host zones on Alibaba Cloud DNS, clients can still <em>resolve<\/em> them via Public DNS, like any resolver)<\/li>\n<li><strong>Security tooling<\/strong> (firewalls restricting DNS egress; DNS monitoring with synthetic checks)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Global DNS hierarchy (root\/TLD\/authoritative name servers)<\/li>\n<li>Alibaba Cloud backbone and resolver infrastructure<\/li>\n<li>Client OS stub 
resolvers<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS is generally <strong>open to the public<\/strong> (like other public resolvers).<\/li>\n<li>There is usually <strong>no IAM-based authentication<\/strong> for basic usage.<\/li>\n<li>Security controls are therefore mostly:<ul>\n<li>network-based (who can query from where)<\/li>\n<li>abuse prevention on the resolver side<\/li>\n<li>your own egress control and monitoring<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clients query Public DNS over:<ul>\n<li>UDP\/53 (most common)<\/li>\n<li>TCP\/53 (fallback for large or truncated responses; zone transfers are not relevant here)<\/li>\n<li>Possibly DoT\/853 and DoH\/443 (verify availability)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<p>Because Public DNS is managed and public:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You typically <strong>cannot access resolver query logs<\/strong> like you could on a self-hosted resolver.<\/li>\n<li>Governance and observability are implemented via:<ul>\n<li>client-side metrics (latency, failure rate)<\/li>\n<li>synthetic probes (<code>dig<\/code>\/<code>kdig<\/code> from multiple locations)<\/li>\n<li>network flow logs (if you control the network path)<\/li>\n<li>egress firewall rules restricting DNS to approved resolvers<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Simple architecture (Mermaid)<\/h4>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  C[Client: ECS \/ Laptop \/ On-prem Server] --&gt;|DNS Query UDP\/TCP 53| PDNS[Alibaba Cloud Public DNS]\n  PDNS --&gt;|Recursive queries| ROOT[Root Servers]\n  PDNS --&gt; TLD[TLD Servers]\n  PDNS --&gt; AUTH[Authoritative DNS for domain]\n  PDNS --&gt;|Answer + TTL| C\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Production-style architecture (Mermaid)<\/h4>\n\n\n\n<pre><code 
class=\"language-mermaid\">flowchart TB\n  subgraph ClientNetwork[\"Enterprise \/ Cloud Client Networks\"]\n    ECS[ECS Instances]\n    K8S[Kubernetes Nodes]\n    ONP[On-prem Servers]\n    LAP[Remote Laptops]\n  end\n\n  subgraph Controls[\"Controls &amp; Observability (Your Side)\"]\n    FW[Firewall \/ Egress Policy\\nAllow DNS only to approved resolvers]\n    SYN[Synthetic DNS Probes\\n(dig\/kdig scheduled)]\n    MON[Monitoring &amp; Alerts\\nLatency, SERVFAIL rate]\n  end\n\n  subgraph Alibaba[\"Alibaba Cloud (Managed)\"]\n    PDNS[Public DNS Resolver Endpoints]\n    CACHE[Resolver Cache &amp; Recursion Fleet]\n  end\n\n  subgraph InternetDNS[\"Public DNS Ecosystem\"]\n    ROOT[Root]\n    TLD[TLD]\n    AUTH[Authoritative Name Servers]\n  end\n\n  ECS --&gt; FW --&gt; PDNS\n  K8S --&gt; FW --&gt; PDNS\n  ONP --&gt; FW --&gt; PDNS\n  LAP --&gt; PDNS\n\n  PDNS --&gt; CACHE --&gt; ROOT\n  CACHE --&gt; TLD\n  CACHE --&gt; AUTH\n\n  SYN --&gt; PDNS\n  PDNS --&gt; MON\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<p>Public DNS can be used without an Alibaba Cloud account (because it\u2019s public). 
However, this tutorial includes an optional lab on an Alibaba Cloud ECS instance for a controlled environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Account\/subscription requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>For basic usage:<\/strong> none (public service)<\/li>\n<li><strong>For the hands-on ECS lab:<\/strong> an <strong>Alibaba Cloud account<\/strong> with billing enabled<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>To create and manage ECS resources: a RAM user\/role with permissions such as:<ul>\n<li><code>ecs:*<\/code> for the lab (broad)<\/li>\n<\/ul>\n<\/li>\n<li>Prefer least privilege in real environments: grant only the actions the lab needs (create instance, VPC, security group; delete resources).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS usage is typically free.<\/li>\n<li>The lab may incur costs for:<ul>\n<li>ECS instance runtime<\/li>\n<li>EIP (if used)<\/li>\n<li>storage and outbound bandwidth<\/li>\n<\/ul>\n<\/li>\n<li>If you use an existing ECS instance, no extra provisioning cost is needed beyond your current resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">CLI\/SDK\/tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For validation:<ul>\n<li><code>dig<\/code> (bind-utils \/ dnsutils)<\/li>\n<li><code>nslookup<\/code> (often preinstalled)<\/li>\n<li><code>resolvectl<\/code> (if using systemd-resolved)<\/li>\n<\/ul>\n<\/li>\n<li>Optional:<ul>\n<li><code>tcpdump<\/code> for troubleshooting<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS endpoints are global; connectivity depends on your network.<\/li>\n<li>ECS lab can be performed in any region where you can create ECS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS may apply <strong>rate 
limiting<\/strong> to prevent abuse (verify exact limits in official docs).<\/li>\n<li>ECS quotas apply for instance creation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (for the lab)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud ECS<\/li>\n<li>VPC + Security Group (standard ECS setup)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (accurate description)<\/h3>\n\n\n\n<p>Alibaba Cloud Public DNS is typically offered as a <strong>free public recursive DNS resolver<\/strong>. There is usually no per-query bill from Alibaba Cloud for standard usage of a public resolver.<\/p>\n\n\n\n<p>However, pricing and service terms can change; in some clouds, advanced resolver features or enterprise offerings may be paid. <strong>Verify current pricing and terms in the official Alibaba Cloud Public DNS product page and documentation.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what could matter)<\/h3>\n\n\n\n<p>For Public DNS itself, typically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No charge per DNS query<\/li>\n<li>No subscription fee<\/li>\n<\/ul>\n\n\n\n<p>For your overall solution, costs often come from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compute<\/strong>: ECS instances if you run forwarders, DNS proxies, or monitoring<\/li>\n<li><strong>Network egress<\/strong>: traffic to the internet for recursion from your network (usually small per query, but can add up at scale)<\/li>\n<li><strong>Operational tooling<\/strong>: monitoring systems, logging, SIEM ingestion<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS itself is commonly free.<\/li>\n<li>Your lab environment may not be free unless you use free-tier ECS (if available in your account\/region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers (direct and indirect)<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>DNS query volume from large fleets (not billed by Public DNS in most cases, but impacts your network and monitoring)<\/li>\n<li>High-frequency retry storms during outages (can amplify query volume)<\/li>\n<li>Synthetic probing from many locations (tiny but can add noise)<\/li>\n<li>If you deploy internal DNS forwarders for policy\/logging, the forwarders\u2019 compute and operations cost can dominate<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Misconfiguration causing retry storms:<\/strong> can create a burst of DNS traffic and cascading failures.<\/li>\n<li><strong>Poor caching \/ low TTL settings:<\/strong> forces more frequent lookups, increasing latency and upstream dependency.<\/li>\n<li><strong>Overly strict firewalling:<\/strong> blocks TCP\/53 fallback, causing resolution issues for large DNS responses.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS packets are small, but high QPS environments (large Kubernetes clusters, service meshes, CI fleets) can generate meaningful DNS traffic.<\/li>\n<li>If you rely on encrypted DNS (DoH\/DoT), overhead per query can increase due to TLS and HTTP framing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer OS and application caching where appropriate.<\/li>\n<li>Run a small set of <strong>internal caching forwarders<\/strong> (optional) to reduce repeated external recursion and to centralize policies\u2014only if you truly need that control.<\/li>\n<li>Set sensible timeouts and retries in your stub resolvers to prevent query storms.<\/li>\n<li>Monitor DNS failure rates and latencies to catch regressions early.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Public DNS:<\/strong> typically $0<\/li>\n<li><strong>Lab ECS instance:<\/strong> cost depends on region, instance type, and runtime duration. Use the smallest practical instance, run the lab quickly, and stop\/delete resources immediately after.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS: typically $0<\/li>\n<li>You may still budget for:<\/li>\n<li>2\u20133 small ECS instances as DNS forwarders (if you need internal policy\/logging)<\/li>\n<li>Monitoring and alerting (Prometheus\/Grafana or managed monitoring)<\/li>\n<li>Network\/security operations<\/li>\n<\/ul>\n\n\n\n<p><strong>Official references to check<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud pricing landing page: https:\/\/www.alibabacloud.com\/pricing<\/li>\n<li>Alibaba Cloud pricing calculator (if applicable in your locale): https:\/\/www.alibabacloud.com\/pricing\/calculator<\/li>\n<li>Public DNS product and documentation pages: verify current URLs in Alibaba Cloud Help Center (search for \u201cPublic DNS\u201d).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab shows how to use <strong>Alibaba Cloud Public DNS<\/strong> on an ECS Linux instance, validate DNS resolution, measure latency, and safely roll back.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Configure an Alibaba Cloud ECS instance to use Alibaba Cloud Public DNS resolvers for outbound DNS queries, then validate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>name resolution works<\/li>\n<li>which resolver is being used<\/li>\n<li>latency and reliability compared to the previous configuration<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create (or reuse) a small ECS Linux instance.<\/li>\n<li>Install DNS tools (<code>dig<\/code>).<\/li>\n<li>Record the current DNS configuration and baseline query performance.<\/li>\n<li>Configure the instance to use Alibaba Cloud Public DNS.<\/li>\n<li>Validate functionality and compare performance.<\/li>\n<li>Troubleshoot common issues.<\/li>\n<li>Clean up or roll back configuration.<\/li>\n<\/ol>\n\n\n\n<blockquote>\n<p>Resolver endpoints note: Alibaba Cloud Public DNS is widely referenced with IPv4 resolver IPs <strong>223.5.5.5<\/strong> and <strong>223.6.6.6<\/strong>. Confirm the current recommended resolver IPs (and IPv6 endpoints) in official Alibaba Cloud documentation before rolling to production.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Prepare an ECS instance<\/h3>\n\n\n\n<p><strong>Option A: Use an existing ECS instance<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure you have shell access (SSH) and permission to edit DNS settings.<\/li>\n<\/ul>\n\n\n\n<p><strong>Option B: Create a new ECS instance (quick lab)<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud console, go to <strong>ECS<\/strong>.<\/li>\n<li>Create an instance:<ul>\n<li>Image: Alibaba Cloud Linux 3 \/ CentOS \/ Ubuntu (any mainstream distro is fine)<\/li>\n<li>Instance type: small\/low-cost<\/li>\n<li>Network: VPC with security group allowing SSH (22) from your IP<\/li>\n<\/ul>\n<\/li>\n<li>Allocate a public IP\/EIP if you need internet SSH access, or use a bastion host.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome:<\/strong> You can SSH into the server.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Install DNS utilities (<code>dig<\/code>) and capture baseline<\/h3>\n\n\n\n<p>SSH into the instance and run:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">For Ubuntu\/Debian<\/h4>\n\n\n\n<pre><code class=\"language-bash\">sudo apt-get update\nsudo apt-get install -y dnsutils\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">For CentOS\/RHEL\/Alibaba Cloud Linux<\/h4>\n\n\n\n<pre><code class=\"language-bash\">sudo yum install -y bind-utils\n<\/code><\/pre>\n\n\n\n<p>Now capture your current resolver configuration:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat \/etc\/resolv.conf\n<\/code><\/pre>\n\n\n\n<p>Run a few baseline DNS queries:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig www.alibabacloud.com +stats\ndig www.google.com +stats\ndig www.cloudflare.com +stats\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>dig<\/code> returns an <code>ANSWER SECTION<\/code>.<\/li>\n<li>The <code>Query time:<\/code> line shows baseline latency.<\/li>\n<li>You have a record of what DNS servers were previously configured.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Tip: If your system uses <code>systemd-resolved<\/code>, <code>\/etc\/resolv.conf<\/code> may point to <code>127.0.0.53<\/code>.
That is normal; you\u2019ll change systemd-resolved settings instead of editing <code>resolv.conf<\/code> directly.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Determine how DNS is managed on the instance<\/h3>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ps -p 1 -o comm=\n<\/code><\/pre>\n\n\n\n<p>If it returns <code>systemd<\/code>, check if systemd-resolved is active:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl status systemd-resolved --no-pager\n<\/code><\/pre>\n\n\n\n<p>Also check:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ls -l \/etc\/resolv.conf\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If <code>\/etc\/resolv.conf<\/code> is a symlink to the systemd-resolved stub, use <strong>Step 4A<\/strong>.<\/li>\n<li>If it\u2019s a regular file managed by NetworkManager or static config, use <strong>Step 4B<\/strong>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> You know whether to configure DNS via systemd-resolved or by editing configuration files.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4A: Configure Alibaba Cloud Public DNS with systemd-resolved (recommended where available)<\/h3>\n\n\n\n<p>Back up and then edit the systemd-resolved config (the backup is what the Cleanup section restores):<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo cp \/etc\/systemd\/resolved.conf \/etc\/systemd\/resolved.conf.bak.$(date +%F)\nsudo nano \/etc\/systemd\/resolved.conf\n<\/code><\/pre>\n\n\n\n<p>Set (or add) <code>DNS=<\/code> to the Alibaba Cloud Public DNS IPs:<\/p>\n\n\n\n<pre><code class=\"language-ini\">[Resolve]\nDNS=223.5.5.5 223.6.6.6\nFallbackDNS=\n<\/code><\/pre>\n\n\n\n<p>Restart the resolver:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl restart systemd-resolved\n<\/code><\/pre>\n\n\n\n<p>Check effective configuration:<\/p>\n\n\n\n<pre><code class=\"language-bash\">resolvectl status\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>resolvectl status<\/code> shows the DNS servers as <code>223.5.5.5<\/code> and <code>223.6.6.6<\/code> for the relevant link or globally.<\/li>\n<li>DNS queries succeed.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4B: Configure Alibaba Cloud Public DNS via NetworkManager or static resolv.conf<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">If NetworkManager is installed<\/h4>\n\n\n\n<p>Check:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl status NetworkManager --no-pager\nnmcli dev show | grep -i dns\n<\/code><\/pre>\n\n\n\n<p>Set DNS for your active connection (example; adjust connection name):<\/p>\n\n\n\n<pre><code class=\"language-bash\">nmcli con show\nsudo nmcli con mod \"&lt;YOUR_CONNECTION_NAME&gt;\" ipv4.dns \"223.5.5.5 223.6.6.6\"\nsudo nmcli con mod \"&lt;YOUR_CONNECTION_NAME&gt;\" ipv4.ignore-auto-dns yes\nsudo nmcli con up \"&lt;YOUR_CONNECTION_NAME&gt;\"\n<\/code><\/pre>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">nmcli dev show | grep -i dns\ncat \/etc\/resolv.conf\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">If using a static <code>\/etc\/resolv.conf<\/code> (not recommended long-term)<\/h4>\n\n\n\n<p>Edit the file:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo cp \/etc\/resolv.conf \/etc\/resolv.conf.bak.$(date +%F)\nsudo nano \/etc\/resolv.conf\n<\/code><\/pre>\n\n\n\n<p>Set:<\/p>\n\n\n\n<pre><code class=\"language-conf\">nameserver 223.5.5.5\nnameserver 223.6.6.6\noptions timeout:2 attempts:2\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>\/etc\/resolv.conf<\/code> shows the Public DNS nameservers.<\/li>\n<li>DNS queries succeed.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Caveat: Many distros overwrite <code>\/etc\/resolv.conf<\/code> on reboot or interface restart.
Prefer systemd-resolved or NetworkManager configuration.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Validate resolution and measure improvement<\/h3>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig www.alibabacloud.com +stats\ndig www.alibabacloud.com @223.5.5.5 +stats\ndig www.alibabacloud.com @223.6.6.6 +stats\n<\/code><\/pre>\n\n\n\n<p>Check that the resolver being used matches your configuration:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If using systemd-resolved, <code>resolvectl status<\/code> should show it; <code>dig<\/code> itself reports <code>SERVER: 127.0.0.53<\/code> (the local stub), which is expected.<\/li>\n<li>If using direct resolv.conf, the default <code>dig<\/code> should use those nameservers, and its <code>SERVER:<\/code> line should show <code>223.5.5.5<\/code> or <code>223.6.6.6<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>Test multiple record types:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig alibabacloud.com MX +short\ndig alibabacloud.com TXT +short\ndig www.alibabacloud.com AAAA +short\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Successful answers for the queried record types, including A\/AAAA (where available).<\/li>\n<li>Query times that are stable and often improved compared to baseline (exact results depend on location\/network).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Verify reliability (basic SERVFAIL\/NXDOMAIN behavior)<\/h3>\n\n\n\n<p>Run a known-nonexistent name query:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig nonexistent-subdomain-verify-12345.alibabacloud.com +stats\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You receive <code>NXDOMAIN<\/code> (expected for a non-existent name), not timeouts.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Resolver configured<\/strong><\/p>\n<ul>\n<li>systemd-resolved: <code>resolvectl status<\/code> shows <code>223.5.5.5 223.6.6.6<\/code><\/li>\n<li>or <code>\/etc\/resolv.conf<\/code> shows those servers<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>DNS works<\/strong><\/p>\n<ul>\n<li><code>dig www.alibabacloud.com<\/code> returns <code>NOERROR<\/code> and an answer<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>Latency measured<\/strong><\/p>\n<ul>\n<li><code>Query time:<\/code> is captured for baseline and after change<\/li>\n<\/ul>\n<\/li>\n<li>\n<p><strong>No unexpected breakage<\/strong><\/p>\n<ul>\n<li>Applications that depend on DNS (package managers, curl) function normally<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Optional validation (network path). A plain <code>nc<\/code> probe proves little for UDP because UDP is connectionless, so force each transport with <code>dig<\/code> instead:<\/p>\n\n\n\n<pre><code class=\"language-bash\">nc -vz 223.5.5.5 53                                 # TCP\/53 reachability only\ndig @223.5.5.5 www.alibabacloud.com +notcp +short   # force UDP\/53\ndig @223.5.5.5 www.alibabacloud.com +tcp +short     # force TCP\/53\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: <code>dig<\/code> times out (<code>no servers could be reached<\/code>)<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Check outbound rules:<\/strong> security group\/NACL\/firewall may block UDP\/53 or TCP\/53.<\/li>\n<li><strong>Fix:<\/strong> allow egress to resolver IPs on UDP\/53 and TCP\/53.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: <code>\/etc\/resolv.conf<\/code> keeps reverting<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> NetworkManager, cloud-init, or systemd-resolved overwrites it.<\/li>\n<li><strong>Fix:<\/strong> configure DNS in the correct manager:<\/li>\n<li>systemd-resolved: <code>\/etc\/systemd\/resolved.conf<\/code><\/li>\n<li>NetworkManager: <code>nmcli con mod ...
ipv4.dns ...<\/code><\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Internal\/private hostnames stop resolving<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> You replaced VPC\/internal DNS resolver with a public resolver; private zones won\u2019t resolve publicly.<\/li>\n<li><strong>Fix options:<\/strong><\/li>\n<li>Keep VPC DNS for internal zones and forward public queries appropriately (common pattern: local resolver\/forwarder).<\/li>\n<li>Use split DNS configuration (advanced) or a local forwarder (Unbound\/dnsmasq) that forwards private zones to internal resolvers and everything else to Public DNS.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Issue: Some domains resolve differently than expected<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Cause:<\/strong> DNS is influenced by geo\/anycast routing, CDN policies, and EDNS behavior.<\/li>\n<li><strong>Fix:<\/strong> compare results against multiple resolvers, verify authoritative records, and confirm expected CDN behavior.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>If this was a temporary test, roll back:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">For systemd-resolved<\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Restore previous <code>\/etc\/systemd\/resolved.conf<\/code> (if you backed it up).<\/li>\n<li>Restart:<\/li>\n<\/ol>\n\n\n\n<pre><code class=\"language-bash\">sudo systemctl restart systemd-resolved\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">For NetworkManager<\/h4>\n\n\n\n<p>Re-enable DHCP-provided DNS:<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo nmcli con mod \"&lt;YOUR_CONNECTION_NAME&gt;\" ipv4.ignore-auto-dns no\nsudo nmcli con up \"&lt;YOUR_CONNECTION_NAME&gt;\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">If you edited <code>\/etc\/resolv.conf<\/code> directly<\/h4>\n\n\n\n<p>Restore the backup:<\/p>\n\n\n\n<pre><code 
class=\"language-bash\">sudo cp \/etc\/resolv.conf.bak.* \/etc\/resolv.conf\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">If you created a new ECS instance<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stop and <strong>release<\/strong> the instance<\/li>\n<li>Release EIP (if allocated)<\/li>\n<li>Delete unused disks\/snapshots created for the lab<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong> No ongoing compute charges for the lab environment.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use the right DNS service for the job:<\/strong><\/li>\n<li>Public recursion \u2192 <strong>Public DNS<\/strong><\/li>\n<li>Authoritative zones \u2192 <strong>Alibaba Cloud DNS<\/strong><\/li>\n<li>Private zones\/service discovery \u2192 <strong>Private DNS\/PrivateZone<\/strong> (if applicable) or VPC DNS features<\/li>\n<li><strong>Consider local caching forwarders<\/strong> for large fleets:<\/li>\n<li>reduces external dependency<\/li>\n<li>centralizes timeout\/retry behavior<\/li>\n<li>enables conditional forwarding (private vs public)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS itself usually doesn\u2019t use IAM, but your <em>infrastructure changes<\/em> do:<\/li>\n<li>restrict who can change OS images, DHCP options, or instance network configs<\/li>\n<li>use change control for DNS settings (IaC + approvals)<\/li>\n<li>Maintain least privilege for ECS and network changes using Alibaba Cloud RAM.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS is typically free, but:<\/li>\n<li>avoid unnecessary query volume (DNS storms)<\/li>\n<li>ensure application-level caching where safe<\/li>\n<li>keep TTLs 
reasonable on your authoritative records (when you control them)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Configure <strong>two resolvers<\/strong> for redundancy.<\/li>\n<li>Ensure both <strong>UDP\/53 and TCP\/53<\/strong> are allowed (TCP matters for large responses and reliability).<\/li>\n<li>Tune resolver timeouts to avoid long stalls:<\/li>\n<li>Example: <code>options timeout:2 attempts:2<\/code> (adjust to your SLOs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>health checks<\/strong> (synthetic probes) from representative networks.<\/li>\n<li>Track DNS error rates: SERVFAIL, timeouts, NXDOMAIN (unexpected), and latency percentiles.<\/li>\n<li>Plan a rollback path (golden AMI images, baseline config backups).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage DNS configuration via:<\/li>\n<li>configuration management (Ansible\/Salt)<\/li>\n<li>cloud-init where appropriate (with care)<\/li>\n<li>immutable images and instance profiles<\/li>\n<li>Document resolver endpoints and fallback plan.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you deploy forwarder instances, standardize:<\/li>\n<li>naming: <code>dns-forwarder-prod-a<\/code>, <code>dns-forwarder-prod-b<\/code><\/li>\n<li>tags: <code>service=dns<\/code>, <code>env=prod<\/code>, <code>owner=platform<\/code>, <code>cost-center=...<\/code><\/li>\n<li>Track resolver configuration changes in Git.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS is generally <strong>open<\/strong>; you don\u2019t authenticate to query it.<\/li>\n<li>Security therefore shifts to:<\/li>\n<li>controlling <strong>which resolvers your clients can query<\/strong><\/li>\n<li>monitoring for suspicious DNS patterns<\/li>\n<li>protecting your own authoritative DNS accounts\/registrar from takeover<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Plain DNS (UDP\/TCP 53) is <strong>not encrypted<\/strong>.<\/li>\n<li>If Alibaba Cloud Public DNS supports DoH\/DoT, you can encrypt DNS in transit (verify endpoints, certificates, and client support in official docs).<\/li>\n<li>If you cannot use encrypted DNS, mitigate by:<\/li>\n<li>restricting DNS egress to trusted resolvers<\/li>\n<li>using VPN or trusted networks for sensitive environments<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Allowing arbitrary DNS to the internet can enable data exfiltration via DNS tunneling.<\/li>\n<li>Recommended:<\/li>\n<li>egress firewall policies: allow DNS only to approved resolvers (Public DNS IPs or your forwarders)<\/li>\n<li>monitor for unusual query patterns (high entropy subdomains, high QPS)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t store secrets in DNS TXT records unless you understand visibility and caching implications.<\/li>\n<li>Assume public DNS queries can be observed by resolver operators and potentially on-path devices if not encrypted.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public DNS usually does not provide per-customer query logs.<\/li>\n<li>If you need audit trails:<\/li>\n<li>run internal 
forwarders and log queries locally<\/li>\n<li>use network flow logs to see DNS traffic to resolver IPs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS queries can contain sensitive metadata (internal hostnames, service endpoints).<\/li>\n<li>Consider:<\/li>\n<li>whether sending DNS traffic to a public resolver meets your regulatory and data residency requirements<\/li>\n<li>using private resolvers for internal namespaces and limiting what is sent publicly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Replacing internal DNS with Public DNS and leaking internal hostnames (or breaking internal resolution).<\/li>\n<li>Leaving unrestricted DNS egress, enabling DNS tunneling.<\/li>\n<li>Assuming public resolvers provide content filtering or malware blocking by default.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use split DNS: internal zones resolved internally; public zones resolved via Public DNS.<\/li>\n<li>Restrict DNS egress to approved resolvers.<\/li>\n<li>Monitor DNS latency and failure rate\u2014security incidents often show up as DNS anomalies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. 
Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Not authoritative DNS:<\/strong> you cannot host or manage zone records in Public DNS.<\/li>\n<li><strong>Limited configurability:<\/strong> no per-customer conditional forwarding, policy controls, or query logs in typical public resolver offerings.<\/li>\n<li><strong>Private names won\u2019t resolve:<\/strong> internal VPC\/private zones require internal resolvers or Private DNS\/PrivateZone.<\/li>\n<li><strong>Caching can delay changes:<\/strong> TTL-based caching means record changes may not propagate instantly.<\/li>\n<li><strong>Rate limiting\/abuse controls:<\/strong> public resolvers may throttle high-volume or suspicious traffic (verify exact behavior).<\/li>\n<li><strong>Plain DNS visibility:<\/strong> unless encrypted DNS is used, queries can be observed or modified on-path in hostile networks.<\/li>\n<li><strong>TCP\/53 sometimes blocked:<\/strong> some networks block TCP\/53, causing failures for large responses (DNSSEC, large TXT records).<\/li>\n<li><strong>Geo\/CDN differences:<\/strong> different resolvers can produce different CDN endpoints due to geo routing and EDNS behavior.<\/li>\n<li><strong>Endpoint changes:<\/strong> public resolver IPs or recommended endpoints can change over time\u2014confirm via official docs before hard-coding into enterprise baselines.<\/li>\n<li><strong>No guaranteed internal SLA disclosure:<\/strong> public services may not offer the same support\/SLA as paid enterprise offerings\u2014verify.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Public DNS is one option in the DNS stack. 
Here\u2019s how it compares to adjacent options.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Public DNS<\/strong><\/td>\n<td>Fast, simple public recursion<\/td>\n<td>Easy to adopt; typically free; good baseline resolver<\/td>\n<td>Limited enterprise controls and logging; not authoritative<\/td>\n<td>You need reliable public DNS resolution for clients<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud DNS (authoritative)<\/strong><\/td>\n<td>Hosting DNS zones\/records<\/td>\n<td>Manage records, routing policies (depending on edition), integration with Alibaba Cloud<\/td>\n<td>Not a recursive resolver for clients<\/td>\n<td>You own a domain and need authoritative DNS hosting<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Private DNS \/ PrivateZone<\/strong> (verify exact product name in your console)<\/td>\n<td>Internal service discovery and private zones<\/td>\n<td>Private namespaces, split-horizon DNS<\/td>\n<td>Not for general public recursion alone<\/td>\n<td>You need internal DNS for VPC resources<\/td>\n<\/tr>\n<tr>\n<td><strong>HTTPDNS (Alibaba Cloud)<\/strong><\/td>\n<td>App-level DNS resolution patterns<\/td>\n<td>Can mitigate local DNS hijacking for apps; avoids some resolver path issues<\/td>\n<td>Requires app integration; not OS-level DNS<\/td>\n<td>Mobile\/embedded apps with DNS hijack concerns (verify features)<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloudflare Resolver (1.1.1.1)<\/strong><\/td>\n<td>Global public recursion<\/td>\n<td>Strong performance and privacy posture (varies by policy)<\/td>\n<td>Policy may differ; may be blocked in some networks<\/td>\n<td>You want a widely used public resolver alternative<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Public DNS (8.8.8.8)<\/strong><\/td>\n<td>Global public 
recursion<\/td>\n<td>Highly available; widely reachable<\/td>\n<td>Policy\/telemetry considerations<\/td>\n<td>You need a ubiquitous fallback resolver<\/td>\n<\/tr>\n<tr>\n<td><strong>Quad9 (9.9.9.9)<\/strong><\/td>\n<td>Security-focused public recursion<\/td>\n<td>Malware-blocking options<\/td>\n<td>Can block domains; not suitable for all orgs<\/td>\n<td>You want resolver-level threat blocking<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed Unbound\/BIND<\/strong><\/td>\n<td>Full control, logging, conditional forwarding<\/td>\n<td>Custom policies, logs, internal zones, strict governance<\/td>\n<td>Operational burden, patching, scaling<\/td>\n<td>You need enterprise control and auditability<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Hybrid retail platform with branch offices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Hundreds of branch offices have inconsistent ISP DNS performance, causing intermittent failures for cloud-based POS and inventory APIs.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>Branch routers\/DHCP provide DNS servers pointing to:<ul>\n<li>primary: internal forwarder (if deployed in HQ\/VPN) or directly to Public DNS<\/li>\n<li>secondary: Public DNS as fallback<\/li>\n<\/ul>\n<\/li>\n<li>Central monitoring runs synthetic DNS checks from representative branches.<\/li>\n<li>Egress firewall policies restrict DNS to approved resolvers.<\/li>\n<li><strong>Why Public DNS was chosen:<\/strong><\/li>\n<li>Easy rollout across diverse networks<\/li>\n<li>Improved resolution reliability without deploying DNS servers at every branch<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Reduced DNS-related incidents<\/li>\n<li>Improved API call reliability and faster application startup<\/li>\n<li>Clear operational baseline for 
troubleshooting<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS on Alibaba Cloud ECS and managed databases<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> CI pipelines and ECS instances intermittently fail resolving package registries and third-party APIs.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>Standardize ECS images to use Alibaba Cloud Public DNS for external lookups.<\/li>\n<li>Keep VPC\/internal DNS for private hostnames (if needed).<\/li>\n<li>Add lightweight synthetic checks in the monitoring stack.<\/li>\n<li><strong>Why Public DNS was chosen:<\/strong><\/li>\n<li>Near-zero cost<\/li>\n<li>Minimal configuration effort<\/li>\n<li>Reduced operational overhead versus running Unbound\/BIND<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>More stable CI runs<\/li>\n<li>Faster dependency downloads<\/li>\n<li>Fewer \u201cDNS flake\u201d incidents<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Alibaba Cloud Public DNS the same as Alibaba Cloud DNS (authoritative)?<\/strong><br\/>\nNo. Public DNS is a <strong>recursive resolver<\/strong> you point clients to. Alibaba Cloud DNS is <strong>authoritative DNS hosting<\/strong> where you manage zone records for your domains.<\/p>\n\n\n\n<p>2) <strong>Do I need an Alibaba Cloud account to use Public DNS?<\/strong><br\/>\nTypically no\u2014public resolvers can be used by anyone. For Alibaba Cloud ECS lab work, you need an account to create instances.<\/p>\n\n\n\n<p>3) <strong>What are the Alibaba Cloud Public DNS resolver IPs?<\/strong><br\/>\nCommonly referenced IPv4 resolver IPs are <strong>223.5.5.5<\/strong> and <strong>223.6.6.6<\/strong>. 
Confirm the latest recommended endpoints in official Alibaba Cloud documentation before production rollout.<\/p>\n\n\n\n<p>4) <strong>Is Public DNS free?<\/strong><br\/>\nPublic DNS is generally offered as a free public resolver. Verify current terms on the official product page.<\/p>\n\n\n\n<p>5) <strong>Can Public DNS resolve my private VPC hostnames?<\/strong><br\/>\nNo. Private zones require VPC\/internal DNS or Private DNS\/PrivateZone. Public resolvers do not have access to your private namespace.<\/p>\n\n\n\n<p>6) <strong>Should I replace my VPC DNS with Public DNS on ECS?<\/strong><br\/>\nNot blindly. If you need internal resolution (private zones, internal endpoints), keep internal resolvers for those zones. Consider a split DNS approach or an internal forwarder.<\/p>\n\n\n\n<p>7) <strong>Does Public DNS support DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT)?<\/strong><br\/>\nIt may, depending on Alibaba Cloud\u2019s current offering. Verify official documentation for supported encrypted DNS endpoints and recommended client configuration.<\/p>\n\n\n\n<p>8) <strong>How do I measure whether Public DNS is faster?<\/strong><br\/>\nUse <code>dig +stats<\/code> and compare <code>Query time<\/code> across multiple runs and multiple domains, from the same host and network.<\/p>\n\n\n\n<p>9) <strong>Why do different DNS resolvers return different IPs for the same domain?<\/strong><br\/>\nCDNs and geo load balancers may respond differently based on resolver location and EDNS behavior. Different resolvers can legitimately yield different \u201cbest\u201d endpoints.<\/p>\n\n\n\n<p>10) <strong>Can I get DNS query logs from Public DNS?<\/strong><br\/>\nTypically no. If you need logs for audit\/troubleshooting, run internal forwarders and log queries there.<\/p>\n\n\n\n<p>11) <strong>What\u2019s the best practice for redundancy?<\/strong><br\/>\nConfigure at least <strong>two resolver endpoints<\/strong>. 
Ensure your OS resolver failover behavior is tested (timeouts, attempts, ordering). On glibc-based Linux, <code>options timeout:2 attempts:2 rotate<\/code> in <code>\/etc\/resolv.conf<\/code> bounds how long a dead first resolver stalls each lookup (the default timeout is 5 seconds per attempt), and only the first three <code>nameserver<\/code> entries are used; systemd-resolved and NetworkManager have their own equivalents.<\/p>\n\n\n\n<p>12) <strong>What ports must be allowed?<\/strong><br\/>\nAt minimum: <strong>UDP\/53<\/strong> to the resolver IPs. Also allow <strong>TCP\/53<\/strong>: answers larger than the client\u2019s EDNS buffer (512 bytes without EDNS) come back truncated and the client retries over TCP, so blocking it causes hard-to-diagnose failures for large records. Encrypted transports need <strong>TCP\/853<\/strong> (DoT) or <strong>TCP\/443<\/strong> (DoH). On ECS, scope the security group egress rule to the chosen resolver IPs rather than allowing port 53 to any destination; unrestricted port 53 egress is a ready-made tunneling channel for malware.<\/p>\n\n\n\n<p>13) <strong>Can Public DNS help mitigate DNS hijacking?<\/strong><br\/>\nUsing a reputable resolver takes a poor or malicious ISP resolver out of the path, but plaintext UDP\/53 can still be rewritten by anyone on-path between the client and the resolver. DoT\/DoH encrypt that last hop and, when the client verifies the resolver\u2019s certificate, authenticate the resolver, which is the stronger control against on-path tampering; see FAQ 7 for what Public DNS offers and check whether encrypted DNS fits your compliance requirements. Neither transport proves the answer itself is genuine: that requires DNSSEC validation, on the resolver or locally.<\/p>\n\n\n\n<p>14) <strong>Is it safe to use a public resolver for enterprise workloads?<\/strong><br\/>\nOften yes for public domains, but consider compliance, privacy, data residency, and logging needs: every query reveals which hosts your systems talk to. Many enterprises use internal forwarders for governance (logging, blocklists, split DNS) and send recursion upstream to a trusted resolver.<\/p>\n\n\n\n<p>15) <strong>What if my network blocks access to Public DNS?<\/strong><br\/>\nSome corporate or ISP networks intercept or block port 53 to anything but their own resolvers. In that case, use the internal resolvers, DoH\/DoT if network policy allows them (bypassing a corporate DNS policy with DoH is a policy violation, not a fix), or a VPN-based DNS strategy.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Public DNS<\/h2>\n\n\n\n<p>Because Alibaba Cloud documentation URLs can vary by locale and may change, verify the exact current links in the Alibaba Cloud Help Center by searching for \u201cPublic DNS\u201d.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Alibaba Cloud Help Center (search \u201cPublic DNS\u201d) \u2013 https:\/\/www.alibabacloud.com\/help<\/td>\n<td>Entry point to current Public DNS docs, endpoints, and configuration guidance<\/td>\n<\/tr>\n<tr>\n<td>Official product page<\/td>\n<td>Alibaba Cloud product pages \u2013 https:\/\/www.alibabacloud.com<\/td>\n<td>Confirms positioning, availability, and links to docs (navigate to Networking and CDN \u2192 Public DNS)<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Alibaba Cloud Pricing \u2013 https:\/\/www.alibabacloud.com\/pricing<\/td>\n<td>Confirms pricing model and related cost considerations<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Alibaba Cloud Pricing Calculator \u2013 https:\/\/www.alibabacloud.com\/pricing\/calculator<\/td>\n<td>Helpful for estimating ECS costs if you deploy DNS forwarders\/monitors<\/td>\n<\/tr>\n<tr>\n<td>DNS concepts<\/td>\n<td>Alibaba Cloud Help Center: DNS\/Domain documentation \u2013 https:\/\/www.alibabacloud.com\/help<\/td>\n<td>Background on authoritative DNS vs resolvers (navigate within DNS-related docs)<\/td>\n<\/tr>\n<tr>\n<td>Troubleshooting basics<\/td>\n<td><code>dig<\/code> manual and DNS troubleshooting guides (community)<\/td>\n<td>Practical skills for measuring DNS latency, SERVFAIL, caching behavior<\/td>\n<\/tr>\n<tr>\n<td>Standards reference<\/td>\n<td>RFC 1034\/1035 (DNS), RFC 7858 (DoT), RFC 8484 (DoH)<\/td>\n<td>Protocol-level understanding of DNS and encrypted transports<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, cloud engineers<\/td>\n<td>Cloud fundamentals, networking, DevOps practices (verify course catalog)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>SCM, CI\/CD, DevOps tooling, basics of cloud\/networking (verify)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud operations, monitoring, reliability practices (verify)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs and operations engineers<\/td>\n<td>Reliability engineering, incident response, observability (verify)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE teams exploring AIOps<\/td>\n<td>AIOps concepts, automation, monitoring analytics (verify)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training and mentoring (verify offerings)<\/td>\n<td>Beginners to experienced engineers<\/td>\n<td>https:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps and cloud training (verify offerings)<\/td>\n<td>Teams and individuals<\/td>\n<td>https:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps enablement (verify offerings)<\/td>\n<td>Startups and small teams<\/td>\n<td>https:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify offerings)<\/td>\n<td>Operations teams<\/td>\n<td>https:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>DevOps, cloud, platform engineering (verify services)<\/td>\n<td>Cloud networking baselines, DNS strategy, migration planning<\/td>\n<td>Standardizing DNS across hybrid networks; implementing internal forwarders and monitoring<\/td>\n<td>https:\/\/www.cotocus.com<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training (verify services)<\/td>\n<td>Architecture reviews, DevOps transformation, operational readiness<\/td>\n<td>DNS reliability assessment; implementing IaC for network\/DNS configuration<\/td>\n<td>https:\/\/www.devopsschool.com<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify services)<\/td>\n<td>Operations maturity, CI\/CD, cloud adoption<\/td>\n<td>DNS troubleshooting playbooks; monitoring and incident response setup<\/td>\n<td>https:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS fundamentals: recursion vs authoritative DNS, TTL, record types<\/li>\n<li>Linux networking basics: <code>\/etc\/resolv.conf<\/code>, systemd-resolved, NetworkManager<\/li>\n<li>Basic cloud networking: VPC concepts, security groups, egress rules<\/li>\n<li>Troubleshooting tools: <code>dig<\/code>, <code>nslookup<\/code>, <code>tcpdump<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after this service<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authoritative DNS design (Alibaba Cloud DNS or equivalent)<\/li>\n<li>Private DNS and service discovery patterns in VPCs<\/li>\n<li>DNS security:\n<ul class=\"wp-block-list\">\n<li>DNSSEC concepts (signing vs validation)<\/li>\n<li>DoH\/DoT deployment tradeoffs<\/li>\n<li>DNS exfiltration detection<\/li>\n<\/ul>\n<\/li>\n<li>Observability:\n<ul class=\"wp-block-list\">\n<li>synthetic DNS probes<\/li>\n<li>error budget\/SLO design for DNS<\/li>\n<\/ul>\n<\/li>\n<li>Advanced: running Unbound\/dnsdist for enterprise DNS policy and logging<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Engineer \/ Cloud Operations Engineer<\/li>\n<li>SRE \/ Production Engineer<\/li>\n<li>Network Engineer \/ Cloud Network Engineer<\/li>\n<li>DevOps Engineer \/ Platform Engineer<\/li>\n<li>Security Engineer (network security, detection engineering)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud certifications often include networking components. 
Verify the latest Alibaba Cloud certification tracks and exam objectives on official Alibaba Cloud certification pages (naming and availability can change).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>DNS baseline project:<\/strong> write an Ansible role to configure resolvers on Linux hosts and validate with <code>dig<\/code>.<\/li>\n<li><strong>Synthetic DNS monitoring:<\/strong> schedule probes from multiple VMs and alert on latency\/SERVFAIL.<\/li>\n<li><strong>Split DNS lab:<\/strong> run Unbound as a forwarder that sends <code>corp.internal<\/code> to private DNS and everything else to Public DNS.<\/li>\n<li><strong>Incident drill:<\/strong> simulate DNS outage by blocking UDP\/53 and confirm rollback and failover behavior.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DNS (Domain Name System):<\/strong> System that maps names (e.g., <code>example.com<\/code>) to IP addresses.<\/li>\n<li><strong>Recursive resolver:<\/strong> DNS server that performs recursion on behalf of a client and caches answers.<\/li>\n<li><strong>Authoritative DNS:<\/strong> DNS servers that host the official records for a domain\/zone.<\/li>\n<li><strong>TTL (Time To Live):<\/strong> How long a DNS answer may be cached.<\/li>\n<li><strong>NXDOMAIN:<\/strong> Response code indicating the domain name does not exist.<\/li>\n<li><strong>SERVFAIL:<\/strong> Response code indicating a server failure (often upstream issues, DNSSEC validation failure, or timeouts).<\/li>\n<li><strong>Anycast:<\/strong> Network routing technique where the same IP is advertised from multiple locations; clients reach a \u201cnearest\u201d node.<\/li>\n<li><strong>DoH (DNS over HTTPS):<\/strong> DNS queries sent over HTTPS (TCP\/443), encrypted with TLS.<\/li>\n<li><strong>DoT (DNS over TLS):<\/strong> DNS 
queries sent over TLS (typically TCP\/853).<\/li>\n<li><strong>Stub resolver:<\/strong> The local resolver on a host (OS component) that forwards queries to configured recursive resolvers.<\/li>\n<li><strong>Forwarder:<\/strong> A DNS server that forwards queries to upstream resolvers rather than performing full recursion itself.<\/li>\n<li><strong>Split-horizon DNS:<\/strong> Different DNS answers depending on client location\/network (e.g., internal vs external).<\/li>\n<li><strong>DNS hijacking\/poisoning:<\/strong> Manipulation of DNS responses to redirect traffic to incorrect destinations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Public DNS<\/strong> is a managed <strong>public recursive DNS resolver<\/strong> in the <strong>Networking and CDN<\/strong> category. It helps clients resolve internet domain names reliably and often faster than default ISP resolvers, with minimal setup (configure resolver endpoints on your OS, DHCP, or forwarders).<\/p>\n\n\n\n<p>It matters because DNS is a dependency for nearly every workload: improving DNS reliability can reduce incidents, speed up outbound calls, stabilize CI\/CD pipelines, and simplify troubleshooting. Public DNS fits best as a <strong>standard resolver baseline<\/strong> for public domains, while <strong>authoritative DNS<\/strong> and <strong>private DNS<\/strong> should be handled by Alibaba Cloud DNS and Private DNS\/PrivateZone (as applicable).<\/p>\n\n\n\n<p>Cost is typically low to zero for Public DNS itself, but you should account for indirect costs like ECS instances if you deploy internal forwarders and the operational cost of monitoring and governance. 
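<\/p>

<p>A concrete shape for the internal forwarder that FAQ 6, FAQ 10 and FAQ 14 describe, and that the split DNS lab in the project ideas asks for, as an added example that is not taken from the Alibaba Cloud documentation or from this tutorial: an Unbound <code>unbound.conf<\/code> that sends <code>corp.internal<\/code> to a private resolver and everything else to Public DNS. The private zone name, the VPC CIDR <code>10.0.0.0\/8<\/code> and the private resolver address <code>10.0.0.2<\/code> are placeholders for this example; the public resolver IPs are the ones the FAQ lists.<\/p>

```conf
# unbound.conf for a split-DNS forwarder on ECS (added example; the VPC CIDR,
# zone name and private resolver address are placeholders, the Public DNS IPs
# are the ones the FAQ lists).
server:
    interface: 0.0.0.0
    port: 53
    # Only answer hosts in our VPC. Without access-control, a forwarder with a
    # public IP becomes an open resolver usable for reflection attacks.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow          # placeholder VPC CIDR
    access-control: 0.0.0.0/0 refuse
    # The private zone is not DNSSEC-signed: if validation is enabled,
    # domain-insecure keeps Unbound from SERVFAILing every corp.internal answer.
    domain-insecure: "corp.internal"
    # DNS rebinding protection: strip RFC 1918 addresses from answers, except
    # for the private zone, which legitimately contains them.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.internal"
    # Query logging is the reason to run a forwarder at all (FAQ 10).
    log-queries: yes
    log-replies: yes
    use-syslog: yes
    # Serve stale cache entries briefly if Public DNS becomes unreachable.
    serve-expired: yes
    serve-expired-ttl: 300

# Private namespace -> VPC / Private DNS resolver (placeholder address).
forward-zone:
    name: "corp.internal."
    forward-addr: 10.0.0.2

# Everything else -> Alibaba Cloud Public DNS.
forward-zone:
    name: "."
    forward-addr: 223.5.5.5
    forward-addr: 223.6.6.6
```

<p>Validate with <code>unbound-checkconf<\/code> before restarting, then confirm from a client that <code>dig @forwarder host.corp.internal<\/code> returns the private address while <code>dig @forwarder www.example.com<\/code> is answered via Public DNS. With validation enabled, a <code>SERVFAIL<\/code> on the private name usually means <code>domain-insecure<\/code> is missing; an internal answer that comes back without its A record usually means <code>private-domain<\/code> is missing.<\/p>

<p>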
From a security perspective, focus on DNS egress control, split DNS for private namespaces, and encrypted DNS transports if supported and required.<\/p>\n\n\n\n<p><strong>Next step:<\/strong> confirm the current Public DNS endpoints and any encrypted DNS options in official Alibaba Cloud documentation, then roll out Public DNS to a small canary group of hosts with synthetic monitoring before broad production adoption.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking and CDN<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-45","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-networking-and-cdn"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=45"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/45\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=45"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=45"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}