FAQs - support.huaweicloud.com · 1 What Are the Private DNS Server Addresses Provided by the DNS Service? Private DNS servers are used in VPCs to: Resolve private domain names and

Domain Name Service

FAQs

Date 2020-02-21

Contents

1 What Are the Private DNS Server Addresses Provided by the DNS Service?............ 1

2 How Do I Switch to a Private DNS Server?....................................................................... 3

3 Why Does My Record Set Not Take Effect?.......................................................................5

4 How Do I Test Whether a Record Set Is Working?..........................................................7

5 Why Cannot I Access the Website After the Domain Name Is SuccessfullyResolved?.................................................................................................................................... 10

6 When Will a Record Set Take Effect After I Create It?.................................................11

7 When Will a Record Set Modification Take Effect?...................................................... 12

8 How Many Domain Name Levels Does the DNS Service Support?........................... 13

9 Is DNS a Paid Service?.......................................................................................................... 14

10 How Many Zones/Record Sets/PTR Records Can I Create?....................................... 15

11 Why Is the Email Address Format Changed in the SOA Record?............................ 16

12 Are Wildcard DNS Record Sets Supported?.................................................................. 17

13 How Zones Are Queried to Resolve a Domain Name?...............................................18

14 What Are HUAWEI CLOUD DNS Servers?......................................................................19

15 What Is TTL?.........................................................................................................................21

16 What Is the Function of an MX Record Set Priority?..................................................22

17 Why Does the System Prompt that My Record Set Is in Conflict with an ExistingOne?............................................................................................................................................. 23

18 If a VPC Associated with a Private Zone Is Deleted, Will It Be AutomaticallyDisassociated from the Zone?................................................................................................25

19 Do I Need to Register Private Domain Names?...........................................................26

20 Are the Private DNS Server Addresses for All Users the Same or Different?....... 27

21 Can I Modify a Created DNS Zone?................................................................................ 28

22 How Is a Domain Name Resolved When a Record Set Has Multiple Values?......29

Domain Name ServiceFAQs Contents

2020-02-21 ii

23 How Can I Access an ECS Using Its Host Name?......................................................... 30

24 How Can I Configure a PTR Record for an ECS Private IP Address?....................... 32

25 What Is CAA?........................................................................................................................37

26 What Are the Restrictions on Concurrent Private DNS Requests?..........................40

27 Can I Transfer a Hosted Zone from Account A to Account B?..................................41

28 Can I Resolve a Domain Name to On-premise or Another Cloud ServiceProvider's Server Addresses?.................................................................................................. 42

29 Does DNS Support Explicit and Implicit URL Forwarding?....................................... 43

30 What Are the Differences Between Public and Private Domain Names?............. 44

31 How Do I Configure the Same Public and Private Domain Name for MyWebsite?......................................................................................................................................45

32 Can Private Domain Names Be Used Across Regions?...............................................46

33 How Do I Add Record Sets for Subdomains?................................................................48

34 Does DNS Support Both IPv4 and IPv6?........................................................................ 51

35 Change History.................................................................................................................... 52

Domain Name ServiceFAQs Contents

2020-02-21 iii

1 What Are the Private DNS ServerAddresses Provided by the DNS Service?

Private DNS servers are used in VPCs to:

● Resolve private domain names and internal domain names of other cloudservices, such as OBS and Workspace.

● Forward domain name requests to public DNS servers.

Compared with the public DNS server 114.114.114.114, private DNS serversprovided by the DNS service have the following advantages:

● Resolve private domain names created within VPCs.

● Access internal addresses of cloud services like OBS and SFS.

● Allow ECSs not assigned with EIPs to access the Internet.

Table 1-1 lists private DNS server addresses provided by the DNS service indifferent regions.

Table 1-1 Private DNS server addresses

Region Private DNS Server

CN North-Beijing1 100.125.1.250

100.125.21.250

CN South-Guangzhou

100.125.1.250

100.125.136.29

CN East-Shanghai2 100.125.17.29

100.125.135.29

AP-Hong Kong 100.125.1.250

100.125.3.250

AP-Bangkok 100.125.1.250

Domain Name ServiceFAQs

1 What Are the Private DNS Server AddressesProvided by the DNS Service?

2020-02-21 1

Region Private DNS Server

AP-Singapore 100.125.1.250

100.125.128.250

AF-Johannesburg 100.125.1.250

LA-Santiago 100.125.1.250

100.125.0.250


1 What Are the Private DNS Server AddressesProvided by the DNS Service?

2020-02-21 2

2 How Do I Switch to a Private DNSServer?

Currently, private DNS servers are configured for VPC subnets by default. ECSs inthe subnets can use private DNS servers to access internal addresses of othercloud services (such as OBS and SMN) without going through the Internet, as wellas to request domain names on the Internet.

For VPCs created earlier, a public DNS server (114.114.114.114) is configured. Toallow ECSs in these VPCs to access private domain names, you can change thepublic DNS server to the private ones for the VPC subnets. For detailed addressesof the private DNS servers, see section 1 What Are the Private DNS ServerAddresses Provided by the DNS Service?

This section describes how to check the DNS servers of an ECS and change it tothe private DNS servers.

Checking the DNS Server Address of an ECS1. Log in to the management console.2. In the Computing category, click Elastic Cloud Server.

The Elastic Cloud Server page is displayed.3. In the ECS list, click the ECS name.4. On the ECS details page, click the VPC name.

The Virtual Private Cloud page is displayed.5. Click the VPC name.6. On the Subnets tab, check the DNS server addresses of the subnet in which

the ECS is located.

Changing the DNS Servers for VPC SubnetsIf the subnet of the ECS is not using the private DNS servers, you need toconfigure them as follows:

1. Locate VPC subnet of the ECS and click Modify in the Operation column.2. Change the DNS server addresses of the subnet to the private DNS server

addresses.

Domain Name ServiceFAQs 2 How Do I Switch to a Private DNS Server?

2020-02-21 3

For example, in the CN North-Beijing1 region, you need to change the DNSserver addresses of a VPC subnet to 100.125.1.250 and 100.125.21.250.

Figure 2-1 Modify Subnet

Updating DNS Server Addresses for ECSsAfter you change the DNS server addresses of a VPC subnet, the DNS serveraddresses of ECSs in the subnet are not updated immediately.

You can use either of the following methods to update the DNS server addressesfor an ECS:● Restart the OS. The ECS will then obtain the new DNS server addresses from

the DHCP server.

NO TICE

Restarting the OS will interrupt services on the ECS. You are advised to do itduring off-peak hours.

Alternatively, wait for the DHCP lease time (24 hours by default) to end. TheECS will then update the IP address and DNS server addresses with the DHCPserver.

● Manually change DNS configurations of the ECS.If the DHCP function is disabled on the ECS, you need to manually updateDNS configurations.For example, in a Linux OS, change DNS configurations in the /etc/resolv.conf file. The method varies for different OSs.

Domain Name ServiceFAQs 2 How Do I Switch to a Private DNS Server?

2020-02-21 4

3 Why Does My Record Set Not TakeEffect?

If an IP address cannot be returned when you ping a domain name, the record setis not working.

The reasons may be the following:

● The network is faulty.● The record set is abnormal.● The record set is modified or cached by the DNS server.

You can perform the following operations to locate the fault for your domainname (example.com):

1. Check the local network.Check whether you can successfully ping another domain name.– If yes, the network is well connected. Go to step 2.– If no, the local network is faulty. Contact the broadband carrier to rectify

the fault.2. Check whether the record set takes effect.

a. Run the following commands to check whether the record set takeseffect:dig example.com @ns1.hwclouds-dns.comdig example.com @ns1.huaweicloud-dns.cndig example.com @ns1.huaweicloud-dns.netdig example.com @ns1.huaweicloud-dns.org

▪ If the command output shows that the record set does not takeeffect, go to step 2.b.

▪ Otherwise, the DNS server is normal. In this case, go to step 3.

b. Log in to the DNS console, check whether the record set is available or innormal status.

▪ If the record set is not available, add it and perform step 2.a again.

Domain Name ServiceFAQs 3 Why Does My Record Set Not Take Effect?

2020-02-21 5

▪ If the record set is not in normal status, delete the record set and re-create it. Then, perform step 2.a again.

▪ If the record set is available and normal, submit a service ticket toget service support.

3. Check whether the record set is modified or cached.

a. Check whether the DNS server has been changed.Changing the DNS server will take effect in 24 to 48 hours.

b. Check whether the record set is cached by the local computer.

▪ For a Windows OS, run the ipconfig /flushdns command to refreshDNS cache.

▪ A Linux or Unix OS does not cache DNS records.However, if the NSCD service is installed, run the service nscdrestart command to refresh DNS cache.

c. Check whether the record set is cached by the local DNS server providedby the carrier.DNS records are usually cached for less than an hour. Therefore, you canrun the ping command to check whether the record set takes effect anhour later.

d. Check whether the local DNS server has been attacked. (If so, the DNSrecord set may have been changed.)Change your local DNS server to a public DNS server, for example, 8.8.8.8or 114.114.114.114, and run the dig [email protected] or [email protected] command to check whether the recordset takes effect.

If your record sets have taken effect but you still cannot access the website with thedomain name, see 5 Why Cannot I Access the Website After the Domain Name IsSuccessfully Resolved?

Domain Name ServiceFAQs 3 Why Does My Record Set Not Take Effect?

2020-02-21 6

4 How Do I Test Whether a Record Set IsWorking?

You can run the following commands in the DOS window on a PC connected tothe Internet to test whether a record set has taken effect:

● ping Domain name● nslookup [-qt= Type] Target domain name Authoritative DNS server● dig Type Target domain name @Authoritative DNS server

● Set Type in the nslookup and dig commands to the record type, for example, A,CNAME, TXT, or MX, to check whether the record of that type works. If you do notspecify a type, the system queries the A record by default.

● If the PC does not support the dig command, you need to manually install it first.● The preceding commands can be used to test both public and private domain names.

You can run the preceding commands to check whether the query result is thesame as that configured in the DNS service.

● If so, the record set has taken effect.● Otherwise, check the TTL value. Perform the test after the cache expires. For

details, see 15 What Is TTL?

dig Command Example (for Linux)● The record set has taken effect.

Run the following command to test the resolution result of domain name1.private.com by the private DNS server (100.125.1.250):dig @100.125.1.250 1.private.com IN A; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @100.125.1.250 1.private.com IN A; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12120;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:

Domain Name ServiceFAQs 4 How Do I Test Whether a Record Set Is Working?

2020-02-21 7

;1.private.com. IN A

;; ANSWER SECTION: 1.private.com. 300 IN A 1.1.1.1

;; Query time: 0 msec;; SERVER: 100.125.1.250#53(100.125.1.250);; WHEN: Wed Oct 09 11:13:14 CST 2019;; MSG SIZE rcvd: 58

It can be seen that domain name 1.private.com has one A record.● The record set has not taken effect.

Run the following command to test the resolution result of domain namea.private.com by the private DNS server (100.125.1.250):dig @100.125.1.250 a.private.com IN A; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @100.125.1.250 a.private.com IN A; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60081;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;a.private.com. IN A

;; AUTHORITY SECTION: private.com. 300 IN SOA ns1.private.hwclouds-dns.com. hwclouds\.cs.huawei.com. 1 7200 900 1209600 300

;; Query time: 0 msec;; SERVER: 100.125.1.250#53(100.125.1.250);; WHEN: Wed Oct 09 11:13:14 CST 2019;; MSG SIZE rcvd: 122

It can be seen that the domain name exists but cannot be resolved.

nslookup Command Example (Windows)● The record set has taken effect.

Run the following command to test the resolution result of domain namepublictest.com:nslookup publictest.comServer: xxx.com Address: xx.xx.xx.xx

Non-authoritative answer:Name: publictest.comAddress: xx.xx.xx.xx

It can be seen that the A record set configured for the domain name takeseffect.

● The record set has not taken effect.Run the following command to test the resolution result of a CAA record setfor domain name publictest.com:nslookup -qt=caa publictest.com ns1.hwclouds-dns.comunknown query type: caaDNS request timeout. timeout was 2 seconds.Server: Unknown Address: xx.xx.xx.xx


2020-02-21 8

It can be seen that no CAA record set is found.


2020-02-21 9

5 Why Cannot I Access the Website Afterthe Domain Name Is Successfully Resolved?

Figure 5-1 shows the process of accessing a website using a domain name.

Figure 5-1 Accessing a website

The access process consists of two phases:

1. Phase 1: The DNS server resolves the domain name in the request into an IPaddress.

2. Phase 2: The client accesses the web server using the IP address and obtainsthe desired content.

To successfully access a website, both phases are mandatory. If the web server isunavailable, the website cannot be accessed even after the DNS server hasresolved the domain name.


5 Why Cannot I Access the Website After theDomain Name Is Successfully Resolved?

2020-02-21 10

6 When Will a Record Set Take EffectAfter I Create It?

● If the record set is created for the first time, it takes effect immediately.● If you delete a record set and add it again, it takes effect after the cache (that

is, TTL) of the previous record set expires.In some cases, however, the carrier may prolong the cache period of a domainname.


6 When Will a Record Set Take Effect After I CreateIt?

2020-02-21 11

7 When Will a Record Set ModificationTake Effect?

After you modify a record set, the modification takes effect after the cache (thatis, TTL) of the record set expires.

In some cases, however, the carrier may prolong the cache period of a domainname.

Domain Name ServiceFAQs 7 When Will a Record Set Modification Take Effect?

2020-02-21 12

8 How Many Domain Name Levels Doesthe DNS Service Support?

The DNS service supports the following levels for domain names suffixedwith .com:● Second level, such as example.com● Third level, such as www.example.com

The DNS service supports the following levels for domain names suffixedwith .com.cn:● Third level, such as example.com.cn● Fourth level, such as www.example.com.cn


8 How Many Domain Name Levels Does the DNSService Support?

2020-02-21 13

9 Is DNS a Paid Service?

No.

Domain Name ServiceFAQs 9 Is DNS a Paid Service?

2020-02-21 14

10 How Many Zones/Record Sets/PTRRecords Can I Create?

By default, you can create a maximum of 50 public zones, 50 private zones, 50PTR records, and 500 record sets.

If the quotas do not meet your service requirements, you can contact the servicesupport to apply for more resources.


10 How Many Zones/Record Sets/PTR Records Can ICreate?

2020-02-21 15

11 Why Is the Email Address FormatChanged in the SOA Record?

The email address you entered when creating a zone is used to receive error orproblem reports about the zone. You can specify an email address you frequentlyuse as the zone administrator's mailbox. However, according to RFC 2142, westrongly recommend you to preferentially use HOSTMASTER@Domain name asthe email address.

After the zone is created, the email you specified is displayed in the SOA record setof the zone. You must note that the "@" sign in the SOA record set has othermeanings. Therefore, the system replaces @ in the email address with a dot (.). Ifthere is already a dot before @, the system escapes the dot with a backslash (\).However, emails are still sent to the email address you specified. For more details,see RFC 1035.

Take [email protected] as an example.

If you have specified [email protected] when creating the zone, theemail address displayed in the SOA record set is test\.hostmaster.example.com.


11 Why Is the Email Address Format Changed in theSOA Record?

2020-02-21 16

12 Are Wildcard DNS Record SetsSupported?

Yes.

You can use an asterisk (*) as the host name in a domain name to create awildcard record set. For more details, see RFC 4592.

Currently, you can create a wildcard DNS record set of the A, AAAA, MX, CNAME,TXT, CAA, and SRV types.

Domain Name ServiceFAQs 12 Are Wildcard DNS Record Sets Supported?

2020-02-21 17

13 How Zones Are Queried to Resolve aDomain Name?

When a domain name request is initiated, the domain name is first queried in thezone of a subdomain if there is any.

● If the zone has been created, the system returns the result from the zoneconfiguration file.

● Otherwise, the system queries the domain name from the zone configurationfile of a higher-level domain name.

For example:

For example, you have created a zone for example.com and add an A record setfor www.example.com, and also, you have created a zone forwww.example.com and have not added an A record set for it.

In this case, if a visitor tries to access www.example.com, it is first queried in theconfiguration file of the www.example.com zone. However, because you have notadded an A record set in the zone, no result will be returned.


13 How Zones Are Queried to Resolve a DomainName?

2020-02-21 18

14 What Are HUAWEI CLOUD DNSServers?

To enable users to access the nearest DNS server and resolve domain names withthe lowest latency, HUAWEI CLOUD has deployed DNS servers in multiple AZsaround the world. In some regions, anycast is supported.

HUAWEI CLOUD DNS using the following addresses to provide resolution services:

● ns1.huaweicloud-dns.com: DNS address for regions in the Chinese mainland● ns1.huaweicloud-dns.cn: DNS address for regions in the Chinese mainland● ns1.huaweicloud-dns.net: DNS address for countries or regions outside the

Chinese mainland● ns1.huaweicloud-dns.org: DNS address for countries or regions outside the

Chinese mainland

After you have created a public zone on the console, an NS record set isgenerated by default, and its value is the preceding four DNS addresses.

Suggestions on DNS Address Setting

Since there is a limit in the international Internet bandwidth of the Chinesemainland, network latency increases when users access the network across theChinese mainland.

For this reason, it is recommended that you configure an NS record set for yourpublic domain in the following ways:

● If your website users are mainly in the Chinese mainland, set the DNSaddresses to ns1.huaweicloud-dns.com and ns1.huaweicloud-dns.cn.

● If your website users are mainly in countries or regions outside the Chinesemainland, set the DNS addresses to ns1.huaweicloud-dns.net andns1.huaweicloud-dns.org.

● If users of your website are all over the world, set the four DNS addresses.

Procedure for Setting the DNS Addresses

You need to set the DNS addresses on the Record Sets page.

Domain Name ServiceFAQs 14 What Are HUAWEI CLOUD DNS Servers?

2020-02-21 19

https://support.huaweicloud.com/intl/en-us/usermanual-dns/en-us_topic_0035467702.html

1. Log in to the management console.

2. In the Network category, click Domain Name Service.

The DNS console is displayed.

3. In the navigation pane, choose Public Zones.

The Public Zones page is displayed.

4. In the public zone list, click the name of the target domain.

Figure 14-1 Record Sets

5. Locate the NS record set and click Modify under Operation.

Figure 14-2 Modify Record Set

6. Change the settings of Value based on Suggestions on DNS AddressSetting.

7. Click OK.

For public domains registered with HUAWEI CLOUD before, their DNS servers arens1.hwclouds-dns.com and ns1.hwclouds-dns.net. The two addresses are still available.

To provide better resolution services, you are advised to change the two addresses to fournew DNS addresses.

Domain Name ServiceFAQs 14 What Are HUAWEI CLOUD DNS Servers?

2020-02-21 20

15 What Is TTL?

TTL is short for time-to-live, which specifies the cache period of resource recordson a local DNS server.

The local DNS server is connected clients (computers or smartphones) with theInternet. By default, its address is assigned by the broadband carrier. You can alsochoose a public DNS server, for example, 114.114.114.114 and 8.8.8.8, as yourlocal DNS server. The local DNS servers for ECSs purchased on HUAWEI CLOUDare private DNS servers. For details, see 1 What Are the Private DNS ServerAddresses Provided by the DNS Service?

When the local DNS server receives a domain name request, it asks theauthoritative DNS server of the domain name for the required resource record,and then caches the record for a period of time. During this period, if the localDNS server receives requests for this domain name again, it does not request therecord from the authoritative DNS server, but directly returns a result from therecord in its cache.

The time period during which resource records are cached on the local DNS serveris specified by the TTL value. You can set it when adding record sets in public orprivate zones. For details, see Managing Record Sets.

Domain Name ServiceFAQs 15 What Is TTL?

2020-02-21 21


16 What Is the Function of an MXRecord Set Priority?

The priority in an MX record specifies the sequence for an email server to receiveemails. A smaller value indicates a higher priority.

● If there is only one MX record on the DNS server, the priority does not work.● If multiple MX records have been created, the DNS server of the email sender

preferentially sends emails to the email server with the highest priority.Once this email server becomes faulty, the DNS server of the senderautomatically sends emails to the email server with the second highestpriority.

You can set the priority when creating MX record sets in public or private zones.For details, see Managing Record Sets.


16 What Is the Function of an MX Record SetPriority?

2020-02-21 22


17 Why Does the System Prompt thatMy Record Set Is in Conflict with an Existing

One?

The record set you are trying to create is in conflict with or the same as anexisting record set.

Table 17-1 lists the restrictions on two types of record sets when their names andresolution lines are the same.

Table 17-1 Restrictions between record types

NS CNAME

A AAAA MX TXT PTR SRV CAA

NS Nolimita

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

CNAME

Conflictb

Nolimit

Conflict

Conflict

Conflict

Conflict

Conflict

Conflict

Conflict

A Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

AAAA

Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

MX Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

TXT Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

PTR Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

SRV Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit


17 Why Does the System Prompt that My Record SetIs in Conflict with an Existing One?

2020-02-21 23

CAA Nolimit

Conflict

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

Nolimit

a: No NS record sets cannot be added for primary domains (for example,example.com). There is no restriction on subdomains (for example,www.example.com).b: For primary domains (for example, example.com), you can add CNAMErecord sets and NS record sets at the same time. However, CNAME record setsconflict with NS record sets for subdomains (for example, www.example.com),and therefore they cannot be added at the same time.

The rules are as follows:

● Conflict: The two types of record sets cannot be created at the same time.● No limit: The two types of record sets can coexist without restrictions.

● If you want to add a record set but there is a conflict, you need to delete the record setin conflict before adding the new record set.

● Deleting a record set may cause failure in domain name resolution. Exercise cautionwhen performing this operation.


17 Why Does the System Prompt that My Record SetIs in Conflict with an Existing One?

2020-02-21 24

18 If a VPC Associated with a PrivateZone Is Deleted, Will It Be Automatically

Disassociated from the Zone?

No.

If a VPC is deleted, you need to manually disassociate it from the private zone.


18 If a VPC Associated with a Private Zone IsDeleted, Will It Be Automatically Disassociated from

the Zone?

2020-02-21 25

19 Do I Need to Register PrivateDomain Names?

Private domain names you created in HUAWEI CLOUD DNS take effect only inassociated VPCs. Therefore, you do not need to register them.

You can customize any private domain names (except .com) as long as theycomply with domain name specifications. All private domain names are free ofcharge.

Domain Name ServiceFAQs 19 Do I Need to Register Private Domain Names?

2020-02-21 26

20 Are the Private DNS ServerAddresses for All Users the Same or

Different?

Private DNS server addresses are the same for all tenants in the same AZ, andprivate domain names of different tenants are logically isolated.


20 Are the Private DNS Server Addresses for AllUsers the Same or Different?

2020-02-21 27

21 Can I Modify a Created DNS Zone?

After a zone is created, you cannot change its name, but can update its emailaddress and description.

Domain Name ServiceFAQs 21 Can I Modify a Created DNS Zone?

2020-02-21 28

22 How Is a Domain Name ResolvedWhen a Record Set Has Multiple Values?

You can add multiple values when creating A and AAAA record sets.

If a record set has multiple values, all IP addresses are returned for each query in arandom order. The browser will take the first IP address as the result.

The probability for getting each IP address is technically the same.


22 How Is a Domain Name Resolved When a RecordSet Has Multiple Values?

2020-02-21 29

23 How Can I Access an ECS Using ItsHost Name?

The DNS service allows you to create private zones for any top-level domainnames except .com in VPCs.

When you buy an ECS, you set a host name for it, for example, ecs01. Then, youcan create a private zone ecs01 in the DNS service and add an A record to mapthe domain name ecs01 to the private IP address of the ECS so that the ECS canbe accessed using its host name.

Procedure1. Log in to the management console.2. In the Network category, click Domain Name Service.

The DNS console is displayed.3. In the navigation pane, choose Private Zones.

The Private Zones page is displayed.

4. Click in the upper left corner and select the desired region and project.

5. Click Create Private Zone.Specify the zone name to ECS host name ecs01.

6. Click OK.You can query information about the private zone you created on the PrivateZones page.

7. In the zone list on the Private Zones page, click the name of the private zoneyou created.The record set page is displayed.

8. Click Add Record Set.Add an A record set in the ecs01 zone.– Set Type to A – Map domains to IPv4 addresses.– Leave the Name field blank.– Set Value to the private IP address of the ECS, for example, 192.168.1.10.

Domain Name ServiceFAQs 23 How Can I Access an ECS Using Its Host Name?

2020-02-21 30

9. Click OK.After the record set is created, you can use the domain name ecs01 to accessthe ECS whose private IP address is 192.168.1.10 from the associated VPC.

Domain Name ServiceFAQs 23 How Can I Access an ECS Using Its Host Name?

2020-02-21 31

24 How Can I Configure a PTR Recordfor an ECS Private IP Address?

PTR records enable visitors to query domain names based on IP addresses.

If you want to set PTR records for ECS private IP addresses, create a private zoneand create PTR records in the zone. The domain name in a PTR record is specifiedin the x.x.x.x.in-addr.arpa format.

For details about how to set a PTR record for an EIP, see Creating a PTR Record.

in-addr.arpa is the domain name suffix for reverse resolution.For example, if the private IP address is 192.168.1.10, the domain name in the PTR record is10.1.168.192.in-addr.arpa.In this case, you need to create a private zone 192.in-addr.arpa and add a PTR record10.1.168.192.in-addr.arpa.

Creating a Private Zone1. Log in to the management console.2. In the Network category, click Domain Name Service.

The DNS console is displayed.3. In the navigation pane, choose Private Zones.

The Private Zones page is displayed.

4. Click in the upper left corner and select the desired region and project.5. Click Create Private Zone.


24 How Can I Configure a PTR Record for an ECSPrivate IP Address?

2020-02-21 32


Figure 24-1 Create Private Zone

6. Configure the parameters according to Table 24-1.

Table 24-1 Parameters required for creating a private zone

Parameter Description Example Value

Name Domain nameSet the domain name suffix to in-addr.arpa.

192.in-addr.arpa

VPC VPC to be associated with the privatezone

-

Email (Optional) Email address of theadministrator managing the privatezoneIt is recommended that you set theemail address toHOSTMASTER@Domain name.For more details about the emailaddress, see 11 Why Is the EmailAddress Format Changed in the SOARecord?

[email protected]



2020-02-21 33


Tag (Optional) Identifier of a resource.Each tag contains a key and a value.You can add 10 tags at most to a zone.For details about tag key and valuerequirements, see Table 24-2.

example_key1example_value1

Description (Optional) Description of the zone,which cannot exceed 255 characters

This is a privatezone.

Table 24-2 Tag key and value requirements

Item Requirement Example Value

Key ● Cannot be left blank.● Must be unique for each resource.● Consists of at most 36 characters.● Cannot start or end with a space nor

contain =*<>\,|/

example_key1

Value ● Cannot be left blank.● Consists of at most 43 characters.● Cannot start or end with a space nor

contain =*<>\,|/

example_value1

7. Click OK.

You can query information about the private zone you created on the PrivateZones page.

Click the zone name to query detailed zone information. The system has createdrecord sets of the SOA type and NS type in the zone.● The SOA record set determines the DNS server that is the authoritative information

source for a particular domain name.● The NS record set defines authoritative DNS servers for a zone.

Adding a PTR Record1. In the zone list on the Private Zones page, click the name of the private zone

you created.The record set page is displayed.

2. Click Add Record Set.The Add Record Set box is displayed.



2020-02-21 34

Figure 24-2 Add Record Set

3. Configure the parameters according to Table 24-3.

Table 24-3 Parameters required for adding a record set of the PTR type


Name IP address in the PTR record (typedin reverse order)

10.1.168For example, if the IPaddress is192.168.1.10, thedomain name in thePTR record is10.1.168.192.in-addr.arpa.● If the private zone

name is 192.in-addr.arpa, enter10.1.168 in the box.

● If the private zonename is1.168.192.in-addr.arpa, enter 10in the box.



2020-02-21 35


Type Type of the record set PTR – Map IP addressesto domains

TTL (s) Caching period of the record set (inseconds)

The default value is300s, that is, 5 min.

Value Domain name mapped to the IPaddressYou can enter only one name at atime.

mail.example.com

Tag (Optional) Identifier of a resource.Each tag contains a key and avalue. You can add 10 tags at mostto a record set. This item isdisplayed when you switch onOther Settings.For details about tag key and valuerequirements, see Table 24-2.


Description (Optional) Description of the PTRrecord set. This item is displayedwhen you switch on OtherSettings.

The PTR record is forreverse resolution.

4. Click OK.



2020-02-21 36

25 What Is CAA?

Certification Authority Authorization (CAA) is a way to ensure that HTTPScertificates are issued by authorized certificate authorities (CAs). It is incompliance with IETF RFC 6844 standards. Since September 8, 2017, all CAs arerequired to check CAA records before issuing certificates.

CAA SpecificationsDomain name owners can create CAA records to specify that authorized CAs issuecertificates for their domain names.

In the world, hundreds of CAs have the right to issue HTTPS certificates to verifyidentity of a website. CAA allows you to specify that only authorized CAs issueHTTPS certificates for your website domain names, preventing possibly fraudulentcertificate issuing. Setting CAA records is a way to enhance security for yourwebsites.

CAs will perform a DNS lookup for CAA records when they issue certificates.

● If a CA does not find any CAA record, it can issue a certificate for the domainname.Any other CAs are also able to issue certificates for this domain name,bringing risks of certificate mis-issuing.

● If the CA finds a CAA record that authorizes it to issue certificates, it will issuea certificate for the domain name.

● If the CA finds a CAA record but the record does not authorize it to issuecertificates, the CA will not be able to issue HTTPS certificates for the domainname. In this case, HTTPS certificates will not be mis-issued.

CAA RecordA CAA record consists of a flag byte [flag], a property tag, and a property value[tag]-[value]. You can create multiple CAA records for a domain name.

Domain Name ServiceFAQs 25 What Is CAA?

2020-02-21 37

Table 25-1 Configuration of CAA records

Function Example Description

Configure aCAA record forone domainname.

0 issue"ca.example.com"

Only the specified CA(ca.example.com) can issuecertificates for a particular domainname (domain.com). Requests toissue certificates for the domainname by other CAs will be rejected.

0 issue ";" No CA is allowed to issuecertificates for the domain namedomain.com.

Configure thatthe CA reportsto the domainname holder.

0 iodef"mailto:[email protected]"

When a certificate issuing requestviolates the CAA record, the CA willnotify the domain name holder ofthe violation.

0 iodef "http://domain.com/log/"0 iodef "https://domain.com/log/"

Requests to issue certificates byunauthorized CAs will be recorded.

Authorize a CAto issuewildcardcertificates.

0 issuewild"ca.example.com"

The specified CA (ca.example.com)can issue wildcard certificates forthe domain name.

Configurationexample

0 issue "ca.abc.com"0 issuewild "ca.def.com"0 iodef"mailto:[email protected]"

The example configures a CAArecord for the domain namedomain.com.● Only CA ca.abc.com can issue

certificates of all types.● Only CA ca.def.com can issue

wildcard certificates.● Any other CAs are not allowed to

issue certificates.● When a violation occurs, the CA

sends a notification [email protected].

Checking Whether a CAA Record Takes Effect

You can run the dig command to check whether the CAA record has taken effect.

The command format is: dig [Type] [Domain name] +trace.

For example:

dig caa www.example.com +trace


2020-02-21 38

If the OS does not support the dig command, you need to manually install it first.


2020-02-21 39

26 What Are the Restrictions onConcurrent Private DNS Requests?

To ensure the lookup efficiency of private domain names, the private DNS serverswill limit traffic issued from a single source IP address to 2000 QPS. If a serverinitiates DNS query requests in an overwhelmingly high frequency that exceedsnormal service demands, that is, the QPS reaches 2000, the extra requests will notbe processed.

If your services generate enormous concurrent requests, we suggest that youenable DNS caching to improve lookup efficiency.


26 What Are the Restrictions on Concurrent PrivateDNS Requests?

2020-02-21 40

27 Can I Transfer a Hosted Zone fromAccount A to Account B?

No. DNS does not support zone transfer from one account to another.


27 Can I Transfer a Hosted Zone from Account A toAccount B?

2020-02-21 41

28 Can I Resolve a Domain Name toOn-premise or Another Cloud Service

Provider's Server Addresses?

Yes.

You can add record sets for a domain name to resolve it into any server addresseswithin HUAWEI CLOUD, on another cloud, or in an offline equipment room. Aslong as the record set values are correct, the domain name can be successfullyresolved.

For example, if you add an A record set, the record set value must be correct IPv4addresses.


28 Can I Resolve a Domain Name to On-premise orAnother Cloud Service Provider's Server Addresses?

2020-02-21 42

29 Does DNS Support Explicit andImplicit URL Forwarding?

No. Currently, DNS does not support explicit or implicit URL forwarding.


29 Does DNS Support Explicit and Implicit URLForwarding?

2020-02-21 43

30 What Are the Differences BetweenPublic and Private Domain Names?

Public domain names are used on the Internet. They are purchased and must beunique on the Internet.

To resolve a public domain name, you need to:

1. Purchase a domain name from a registrar.2. Create a public zone for the domain name and add record sets. For details,

see Configuring a Public Zone.

After these operations, the domain name will be resolved by DNS and accessibleon the Internet. For details about how a public domain name is resolved, seePublic Zone.

Private domain names are used only within VPCs. You do not have to registerprivate domain names and can create them with any names.

For details, see Configuring a Private Zone.

The most important difference between public and private domain names is thatthe former is used on the Internet and the later within VPCs.


30 What Are the Differences Between Public andPrivate Domain Names?

2020-02-21 44

https://support.huaweicloud.com/intl/en-us/qs-dns/en-us_topic_0035467699.html

https://support.huaweicloud.com/intl/en-us/productdesc-dns/en-us_topic_0035920135.html

https://support.huaweicloud.com/intl/en-us/qs-dns/dns_qs_0006.html

31 How Do I Configure the Same Publicand Private Domain Name for My Website?

You can configure the same public and private domain name for your website sothat both intranet and Internet users can access the website with the same name.

The private DNS server resolves private domain names in VPCs and forwardsrequests of public domain names to a public DNS server. For example, you accessa website from an ECS on HUAWEI CLOUD.

1. If the ECS requests a private domain name or a domain name of a service onHUAWEI CLOUD, the private DNS server directly returns the resolution result.

2. If the ECS requests a public domain name, the private DNS server forwardsthe request to a public DNS server, (for example, 114.114.114.114) and returnthe resolution result to the ECS.

However, if the public domain name registered for the website is the same as theprivate domain name, the private DNS server resolves it as a private domainname. If the resolution fails, the private DNS server returns a message indicatingthat no record set is found and does not forward the request to the public DNSserver.

To resolve this issue, you need to create a private zone using a subdomain nameof the public domain name and add record sets for the subdomain.

If the public domain name is example.com, you create a private zone123.example.com and configure record sets for it. In this way, requests to123.example.com and all its subdomain names (*.123.example.com) are processedby the private DNS server, and requests to example.com and other subdomainnames are forwarded to the public DNS server.

● If want to host your domain name in the DNS service, configure a public zone byreferring to Configuring a Public Zone.

● If you select another DNS service provider, see the help document of the provider.

● For details about how to configure a private zone for subdomain name123.example.com on the DNS console, see Configuring a Private Zone.


31 How Do I Configure the Same Public and PrivateDomain Name for My Website?

2020-02-21 45

https://support.huaweicloud.com/intl/en-us/qs-dns/en-us_topic_0035467699.html

https://support.huaweicloud.com/intl/en-us/qs-dns/dns_qs_0006.html

32 Can Private Domain Names Be UsedAcross Regions?

Private zones are region-level resources. They are created in specified regions andprojects. A private zone can be associated with one or more VPCs in the sameregion.

If a private zone is associated with multiple VPCs, the private domain name takeseffect in the VPCs but cannot be used across them. A private domain name canonly be used across two VPCs connected by a peering connection.

For example, create a private zone example.com, associate it with VPC A and VPCB, and add the following record sets.

Table 32-1 Private zone record sets

Name Type Value

ecs1.example.com A 192.168.1.3

ecs3.example.com A 192.168.2.3

Figure 32-1 shows how the private domain name is resolved.


32 Can Private Domain Names Be Used AcrossRegions?

2020-02-21 46

Figure 32-1 Process to resolve a private domain name

All ECSs in VPC A and VPC B can access the domain name example.com.

If ECS 2 in VPC A accesses ecs3.example.com, the private DNS server returns192.168.2.3, the IP address of ECS 3 in VPC B. However, no VPC peering connectionis established between VPC A and VPC B. Therefore, ECS 2 cannot access ECS 3 inVPC B using this IP address.


32 Can Private Domain Names Be Used AcrossRegions?

2020-02-21 47

33 How Do I Add Record Sets forSubdomains?

The procedure for adding record sets for a subdomain is the same as that for aprimary domain name. You only need to enter a prefix of the domain name whenadding record sets.

The following uses the public domain name example.com to describe how to addan A record set its subdomain 123.example.com. The value of the record set is192.168.1.2.

Procedure1. Log in to the management console.

2. In the Network category, click Domain Name Service.

The DNS console is displayed.

3. In the navigation pane, choose Public Zones.

The zone list is displayed.

4. Click the name of the zone example.com.

5. Click Add Record Set.

The Add Record Set box is displayed.

6. Set required parameters according to Table 33-1.

Table 33-1 Parameters required for adding an A record set


Name Domain name (You do not needto manually add the suffix.)The default value is the zonename.

123

Type Type of the record set. A – Map domains toIPv4 addresses

Domain Name ServiceFAQs 33 How Do I Add Record Sets for Subdomains?

2020-02-21 48


Line Resolution line. The DNS serverwill return the IP address of thespecified line based on the sourceof visitors.● Default: If no other lines are

specified, DNS will return thedefault resolution resultwherever the visitors comefrom.

● ISP: Return the resolutionresult based on visitors' carriernetworks. For details, seeConfiguring ISP Lines forRecord Sets.

● Region: Return the resolutionresult based on visitors'geographical location. Fordetails, see ConfiguringRegion Lines for Record Sets.

Default

TTL (s) Cache duration of the record set(in seconds)

The default value is300s, that is, 5 min.

Value IPv4 address mapped to thedomain name.Every two IPv4 addresses areseparated using a line break.

192.168.1.2

Weight (Optional) Weight of a recordset, which defaults to 1.This parameter is supported onlyfor public domain names.The value range is 0–100.When multiple record sets of thesame name are created in a zone,the one with a larger weighttakes effect in priority.

1

Tag (Optional) Identifier of aresource. Each tag contains a keyand a value. You can add 10 tagsat most to a record set. Thisparameter is displayed when youswitch on Other Settings.For details about tag key andvalue requirements, see Table33-2.



2020-02-21 49

https://support.huaweicloud.com/intl/en-us/usermanual-dns/dns_usermanual_0020.html





Description (Optional) Description of therecord set. This parameter isdisplayed when you switch onOther Settings.

-

Table 33-2 Tag key and value requirements

Parameter Requirement Example Value

Key ● Cannot be left blank.● Must be unique for each resource.● Consists of at most 36 characters.● Cannot start or end with a space

nor contain =*<>\,|/

example_key1

Value ● Cannot be left blank.● Consists of at most 43 characters.● Cannot start or end with a space

nor contain =*<>\,|/

example_value1

7. Click OK.

The record set you added is displayed in the list. Check whether the record setstatus is normal.


2020-02-21 50

34 Does DNS Support Both IPv4 andIPv6?

Yes.

You can add A and AAAA record sets for a domain name to resolve it into IPv4and IPv6 addresses.

For example, add the following record sets for example.com.

Table 34-1 Record sets

Name Type Value

www.example.com A 192.168.1.2

www.example.com AAAA 2407:c080:0:ffff:ffff:fffe:0:1

HUAWEI CLOUD DNS servers (ns1.huaweicloud-dns.com, ns1.huaweicloud-dns.cn,ns1.huaweicloud-dns.net, and ns1.huaweicloud-dns.org) support both IPv4 andIPv6.

All local DNS servers, either supporting IPv4 or IPv6 or both, can send requests toHUAWEI CLOUD DNS servers and obtain the record sets.

Domain Name ServiceFAQs 34 Does DNS Support Both IPv4 and IPv6?

2020-02-21 51

35 Change History

Released On Description

2020-02-21 This issue is the seventh official release, which incorporates thefollowing changes:Added new DNS addresses in 14 What Are HUAWEI CLOUDDNS Servers?

2020-02-12 This issue is the sixth official release, which incorporates thefollowing changes:● Added examples in 4 How Do I Test Whether a Record Set

Is Working?● Added restrictions on NS and CNAME record set conflicts in

17 Why Does the System Prompt that My Record Set Is inConflict with an Existing One?

Domain Name ServiceFAQs 35 Change History

2020-02-21 52

Released On Description

2019-09-05 This issue is the fifth official release, which incorporates thefollowing changes:Added the private DNS server addresses of the LA-Santiagoregion in 1 What Are the Private DNS Server AddressesProvided by the DNS Service?Added the following content:● 27 Can I Transfer a Hosted Zone from Account A to

Account B?● 28 Can I Resolve a Domain Name to On-premise or

Another Cloud Service Provider's Server Addresses?● 29 Does DNS Support Explicit and Implicit URL

Forwarding?● 5 Why Cannot I Access the Website After the Domain

Name Is Successfully Resolved?● 30 What Are the Differences Between Public and Private

Domain Names?● 31 How Do I Configure the Same Public and Private

Domain Name for My Website?● 32 Can Private Domain Names Be Used Across Regions?● 33 How Do I Add Record Sets for Subdomains?● 34 Does DNS Support Both IPv4 and IPv6?

2019-08-23 This issue is the fourth official release, which incorporates thefollowing changes:Updated the private DNS server addresses in the AP-Singaporeregion in 1 What Are the Private DNS Server AddressesProvided by the DNS Service?

2019-07-02 This issue is the third official release, which incorporates thefollowing changes:Optimized the following FAQs:● 2 How Do I Switch to a Private DNS Server?● 15 What Is TTL?● 26 What Are the Restrictions on Concurrent Private DNS

Requests?

2019-03-05 This issue is the second official release, which incorporates thefollowing changes:● Updated the screenshots.● Added DNS server addresses in different regions in 1 What

Are the Private DNS Server Addresses Provided by theDNS Service?

2018-11-22 This issue is the first official release.

Domain Name ServiceFAQs 35 Change History

2020-02-21 53

Documents

FAQs - support.huaweicloud.com · 1 What Are the Private DNS Server Addresses Provided by the DNS Service? Private DNS servers are used in VPCs to: Resolve private domain names and