IP boundaries

IP boundaries limit select DNS responses to clients within certain IP blocks. Clients outside those boundaries may be given a fallback response or no response at all.

IP boundary determinations should be considered imprecise as they’re sometimes missing and an interim resolver’s IP is substituted. As such, they are always best effort. Nonetheless, boundaries can be quite useful for guiding a majority of users to the preferred destination.

Start by configuring one or more boundary routing definitions at Routing -> Boundaries -> Add IP Addresses.

Name: a name for this boundary
IPs: one or more IP addresses or CIDR blocks (space separated)

; Configured boundary:
Name: AWS us-west
IPs : 2001:db8:0:f::/64

Next, assign your boundaries to host records.

; Configured host:
www.your-domain.com  A  Boundary=AWS us-west

With the above configuration, clients in AWS us-west will be routed to Everyone else will receive “domain not found” because there is no fallback.

Adding a fallback record
www.your-domain.com  A     Boundary=AWS us-west
www.your-domain.com  A  Boundary=(not set)

Here, clients in AWS us-west will continue to be routed to but now everyone else will be routed to That’s because there is both a boundary and non-boundary record for the same name/type (www.your-domain.com/A).

Overlapping IPs

Overlapping IP blocks within a single IP boundary will be merged. For example, and will be treated as just

Overlapping IP blocks on separate IP boundaries must not be assigned to the same hostname. Doing so may result in inconsistent results due to how DNS caches queries.

DNS caching without a fallback

Some DNS resolvers do not scope their cache for “no response” answers. Using boundaries without a fallback deliberately returns “no response”, which can then trigger odd results. If the host records are intended to be queried using broadly available DNS resolvers, it is strongly recommended to add a dummy fallback record (eg: www.your-domain.com A Boundary=(not set)). On the other hand, if the boundary is used to constrain access to a known and limited set of resolvers (eg: a corporate office), then no dummy fallback record is required.

Technical details and Combinations

Boundaries may be assigned to A, AAAA, and ALIAS host record types.

IP and geo boundary routing are processed together. A client that matches both an IP boundary and a geo boundary will see both records. A fallback record is only used if neither an IP boundary nor a geo boundary match.

IP and geo boundaries are processed before Geo-closest.