diff --git a/DNS-alias-mode.md b/DNS-alias-mode.md index a21c957..1742c98 100644 --- a/DNS-alias-mode.md +++ b/DNS-alias-mode.md @@ -118,13 +118,34 @@ acme.sh --issue \ Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at cloudflare, and the second is hosted at godaddy. +### 5. Mix dns alias and default dns auth -### 5. Last +You can get a certificate with domains where you can authenticate with dns and want to mix it with domains where you need to use dns alias mode. Use `--challenge-alias no` to mark the domain that doesn't use a dns alias. + +If we have direct acccess to set a txt record for *.example.com. The domain example.net must use dns alias. For extern1.example.net set a CNAME + +```txt +_acme-challenge.extern1.example.net + => _acme-challenge.aliasDomainForValidationOnly.com +``` + +Then issue cert: + +```sh + +./acme.sh/acme.sh --issue \ + -d host1.example.com --challenge-alias no \ + -d host2.example.com --challenge-alias no \ + -d extern1.example.net --challenge-alias aliasDomainForValidationOnly.com \ + --dns dns_infoblox +``` + +### 6. Last Do not remove the CNAME like : `_acme-challenge.example.com` after you issue the cert. It will be reused when acme.sh tries to renew the cert. The left cname record `_acme-challenge.example.com` doesn't harm your domain at all. Just keep it there. -### 6. challenge-alias or domain-alias +### 7. challenge-alias or domain-alias We have another parameter: `--domain-alias`, it has the same meaning with `--challenge-alias`.
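Review bot: the new section 5 text has a typo and a sentence fragment that should be fixed before merging: "If we have direct acccess to set a txt record for *.example.com. The domain example.net must use dns alias." should read "acccess" -> "access", and the two sentences read better joined, e.g. "If we have direct access to set a TXT record for *.example.com but the domain example.net must use DNS alias mode, set a CNAME for extern1.example.net:". The `sh` fence also opens with a blank line before `./acme.sh/acme.sh --issue \`; drop it so the example matches the other fences in this file. Since `--challenge-alias` is read per `-d` entry, it is worth stating explicitly in the prose that `--challenge-alias no` has to be repeated after every domain that is validated directly (as the example already does for host1 and host2), otherwise a reader may expect one flag to cover all of them.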