After you add your website to WAF, you must use the CNAME or IP address of WAF to change the DNS record to redirect requests destined for your website to WAF. This topic describes how to change the DNS record.
Prerequisites
- The website configurations are manually added to WAF in CNAME mode. For more information, see Manually add website configurations.
- You have the permissions to change the DNS record at your DNS service provider.
- Optional: Requests from WAF back-to-origin CIDR blocks are allowed on the origin server. For more information, see Allow access from WAF back-to-origin CIDR blocks.
Notice If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to the whitelist of the software. This prevents normal traffic from being blocked by access control policies.
- Optional: The forwarding configurations for your website are correct and in effect. Before you change the DNS record, you must verify that the website forwarding configurations are correct. This prevents service interruptions caused by invalid configurations. For more information, see Verify domain name settings.
Warning If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur.
Background information
WAF redirects requests in one of the following methods:
- CNAME record: resolves the domain name to the CNAME assigned by WAF.
We recommend that you use the CNAME record method. If failures occur, such as node failures or failures in a data center, the CNAME record allows WAF to switch to another WAF IP address or to route requests directly to the origin server. This ensures service continuity and provides high availability and disaster recovery capabilities.
- A record: resolves the domain name to the WAF IP address.
We recommend that you use the A record method only when the CNAME record conflicts with the existing DNS settings. For example, the CNAME record conflicts with the MX record, and the MX record must be retained.
Obtain the WAF CNAME and WAF IP address
You must obtain the WAF CNAME or WAF IP address of your domain name before you change the DNS record. If you have already obtained the WAF CNAME or IP address, skip the following steps.
Use Alibaba Cloud DNS to change the DNS record
The following example demonstrates how to change the DNS record in Alibaba Cloud DNS. If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record. If your domain name is not hosted on Alibaba Cloud DNS, refer to the following steps to change the DNS record at your DNS service provider.
References
- Protect the origin server.
If the IP address of your origin server is exposed, attackers may bypass WAF and directly attack your origin server. To avoid such attacks, we recommend that you configure an ECS security group or SLB whitelist. For more information, see Configure protection for an origin server.
- Retrieve actual IP addresses of clients.
After you add your website to WAF, WAF processes all requests destined for your website and forwards normal requests to the origin server. In this case, you must use the X-Forwarded-For header to retrieve the actual IP addresses of clients. For more information, see Retrieve actual IP addresses of clients.
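The two points above (only WAF back-to-origin addresses may reach the origin, and the client IP must be read from X-Forwarded-For) are usually enforced together on the origin server. The following Python is an added example written for this page, not Alibaba Cloud's code: it accepts a request only when the TCP peer falls inside the back-to-origin CIDR blocks, and then walks the X-Forwarded-For chain from the right, skipping every hop that is a WAF address, so that a value an attacker placed in the header before the request reached WAF is ignored. The CIDR blocks, the sample requests and the function names are constructed placeholders; replace the blocks with the ones published in the WAF console. It assumes WAF appends the IP address of the connecting client to X-Forwarded-For, which is standard proxy behaviour.

```python
# Added example, not part of the WAF documentation or product code.
# Origin-side checks for a site fronted by WAF:
#   1. reject any connection whose peer is not a WAF back-to-origin address
#      (the same intent as an ECS security group or SLB whitelist);
#   2. recover the real client IP from X-Forwarded-For by trusting only hops
#      that belong to the WAF back-to-origin CIDR blocks.
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed placeholder CIDR blocks (documentation ranges, NOT the real WAF
# back-to-origin blocks); take the real list from the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _in_trusted(addr: ipaddress._BaseAddress, trusted: Iterable) -> bool:
    return any(addr in net for net in trusted)


def is_waf_source(peer_ip: str, trusted: Iterable = WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the TCP peer that connected to the origin is a WAF node."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed peer address: treat as untrusted
    return _in_trusted(addr, trusted)


def client_ip_from_xff(peer_ip: str, xff: Optional[str],
                       trusted: Iterable = WAF_BACK_TO_ORIGIN_CIDRS) -> Optional[str]:
    """Return the client IP, or None when it cannot be established safely.

    The header is only meaningful when the request arrived through WAF, so a
    non-WAF peer yields None. The chain is scanned from the right (the hop
    closest to the origin); trusted WAF hops are skipped and the first address
    that is not a WAF address is the client. Anything an attacker put into the
    header before WAF appended the real client sits further left and is never
    reached. A malformed entry aborts the lookup rather than guessing.
    """
    if not is_waf_source(peer_ip, trusted):
        return None
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not _in_trusted(addr, trusted):
            return str(addr)
    return None  # header empty or consisted only of WAF hops


def evaluate_request(peer_ip: str, xff: Optional[str]) -> Tuple[int, Optional[str]]:
    """Decide an HTTP status and the client IP to log for one incoming request."""
    if not is_waf_source(peer_ip):
        return 403, None  # direct access that bypassed WAF
    client = client_ip_from_xff(peer_ip, xff)
    if client is None:
        return 400, None  # arrived via WAF but client IP is unrecoverable
    return 200, client


if __name__ == "__main__":
    # Constructed sample requests: (peer IP seen on the socket, X-Forwarded-For header).
    samples = [
        ("198.51.100.7", "192.0.2.44"),                           # normal request via WAF
        ("198.51.100.7", "10.0.0.1, 192.0.2.44, 203.0.113.9"),     # spoofed 10.0.0.1 is ignored
        ("192.0.2.1", "192.0.2.44"),                               # bypassed WAF: rejected
        ("198.51.100.7", "192.0.2.44, not-an-ip"),                 # malformed chain: refused
    ]
    for peer, header in samples:
        status, client = evaluate_request(peer, header)
        print(f"peer={peer:<14} xff={header!r:<40} -> {status} client={client}")
```

The rightmost-untrusted rule is what makes the header safe to use: reading the leftmost entry would let any client choose the address your logs, rate limits and IP allowlists see. If the origin is also behind an SLB or another trusted hop, add that hop's address range to the trusted list so it is skipped in the same way.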