edit-icon download-icon

CNAME access guide

Last Updated: Jan 15, 2018

After configuring the domain name in the WAF console, you must change your DNS resolution to CNAME address to switch access traffic to WAF. Only then, WAF can secure your origin site.

Flow logic

Flow logic

  • WAF console displays a message, “No CNAME access detected and no traffic” when WAF is disconnected.

    Note: This prompt is an alert message. You can still access the website.

  • CNAME access detection is performed once every hour, and traffic detection is performed once every few minutes. If you confirm that CNAME has been correctly accessed, you can check the status again in an hour.

  • CNAME access detection is performed when:

    • The domain name does not resolve to CNAME.
    • No traffic from domain name through WAF is detected from the past few minutes.

Access status exception

If you are prompted with a “No CNAME access detected and no traffic” or “Currently no traffic” error message after configuration, see Access status detection exceptions.

Access methods

Deployment scenario 1: Only enable WAF (no CDN or Anti-DDoS Pro service enabled)

  1. Go to Alibaba Cloud Security console > Web Application Firewall > Domain Name Configuration, and find the assigned CNAME address in the Domain Info field.
    CNAME

  2. Change the DNS resolution and access WAF.

    Using GoDaddy DNS as an example:

    1. Log on to the GoDaddy console.
    2. Modify the record type to CNAME, and enter the correct sub-domain name in host records. For example, the host record of www.aliyundemo.cn is “www”, and the host record of aliyundemo.cn is “@”.
    3. Enter the CNAME address assigned by WAF as the record value.
    4. Configure TTL (indicates the domain cache time) based on your needs. The reference value is 600 seconds.
  3. Once you enter the required information, click Save to complete the resolution settings.

Deployment scenario 2: Enable CDN with WAF

For more information, see Use CDN with WAF.

Deployment scenario 3: Enable Anti-DDoS Pro with WAF

For more information, see Use Anti-DDoS Pro with WAF.

Restrictions

  • You can only enter one CNAME resolution record value for each host record. You can modify it to the CNAME address for WAF.

  • The A record and CNAME record of each host record are mutually exclusive. You can modify the DNS record to the CNAME type and enter the CNAME address.

  • If the DNS service provider does not allow direct modification from A record to CNAME record, you must delete the A record first, and then add the CNAME address.
    Note: Try to complete the entire deletion and addition process as soon as possible. In case of delay in adding a CNAME address for an extended period once the A record is deleted, the domain name resolution may fail to generate a result.

  • MX records and CNAME records are mutually exclusive. If you must keep MX records, you can use A records to point to the WAF IP address. You can use the ping command on the CNAME address assigned by WAF to get the IP address of WAF. Then, configure the A record during DNS resolution by using the WAF IP address as the record value.
    Note: If you use A records for access, WAF does not initiate the fault cluster scheduling and fault bypass operations.

Thank you! We've received your feedback.