After you add a domain name to the WAF console, you must use the CNAME address (or IP address) of WAF to change the DNS settings. To ensure website security, requests from your website are then resolved to WAF for traffic scrubbing. This topic describes how to change DNS settings.

Prerequisites

  • The website configurations are added to the WAF console. For more information, see Add domain names.
  • You have the permissions to change DNS records at your DNS service provider.
  • Requests from WAF back-to-origin CIDR blocks are allowed. For more information, see Configure back-to-origin CIDR blocks.
    Notice If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to the whitelist of the software. This prevents normal traffic from being blocked by access control policies.
  • The forwarding configurations for your website are correct and valid. Before you change the DNS settings, you must verify that the website forwarding configurations are correct. This prevents service interruptions caused by incorrect configurations. For more information, see Perform redirect check with a local computer.
    Warning If you change the DNS settings before the forwarding configurations for your website take effect, service interruptions may occur.

Background information

WAF takes over requests for your domain name by using either of the following methods:

  • CNAME record: resolves the domain name to the WAF CNAME address.

    We recommend that you use the CNAME record method. If a WAF node or data center fails, the CNAME record allows WAF to switch to another WAF IP address or to direct requests to the origin server. This ensures business continuity and provides high availability and disaster recovery capabilities.

  • A record: resolves the domain name to the WAF IP address.

    We recommend that you use the A record method only when the CNAME record conflicts with the current DNS settings. For example, the CNAME record conflicts with the MX record, and the MX record must be retained.

The following content describes how to configure WAF for a website that does not use proxy services such as CDN and Anti-DDoS Pro. If you need to deploy both WAF and other proxy services, see the following topics:

Obtain the WAF CNAME address and WAF IP address

You must obtain the WAF CNAME address or WAF IP address of your domain name before you change the DNS settings. If you have already obtained the address when you add the domain name, skip the following steps.

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Website Access page, find the target domain name, move the pointer over it, and copy the WAF CNAME address of the domain name.
  5. Optional: Obtain the WAF IP address of the domain name.
    Note Perform this step when you use the A record method. If you use the CNAME record, skip this step.
    1. Open Command Prompt in Windows.
    2. Run the following command to obtain the WAF IP address:
      ping <WAF CNAME address that you have copied>
    3. Record the WAF IP address in the command output.

Use Alibaba Cloud DNS to change the DNS records

The following example demonstrates how to change the DNS records in Alibaba Cloud DNS. If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS records. If your domain name is not hosted on Alibaba Cloud DNS, refer to the following steps to change the DNS records at your DNS service provider.

  1. Log on to Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the target domain name and click Configure in the Actions column.
  3. On the DNS Settings page, find the target record in the Host column and click Edit in the Actions column.
    In the following example, aliyun.com is used:
    • www: matches domain names that begin with www, such as www.aliyun.com.
    • @: matches the root domain name, for example, aliyun.com.
    • *: matches all wildcard domain names including root domain names and subdomain names, such as blog.aliyun.com, www.aliyun.com, and aliyun.com.
  4. In the Edit Record dialog box, select either the CNAME record or the A record to change the record.
    • CNAME record: Set Type to CNAME and Value to the WAF CNAME address and keep other settings unchanged.
      Note We recommend that you set the TTL to 10 minutes. The larger the TTL, the longer it takes for a changed DNS record to propagate.
      Change a CNAME record

      Note the following descriptions about conflicts:

      • You can specify only one CNAME record for each host record. Set Value to the WAF CNAME address.
      • Different record types conflict with each other. For example, a CNAME record cannot coexist with an A record, an MX record, or a TXT record under the same host record. If you cannot change the record type, delete all conflicting records, and then add a new CNAME record.
        Warning You must delete all conflicting records and add the new CNAME record. This must be completed in a short period of time. Otherwise, your domain name becomes inaccessible.
      • If you must retain the MX record, we recommend that you use the A record method to resolve the domain name to the WAF IP address.
    • A record: Set Type to A and Value to the WAF IP address and keep other settings unchanged.
      Note We recommend that you set the TTL to 10 minutes. The larger the TTL, the longer it takes for a changed DNS record to propagate.
      A record
  5. Click OK and wait for the DNS records to take effect.
  6. Verify the DNS settings. You can ping the website domain name or use a DNS detection tool to verify whether the DNS records take effect.
    Note It takes some time for the DNS records to take effect. If the verification fails, verify the DNS records again in 10 minutes.
  7. Check the DNS resolution status.
    1. Log on to the Web Application Firewall console.
    2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
    3. In the left-side navigation pane, choose Asset Center > Website Access.
    4. On the Website Access page, find the added domain name and view its DNS Status.
      The DNS Status of the domain name is Normal only when it is resolved to the CNAME address of WAF and WAF detects access traffic to it.
    5. Optional: If DNS Status is Abnormal, click the Abnormal icon to query the cause.
      Common causes include No traffic through the CNAME is detected and No Traffic. After the exception is fixed, click the Recheck icon to perform the check again.

      If you confirm that the DNS settings are correct, check the DNS resolution status again in an hour or troubleshoot the errors. For more information, see DNS resolution status exception.

      Note The DNS resolution status only indicates whether you have correctly configured WAF for your website. It does not indicate whether your website is accessible.
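The record-conflict rules in step 4 and the verification in steps 6 and 7 can be checked before and after the cut-over. The following Python script is an added example, not code from Alibaba Cloud or the WAF console: it plans the record change for a host according to the rules above (one CNAME per host record, no CNAME alongside A/MX/TXT records, fall back to the A record method when an MX record must be retained, TTL at or below the recommended 10 minutes) and then decides from a resolver answer whether the domain now reaches WAF. The zone records, the WAF CNAME and the WAF IP address are constructed placeholders standing in for the values copied from the console.

```python
"""DNS record checks for routing a website through WAF (added example)."""
from dataclasses import dataclass

RECOMMENDED_TTL = 600  # 10 minutes, as recommended in the procedure
# Record types that cannot coexist with a CNAME under the same host record.
CNAME_CONFLICTS = {"A", "MX", "TXT"}


@dataclass(frozen=True)
class Record:
    host: str    # "www", "@" (root domain) or "*" (wildcard)
    rtype: str   # "A", "CNAME", "MX", "TXT", ...
    value: str
    ttl: int = RECOMMENDED_TTL


def plan_waf_change(zone, host, waf_cname, waf_ip, keep_mx=False):
    """Compute the record set after pointing `host` at WAF.

    Returns (method, records, notes). The CNAME method is preferred; the
    A record method is chosen only when an MX record on the same host must
    be retained, because a CNAME cannot coexist with it.
    """
    same_host = [r for r in zone if r.host == host]
    others = [r for r in zone if r.host != host]
    notes = []
    has_mx = any(r.rtype == "MX" for r in same_host)

    if has_mx and keep_mx:
        method = "A"
        kept = [r for r in same_host if r.rtype not in {"A", "CNAME"}]
        new = Record(host, "A", waf_ip)
    else:
        method = "CNAME"
        conflicting = [r for r in same_host if r.rtype in CNAME_CONFLICTS | {"CNAME"}]
        for r in conflicting:
            # These must be deleted and the CNAME added within a short window.
            notes.append(f"delete {r.rtype} {r.host} {r.value} before adding the CNAME")
        kept = [r for r in same_host if r not in conflicting]
        new = Record(host, "CNAME", waf_cname)
    return method, others + kept + [new], notes


def check_zone(zone):
    """Return the problems in a record set that would break or slow the cut-over."""
    problems = []
    for host in sorted({r.host for r in zone}):
        recs = [r for r in zone if r.host == host]
        cnames = [r for r in recs if r.rtype == "CNAME"]
        if len(cnames) > 1:
            problems.append(f"{host}: more than one CNAME record")
        if cnames and any(r.rtype in CNAME_CONFLICTS for r in recs):
            problems.append(f"{host}: CNAME coexists with A/MX/TXT records")
        for r in recs:
            if r.rtype in {"A", "CNAME"} and r.ttl > RECOMMENDED_TTL:
                problems.append(f"{host}: {r.rtype} TTL {r.ttl}s exceeds {RECOMMENDED_TTL}s")
    return problems


def routed_through_waf(answers, waf_cname, waf_ip):
    """Decide from resolver answers whether the domain now reaches WAF.

    `answers` is a list of (rtype, value) pairs as shown by a DNS lookup of
    the website domain. The domain is routed through WAF when the CNAME
    chain contains the WAF CNAME or the final A record is the WAF IP.
    """
    norm = lambda name: name.rstrip(".").lower()
    cname_hit = any(t == "CNAME" and norm(v) == norm(waf_cname) for t, v in answers)
    a_hit = any(t == "A" and v == waf_ip for t, v in answers)
    return cname_hit or a_hit


if __name__ == "__main__":
    WAF_CNAME = "placeholder-waf-cname.example.invalid"  # placeholder: copy from the console
    WAF_IP = "203.0.113.10"                               # placeholder: from `ping <WAF CNAME>`
    # Constructed zone: the root has mail, both hosts use a long TTL.
    zone = [
        Record("@", "MX", "mail.example.com", 3600),
        Record("@", "A", "198.51.100.7", 3600),
        Record("www", "A", "198.51.100.7", 3600),
    ]
    for host, keep_mx in (("www", False), ("@", True)):
        method, planned, notes = plan_waf_change(zone, host, WAF_CNAME, WAF_IP, keep_mx)
        print(host, method, notes, check_zone(planned))
    print(routed_through_waf([("CNAME", WAF_CNAME), ("A", WAF_IP)], WAF_CNAME, WAF_IP))
```

Run it against an export of your own zone to see which records the CNAME method would force you to delete, and feed `routed_through_waf` the answers from a DNS detection tool after the change; a `False` result is the same condition the console reports as an abnormal DNS Status.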

References

  • Protect the origin server.

    If the IP address of your origin server is exposed, attackers may bypass WAF and directly attack your origin server. To avoid such attacks, we recommend that you configure an ECS security group or SLB whitelist policy to block malicious requests. For more information, see Configure protection for your origin server.

  • Retrieve actual IP addresses of clients.

    After you configure WAF for your website, all requests are forwarded to WAF, and WAF forwards the inspected requests to the origin server. The origin server therefore sees a WAF back-to-origin address as the source of each connection, and you need to use the X-Forwarded-For request header to retrieve the actual IP addresses of clients. For more information, see Retrieve actual client IP addresses.
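The two reference items above meet in the origin server's request handling: the client IP has to be read from X-Forwarded-For, but that header is attacker-controlled on the way in, so it can only be trusted when the connection really comes from WAF, and a connection that does not is exactly the exposed-origin situation the first item warns about. The following Python function is an added example, not Alibaba Cloud's code or the method documented in Retrieve actual client IP addresses: it honours X-Forwarded-For only when the TCP peer is in a trusted proxy range, walks the header from the right past every trusted hop, and reports whether the request arrived through WAF at all. The CIDR block and all addresses are constructed placeholders; the real WAF back-to-origin CIDR blocks come from the console.

```python
"""Recover the client IP behind WAF from X-Forwarded-For (added example)."""
import ipaddress

# Placeholder for the WAF back-to-origin CIDR blocks (constructed, not WAF's real ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(addr):
    """True if `addr` is a valid IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """Return (client_ip, via_waf).

    remote_addr: the TCP peer address of the connection.
    xff_header:  the X-Forwarded-For value, or None when absent.
    via_waf is False when the peer is not a trusted proxy; such requests
    reached the origin directly and are worth alerting on once the DNS
    change is complete, since the origin should only be reachable via WAF.
    """
    if not is_trusted(remote_addr):
        # Direct connection: the header could say anything, so ignore it.
        return remote_addr, False

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Each trusted proxy appends the address it saw, so walk from the right
    # and stop at the first hop that is not one of our proxies.
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop)), True
        except ValueError:
            break  # malformed entry: do not trust the rest of the header
    # Header empty, malformed, or only proxies: fall back to the peer address.
    return remote_addr, True


if __name__ == "__main__":
    # Constructed requests: peer 203.0.113.5 plays the WAF node.
    print(client_ip("203.0.113.5", "198.51.100.23"))                # real client
    print(client_ip("203.0.113.5", "1.2.3.4, 198.51.100.23"))       # spoofed prefix ignored
    print(client_ip("198.51.100.23", "10.0.0.1"))                   # origin hit directly
```

Counting requests with `via_waf == False` after the cut-over is a cheap detection for an origin whose IP address has leaked; the mitigation remains the security group or SLB whitelist described above.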