After you add a domain name to the WAF console and before you change the DNS record to redirect requests to WAF for protection, we recommend that you change the DNS resolution on a local computer to verify the WAF domain name settings. This topic describes how to verify the domain name settings on a local computer, using a Windows machine as an example.

Prerequisites

The domain name has been added to the WAF console. For more information, see Add domain names.

Background information

You can configure address-to-name mapping on your local computer by modifying its hosts file. The mapping takes effect only on the local computer. During the verification, you resolve the domain name of your website to the IP address of WAF on the local computer. If you can then access the domain name added to the WAF console from the local computer, the domain name settings in WAF are correct. Verifying on a local computer first prevents access exceptions caused by incorrect domain name settings.

Procedure

The following procedure describes how to verify domain name settings on a local computer that runs Windows.

  1. Open File Server Resource Manager on your local computer.
  2. In the address bar, enter C:\Windows\System32\drivers\etc\hosts and open the hosts file with Notepad or Notepad++.
  3. Append the following content to the hosts file:
    <WAF IP address> <Protected domain name>
    where <Protected domain name> is the domain name that you added to WAF and <WAF IP address> is the WAF IP address that is mapped to the domain name. Separate <WAF IP address> and <Protected domain name> with a space.

    To obtain the WAF IP address, follow these steps:

    1. Log on to the Web Application Firewall console.
    2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
    3. In the left-side navigation pane, choose Asset Center > Website Access.
    4. On the Website Access page, move the pointer over the domain name, and then view and copy the WAF CNAME address of the domain name.
    5. Open Command Prompt in Windows.
    6. Run the following command to obtain the WAF IP address:
      ping <WAF CNAME address that you have copied>
    7. Record the WAF IP address in the command output.
    Assume that you have added the domain name test.wafqa3.com to the WAF console and the WAF IP address is 47.***.***.213. Append the following content to the hosts file:
    47.***.***.213 test.wafqa3.com
  4. Save changes to the hosts file and run the ping <Protected domain name> command to verify that your changes are in effect.
    If your changes are in effect, the IP address in the command output is the WAF IP address that is mapped to the domain name.

    If the origin IP address is displayed, try refreshing the local DNS cache. You can run the ipconfig /flushdns command to refresh the DNS cache. Then, run the ping command again until the changes take effect.

  5. In the address bar of your local browser, enter the protected domain name.
    • If you can access the website, the domain name settings added to the WAF console are correct. In this case, you can restore the hosts file and update the DNS record to redirect traffic to WAF for protection. For more information, see Change the DNS settings.
    • If you are unable to access your website, the domain name settings added may be incorrect. We recommend that you check the domain name settings in the WAF console and perform the verification again after troubleshooting. For more information, see Add domain names.
  6. Optional: Simulate simple web attack commands to verify whether WAF works properly.
    For example, in your browser's address bar, enter <Protected domain name>/alert(xss), a web attack request, and verify whether WAF blocks the attack.
  7. After the verification is complete, delete the record added in Step 3 from the hosts file.
    Notice: Delete the record after the verification is complete. Otherwise, exceptions may occur when the local computer sends requests to the protected domain name.
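
The procedure above as a script, added here as an example and not part of the original documentation: it resolves the WAF CNAME, adds the hosts record, checks resolution and access, and removes the record in a finally block so that Step 7 is never skipped. www.example.com and waf-cname.example.net are placeholders, and the script assumes an elevated PowerShell session and a site served over HTTP.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
# Placeholders: replace with the values from your own WAF console.
$Domain   = 'www.example.com'           # protected domain name (placeholder)
$WafCname = 'waf-cname.example.net'     # WAF CNAME copied from Website Access (placeholder)
$Hosts    = "$env:SystemRoot\System32\drivers\etc\hosts"
$Marker   = '# waf-local-verification'  # tag used to find and remove the temporary record

# Resolve the WAF CNAME to an IPv4 address (stands in for the manual ping sub-steps).
$WafIp = (Resolve-DnsName -Name $WafCname -Type A -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' } |
          Select-Object -First 1).IPAddress
if (-not $WafIp) { throw "No A record found for $WafCname" }

try {
    # Step 3: append "<WAF IP address> <Protected domain name>", tagged with the marker.
    # The leading line break protects against a hosts file with no trailing newline.
    Add-Content -Path $Hosts -Value "`r`n$WafIp $Domain $Marker"

    # Step 4: flush the resolver cache, then confirm the name maps to the WAF IP.
    Clear-DnsClientCache
    $resolved = [System.Net.Dns]::GetHostAddresses($Domain) |
                ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $WafIp) {
        throw "$Domain resolves to $($resolved -join ', '), expected $WafIp"
    }

    # Step 5: request the site through WAF and report the HTTP status.
    # Assumption: plain HTTP; change the scheme if the site is HTTPS-only.
    $resp = Invoke-WebRequest -Uri "http://$Domain/" -UseBasicParsing -TimeoutSec 15
    "{0} via {1}: HTTP {2}" -f $Domain, $WafIp, $resp.StatusCode
}
finally {
    # Step 7: always remove the temporary record, even if a check above failed.
    $kept = Get-Content -Path $Hosts |
            Where-Object { $_ -notmatch [regex]::Escape($Marker) }
    Set-Content -Path $Hosts -Value $kept
    Clear-DnsClientCache
}
```

A failed resolution check or a non-success HTTP response is raised as an error after the cleanup has run, so the hosts file is restored in either case.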

Contact technical support

If you cannot identify any faults in the domain name settings, contact technical support in one of the following ways:
  • Log on to the WAF console. At the lower part of the left-side navigation pane, click Meet Expert, join the WAF emergency handling DingTalk group by scanning the DingTalk code, and contact Alibaba Cloud security experts for assistance.
  • Submit a ticket.