Web Application Firewall: Verify domain name settings

Last Updated: Feb 05, 2024

After you add a domain name to Web Application Firewall (WAF), we recommend that you modify the Domain Name System (DNS) record on your on-premises machine to verify domain name settings in WAF. This topic describes how to verify domain name settings on an on-premises machine. In this topic, a Windows machine is used as an example.

Background information

You can modify the hosts file to override DNS resolution on your on-premises machine. The override takes effect only on that machine. To verify the domain name settings, point the domain name of your website to the IP address of your WAF instance in the hosts file of your on-premises machine. If you can then access the domain name from that machine, the domain name settings that are configured in WAF are valid. Verifying the settings this way prevents access exceptions that are caused by invalid domain name settings.

Prerequisites

The domain name of your website is added to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Procedure

In the following example, an on-premises machine that runs a Windows operating system is used.

  1. Open File Server Resource Manager on your on-premises machine.

  2. Enter C:\Windows\System32\drivers\etc\hosts in the address bar and open the hosts file by using a text editor.

  3. Add the following content to the hosts file:

    <IP address of your WAF instance> <Protected domain name>

    In the content, <Protected domain name> specifies the domain name that you want to add to WAF. <IP address of your WAF instance> specifies the IP address that is mapped to the domain name. Separate <IP address of your WAF instance> and <Protected domain name> with a space.

    To obtain the IP address of your WAF instance, perform the following steps:

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, click Website Configuration.

    3. On the CNAME Record tab, find the domain name that you added to WAF and click the icon to copy the CNAME that is assigned by WAF to the domain name.

    4. Open Command Prompt.

    5. Run the following command:

      ping <CNAME that you copy>

    6. Record the IP address of your WAF instance in the output of the ping command.

      For example, you add the domain name test.aliyundoc.com to WAF, and the IP address of your WAF instance is 47.23.XX.XX. Add the following content to the hosts file:

      47.23.XX.XX test.aliyundoc.com

  4. Save the changes to the hosts file and run the ping <Protected domain name> command to verify that your changes are in effect.

    If your changes are in effect, the IP address in the output of the ping command is the IP address of your WAF instance.

    If the IP address of the origin server is displayed in the command output, refresh the local DNS cache. You can run the ipconfig /flushdns command to refresh the DNS cache. Then, rerun the ping command until the changes take effect.

  5. In the address bar of your browser, enter the protected domain name.

    • If the website can be accessed, the domain name settings in the WAF console are correct and valid. In this case, you can restore the hosts file. Then, you can change the DNS record of the domain name to redirect requests to WAF for protection. For more information, see Modify a DNS record.

    • If the website cannot be accessed, the domain name settings may be invalid. We recommend that you check the domain name settings in WAF. After you fix errors in the domain name settings, reverify the domain name settings on your on-premises machine. For more information, see Add a domain name to WAF.

  6. Optional: Simulate a simple web attack to check whether WAF runs as expected.

    For example, enter <Protected domain name>/alert(xss), which specifies a web attack, in the address bar of your browser. Then, check whether WAF blocks the attack.

    If the request is blocked, a block page appears.

  7. After the verification is complete, remove the record that you added in Step 3 from the hosts file.

    Important

    If you do not delete the record after the verification is complete, exceptions may occur when your on-premises machine sends requests to the protected domain name.
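
The checks in Steps 3, 4 and 7 can be scripted. The following is an added example, not part of the original documentation: it parses hosts file text, confirms that the protected domain maps only to the WAF IP address, and flags a stale DNS cache or a conflicting record. The function names, status labels and IP addresses (documentation-range values) are assumptions of this example.

```python
import ipaddress
import socket

def hosts_entries(hosts_text, domain):
    """Return every IP address the hosts text maps to `domain`, in file order."""
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        if domain.lower() in (name.lower() for name in fields[1:]):
            found.append(ip)
    return found

def check_override(hosts_text, domain, waf_ip, resolve=socket.gethostbyname):
    """Classify the local override state for the checks in Steps 3, 4 and 7."""
    waf = ipaddress.ip_address(waf_ip)
    entries = hosts_entries(hosts_text, domain)
    if not entries:
        return "no-override"        # record not added yet, or already removed (Step 7)
    if any(ip != waf for ip in entries):
        return "conflicting-entry"  # another record for the domain competes with the WAF one
    if ipaddress.ip_address(resolve(domain)) != waf:
        return "stale-cache"        # Step 4: flush the DNS cache, then check again
    return "override-active"        # the domain resolves to the WAF instance on this machine

# Constructed sample input: documentation-range addresses, not real WAF or origin IPs.
WAF_IP = "203.0.113.10"
ORIGIN_IP = "198.51.100.7"
SAMPLE_HOSTS = """\
# constructed hosts file for this example
127.0.0.1       localhost
203.0.113.10    test.aliyundoc.com   # temporary WAF verification record
"""

if __name__ == "__main__":
    # Stub resolvers keep the demo offline; omit `resolve` to use the system resolver.
    print(check_override(SAMPLE_HOSTS, "test.aliyundoc.com", WAF_IP, resolve=lambda d: WAF_IP))
    print(check_override(SAMPLE_HOSTS, "test.aliyundoc.com", WAF_IP, resolve=lambda d: ORIGIN_IP))
```

On a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts as `hosts_text`. A result of "no-override" after verification confirms that the Step 7 cleanup is done.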

Contact technical support

If you cannot identify errors in the domain name settings, contact technical support by using the following method:

  • Log on to the WAF console. In the lower part of the left-side navigation pane, click Expert Consultation to join the DingTalk group to obtain technical support.