After adding a website domain name to Anti-DDoS Pro or Anti-DDoS Premium, change the DNS records to redirect traffic through Anti-DDoS Pro or Anti-DDoS Premium for protection. Map the domain name to a CNAME assigned by Anti-DDoS Pro or Anti-DDoS Premium, or to the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance.
CNAME record vs. A record
Anti-DDoS Pro and Anti-DDoS Premium support two DNS mapping methods. Use the CNAME record unless it is unavailable or conflicts with other DNS records.
| Criteria | CNAME record (recommended) | A record |
|---|---|---|
| Maps domain to | A CNAME assigned by Anti-DDoS Pro or Anti-DDoS Premium | The IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance |
| IP address changes | Automatic. Traffic redirects based on the CNAME without DNS updates. | Manual. Update the DNS record each time the instance IP address changes. |
| Multiple instances | Anti-DDoS Pro or Anti-DDoS Premium schedules traffic across instances automatically. | Manually schedule traffic across instances. |
| When to use | Default choice for most configurations. | Use only when CNAME records are unavailable or conflict with existing DNS records (for example, a CNAME at the zone apex). |
Prerequisites
Before changing DNS records, complete the following steps:
Add the website to an Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Add websites.
Add back-to-origin IP addresses to the whitelist of the origin server. If third-party security software such as a firewall is deployed on the origin server, also add the back-to-origin IP addresses to the whitelist of that software. For more information, see Allow back-to-origin IP addresses to access the origin server.
Verify traffic forwarding settings on a local machine before switching service traffic to the Anti-DDoS Pro or Anti-DDoS Premium instance. For more information, see Verify traffic forwarding settings on a local machine.
Switching service traffic to Anti-DDoS Pro or Anti-DDoS Premium before the forwarding settings take effect may cause service interruption.
Procedure
The following steps use Alibaba Cloud DNS as an example. If you use a third-party DNS provider, refer to your provider's documentation and use the same values described below.
The DNS records must be consistent with the CNAME assigned by Anti-DDoS Pro or Anti-DDoS Premium, or with the IP address of an Anti-DDoS Pro or Anti-DDoS Premium instance. This ensures that service traffic is forwarded as expected.
Step 1: Get the CNAME or IP address
Log on to the Anti-DDoS Pro console.
Choose Provisioning > Website Config.
Locate your domain name and copy the CNAME or instance IP address.
Step 2: Configure the DNS record
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find the domain name and click DNS Settings in the Actions column.
On the DNS Settings page, find the DNS record to modify and click Modify in the Actions column.
Note: If no matching DNS record exists, click Add DNS Record to create one.
In the Modify DNS Record or Add DNS Record panel, set the record fields based on your chosen method:
CNAME record
| Field | Value |
|---|---|
| Record Type | CNAME |
| Hostname | Your subdomain prefix (for example, www) |
| Record Value | The CNAME assigned by Anti-DDoS Pro or Anti-DDoS Premium |
A record
| Field | Value |
|---|---|
| Record Type | A |
| Hostname | Your subdomain prefix (for example, www) |
| Record Value | The IP address of the Anti-DDoS Pro or Anti-DDoS Premium instance (for example, 203.0.113.50) |
Click OK and wait for the settings to take effect.
Third-party DNS providers
If you manage DNS through a third-party provider, log in to your provider's DNS management console. Create or modify a CNAME or A record using the same values described above. Refer to your provider's documentation for detailed steps.
Verify the result
Open a browser and access your website. Confirm that the site loads correctly.
If the website is unreachable or slow, see How do I handle the issues of slow response, high latency, and access failure on my service that is protected by an Anti-DDoS Pro or Anti-DDoS Premium instance?
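A browser check confirms the site loads but not that DNS actually matches the value copied in Step 1. The following added example (not part of the Alibaba Cloud documentation) checks saved `dig +noall +answer` output against the expected CNAME or instance IP and flags an origin IP that is still published. The function names, the `placeholder-cname.ddos.invalid` target, and the origin address 198.51.100.7 are constructed for illustration.

```python
import ipaddress
# Constructed sample answers (not captured from a real zone).
CNAME_OK = """www.example.com. 600 IN CNAME placeholder-cname.ddos.invalid.
placeholder-cname.ddos.invalid. 60 IN A 203.0.113.50"""
STALE_A = """www.example.com. 600 IN A 203.0.113.50
www.example.com. 600 IN A 198.51.100.7"""

def parse_answers(dig_output):
    """Parse `dig +noall +answer` lines into (owner, type, value) tuples."""
    records = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and not fields[0].startswith(";"):  # owner TTL class type rdata
            owner, rtype, value = fields[0], fields[3].upper(), fields[4]
            records.append((owner.rstrip(".").lower(), rtype, value.rstrip(".").lower()))
    return records

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_cutover(dig_output, hostname, expected, origin_ip=None):
    """Return a list of problems; an empty list means DNS matches Step 1."""
    host, expected = hostname.rstrip(".").lower(), expected.rstrip(".").lower()
    records = parse_answers(dig_output)
    cnames = {o: v for o, t, v in records if t == "CNAME"}
    addrs = [v for _, t, v in records if t == "A"]
    problems = []
    if is_ip(expected):  # A-record method: every A record must be the instance IP
        if host in cnames:
            problems.append(f"{host} is a CNAME to {cnames[host]}, expected A {expected}")
        stray = sorted({v for o, t, v in records if t == "A" and o == host and v != expected})
        if stray:
            problems.append(f"{host} has A records outside the instance: {stray}")
        if expected not in addrs:
            problems.append(f"{host} does not resolve to {expected}")
    else:  # CNAME method: follow the alias chain, guarding against loops
        name, chain = host, []
        while name in cnames and cnames[name] not in chain:
            name = cnames[name]
            chain.append(name)
        if expected not in chain:
            problems.append(f"{host} is not aliased to {expected} (chain: {chain})")
    if origin_ip and origin_ip in addrs:  # a leftover record lets traffic bypass protection
        problems.append(f"origin IP {origin_ip} is still published in DNS")
    return problems
```

Run it against answers from more than one resolver, because cached records can keep returning the old value until the previous TTL expires.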
What to do next
Enable Sec-Traffic Manager and configure scheduling rules between Anti-DDoS Pro or Anti-DDoS Premium and protected cloud resources. These rules trigger Anti-DDoS Pro or Anti-DDoS Premium only in specific scenarios. For more information, see Overview.
Change the public IP address of the Elastic Compute Service (ECS) origin server: If the IP address of your origin server is exposed, attackers may bypass Anti-DDoS Pro or Anti-DDoS Premium and attack the origin server directly. Change the public IP address of the ECS instance in the Anti-DDoS Pro or Anti-DDoS Premium console to prevent this. For more information, see Change the public IP address of an ECS origin server.