After you add a domain to Web Application Firewall (WAF) in CNAME record mode, point the domain's DNS record to the CNAME assigned by WAF. This routes all incoming traffic through WAF before it reaches your origin server.
WAF supports only CNAME records. Do not add an A record pointing to the WAF virtual IP address (VIP). WAF enables VIP isolation by default and may change the VIP when you enable or disable an exclusive IP address or intelligent load balancing. An A record causes service interruptions when the VIP changes. If node failures or data center failures occur, WAF uses a different IP address or forwards requests to the origin server to ensure service continuity — this is why a CNAME record is required instead of an A record.
This topic applies when your website has no upstream proxies such as Alibaba Cloud CDN, Anti-DDoS Pro, or Anti-DDoS Premium. If you use those services together with WAF, see Use WAF together with CDN or Protect a website service by using Anti-DDoS Pro or Anti-DDoS Premium and WAF.
Prerequisites
Before you begin, make sure that:
The website is added to WAF in CNAME mode. See Add a domain name to WAF.
You have permission to modify DNS records at your DNS service provider.
The WAF back-to-origin CIDR blocks are allowed on your origin server. If you use third-party security software or access control policies, add these CIDR blocks to the allowlist. See Allow access from back-to-origin CIDR blocks of WAF.
The website forwarding configurations are correct and in effect. See Verify domain name settings.
Modifying the DNS record before the forwarding configurations take effect causes service interruptions.
Get the WAF CNAME for your domain
Log on to the WAF console.
In the left-side navigation pane, choose Asset Center > Website Access.
In the domain name list, find your domain and move the pointer over it. Copy the CNAME assigned by WAF.
Update the DNS record
The following steps use Alibaba Cloud DNS. If you use a third-party DNS service provider, follow the same logic in that provider's console.
Log on to the Alibaba Cloud DNS console.
On the Authoritative DNS Resolution page, find your domain and click DNS Settings in the Actions column.
On the DNS Settings page, find the hostname to update and click Modify in the Actions column. Hostname patterns for example.com:
Hostname | Matches
www | www.example.com
@ | example.com (root domain)
* | All subdomains, such as blog.example.com
Delete any existing A, MX, or TXT records for the same hostname. CNAME records cannot coexist with A, MX, or TXT records for the same hostname.
Warning: Delete all conflicting DNS records before proceeding. Leaving them in place makes the domain inaccessible.
In the Modify DNS Record panel, set Record Type to CNAME and Record Value to the WAF CNAME you copied. Keep all other settings unchanged.
Note: Set the time-to-live (TTL) to 10 minutes. A larger TTL value means that DNS record updates take longer to propagate.
Click OK and wait for the DNS record to take effect.
Verify the update
Ping your domain or use a DNS lookup tool to confirm the record resolves to the WAF CNAME.
DNS propagation is not immediate. If verification fails, wait 10 minutes and try again.
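A scriptable form of that check, added here as an example and not part of the Alibaba Cloud documentation: it parses dig-style answer lines (constructed samples below, with a placeholder in place of a real WAF CNAME) and reports a wrong CNAME target, a conflicting A, MX, or TXT record at the same hostname, or a CNAME TTL above 10 minutes. The `dig` wrapper assumes dnsutils/bind-utils is installed on the host you run it from.

```shell
#!/bin/sh
# check_waf_cname: verify that HOST's DNS answers point at the WAF CNAME and
# carry no conflicting A/MX/TXT records (which cannot coexist with a CNAME),
# and that the CNAME TTL does not exceed MAX_TTL seconds (600 = 10 minutes).
# ANSWERS is text in the format of `dig +noall +answer` (NAME TTL CLASS TYPE
# RDATA). Records for other names, e.g. the A records of the CNAME target
# that dig appends, are ignored. Returns 0 when the record set is correct.
# Usage: check_waf_cname "$answers" host waf_cname [max_ttl]
check_waf_cname() {
    printf '%s\n' "$1" | awk -v host="$2" -v want="$3" -v max_ttl="${4:-600}" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN { host = norm(host); want = norm(want); ok = 1; seen = 0 }
    NF < 5 || norm($1) != host { next }
    $4 == "CNAME" {
        seen = 1
        if (norm($5) != want) { print "CNAME -> " $5 " (expected " want ")"; ok = 0 }
        if ($2 + 0 > max_ttl) { print "CNAME TTL " $2 " exceeds " max_ttl; ok = 0 }
        next
    }
    $4 == "A" || $4 == "MX" || $4 == "TXT" { print "conflicting " $4 " record: " $0; ok = 0 }
    END { if (!seen) { print "no CNAME record for " host; ok = 0 }; exit (ok ? 0 : 1) }'
}

# live_check: gather the real answers with dig and run the same check.
# Each type is queried separately because many resolvers refuse ANY queries.
live_check() {
    answers=""
    for t in CNAME A MX TXT; do
        answers="$answers
$(dig +noall +answer "$1" "$t")"
    done
    check_waf_cname "$answers" "$1" "$2"
}

# Constructed sample answers. The WAF CNAME below is a placeholder; replace it
# with the value copied from the WAF console (Asset Center > Website Access).
WAF_CNAME='abc123.waf-cname-placeholder.invalid'
GOOD_ANSWERS="www.example.com. 600 IN CNAME $WAF_CNAME."
BAD_ANSWERS="www.example.com. 3600 IN CNAME $WAF_CNAME.
www.example.com. 3600 IN A 203.0.113.10
www.example.com. 3600 IN TXT \"v=spf1 -all\""

if check_waf_cname "$GOOD_ANSWERS" www.example.com "$WAF_CNAME"; then
    echo "www.example.com: record set is correct"
fi
if ! check_waf_cname "$BAD_ANSWERS" www.example.com "$WAF_CNAME"; then
    echo "www.example.com: fix the records listed above before switching traffic"
fi
```

To check a live zone instead of the samples, call `live_check www.example.com "$WAF_CNAME"` after setting WAF_CNAME to the value from the console.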
What's next
Protect your origin server — If your origin IP address is exposed, attackers can bypass WAF and target your server directly. Configure an Elastic Compute Service (ECS) security group or Server Load Balancer (SLB) allowlist to block direct access. See Configure protection for an origin server.
Retrieve client IP addresses — After traffic flows through WAF, your origin server receives requests from WAF's IP addresses rather than from end users. Read the X-Forwarded-For header to get the actual client IP. See Retrieve the originating IP addresses of clients.