All Products
Search

This Product

    Web Application Firewall:Local verification

    Document Center

    Web Application Firewall:Local verification

    Last Updated:Mar 31, 2026

    Before updating your Domain Name System (DNS) records to route traffic through Web Application Firewall (WAF), test your WAF configuration locally by modifying the hosts file on your computer. This confirms that WAF protects your domain correctly without affecting live traffic.

    Prerequisites

    Before you begin, ensure that you have:

    How it works

    Modifying the hosts file on your computer overrides DNS resolution locally — only your machine is affected. By pointing your domain to the WAF instance IP in the hosts file, you can access the site through WAF and confirm that protection works before switching the DNS record for all users.

    Verify WAF domain settings

    The following steps use a Windows computer as the example. On Linux, the hosts file is at /etc/hosts.

    Step 1: Get the IP address of your WAF instance

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region where your WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, click Website Configuration.

    3. On the CNAME Record tab, find your domain name and click the copy icon to copy the Canonical Name (CNAME) assigned by WAF.

    4. Open Command Prompt and run:

      ping <CNAME that you copied>

    5. Record the IP address returned in the output. This is the IP address of your WAF instance.

    Step 2: Update the hosts file

    1. Open File Explorer and enter the following path in the address bar:

      C:\Windows\System32\drivers\etc\hosts

    2. Open the hosts file with a text editor and add the following entry:

      <IP address of your WAF instance> <Protected domain name>

      Format: WAF instance IP address, a space, then the domain name you added to WAF. Example: If your domain is test.aliyundoc.com and the WAF instance IP is 47.23.XX.XX:

      47.23.XX.XX test.aliyundoc.com

    3. Save the hosts file.

    Step 3: Confirm the hosts file change

    Run the following command to verify the change:

    ping <Protected domain name>

    Step 4: Test website access

    In your browser address bar, enter the protected domain name.

    • Accessible — WAF domain settings are valid. Restore the hosts file, then update your DNS record to route production traffic through WAF. See Modify a DNS record.

    • Not accessible — WAF domain settings may be incorrect. Review and fix the settings in WAF, then repeat this verification. See Add a domain name to WAF.

    Step 5: (Optional) Simulate a web attack

    To verify that WAF blocks attacks, enter the following URL in your browser:

    <Protected domain name>/alert(xss)

    Check whether WAF blocks this cross-site scripting (XSS) attempt.

    Step 6: Remove the hosts file entry

    Remove the entry added in Step 2 from the hosts file.

    Important

    If you skip this step, requests to the protected domain from your computer will continue to route through the WAF instance IP in the hosts file and may cause access issues.

    What's next

    After confirming that WAF protects your domain correctly, update the DNS record to route all traffic through WAF: