Web Application Firewall:Verify domain name settings

Background information

You can modify the hosts file to modify the DNS record on your computer. In this case, the DNS record takes effect only for your computer. To verify the domain name settings on your computer, you must modify the DNS record to point the domain name of your website to the IP address of your WAF instance on your computer. This way, you can access the domain name to check whether WAF protects the domain name as expected. This prevents access exceptions that are caused by invalid domain name settings.

Prerequisites

The domain name of your website is added to WAF in CNAME record mode. For more information, see Add a domain name to WAF.

Procedure

In the following example, an on-premises computer that runs a Windows operating system is used.

1. Open File Explorer on your computer.

2. Enter C:\Windows\System32\drivers\etc\hosts in the address bar and open the hosts file by using a text editor.

3. Add the following content to the hosts file:

   <IP address of your WAF instance> <Protected domain name>

   In the preceding content, <Protected domain name> specifies the domain name that you added to WAF, and <IP address of your WAF instance> specifies the IP address that is mapped to the domain name. Separate <IP address of your WAF instance> and <Protected domain name> with a space.

   To obtain the IP address of your WAF instance, perform the following steps:

   1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

   2. In the left-side navigation pane, click Website Configuration.

   3. On the CNAME Record tab, find the domain name that you added to WAF and click the icon to copy the CNAME that is assigned by WAF to the domain name.

   4. Open Command Prompt.

   5. Run the following command:

      ping <CNAME that you copied>

   6. Record the IP address of your WAF instance in the output of the ping command.

      For example, you added the test.aliyundoc.com domain name to WAF and the IP address of your WAF instance is 47.23.XX.XX. Add the following content to the hosts file:

      47.23.XX.XX test.aliyundoc.com

4. Save the changes to the hosts file and run the ping <Protected domain name> command to check whether your changes take effect.

   If your changes take effect, the IP address in the output of the ping command is the IP address of your WAF instance.

   If the IP address of the origin server is displayed in the command output, run the \ipconfig /flushdns command to refresh the DNS cache. Then, run the ping command again until the changes take effect.

5. In the address bar of your browser, enter the protected domain name.

   • If you can access the website, the domain name settings in the WAF console are valid. In this case, you can restore the hosts file. Then, you can modify the DNS record of the domain name to redirect requests to WAF for protection. For more information, see Modify a DNS record.

   • If you cannot access the website, the domain name settings may be invalid. We recommend that you check the domain name settings in WAF. After you fix errors in the domain name settings, verify the domain name settings on your computer. For more information, see Add a domain name to WAF.

6. Optional: Simulate simple web attack commands to check whether WAF runs as expected.

   For example, enter <Protected domain name>/alert(xss), which specifies a web attack, in the address bar of your browser. Then, check whether WAF blocks the attack.

7. After the verification is complete, remove the record that you added in Step 3 from the hosts file.

   Important

   If you do not delete the record after the verification is complete, exceptions may occur when the protected domain name is accessed on your computer.