After you add the domain name of your website to Web Application Firewall (WAF), you must change the DNS record of the domain name so that it points to the CNAME that WAF assigned to the domain name or to the IP address of your WAF instance. This redirects requests destined for your website to WAF. This topic describes how to change the DNS record.
Background information
WAF redirects requests in one of the following methods:
- CNAME record: resolves the domain name to the CNAME that is assigned by WAF.
We recommend the CNAME record method. If a WAF node or a data center fails, WAF can switch to the IP address of your WAF instance or forward requests directly to the origin server. This ensures service continuity and provides high availability and disaster recovery capabilities.
- A record: resolves the domain name to the IP address of your WAF instance.
We recommend the A record method only when the CNAME record conflicts with your existing DNS settings, for example, when the CNAME record conflicts with an MX record that must be retained.
Prerequisites
- The website is manually added to WAF in CNAME mode. For more information, see Manually add domain name configurations.
- You have the permissions to change the DNS record at your DNS service provider.
- Optional: Requests from WAF back-to-origin CIDR blocks are allowed on the origin server. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
Notice If you use security software such as FortiGate on your origin server, you must add the back-to-origin CIDR blocks of WAF to the whitelist of the software. Otherwise, the access control policies of the software may block normal traffic that WAF forwards to the origin server.
- Optional: The forwarding configurations for your website are correct and in effect. Before you change the DNS record, you must verify that the website forwarding configurations are valid. This prevents service interruptions caused by invalid configurations. For more information, see Verify domain name settings.
Warning If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur.
Obtain the CNAME or IP address of your WAF instance
Before you change the DNS record, you must obtain the CNAME that is assigned to the domain name or the IP address of your WAF instance. If you have already obtained this value, skip the following steps.
Use Alibaba Cloud DNS to change the DNS record
The following example demonstrates how to change the DNS record in Alibaba Cloud DNS. If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record. If your domain name is not hosted on Alibaba Cloud DNS, refer to the following steps to change the DNS record at your DNS service provider.
References
- Protect the origin server.
If your origin IP address is exposed, attackers may bypass WAF and launch attacks on your origin server. To avoid such attacks, we recommend that you configure an ECS security group or SLB whitelist. For more information, see Configure protection for an origin server.
- Retrieve originating IP addresses of clients.
After you add your website to WAF, WAF processes all requests destined for your website and forwards normal requests to the origin server. As a result, the origin server sees the WAF back-to-origin address as the request source and must read the X-Forwarded-For header to retrieve the originating IP addresses of clients. For more information, see Retrieve actual IP addresses of clients.
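How an origin server behind WAF can apply both references above, as an added Python example that is not part of this document or of Alibaba Cloud's own code: accept a request only if it arrives from a WAF back-to-origin CIDR block (so a direct hit that bypasses WAF is rejected), then read the client address from X-Forwarded-For by peeling trusted WAF hops from the right, so that a header value supplied by the client cannot be taken as the real address. The CIDR blocks are constructed TEST-NET placeholders; the real back-to-origin ranges must be taken from the WAF console.

```python
import ipaddress
from typing import Optional

# Constructed placeholders (RFC 5737 TEST-NET ranges), NOT the real WAF
# back-to-origin CIDR blocks; take those from the WAF console.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def is_from_waf(remote_addr: str, trusted=WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the TCP peer address belongs to a WAF back-to-origin CIDR block.

    This is the origin-protection check: anything else reached the origin
    directly, i.e. WAF was bypassed, and should be dropped by the security
    group / SLB whitelist or by the application.
    """
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted=WAF_BACK_TO_ORIGIN_CIDRS) -> Optional[str]:
    """Return the originating client IP, or None if it cannot be trusted.

    X-Forwarded-For is "client, proxy1, proxy2, ...": every proxy appends the
    peer address it saw. Only entries appended by trusted hops can be believed,
    so walk from the right and stop at the first address that is not a WAF
    address; that is the peer WAF itself saw. Anything further left was
    supplied by the client or an unknown proxy and may be forged.
    """
    if not is_from_waf(remote_addr, trusted):
        return None  # request did not come through WAF: do not trust XFF
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry, nothing further left is reliable
        if any(ip in net for net in trusted):
            continue  # an internal WAF hop, keep peeling
        return hop  # first untrusted hop from the right = real client
    return None  # header missing or only WAF addresses: no client recoverable
```

In production, do this once in middleware and also drop non-WAF peers at the ECS security group or SLB whitelist, so the application check is a second layer rather than the only one.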