After you add the domain name of your website to Web Application Firewall (WAF), you must use the CNAME that is assigned by WAF to the domain name or the IP address of your WAF instance to change the DNS record to redirect requests destined for your website to WAF. This topic describes how to change the DNS record.

Background information

WAF redirects requests in one of the following methods:

  • CNAME record: resolves the domain name to the CNAME that is assigned by WAF.

    We recommend that you use the CNAME record method. If a node or a data center fails, WAF can switch to the IP address of your WAF instance or forward requests directly to the origin server. This ensures service continuity and provides high availability and disaster recovery capabilities.

  • A record: WAF resolves the domain name to the IP address of your WAF instance.

    We recommend that you use the A record method only when the CNAME record conflicts with the existing DNS settings. For example, the CNAME record conflicts with the MX record, and the MX record must be retained.

You can refer to this topic if you do not deploy proxies such as Alibaba Cloud Content Delivery Network (CDN), Anti-DDoS Pro, or Anti-DDoS Premium on your website. If you want to deploy WAF and other proxies, see the following topics:

Prerequisites

  • The website is manually added to WAF in CNAME mode. For more information, see Manually add domain name configurations.
  • You have the permissions to change the DNS record at your DNS service provider.
  • Optional: Requests from WAF back-to-origin CIDR blocks are allowed on the origin server. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
    Notice If you use security software such as FortiGate for your origin server, you must add the back-to-origin CIDR blocks of WAF to the whitelist of the software. This prevents normal traffic from being blocked by access control policies.
  • Optional: The forwarding configurations for your website are correct and in effect. Before you change the DNS record, you must verify that the website forwarding configurations are valid. This prevents service interruptions caused by invalid configurations. For more information, see Verify domain name settings.
    Warning If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur.

Obtain the CNAME or IP address of your WAF instance

You must obtain the CNAME that is assigned to the domain name, or the IP address of your WAF instance, before you change the DNS record. If you have already obtained the CNAME or the IP address, skip the following steps.

  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. On the Domain Names tab of the Website Access page, move the pointer over the domain name and copy the CNAME.
  5. Optional: Obtain the IP address of your WAF instance.
    Note Perform this step only when you use the A record method. If you use the CNAME record method, skip this step.
    1. Open Command Prompt.
    2. Run the following command to obtain the IP address of your WAF instance:
      ping <WAF CNAME that you have copied>
    3. Record the IP address of the WAF instance in the command output.

Use Alibaba Cloud DNS to change the DNS record

The following example demonstrates how to change the DNS record in Alibaba Cloud DNS. If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record. If your domain name is not hosted on Alibaba Cloud DNS, refer to the following steps to change the DNS record at your DNS service provider.

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the domain name and click Configure in the Actions column.
  3. On the DNS Settings page, find the record in the Host column and click Edit in the Actions column.
    In the following example, aliyun.com is used:
    • www: matches domain names that begin with www such as www.aliyun.com.
    • @: matches the root domain name such as aliyun.com.
    • *: matches all wildcard domain names, such as blog.aliyun.com, www.aliyun.com, and aliyun.com. The wildcard domain names include root domain names and subdomain names.
  4. In the Edit Record panel, select the CNAME record method or the A record method to change the DNS record.
    • CNAME record: Set Type to CNAME- Canonical name and Value to the CNAME and keep other settings unchanged.
      Note We recommend that you set the TTL to 10 minutes. A larger TTL value indicates a longer time to synchronize and update DNS records.
      (Figure: Change a CNAME record)

      Take note of the following descriptions of conflicts:

      • You can specify only one CNAME value for each record. Set the Value parameter to the CNAME assigned by WAF.
      • Different types of DNS records conflict with one another. For example, you cannot add a CNAME record and an A, MX, or TXT record for the same value of the Host parameter at the same time. If you cannot change the record type, delete all conflicting records and add a new CNAME record.
        Warning You must delete all conflicting records and add the new CNAME record in a short period of time. Otherwise, your domain name becomes inaccessible.
      • If you must retain the MX record, we recommend that you use the A record method to resolve the domain name to the IP address of your WAF instance.
    • A record: Set Type to A and Value to the IP address of your WAF instance and keep other settings unchanged.
      Note We recommend that you set the TTL to 10 minutes. A larger TTL value indicates a longer time to synchronize and update DNS records.
      (Figure: A record)
  5. Click OK and wait for the new DNS record to take effect.
  6. Verify the DNS record. You can ping the domain name of your website or use a DNS detection tool to verify whether the DNS record takes effect.
    Note The DNS record does not take effect immediately. If the verification fails, verify the DNS record again after 10 minutes.
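The following added example (not part of this topic or of the WAF console) automates the checks from the "Obtain the CNAME or IP address" and "Verify the DNS record" steps: it parses the answer section of `dig +noall +answer`, reports whether the host points at WAF by the CNAME method or the A record method, and lists the A, MX and TXT records that conflict with a CNAME at the same host. The domain names, CNAME and IP address in the sample answers are constructed placeholders.

```python
"""Offline check of a dig answer: does the host point at WAF, and do conflicting records exist?"""
import subprocess
from typing import List, NamedTuple


class Record(NamedTuple):
    name: str   # owner name, lowercase, no trailing dot
    rtype: str  # CNAME, A, MX, TXT, ...
    value: str  # record data, lowercase, no trailing dot


def parse_dig_answer(text: str) -> List[Record]:
    """Parse `dig +noall +answer` lines of the form: NAME TTL IN TYPE VALUE."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            value = " ".join(parts[4:]).rstrip(".").lower()
            records.append(Record(parts[0].rstrip(".").lower(), parts[3].upper(), value))
    return records


def dig(name: str, rtype: str) -> List[Record]:
    """Live lookup with the system dig; the checks below work on its parsed output."""
    proc = subprocess.run(["dig", "+noall", "+answer", name, rtype],
                          capture_output=True, text=True, check=True)
    return parse_dig_answer(proc.stdout)


def waf_method(records: List[Record], host: str, waf_cname: str, waf_ip: str) -> str:
    """Return 'cname' (CNAME record method), 'a' (A record method) or 'none'."""
    mine = [r for r in records if r.name == host.rstrip(".").lower()]
    if any(r.rtype == "CNAME" and r.value == waf_cname.rstrip(".").lower() for r in mine):
        return "cname"
    if any(r.rtype == "A" and r.value == waf_ip for r in mine):
        return "a"
    return "none"


def conflicts(records: List[Record], host: str) -> List[str]:
    """Record types that clash with a CNAME at the same host (A, MX, TXT)."""
    mine = [r for r in records if r.name == host.rstrip(".").lower()]
    if not any(r.rtype == "CNAME" for r in mine):
        return []
    return sorted({r.rtype for r in mine if r.rtype in ("A", "MX", "TXT")})


# Constructed sample answers (placeholder domain names, CNAME and IP address).
SAMPLE_OK = "www.example.com.\t600\tIN\tCNAME\tabc123.waf-cname.example.\n"
SAMPLE_A = "www.example.com. 600 IN A 203.0.113.10\n"
SAMPLE_CONFLICT = ("example.com. 600 IN CNAME abc123.waf-cname.example.\n"
                   "example.com. 600 IN MX 10 mail.example.com.\n")
```

Run `waf_method(dig("www.example.com", "CNAME") + dig("www.example.com", "A"), ...)` against your own host once the record has had its TTL to propagate; a result of `none` after 10 minutes means the record has not taken effect yet.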

References

  • Protect the origin server.

    If your origin IP address is exposed, attackers may bypass WAF and launch attacks on your origin server. To avoid such attacks, we recommend that you configure an ECS security group or SLB whitelist. For more information, see Configure protection for an origin server.

  • Retrieve originating IP addresses of clients.

    After you add your website to WAF, WAF processes all requests destined for your website and forwards normal requests to the origin server. In this case, the origin server uses the X-Forwarded-For header to retrieve the originating IP addresses of clients. For more information, see Retrieve actual IP addresses of clients.
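The following added example (not part of this topic or of WAF) shows how an origin server can read the X-Forwarded-For header safely: it only trusts the header when the request arrived from a WAF back-to-origin address (the CIDR blocks allowed under Prerequisites) and takes the entry that WAF itself appended, so a value the client placed in the header is ignored. The CIDR block and addresses are constructed placeholders; replace them with the real back-to-origin CIDR blocks of WAF.

```python
"""Recover the client IP at the origin server when WAF is the only proxy in front of it."""
import ipaddress
from typing import Optional

# Placeholder CIDR block: replace with the real back-to-origin CIDR blocks of WAF
# (the same blocks that are allowed on the origin server's firewall).
WAF_BACK_TO_ORIGIN = [ipaddress.ip_network("198.51.100.0/24")]


def from_waf(peer_ip: str) -> bool:
    """True if the TCP peer that delivered the request is a WAF back-to-origin address."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WAF_BACK_TO_ORIGIN)


def client_ip(peer_ip: str, xff: Optional[str], trusted_hops: int = 1) -> str:
    """Return the client address that the trusted proxies saw.

    X-Forwarded-For reads "client, proxy1, proxy2, ...": each proxy appends the
    address it received the request from. Only the rightmost `trusted_hops`
    entries were written by proxies we trust; anything left of them can be
    supplied by the client itself. With WAF alone in front, trusted_hops is 1,
    so the last entry is the address WAF accepted the connection from.
    """
    if not from_waf(peer_ip):
        # The request did not come through WAF, so the header cannot be trusted.
        return peer_ip
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return peer_ip
    candidate = hops[-trusted_hops]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer_ip  # malformed entry: fall back to the peer address
    return candidate
```

If another trusted proxy such as CDN or Anti-DDoS sits in front of WAF, raise `trusted_hops` by one per proxy; this topic assumes none is deployed.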