After you add a domain name to Web Application Firewall (WAF) in CNAME record mode, you must modify the Domain Name System (DNS) record of the domain name to map the domain name to the CNAME that is assigned by WAF. This way, requests to the domain name are redirected to WAF. This topic describes how to modify the DNS record of a domain name.
You can use only a CNAME record to map a protected domain name to WAF.
If failures such as node failures or data center failures occur, WAF uses a different IP address or forwards requests to the origin server to ensure service continuity and provides high availability and disaster recovery capabilities.
WAF does not support A records.
By default, WAF enables the virtual IP address (VIP) isolation mechanism for domain names that are added to WAF to improve system stability and security. WAF assigns a VIP to your domain name. If you add an A record to map your domain name to the VIP, service interruptions may occur when the VIP is changed, such as when you enable or disable an exclusive IP address or intelligent load balancing.
If you use an A record, the DNS resolution status of the domain name is abnormal. You must delete the A record and add a CNAME record to map your domain name to the CNAME that is assigned by WAF.
You have permissions to modify the DNS records in the system of your DNS service provider.
Your domain name is added to WAF in CNAME record mode. For more information, see Add a domain name to WAF.
Requests from back-to-origin CIDR blocks of WAF are allowed on the origin server.
If you use third-party security software or specific access control policies for your origin server, you must add the back-to-origin CIDR blocks of WAF to the whitelist. This way, normal requests are not blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
The forwarding configurations of your website are correct and in effect.
Before you modify the DNS record, you must verify that the website forwarding configurations are correct to prevent service interruptions that are caused by invalid configurations. For more information, see Verify domain name settings.Warning
If you modify the DNS record before the forwarding configurations take effect, service interruptions may occur.
Obtain the CNAME that is assigned by WAF
Before you modify the DNS record, you must obtain the CNAME that is assigned by WAF to your domain name. If you already obtained the CNAME, skip the following steps:
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, click Website Configuration.
Click the CNAME Record tab.
Find the domain name whose DNS record you want to modify and click the icon to copy the CNAME that is assigned by WAF to the domain name.
Use Alibaba Cloud DNS to modify the DNS record
If you use Alibaba Cloud DNS, perform the following steps to modify the DNS record. If you use a third-party DNS service, refer to the following steps to modify the DNS record in the system of your DNS service provider:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find the domain name whose DNS record you want to modify and click DNS Settings in the Actions column.
On the DNS Settings page, find the hostname and click Modify in the Actions column.
In the following example,
www: matches domain names that start with www, such as
@: matches the root domain name, such as
*: matches wildcard domain names, including all subdomains such as
In the Modify DNS Record panel, set the Record Type parameter to CNAME and the Record Value parameter to the CNAME that is assigned by WAF. Retain the other parameter settings.
When you modify a DNS record, take note of the following items:
We recommend that you set the time-to-live (TTL) to 10 minutes. A larger TTL value specifies a longer period of time to synchronize and update DNS records.
Different types of DNS records conflict with each other.
You can specify only one CNAME value for each DNS record. Set the Value parameter to the CNAME that is assigned by WAF.
Different types of DNS records conflict with each other. For example, you cannot add a CNAME record and an A, MX, or TXT record for a hostname at the same time. If you cannot change the record type, delete all conflicting DNS records and add a new CNAME record.Warning
You must delete all conflicting DNS records and add a CNAME record at the earliest opportunity. Otherwise, your domain name becomes inaccessible.
Click OK and wait for the new DNS record to take effect.
Verify the DNS record. You can ping the domain name of your website or use a DNS detection tool to check whether the DNS record takes effect.Note
The DNS record does not immediately take effect. If the verification fails, verify the DNS record again after 10 minutes.