After you add your domain name to Web Application Firewall (WAF) in CNAME record mode, you must change the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME or IP address of WAF. This way, the requests that are destined for the domain name are redirected to WAF. This topic describes how to change the DNS record of a domain name.

Prerequisites

  • You have the permissions to change the DNS record at your DNS service provider.
  • Your domain name is added to WAF in CNAME record mode.

    For more information, see Add a domain name.

  • Requests from back-to-origin CIDR blocks of WAF are allowed on the origin server.

    If you use security software such as SafeDog or Yunsuo for your origin server, you must add the back-to-origin CIDR blocks of WAF to the IP address whitelist of the security software. This way, the security software does not block the normal traffic forwarded by WAF to the origin server.

    For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  • Optional: The forwarding configurations for your website are correct and in effect.

    Before you change the DNS record, you must verify that the website forwarding configurations are correct. This prevents service interruptions caused by invalid configurations.

    Warning: If you change the DNS record before the forwarding configurations for your website take effect, service interruptions may occur.

    For more information, see Verify domain name settings.

Background information

Requests can be redirected to WAF by using one of the following methods:

  • CNAME record: The domain name is resolved to the CNAME assigned by WAF. We recommend that you use this method.

    If failures such as node failures or failures in a data center occur, WAF can use another WAF IP address or directly forward requests to the origin server. This ensures service continuity and provides high availability and disaster recovery capabilities.

  • A record: The domain name is resolved to the WAF IP address.

    We recommend that you use the A record method only when the CNAME record conflicts with the existing DNS settings. For example, the CNAME record conflicts with the MX record, and the MX record must be retained for business reasons.

    For more information about DNS record conflicts, see Record conflicts.

Obtain the WAF CNAME and WAF IP address

You must obtain the WAF CNAME or WAF IP address of your domain name before you change the DNS record. If you have already obtained the WAF CNAME or IP address, skip the following steps.

  1. Log on to the WAF 3.0 console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
  3. In the left-side navigation pane, click Website Configuration.
  4. Click the CNAME Record tab.
  5. Find the domain name and click the Copy icon next to CNAME to copy the WAF CNAME of the domain name.
  6. Obtain the WAF IP address of the domain name.
    Perform this step only when you use the A record method. If you use the CNAME record method, skip this step.

    The following steps show how to obtain the WAF IP address of the domain name in Windows:

    1. Open Command Prompt.
    2. Run the following command to obtain the WAF IP address:
      ping <WAF CNAME>
    3. Record the WAF IP address in the command output.

Use Alibaba Cloud DNS to change the DNS record

The following example demonstrates how to change the DNS record in Alibaba Cloud DNS. If your domain name is hosted on Alibaba Cloud DNS, perform the following steps to change the DNS record. If your domain name is not hosted on Alibaba Cloud DNS, refer to the following steps to change the DNS record at your DNS service provider.

  1. Log on to the Alibaba Cloud DNS console.
  2. On the Manage DNS page, find the domain name and click Configure in the Actions column.
  3. On the DNS Settings page, find the record in the Host column and click Edit in the Actions column.
    In the following example, aliyun.com is used:
    • www: matches domain names that begin with www, such as www.aliyun.com.
    • @: matches the root domain name, for example, aliyun.com.
    • *: matches all wildcard domain names, such as blog.aliyun.com, www.aliyun.com, and aliyun.com. The wildcard domain names include root domain names and subdomain names.
  4. In the Add Record dialog box, select the CNAME record or the A record to change the DNS record.
    • CNAME record: Set Type to CNAME and Value to the WAF CNAME and keep other settings unchanged.
      Note: We recommend that you set the TTL to 10 minutes. The greater the TTL is, the longer it takes to synchronize and change the DNS record.

      Note the following descriptions about conflicts:

      • You can specify only one CNAME value for each record name. Set Value to the CNAME assigned by WAF.
      • Different types of DNS records conflict with each other. For example, you cannot add a CNAME record and an A, MX, or TXT record with the same record name. If you cannot change the record type, delete all conflicting records and add a new CNAME record.
        Warning: You must delete all conflicting records and add the new CNAME record in a short period of time. Otherwise, your domain name becomes inaccessible.
      • If you must retain the MX record, we recommend that you use the A record method to resolve the domain name to the WAF IP address.
    • A record: Set Type to A and Value to the WAF IP address and keep other settings unchanged.
      Note: We recommend that you set the TTL to 10 minutes. The greater the TTL is, the longer it takes to synchronize and change the DNS record.
  5. Click OK and wait for the new DNS record to take effect.
  6. Verify the DNS record. You can ping the domain name of your website or use a DNS detection tool to verify whether the DNS record takes effect.
    Note: The DNS record does not take effect immediately. If the verification fails, verify the DNS record again after 10 minutes.
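
The conflict rules in step 4 can be checked against an export of the zone before any record is touched. The following is an added example, not part of the original topic or of any Alibaba Cloud tool: the function plan_waf_cutover, the (host, type, value) record format, and all sample values are assumptions made for illustration.

```python
# Added example; record names, IPs and the WAF CNAME are constructed samples.
CONFLICTS_WITH_CNAME = {"A", "MX", "TXT"}  # types the page names as conflicting

WAF_CNAME = "placeholder.waf.example.net"  # constructed, not a real WAF CNAME
WAF_IP = "203.0.113.10"                    # constructed (documentation range)
SAMPLE_ZONE = [                            # (host, type, value), constructed
    ("www", "A", "198.51.100.7"),
    ("www", "TXT", "site-verification=abc"),
    ("@", "A", "198.51.100.7"),
    ("@", "MX", "mail.example.com"),
]


def plan_waf_cutover(records, host, waf_cname, waf_ip=None, keep_mx=False):
    """Return the DNS changes needed to point `host` at WAF.

    keep_mx=True means the MX record at `host` must be retained, which
    rules out a CNAME at that name and selects the A record method.
    """
    at_host = [r for r in records if r[0] == host]
    has_mx = any(r[1] == "MX" for r in at_host)

    if keep_mx and has_mx:
        if waf_ip is None:
            raise ValueError("the A record method needs the WAF IP address")
        # Remove any CNAME and any A record that still points elsewhere,
        # so no answer for this name leads around WAF to the origin.
        delete = [r for r in at_host
                  if r[1] == "CNAME" or (r[1] == "A" and r[2] != waf_ip)]
        method, target = "A", (host, "A", waf_ip)
    else:
        # Only one CNAME value per name, and no A/MX/TXT beside it.
        delete = [r for r in at_host
                  if r[1] in CONFLICTS_WITH_CNAME
                  or (r[1] == "CNAME" and r[2] != waf_cname)]
        method, target = "CNAME", (host, "CNAME", waf_cname)

    add = None if target in at_host else target
    return {"method": method, "delete": delete, "add": add}


if __name__ == "__main__":
    print(plan_waf_cutover(SAMPLE_ZONE, "www", WAF_CNAME))
    print(plan_waf_cutover(SAMPLE_ZONE, "@", WAF_CNAME, WAF_IP, keep_mx=True))
```

The entries under delete and add are the changes that the warning in step 4 says to apply within a short period of time.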