Web Application Firewall:Verify the ownership of a domain name

Last Updated:Apr 22, 2024

If you want to add a domain name to Web Application Firewall (WAF), you must verify your ownership of the domain name. The ownership verification is required only when you add the domain name to WAF for the first time. After you prove your ownership of the domain name, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. This topic describes how to verify your ownership of a domain name.

Scenarios

If you want to add a domain name to WAF by using one of the following methods and it is the first time that the domain name is added to WAF, you must verify your ownership of the domain name:

Verification methods

Method 1: Use a DNS record (recommended)

To use Domain Name System (DNS) records to verify domain ownership, add a TXT record to your DNS settings in the system of your DNS service provider.

Prerequisites

You have the permission to modify the DNS records of the domain name.

Procedure

  1. Go to the verification page.

    • Scenario 1: You add the domain name to WAF 3.0 in CNAME record mode.

      On the CNAME Record tab of the Website Configuration page, click Add.

    • Scenario 2: You add the domain name to WAF 3.0 by using the asset center feature.

      On the Overview tab of the Asset Center page, click the add icon.

    • Scenario 3: You add the domain name to WAF 2.0 in CNAME record mode.

      On the Add Domain Name page, select CNAME Record as Access Mode.

  2. Enter the domain name that you want to add to WAF and click on an empty area.

  3. In the verification prompt section, click the Method 1: DNS Record tab.

    Important

    The verification may fail in some cases. Do not close the verification page before the verification is complete. If the verification fails, you can verify your ownership of the domain name by uploading a verification file instead. For more information, see Method 2: Upload a verification file.

  4. Add a TXT record to your DNS settings based on the record type, hostname, and record value that are displayed in the WAF console.

    This step describes how to add a TXT record to your DNS settings if you use Alibaba Cloud DNS.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, find the domain name that you want to add to WAF and click DNS Settings in the Actions column.

    3. Click Add DNS Record, enter the record type, hostname, and record value, and then click OK.

      Record Type
        Description: Select TXT from the Record Type drop-down list.
        Example: TXT

      Hostname
        Description: Enter the prefix of the domain name.
        Example: verification

      DNS Request Source
        Description: Select the Internet service provider (ISP) of the domain name.
        Example: Default

      Record Value
        Description: Enter the record value provided by WAF.
        Example: verify_8bdd3fd23c3540ea90ed94161c53****

      TTL
        Description: Enter a time-to-live (TTL) value for the TXT record. A smaller value specifies a shorter period of time to apply record updates. The default TTL value is 10 minutes.
        Example: Default

      After the record is added, the record appears in the record list. By default, the record is enabled. The value in the Status column is Enabled.

  5. Wait for the record to take effect.

    If the domain name fails the verification, check whether the TXT record is correctly configured.

    Sample success responses:

    Note
    • If you add a TXT record, it immediately takes effect. If you modify a TXT record, the time that is required for the modification to take effect depends on the TTL value. The default TTL value is 10 minutes.

    • If your Linux operating system does not have dig installed, you can run the yum install bind-utils command to install dig.

    Windows

    D:\example>nslookup -qt=txt verification.example.com
    DNS request timed out.
        timeout was 2 seconds.
    Server: UnKnown
    Address:  10.10.XX.XX
    
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    verification.example.com text =
    
            "verify_8bdd3fd23c3540ea90ed94161c53****"

    Linux

    [root@example ~]# dig verification.example.com txt
    
    ; <<>> DiG 9.11.26-RedHat-9.11.26-3.1.al8 <<>> verification.example.com txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63246
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 13561416e9b77d0701000000615fb0d7304d137ea064**** (good)
    ;; QUESTION SECTION:
    ;verification.example.com.                IN      TXT
    
    ;; ANSWER SECTION:
    verification.example.com. 600     IN      TXT     "verify_8bdd3fd23c3540ea90ed94161c53****"
    
    ;; Query time: 152 msec
    ;; SERVER: 100.100.XX.XX#53(100.100.XX.XX)
    ;; WHEN: Fri May 26 10:45:43 CST 2023
    ;; MSG SIZE  rcvd: 143

  6. Go back to the WAF console and click Verify.

    If Succeeded is displayed, the domain name passes the verification. If the verification fails, modify the corresponding configurations based on the cause of the failure that is displayed in the console. Then, verify your ownership of the domain name again. For information about how to handle verification failures, see FAQ.
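The check in step 5 is usually done by eye. The following script, added here as an example (it is not Alibaba Cloud code), parses the ANSWER SECTION of the dig output shown above, concatenates multi-chunk TXT strings, and maps the result onto the two DNS failure causes listed in the FAQ (empty record, inconsistent value) so the fix is clear before you click Verify. The sample dig output embedded in the script is constructed; the record value is the masked example from this topic.

```python
"""Pre-check a WAF ownership TXT record from dig output (added example)."""
import re
import subprocess

# Constructed sample: an ANSWER SECTION like the one in the topic, plus an
# unrelated TXT record on the same name to show that extra records are fine.
SAMPLE_DIG_OUTPUT = """\
;; QUESTION SECTION:
;verification.example.com.      IN  TXT

;; ANSWER SECTION:
verification.example.com. 600   IN  TXT "verify_8bdd3fd23c3540ea90ed94161c53****"
verification.example.com. 600   IN  TXT "v=spf1 -all"

;; Query time: 152 msec
"""

# One dig answer line: <name> <ttl> IN TXT "<chunk>" ["<chunk>" ...]
_TXT_LINE = re.compile(r'^\S+\s+\d+\s+IN\s+TXT\s+(.*)$')
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_strings_from_dig(output: str) -> list[str]:
    """Return every TXT value in the ANSWER SECTION of dig's output.

    A TXT record longer than 255 bytes is printed as several quoted chunks
    on one line; the chunks are joined back into a single value.
    """
    values = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(';; ANSWER SECTION:'):
            in_answer = True
            continue
        if line.startswith(';;'):          # next section header ends the answer
            in_answer = False
        if not in_answer:
            continue
        m = _TXT_LINE.match(line.strip())
        if m:
            chunks = _QUOTED.findall(m.group(1))
            values.append(''.join(chunks).replace('\\"', '"'))
    return values


def classify(values: list[str], expected: str) -> str:
    """Map the lookup result onto the FAQ causes for the DNS method."""
    if not values:
        return 'empty'          # FAQ "Empty TXT record": wait for the TTL, then re-add
    if expected in values:
        return 'ok'
    return 'inconsistent'       # FAQ "Inconsistent record value": delete and re-add


def run_dig(hostname: str) -> str:
    """Run the same dig command the topic shows and return its output."""
    return subprocess.run(['dig', hostname, 'txt'], capture_output=True,
                          text=True, check=True).stdout


def check_record(hostname: str, expected: str) -> str:
    """Live check: 'ok', 'empty' or 'inconsistent' for the given hostname."""
    return classify(txt_strings_from_dig(run_dig(hostname)), expected)


if __name__ == '__main__':
    # Offline demonstration on the constructed sample output.
    expected = 'verify_8bdd3fd23c3540ea90ed94161c53****'
    print(classify(txt_strings_from_dig(SAMPLE_DIG_OUTPUT), expected))
```

Run `check_record('verification.example.com', '<value from the WAF console>')` on a host with dig installed; `empty` right after adding the record usually means the resolver has not picked it up yet, while `inconsistent` means a stale or mistyped value is being served.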

Method 2: Upload a verification file

To verify your ownership of a domain name by uploading a verification file, upload the verification file provided by WAF to the root directory of the origin server of the domain name.

  1. Go to the verification page.

    • Scenario 1: You add the domain name to WAF 3.0 in CNAME record mode.

      On the CNAME Record tab of the Website Configuration page, click Add.

    • Scenario 2: You add the domain name to WAF 3.0 by using the asset center feature.

      On the Overview tab of the Asset Center page, click the add icon.

    • Scenario 3: You add the domain name to WAF 2.0 in CNAME record mode.

      On the Add Domain Name page, select CNAME Record as Access Mode.

  2. Enter your domain name and click on an empty area.

  3. In the verification prompt section, click Method 2: Verification File.

    Important

    Do not close the current panel before the verification is complete.

  4. Click the link to the right of Download Verification File to download the verification file.

    Important
    • The verification file is valid only for three days after it is downloaded. If you fail to complete the verification within three days, you must download the verification file again.

    • Do not perform operations on the verification file, such as opening, modifying, or renaming the file.

  5. Upload the verification file to the root directory of the origin server of the domain name. The origin server can be an Elastic Compute Service (ECS) instance, an Object Storage Service (OSS) bucket, a Cloud Virtual Machine (CVM) instance, a Container-Optimized OS (COS) instance, or an Elastic Compute Cloud (EC2) instance.

    Note

    If the domain name that you want to add to WAF is a wildcard domain, upload the verification file to the root directory of the origin server of the primary domain name. For example, if you want to add *.aliyun.com, upload the verification file to the root directory of the origin server of aliyun.com.

    WAF accesses your origin server over the protocol type that you configured and retrieves the verification file to check whether you uploaded it as required. Make sure that the verification file is accessible.

  6. Go back to the WAF console and click Verify.

    If Succeeded is displayed, the domain name passes the verification. If the verification fails, modify the corresponding configurations based on the cause of the failure that is displayed in the console. Then, verify your ownership of the domain name again. For information about how to handle verification failures, see FAQ.
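Before clicking Verify, it is worth confirming that the origin server actually serves the file at the root of the primary domain, since the three file-method failures in the FAQ (inaccessible domain, missing file, wrong content) all show up as a plain HTTP fetch. The following checker is an added example, not Alibaba Cloud code. It assumes (the topic does not state this) that WAF fetches `<scheme>://<domain>/<file name>` over HTTPS and then HTTP and expects the exact bytes of the downloaded file; the file name and content below are constructed placeholders, and the fake origin exists only so the demo runs offline.

```python
"""Pre-check a WAF verification file on the origin server (added example)."""
import urllib.error
import urllib.request
from typing import Callable, Optional

# Constructed placeholders: use the real name and bytes of the file you downloaded.
VERIFICATION_FILE = 'waf-verification-EXAMPLE.txt'
EXPECTED_CONTENT = b'verify_8bdd3fd23c3540ea90ed94161c53****\n'

Fetcher = Callable[[str], tuple[Optional[int], bytes]]


def primary_domain(domain: str) -> str:
    """A wildcard domain is verified at the root of its primary domain,
    e.g. *.aliyun.com -> aliyun.com (the rule stated in the topic)."""
    return domain[2:] if domain.startswith('*.') else domain


def http_fetch(url: str) -> tuple[Optional[int], bytes]:
    """Live fetcher: (status, body); status is None when the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, b''
    except (urllib.error.URLError, OSError):
        return None, b''


def check_verification_file(domain: str, file_name: str, expected: bytes,
                            fetch: Fetcher = http_fetch) -> str:
    """Return 'ok' or the FAQ failure class: 'inaccessible', 'missing', 'wrong_content'."""
    host = primary_domain(domain)
    seen = set()
    for scheme in ('https', 'http'):        # assumption: HTTPS is tried first, then HTTP
        status, body = fetch(f'{scheme}://{host}/{file_name}')
        if status == 200:
            return 'ok' if body == expected else 'wrong_content'
        seen.add(status)
    if 404 in seen:
        return 'missing'          # FAQ "No verification files": not in the root directory
    return 'inaccessible'         # FAQ "Inaccessible domain name": no DNS record or whitelist


def make_fake_origin(files: dict[str, bytes], reachable: bool = True) -> Fetcher:
    """Constructed stand-in for an origin server, used only for the offline demo."""
    def fetch(url: str) -> tuple[Optional[int], bytes]:
        if not reachable:
            return None, b''
        path = url.split('/', 3)[3]          # everything after scheme://host/
        return (200, files[path]) if path in files else (404, b'')
    return fetch


if __name__ == '__main__':
    origin = make_fake_origin({VERIFICATION_FILE: EXPECTED_CONTENT})
    print(check_verification_file('*.aliyun.com', VERIFICATION_FILE,
                                  EXPECTED_CONTENT, origin))   # wildcard -> aliyun.com
```

With the default `http_fetch`, `check_verification_file('www.example.com', '<downloaded file name>', open('<downloaded file>', 'rb').read())` performs the live check from a host that can reach the origin; a `wrong_content` result usually means the file was opened and re-saved (changed line endings or encoding), which the topic warns against.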

FAQ

Use a DNS record

  Problem: Empty TXT record

    Description: The returned result shows that the TXT record of the domain name is empty.

    Solution: After you add a record to your DNS settings, the record does not immediately take effect. The record takes effect after the TTL value that you specified for your DNS server elapses. We recommend that you wait for 10 minutes before you perform verification operations. If the verification still fails, re-add a TXT record to your DNS settings. For more information, see the Method 1: Use a DNS record (recommended) section in this topic.

  Problem: Inconsistent record value

    Description: The returned result shows that the record value is inconsistent with the specified record value.

    Solution: Perform the following steps to delete the TXT record and re-add a TXT record to your DNS settings.

      1. Go to the system of your DNS service provider and delete the TXT record.

        The following example demonstrates how to delete a record in the Alibaba Cloud DNS console.

        1. Log on to the Alibaba Cloud DNS console.

        2. On the Domain Name Resolution page, find the domain name that you want to add to WAF and click the domain name.

        3. On the DNS Settings page, find the record that you want to delete and click Delete in the Actions column.

      2. On the DNS Settings page, re-add a TXT record for the domain name. For more information, see Method 1: Use a DNS record (recommended).

Upload a verification file

  Problem: Inaccessible domain name

    Description: The returned result shows that the domain name cannot be accessed.

    Solution:

      • No DNS records for the domain name

        Go to the system of your DNS service provider and add a DNS record for the domain name. For information about how to add a DNS record in the Alibaba Cloud DNS console, see Add a DNS record.

      • Inaccessible domain name

        The reason may be that a whitelist is configured for the origin server. Troubleshoot the issue based on your actual scenario.

  Problem: No verification files

    Description: The returned result shows that the verification file does not exist.

    Solution: The reason may be that you did not upload the verification file to the root directory of the origin server or the upload failed. Re-download the verification file and upload it to the origin server. For more information, see the Method 2: Upload a verification file section in this topic.

  Problem: Incorrect file content

    Description: The returned result shows that the verification file does not exist.

    Solution:

      1. Log on to the origin server of the domain name and delete the incorrect verification file.

      2. Re-upload the verification file to the origin server of the domain name. For more information, see the Method 2: Upload a verification file section in this topic.

References