After you add a domain name to Web Application Firewall (WAF), we recommend that you
change the DNS record on your computer to verify domain name settings in WAF. Then,
you can change the DNS record in the WAF console to redirect requests to WAF to protect
your service. This topic provides an example on how to verify domain name settings
on an on-premises computer. In the following example, a Windows machine is used.
Prerequisites
A domain name of your website is added to WAF in CNAME mode. For more information, see Add domain names.
Background information
You can modify the hosts file to reconfigure the DNS record on your computer. In this scenario, the DNS record
takes effect only on your computer. To verify the domain name settings on your computer,
you must resolve the domain name of your website to the IP address of your WAF instance
on your computer. If you can access the domain name from your computer, the domain
name settings configured in WAF are valid. Verifying on your computer first prevents
access exceptions caused by incorrect domain name settings.
Procedure
In the following example, your computer runs a Windows operating system.
- Open File Server Resource Manager on your computer.
- Enter C:\Windows\System32\drivers\etc\hosts in the address bar and open the hosts file by using a text editor.
- Append the following content to the hosts file:
  <IP address of your WAF instance> <Protected domain name>
  In the content, <Protected domain name> is the domain name that you add to WAF. <IP address of your WAF instance> is the IP address that is mapped to the domain name. Separate <IP address of your WAF instance> and <Protected domain name> with a space.
  To obtain the IP address of your WAF instance, perform the following steps:
  - Log on to the Web Application Firewall console.
  - In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  - In the left-side navigation pane, choose .
  - On the Domain Names tab, move the pointer over the domain name that you add and click the icon to copy the CNAME of the domain name.
  - Open Command Prompt in Windows.
  - Run the following command to obtain the IP address of your WAF instance:
    ping <CNAME that you copy>
  - Record the IP address of your WAF instance in the output of the ping command.
  Assume that you add the domain name test.aliyundoc.com to WAF and the IP address of your WAF instance is 47.XX.XX.213. Append the following content to the hosts file:
  47.XX.XX.213 test.aliyundoc.com
- Save changes to the hosts file and run the ping <Protected domain name> command to verify that your changes are in effect. If your changes are in effect, the IP address in the output of the ping command is the IP address of your WAF instance.
  If the IP address of the origin server is displayed in the command output, refresh the local DNS cache. You can run the ipconfig /flushdns command to refresh the DNS cache. Then, run the ping command again until the changes take effect.
- In the address bar of your browser, enter the protected domain name.
  - If the website can be accessed, the domain name settings in the WAF console are correct and valid. In this case, you can restore the hosts file. Then, you can change the DNS record in the WAF console to redirect requests to WAF for protection. For more information, see Change a DNS record.
  - If the website cannot be accessed, the domain name settings may be inappropriate. We recommend that you check the domain name settings in the WAF console. After you fix errors in the domain name settings, verify the domain name settings on your computer again. For more information, see Add a website.
- Optional: Simulate simple web attack commands to check whether WAF runs as expected.
  For example, in the address bar of your browser, enter <Protected domain name>/alert(xss), which is a web attack request. Then, check whether WAF blocks the request.
  If the request is blocked, the following page appears.
- After the verification is complete, delete the record that you add in Step 3 from the hosts file.
  Notice: If you do not delete the record after the verification is complete, exceptions may occur when your computer sends requests to the protected domain name.
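The procedure above can also be scripted so that the temporary hosts record is always removed, even when a check fails. The following PowerShell script is an added example, not Alibaba Cloud code. It assumes an elevated PowerShell session, the placeholder CNAME is replaced with the value copied from the WAF console, and the site answers over the scheme set in the hypothetical $Scheme parameter.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$Domain   = 'test.aliyundoc.com',      # example domain from this topic
    [string]$WafCname = '<CNAME that you copy>',   # placeholder: CNAME from the WAF console
    [string]$Scheme   = 'http'                     # assumption: use 'https' if the site requires it
)
$ErrorActionPreference = 'Stop'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Resolve the WAF CNAME to an IPv4 address (what the ping step reads off the output).
$wafIp = (Resolve-DnsName -Name $WafCname -Type A |
    Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
if (-not $wafIp) { throw "No A record found for $WafCname" }

# Byte-exact backup so the restore cannot alter encoding or existing entries.
$backup = [System.IO.File]::ReadAllBytes($hostsPath)
try {
    # Leading newline keeps the entry on its own line if the file lacks a final newline.
    Add-Content -Path $hostsPath -Value "`r`n$wafIp $Domain # temporary WAF verification"
    Clear-DnsClientCache    # equivalent of ipconfig /flushdns

    # The local resolver must now return the WAF address, not the origin server.
    $resolved = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.ToString() }
    if ($resolved -notcontains $wafIp) {
        throw "$Domain resolves to $resolved, expected $wafIp"
    }

    # Request the site through WAF; Invoke-WebRequest throws on 4xx/5xx responses.
    $resp = Invoke-WebRequest -Uri "${Scheme}://$Domain/" -UseBasicParsing
    '{0} via {1}: HTTP {2}' -f $Domain, $wafIp, $resp.StatusCode
}
finally {
    # Runs on success and on failure, so the temporary record never stays behind.
    [System.IO.File]::WriteAllBytes($hostsPath, $backup)
    Clear-DnsClientCache
}
```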
Contact technical support
If you cannot identify errors in domain name settings, contact technical support by
using one of the following methods:
- Log on to the WAF console. In the lower part of the left-side navigation pane, click Meet Expert. Then, use your DingTalk to scan the QR code to join the DingTalk group 21715946.
This way, you can contact Alibaba Cloud security experts for assistance.
- Submit a ticket.