After you add a domain name to Web Application Firewall (WAF), we recommend that you change the DNS record on your computer to verify domain name settings in WAF. Then, you can change the DNS record in the WAF console to redirect requests to WAF to protect your service. This topic provides an example on how to verify domain name settings on an on-premises computer. In the following example, a Windows machine is used.

Prerequisites

A domain name of your website is added to WAF in CNAME mode. For more information, see Add domain names.

Background information

You can modify the hosts file to override DNS resolution on your computer. The override takes effect only on your computer. To verify the domain name settings, you must resolve the domain name of your website to the IP address of your WAF instance on your computer. If you can access the domain name from your computer, the domain name settings configured in WAF are valid. Verifying the settings on your computer first prevents access exceptions caused by inappropriate domain name settings.

Procedure

In the following example, your computer runs a Windows operating system.

  1. Open File Server Resource Manager on your computer.
  2. Enter C:\Windows\System32\drivers\etc\hosts in the address bar and open the hosts file by using a text editor.
  3. Append the following content to the hosts file:
    <IP address of your WAF instance> <Protected domain name>
    In the content, <Protected domain name> is the domain name that you add to WAF. <IP address of your WAF instance> is the IP address that is mapped to the domain name. Separate <IP address of your WAF instance> and <Protected domain name> with a space.

    To obtain the IP address of your WAF instance, perform the following steps:

    1. Log on to the WAF console.
    2. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
    3. In the left-side navigation pane, choose Asset Center > Website Access.
    4. On the Domain Names tab, move the pointer over the domain name that you add and click the CNAME icon to copy the CNAME of the domain name.
    5. Open Command Prompt in Windows.
    6. Run the following command to obtain the IP address of your WAF instance:
      ping <CNAME that you copy>
    7. Record the IP address of your WAF instance in the output of the ping command.
    Assume that you add the domain name test.aliyundoc.com to WAF and the IP address of your WAF instance is 47.XX.XX.213. Append the following content to the hosts file:
    47.XX.XX.213 test.aliyundoc.com
  4. Save changes to the hosts file and run the ping <Protected domain name> command to verify that your changes are in effect.
    If your changes are in effect, the IP address in the output of the ping command is the IP address of your WAF instance.

    If the IP address of the origin server is displayed in the command output, refresh the local DNS cache. You can run the ipconfig /flushdns command to refresh the DNS cache. Then, run the ping command again until the changes take effect.

  5. In the address bar of your browser, enter the protected domain name.
    • If the website can be accessed, the domain name settings in the WAF console are correct and valid. In this case, you can restore the hosts file. Then, you can change the DNS record in the WAF console to redirect requests to WAF for protection. For more information, see Change a DNS record.
    • If the website cannot be accessed, the domain name settings may be inappropriate. We recommend that you check the domain name settings in the WAF console. After you fix errors in the domain name settings, verify the domain name settings on your computer again. For more information, see Add a domain name.
  6. Optional: Simulate simple web attack commands to check whether WAF runs as expected.
    For example, in the address bar of your browser, enter <Protected domain name>/alert(xss), which is a web attack request. Then, check whether WAF blocks the request.

    If the request is blocked, the following page appears.

  7. After the verification is complete, delete the record that you add in Step 3 from the hosts file.
    Notice: If you do not delete the record after the verification is complete, exceptions may occur when your computer sends requests to the protected domain name.
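
Steps 3, 4, 5, and 7 can also be scripted so that the hosts record is removed even when a check fails. The following PowerShell script is an added example and is not part of the original documentation. It assumes an elevated PowerShell session and a site that answers over HTTP; the parameter names Domain and WafCname and the backup file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: temporary hosts override to verify WAF domain name settings.
param(
    [Parameter(Mandatory)] [string] $Domain,    # protected domain name added to WAF
    [Parameter(Mandatory)] [string] $WafCname   # CNAME copied from the WAF console
)
$ErrorActionPreference = 'Stop'
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$backup    = "$hostsPath.waf-verify.bak"        # hypothetical backup file name

# Resolve the CNAME to the IPv4 address of the WAF instance (replaces the manual ping).
$wafIp = (Resolve-DnsName -Name $WafCname -Type A |
          Where-Object { $_.Type -eq 'A' } |
          Select-Object -First 1).IPAddress
if (-not $wafIp) { throw "No A record found for $WafCname" }

Copy-Item -Path $hostsPath -Destination $backup -Force
try {
    # Step 3: append "<IP address> <domain name>", separated by a space.
    Add-Content -Path $hostsPath -Value "`r`n$wafIp $Domain"

    # Step 4: flush the DNS cache, then confirm the name resolves to the WAF IP.
    Clear-DnsClientCache
    $resolved = [System.Net.Dns]::GetHostAddresses($Domain) |
                ForEach-Object { $_.IPAddressToString }
    if ($resolved -notcontains $wafIp) {
        throw "$Domain resolves to $($resolved -join ', '), expected $wafIp"
    }

    # Step 5: request the site through WAF and report the HTTP status code.
    $resp = Invoke-WebRequest -Uri "http://$Domain/" -UseBasicParsing -TimeoutSec 15
    "OK: $Domain -> $wafIp, HTTP $($resp.StatusCode)"
}
finally {
    # Step 7: always restore the original hosts file and flush the cache again.
    Copy-Item -Path $backup -Destination $hostsPath -Force
    Remove-Item -Path $backup
    Clear-DnsClientCache
}
```

A non-success HTTP status makes Invoke-WebRequest throw, so the script ends with an error after the hosts file is restored.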

Contact technical support

If you cannot identify errors in domain name settings, contact technical support by using one of the following methods:
  • Log on to the WAF console. In the lower part of the left-side navigation pane, click Meet Expert. Then, use your DingTalk to scan the QR code to join the DingTalk group 21715946. This way, you can contact Alibaba Cloud security experts for assistance.
  • Submit a ticket.