After you add a domain name to Web Application Firewall (WAF) in CNAME record mode, you must modify the Domain Name System (DNS) record of the domain name to map the domain name to the CNAME that is provided by WAF. This way, requests to the domain name are redirected to WAF. This topic describes how to modify the DNS record of a domain name.
Background information
You can use only a CNAME record to map a protected domain name to WAF.
If failures such as node failures or data center failures occur, WAF uses another WAF IP address or directly forwards requests to the origin server. This ensures service continuity and provides high availability and disaster recovery capabilities.
WAF does not support A records.
By default, WAF enables the virtual IP address (VIP) isolation mechanism for domain names that are added to WAF to improve system stability and security. If you add an A record to map your domain name to the VIP, service interruptions may occur when the VIP is changed, such as when you enable or disable an exclusive IP address or intelligent load balancing.
If you use an A record, the DNS resolution status of the domain name is abnormal. You must delete the A record and add a CNAME record to map your domain name to the CNAME that is provided by WAF.
If you do not deploy proxies such as Alibaba Cloud CDN, Anti-DDoS Pro, or Anti-DDoS Premium, on your website, you can refer to this topic. If you want to deploy WAF and other proxy services, see the following topics:
Prerequisites
The website is added to WAF in CNAME mode. For more information, see Add a domain name to WAF.
You have permissions to modify the DNS records in the system of your DNS service provider.
Requests from back-to-origin CIDR blocks of WAF are allowed on the origin server.
If you use third-party security software or specific access control policies for your origin server, you must add the back-to-origin CIDR blocks of WAF to the whitelist. This way, normal requests are not blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
The forwarding configurations of your website are correct and in effect.
Before you modify the DNS record, you must verify that the website forwarding configurations are correct. This prevents service interruptions that are caused by invalid configurations. For more information, see Verify domain name settings.
WarningIf you modify the DNS record before the forwarding configurations take effect, service interruptions may occur.
Obtain the CNAME that is assigned by WAF to your domain name
You must obtain the CNAME that is assigned by WAF to your domain name before you modify the DNS record. If you already obtained the CNAME, skip the following steps.
Log on to the WAF console.
In the left-side navigation pane, choose .
In the domain name list, find the domain name you added to WAF and move the pointer over the domain name. View and copy the CNAME that is assigned by WAF to the domain name.
Use Alibaba Cloud DNS to modify the DNS record
If you use Alibaba Cloud DNS, perform the following steps to modify the DNS record. If you use a third-party DNS service, refer to the following steps to modify the DNS record in the system of your DNS service provider.
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, find the domain name whose DNS record you want to modify and click DNS Settings in the Actions column.
On the DNS Settings page, find the hostname and click Modify in the Actions column.
In the following example,
aliyun.com
is used:www: matches domain names that start with www, such as
www.aliyun.com
.@: matches the root domain name, such as
aliyun.com
.*: matches wildcard domain names, including all subdomains, such as
blog.aliyun.com
andwww.aliyun.com
.
In the Modify DNS Record dialog box, set the Record Type parameter to CNAME and the Record Value parameter to the WAF CNAME. Retain the other parameter settings.
When you modify a DNS record, take note of the following items:
We recommend that you set the time-to-live (TTL) to 10 minutes. A larger TTL value specifies a longer period of time to synchronize and update DNS records.
Different types of DNS records conflict with each other.
You can specify only one CNAME value for each DNS record. Set the Record Value parameter to the CNAME that is assigned by WAF.
Different types of DNS records conflict with each other. For example, you cannot add a CNAME record and an A, MX, or TXT record for the same value of the Hostname parameter at the same time. If you cannot change the record type, delete all conflicting DNS records and add a new CNAME record.
WarningYou must delete all conflicting DNS records and add the new CNAME record in a short period of time. Otherwise, your domain name becomes inaccessible.
Click OK and wait for the new DNS record to take effect.
Verify the DNS record. You can ping the domain name of your website or use a DNS detection tool to check whether the DNS record takes effect.
NoteThe DNS record does not immediately take effect. If the verification fails, verify the DNS record again after 10 minutes.
Related operations
Enable protection for the origin server
If your origin IP address is exposed, attackers may bypass WAF and launch attacks on your origin server. To avoid the attacks, we recommend that you configure an Elastic Compute Service (ECS) security group or Server Load Balancer (SLB) whitelist. For more information, see Configure protection for an origin server.
Obtain the actual IP addresses of clients
After you add your website to WAF, your origin server receives requests from WAF. You can obtain the actual IP addresses of clients from the
X-Forwarded-For
request header. For more information, see Retrieve the originating IP addresses of clients.