
Web Application Firewall:Verify the ownership of a domain name

Last Updated:Sep 27, 2024

The first time you add a domain name to Web Application Firewall (WAF), you must verify your ownership of the domain name. After you pass the verification, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. This topic describes how to verify the ownership of a domain name.

Scenarios

The first time you add a domain name to WAF by using one of the following methods, you must verify your ownership of the domain name:

Verification methods

Method 1: DNS verification (recommended)

If you use the Domain Name System (DNS) verification method, you must use the record value displayed in the WAF console to add a DNS TXT record to the system of your DNS service provider.

Prerequisites

You have permissions to modify the DNS records of your domain name.

Procedure

  1. Go to the verification page.

    • Scenario 1: Add a domain name to WAF 3.0 in CNAME record mode.

      On the CNAME Record tab of the Website Configuration page, click Add.

    • Scenario 2: Add a domain name to WAF 3.0 by using the asset center feature.

      Go to the Asset Center page. On the Overview tab, click the icon.

    • Scenario 3: Add a domain name to WAF 2.0 in CNAME record mode.

      On the Add Domain Name page, select CNAME Record for Access Mode.

  2. Enter the domain name that you want to add to WAF and click on an empty area.

  3. In the verification section, click the Method 1: DNS Record tab.

    Important

    Verification may fail for several reasons. Do not close the Add Domain Name panel before your verification is complete. If the verification fails, you can use the file verification method to verify the ownership of your domain name. For more information, see Method 2: File verification.

  4. Add a TXT record to the system of your DNS service provider based on the values of the Record Type, Hostname, and Record Value parameters in the WAF console.

    In this example, a TXT record is added to Alibaba Cloud DNS. If you use a different DNS service provider, you can perform similar operations to add a TXT record.

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, find the domain name that you want to add to WAF and click DNS Settings in the Actions column.

      Note

      For this example, add the www.aliyundemo.com domain name to WAF in CNAME record mode.

    3. Click Add DNS Record. In the dialog box that appears, configure the Record Type, Hostname, and Record Value parameters, and click OK.

      Parameter: Record Type
      Description: Select TXT from the drop-down list.
      Example: TXT

      Parameter: Hostname
      Description: Enter the prefix of the domain name.
      Example: verification

      Parameter: DNS Request Source
      Description: Select the Internet service provider (ISP) of the domain name.
      Example: Default

      Parameter: Record Value
      Description: Enter the record value displayed in the WAF console.
      Example: verify_8fca29dec22746a7841daf2b3af6****

      Parameter: TTL Period
      Description: Enter a time-to-live (TTL) value for the TXT record. A smaller value indicates that the record is updated faster. The default value is 10 minutes.
      Example: 10 (Recommended)

      After you add the TXT record, you can view it in the record list. By default, the record is enabled. The value in the Status column is Enable.

  5. Wait for the TXT record to take effect.

    If the verification fails, check whether the TXT record is correctly configured.

    The following outputs show sample responses for a successful lookup on different operating systems.

    Note
    • If you add a TXT record, it immediately takes effect. If you modify a TXT record, the amount of time that is required for the modification to take effect varies based on the TTL value. The default TTL value is 10 minutes.

    • If the dig program is not installed in your Linux operating system, you can run the yum install bind-utils command to install the program.

    Windows

    D:\example>nslookup -qt=txt verification.example.com
    DNS request timed out.
        timeout was 2 seconds.
    Server: Unknown
    Address:  10.10.XX.XX
    
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    verification.example.com text =
    
            "verify_165871adfd49413894ec9d3555e5****"

    Linux

     [root@example ~]# dig verification.example.com txt
    
    ; <<>> DiG 9.11.26-RedHat-9.11.26-3.1.al8 <<>> verification.example.com txt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63246
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 13561416e9b77d0701000000615fb0d7304d137ea064**** (good)
    ;; QUESTION SECTION:
    ;verification.example.com.                IN      TXT
    
    ;; ANSWER SECTION:
    verification.example.com. 600     IN      TXT     "verify_165871adfd49413894ec9d3555e5****"
    
    ;; Query time: 152 msec
    ;; SERVER: 100.100.XX.XX#53(100.100.XX.XX)
    ;; WHEN: Fri May 26 10:45:43 CST 2023
    ;; MSG SIZE  rcvd: 143
  6. Go back to the WAF console and click Verify.

    If the message "The verification succeeds." appears, the domain name has passed the ownership verification. If the verification fails, modify the related settings based on the cause of the failure that is displayed in the console. Then, verify your ownership of the domain name again. For more information about how to handle verification failures, see FAQ.
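Before you click Verify, you can check the TXT record yourself in the same way the FAQ classifies failures. The following Python script is an added example and is not part of this topic or of the WAF console: it parses a dig ANSWER SECTION of the shape shown above for <hostname>.<domain>, joins multi-chunk TXT records into their full value, and reports one of the FAQ outcomes (empty record, inconsistent value, verified). The sample dig output and the token in it are constructed, and treating a match among several TXT records at the same name as success is this example's own assumption.

```python
import re
from typing import List

# Constructed sample in the shape of the dig ANSWER SECTION shown above; the
# token is made up for this example, not one issued by the WAF console.
SAMPLE_DIG_OUTPUT = """;; ANSWER SECTION:
verification.example.com. 600     IN      TXT     "verify_165871adfd49413894ec9d3555e5abcd"
verification.example.com. 600     IN      TXT     "v=spf1 -all"
"""

# One TXT answer line: <owner name> <ttl> IN TXT <one or more quoted strings>
TXT_ANSWER = re.compile(r'^(?P<name>\S+)\s+\d+\s+IN\s+TXT\s+(?P<rdata>".*)$')


def txt_value(rdata: str) -> str:
    """Join the quoted chunks dig prints for one TXT record into its full value.
    A long TXT record is split into several quoted <character-string>s (RFC 1035);
    the record value is their concatenation, with escaped quotes unescaped."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(chunks).replace('\\"', '"')


def txt_values_for(dig_output: str, fqdn: str) -> List[str]:
    """Return every TXT value the dig output carries for fqdn (case-insensitive)."""
    want = fqdn.rstrip(".").lower()
    values = []
    for line in dig_output.splitlines():
        m = TXT_ANSWER.match(line.strip())
        if m and m.group("name").rstrip(".").lower() == want:
            values.append(txt_value(m.group("rdata")))
    return values


def check_dns_verification(dig_output: str, domain: str, expected_value: str,
                           hostname: str = "verification") -> str:
    """Map the TXT records at <hostname>.<domain> onto the FAQ outcomes:
    'empty'        no TXT record (not added yet, or the change has not propagated)
    'inconsistent' records exist but none equals the console's Record Value
    'verified'     a record exactly equal to expected_value is present
    Treating a match among several records as success is this example's own
    assumption; the page does not say how the console handles extra records."""
    values = txt_values_for(dig_output, f"{hostname}.{domain}")
    if not values:
        return "empty"
    return "verified" if expected_value in values else "inconsistent"
```

Feed it the output of `dig verification.<your domain> txt` and the Record Value copied from the console; an "inconsistent" result usually means a stale or mistyped record, which the FAQ resolves by deleting and re-adding the TXT record.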

Method 2: File verification

If you use the file verification method, you must upload the verification file provided by WAF to the root directory of the origin server for your domain name.

  1. Go to the verification page.

    • Scenario 1: Add a domain name to WAF 3.0 in CNAME record mode.

      On the CNAME Record tab of the Website Configuration page, click Add.

    • Scenario 2: Add a domain name to WAF 3.0 by using the asset center feature.

      Go to the Asset Center page. On the Overview tab, click the icon.

    • Scenario 3: Add a domain name to WAF 2.0 in CNAME record mode.

      On the Add Domain Name page, select CNAME Record for Access Mode.

  2. Enter the domain name that you want to add to WAF and click on an empty area.

  3. In the verification section, click the Method 2: Verification File tab.

    Important

    Do not close the Add Domain Name panel before your verification is complete.

  4. Click the link to the right of Download Verification File to download the verification file.

    Important
    • The verification file is valid only for three days after it is downloaded. If your verification is not complete within three days, you must download the verification file again.

    • Do not perform operations on the verification file, such as opening, modifying, or renaming the file.

  5. Upload the verification file to the root directory of the origin server for your domain name. The origin server can be an Elastic Compute Service (ECS) instance, an Object Storage Service (OSS) bucket, a Cloud Virtual Machine (CVM) instance, a Cloud Object Storage (COS) instance, or an Elastic Compute Cloud (EC2) instance.

    Note

    If you want to add a wildcard domain name, such as *.aliyun.com, upload the verification file to the root directory of the origin server for the primary domain name, such as aliyun.com.

    WAF accesses your origin server over the protocol type that you select to obtain the verification file and checks whether you uploaded the verification file as required. Make sure that the verification file is accessible.

  6. Go back to the WAF console and click Verify.

    If the message "The verification succeeds." appears, the domain name has passed the ownership verification. If the verification fails, modify the related settings based on the cause of the failure that is displayed in the console. Then, verify your ownership of the domain name again. For more information about how to handle verification failures, see FAQ.

FAQ

DNS verification

Problem: Empty TXT record value

Description: The verification result shows that the TXT record value of the domain name is empty.

Solution: After you add a DNS record, the record does not immediately take effect. The DNS record takes effect after the TTL of the record ends. The default TTL is 10 minutes. We recommend that you perform the verification after 10 minutes.

If the verification fails, re-add a DNS record for the domain name. For more information, see Method 1: DNS verification (recommended).

Problem: Inconsistent TXT record values

Description: The verification result shows that the TXT record value is inconsistent with the specified record value.

Solution: Delete the TXT record from the system of your DNS service provider and re-add a TXT record for your domain name. Procedure:

  1. Go to the system of your DNS service provider and delete the TXT record.

    If you use Alibaba Cloud DNS, perform the following operations to delete the TXT record:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Domain Name Resolution page, find and click the domain name that you want to manage.

    3. On the DNS Settings tab, find the DNS record that has the specified record value and click Delete in the Actions column.

  2. On the DNS Settings tab, re-add a TXT record for the domain name. For more information, see Method 1: DNS verification (recommended).

File verification

Problem: Inaccessible domain name

Description: The verification result shows that the domain name cannot be accessed.

Solution:

  • No DNS record exists for the domain name.

    Go to the system of your DNS service provider and add a DNS record for the domain name. For more information about how to add a DNS record in the Alibaba Cloud DNS console, see Add a DNS record.

  • The domain name is unreachable.

    A whitelist may be configured for the origin server. You can troubleshoot the issue based on the actual scenario.

Problem: No verification file

Description: The verification result shows that the verification file does not exist.

Solution: You did not upload the verification file to the root directory of the origin server or the upload operation failed. Re-download the verification file and upload it to the origin server. For more information, see Method 2: File verification.

Problem: Incorrect file content

Description: The verification result shows that the file content is incorrect.

Solution:

  1. Log on to the origin server of your domain name and delete the incorrect verification file.

  2. Re-upload the correct verification file to the origin server. For more information, see Method 2: File verification.

References

  • For more information about how to add a domain name to WAF, see Add a domain name (WAF 3.0).

  • For more information about how to identify domain names in and outside Alibaba Cloud, assess risks based on the attack status of the domain names in the cloud, and enable protection for high-risk domain names, see Asset center of WAF 3.0.