Updated on 2024-04-25 GMT+08:00

Step 4: Modifying DNS Resolution

After adding a domain name to AAD, you need to modify the DNS resolution to connect the domain name to AAD. All public network traffic is diverted to the high-defense IP address, and therefore your services on the origin servers are protected against DDoS attacks.

AAD supports A record-based access and CNAME-based access. The latter is recommended. CNAME-based access has the following advantages:

  • Easy to use. You only need to modify the resolution configuration once with your DNS provider (for example, on Huawei Cloud DNS).
  • Automatic line switchover. If an AAD line encounters an exception, the CNAME resolution can be automatically switched to other properly working lines.
  • Service continuity. In a three-line package service, if a line is attacked and access is blocked, AAD automatically uses the other available lines to complete CNAME resolution, ensuring service availability.

This section uses Huawei Cloud DNS as an example to describe how to modify a DNS record. The methods for modifying DNS records on other platforms are similar.

Prerequisite

The domain name has been added to AAD.

Constraints

  • When adding a CNAME record, you must delete the existing A records from the DNS record set. If they are not deleted, you will fail to add the new record because resolution conflicts may occur. Some DNS service providers allow you to change A records to CNAME records.
  • The DNS configuration takes effect after a period of time. You can test the domain name resolution using some online test tools.

Impact on the System

Changing the DNS configuration may affect running services. Therefore, you are advised to configure DNS during off-peak hours.

CNAME Access

After obtaining the CNAME value of the protected domain name, add the value to the DNS record set.

  1. Log in to the management console.
  2. Select a region in the upper part of the page, click in the upper left corner of the page, and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS Service Center page is displayed.
  3. In the navigation pane on the left, choose Advanced Anti-DDoS > Domain Name Access. The Domain Name Access page is displayed.

    Figure 1 Domain name access

  4. In the CNAME column of the target domain name, click to copy the CNAME value of the domain name.
  5. Click in the upper left corner of the page and choose Networking > Domain Name Service.
  6. Add a CNAME record set. For details, see section Adding a CNAME Record Set.

If you have configured the hosts file in Step 3: Locally Verifying the Website Service Configuration for the test, delete the configuration after this step. Otherwise, protection exceptions may occur.
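The Constraints above note that an existing A record conflicts with the new CNAME and that the change takes time to take effect. The following check is an added example, not part of the Huawei Cloud documentation: it reads the text output of `dig +noall +answer <domain>` and reports whether the CNAME cutover is complete. The domain, CNAME value and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
# Added example: classify `dig +noall +answer <domain>` output after the CNAME cutover.
# All names and addresses below are constructed placeholders, not real AAD values.

def parse_answer(text):
    """Return (owner, rtype, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        # dig line format: owner TTL class type rdata
        if len(parts) >= 5 and parts[2].upper() == "IN":
            records.append((parts[0].rstrip(".").lower(), parts[3].upper(),
                            parts[4].rstrip(".").lower()))
    return records


def check_cutover(answer_text, domain, expected_cname, origin_ip):
    """Return a list of problems; an empty list means the cutover looks complete."""
    domain = domain.rstrip(".").lower()
    expected = expected_cname.rstrip(".").lower()
    records = parse_answer(answer_text)
    problems = []
    cnames = [rd for o, t, rd in records if o == domain and t == "CNAME"]
    direct_a = [rd for o, t, rd in records if o == domain and t == "A"]
    all_a = [rd for o, t, rd in records if t == "A"]
    if not records:
        problems.append("no answer: record missing or not yet propagated")
    if direct_a:
        problems.append("A record still served at %s: %s" % (domain, ", ".join(direct_a)))
    if records and expected not in cnames:
        problems.append("CNAME at %s is %s, expected %s" % (domain, cnames or "absent", expected))
    if origin_ip in all_a:
        problems.append("resolution still reaches origin IP %s" % origin_ip)
    return problems


# Constructed samples: before the change (old A record) and after it.
BEFORE = "www.example.com. 300 IN A 198.51.100.7\n"
AFTER = ("www.example.com. 300 IN CNAME abc123.aad.example.net.\n"
         "abc123.aad.example.net. 60 IN A 203.0.113.10\n")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, check_cutover(sample, "www.example.com",
                                   "abc123.aad.example.net", "198.51.100.7") or "OK")
```

Run the query against several public resolvers and repeat it until every one returns an empty problem list; a resolver that still returns the origin address is serving a cached copy of the old record.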

A Record-based Access

The following steps use the China Telecom line package as an example.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Networking > Domain Name Service.
  4. Add an A record set. For details, see section Adding an A Record Set.