CNAME Reuse

This topic describes how to link multiple domains under the same Incapsula site configuration and policy.

Note: Available for Enterprise plan customers only.

Overview

Incapsula enables the use of site settings for several different domains that share the same IP address. This is implemented by using a CNAME.

Using a CNAME is the most common way to “symlink” one DNS record to another. Queries asking for a specific destination are referred by domain name to the target destination, which may be located somewhere else on the internet.

This setup is called CNAME reuse. When you reuse a CNAME, Incapsula proxies make a public DNS query in order to find the host and resolve it to the original site.

To reuse a CNAME, use the CNAME provided by Incapsula for all relevant domains that you want to link under the same site configuration and policy used by the target record.

When configuring CNAME reuse, keep in mind that:
  • Any domain can use the CNAME of any other domain.
  • The sites sharing the CNAME will also share the Incapsula console configuration (dashboards, statistics, settings, WAF, etc.), which is located under the domain that is registered to Incapsula.
  • CNAME reuse can be used only for domains hosted by the same origin server (same IP address).
  • CNAME reuse can be applied to multiple sites with SSL only if they can all use the same wildcard SAN, for example *.example.com. If not, each site should be registered separately in Incapsula and cannot reuse CNAMEs.

CNAME reuse example

Here is an excerpt from a zone file in BIND format that uses CNAME reuse:

example.com. 3600 IN A 1.1.1.1
www.example.com. 3600 IN CNAME incap.abc123.com.
blog.example.com. 3600 IN CNAME incap.abc123.com.
e-store.example.com. 3600 IN CNAME incap.abc123.com.

In this example:

  • the same CNAME, incap.abc123.com, is used across all three domains
  • the customer's Incapsula account contains one site configured in Incapsula: example.com (naked domain)
  • the customer used its assigned CNAME for two other non-registered sites

For additional examples, see the CNAME reuse examples section below.

The Incapsula CNAME reuse flow

  1. The HTTP request is received on the Incapsula server.
  2. The system checks whether the Host header value (i.e., domain name) exists as a site on Incapsula.
  3. If the domain name is registered on Incapsula, the request is sent to that site.
  4. If the domain name is not registered on Incapsula, the request is sent to the site that is linked with the specific CNAME.
  5. If the request is a cache hit, a response is returned from the site's CDN cache.
  6. If the request is a cache miss, it is sent to the origin server IP.
  7. The origin recognizes the host name based on the value of the Host header and routes the request to the relevant site.

CNAME reuse and third-party CDNs

In some cases, the customer won't be able to point the reused sites directly to the Incapsula CNAME, for example if there is another CDN in front of Incapsula. In that case, the Incapsula Support team can create a special CNAME mapping so that the Incapsula proxy can correlate the third-party CDN entry with the relevant Incapsula CNAME.

Note: There can be a situation in which a site is already configured on Incapsula and in addition, also points to a CNAME value of a different site on Incapsula. In this case, the Incapsula proxy sends the request to the Host which is explicitly configured on Incapsula, and not to the derived site that the CNAME value belongs to.
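
As an added example (not Incapsula code and not part of the original article), the Python script below models steps 2 to 4 of the flow together with the precedence rule in the note above, and checks the wildcard SAN condition from the configuration list, over a constructed zone excerpt. The second registered site with its CNAME abc.x.incapdns.net, the extra host names and all function names are assumptions made for illustration.

```python
# Added example: models the documented routing rules; not Incapsula code.
# Constructed sample data: sites registered in the account -> assigned CNAME.
REGISTERED = {
    "www.somedomain.com": "xyz.x.incapdns.net",
    "shop.somedomain.com": "abc.x.incapdns.net",  # hypothetical second site
}
WILDCARD = "*.somedomain.com"  # wildcard SAN shared by the SSL sites

# Constructed zone excerpt: every host points at the first site's CNAME.
ZONE = """\
www.somedomain.com.      3600 IN CNAME xyz.x.incapdns.net.
blog.somedomain.com.     3600 IN CNAME xyz.x.incapdns.net.
shop.somedomain.com.     3600 IN CNAME xyz.x.incapdns.net.
v2.api.somedomain.com.   3600 IN CNAME xyz.x.incapdns.net.
www.someotherdomain.com. 3600 IN CNAME xyz.x.incapdns.net.
"""

def parse_cnames(zone_text):
    """Return {host: target} for the CNAME records of a BIND-style excerpt."""
    cnames = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) == 5 and fields[3].upper() == "CNAME":
            cnames[fields[0].rstrip(".").lower()] = fields[4].rstrip(".").lower()
    return cnames

def covered_by_wildcard(host, wildcard):
    """A wildcard SAN matches exactly one left-most label, never deeper names."""
    suffix = wildcard[1:].lower()  # "*.somedomain.com" -> ".somedomain.com"
    if not wildcard.startswith("*.") or not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def effective_site(host, cnames, registered):
    """Flow steps 2-4: a registered Host wins; otherwise the CNAME's site."""
    if host in registered:
        return host
    owners = {cname: site for site, cname in registered.items()}
    return owners.get(cnames.get(host))  # None: CNAME belongs to no known site

def audit(zone_text, registered, wildcard):
    """Map each host to (site whose policy applies, covered by wildcard SAN)."""
    cnames = parse_cnames(zone_text)
    return {h: (effective_site(h, cnames, registered),
                covered_by_wildcard(h, wildcard)) for h in sorted(cnames)}

if __name__ == "__main__":
    for host, (site, ssl_ok) in audit(ZONE, REGISTERED, WILDCARD).items():
        print(f"{host:26} policy of {site}  wildcard SAN covers: {ssl_ok}")
```

Hosts reported as not covered by the wildcard are the ones that, for SSL, fall under the rule that each site should be registered separately.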

 

CNAME reuse examples

Use Case 1 - SUPPORTED: Non-SSL sites, different domains, all served by the same origin IP

www.somedomain.com > 1.1.1.1

blog.somedomain.com > 1.1.1.1

www.someotherdomain.com > 1.1.1.1

www.yetanotherdomain.es > 1.1.1.1

In this example, an Incapsula customer onboards one site only, such as www.somedomain.com, gets an Incapsula CNAME such as xyz.x.incapdns.net, and points all of their domains to the same CNAME.

www.somedomain.com > xyz.x.incapdns.net

blog.somedomain.com > xyz.x.incapdns.net

www.someotherdomain.com > xyz.x.incapdns.net

www.yetanotherdomain.es > xyz.x.incapdns.net

xyz.x.incapdns.net > 1.1.1.1

Use Case 2 - SUPPORTED: SSL sites, all subdomains covered by same wildcard, served by the same origin IP

Wildcard: *.somedomain.com

Sites:

www.somedomain.com > 1.1.1.1

blog.somedomain.com > 1.1.1.1

api.somedomain.com > 1.1.1.1

In this example, an Incapsula customer onboards one site only, such as www.somedomain.com, performs wildcard domain validation for SSL, gets an Incapsula CNAME such as xyz.x.incapdns.net, and points all their sites to the same CNAME.

www.somedomain.com > xyz.x.incapdns.net

blog.somedomain.com > xyz.x.incapdns.net

api.somedomain.com > xyz.x.incapdns.net

xyz.x.incapdns.net > 1.1.1.1

Comments

  • Gavin Engel

    So, it seems that Incapsula allows users to add A records only? I'm interested in adding a CNAME, for instance to an OpenShift or Heroku instance. The IP address is ephemeral in those services. Do you have advice?

  • qiu songsong

    Yes, I need to use CNAME too. Not so like to A records.
