Website built by Alibaba Cloud, fool-proof way to prohibit foreign IP access

1. Introduction

This solution is suitable for technical novices whose blog or website publishes content aimed at a domestic (mainland China) audience.

Access from foreign IP addresses can be blocked at the domain name resolution provider.

Take this website as an example: it mainly shares technical knowledge with the domestic Chinese community.

Recently, we found a large number of attack visits from foreign IPs in the nginx logs. Intercepting these IPs one by one with a firewall is cumbersome.

No matter what kind of manual protection is used, being attacked is unavoidable.

In the end, I concluded that there are various automated attacks from within China as well, but most of them are visits from foreign IPs.

So, is there any way to ban them directly?

Yes, and the method is fairly simple.

2. Alibaba Cloud DNS resolution

First, open the Cloud DNS function from the Alibaba Cloud Workbench. Then find the domain name you want to restrict and add a resolution record.

Click the Add Record button in the image above.

First, set the record type to A and the host record to *, which matches all sub-domains under the domain name (or enter a specific host record if you only want to restrict one sub-domain).

The most important settings are the two parameters request source (the resolution line) and record value.

For the request source, we choose: Overseas

When a request for our domain name comes from any region or country outside mainland China, it will be directed straight to the address entered in the record value below.

2.1 Explanation

Let me briefly explain the relationship between the request source and the record value.

Every domain name is ultimately resolved to a specific IP address by a DNS server.

The parameters we configure here tell the DNS server which IP address to return when someone visits our domain name, depending on where the request comes from.

The record value is the IP address to be returned.

For example, for requests from all overseas IP addresses we point the domain name at 127.0.0.1. This is the loopback address that every computer uses for itself.

In other words, every foreign visitor who resolves our domain name ends up connecting to their own machine.

PS1: You can also use this to direct overseas visitors to a different server instead. Adjust it according to your actual needs.

When the configuration is finished, save it.

PS2: Once the configuration is saved, do not expect (based on actual experience) that after 10 minutes every access from abroad will already point to the address we defined.

Instead, there is a gradual update process. After all, it takes time for the DNS servers to update and synchronize, and recursive resolvers keep serving the old record from cache until it expires. So, wait a little longer.

From my personal experience, after two days, nginx logs still show visits from foreign IP addresses, but the number has obviously decreased.
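The way to judge whether the DNS change is working is to keep counting foreign visits in the nginx access log. The following is an added example, not code from the original post or from Alibaba Cloud: it parses nginx's default "combined" log format, classifies each client address against a list of "domestic" networks, and reports the foreign addresses with the most requests. The CIDR ranges and the log lines are constructed placeholders (documentation/TEST-NET prefixes); a real deployment would load the domestic ranges from a GeoIP database or a published country IP list.

```python
import ipaddress
import re
from collections import Counter

# Regex for the nginx "combined" log format (the default access_log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed placeholders: the networks we treat as "domestic" for this demo.
# Real usage: fill this list from a GeoIP database or a country IP list.
DOMESTIC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3, standing in for a domestic IPv4 range
    ipaddress.ip_network("2001:db8:1::/48"),  # documentation prefix, standing in for a domestic IPv6 range
]

# Constructed sample log lines in nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:08:01:02 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2021:08:01:05 +0800] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
198.51.100.7 - - [10/Mar/2021:08:01:06 +0800] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "python-requests/2.25"
203.0.113.22 - - [10/Mar/2021:08:02:10 +0800] "GET /about HTTP/1.1" 200 2048 "https://example.com/" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2021:08:02:11 +0800] "GET /.env HTTP/1.1" 404 162 "-" "curl/7.68.0"
this line is not a valid log entry
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_domestic(ip_text):
    """True if the address falls inside one of the configured domestic networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        # Malformed client field (e.g. a bad proxy header); treat as not domestic.
        return False
    return any(addr in net for net in DOMESTIC_NETWORKS)


def summarize(log_text):
    """Count requests per source class and per client IP.

    Returns (class_counts, per_ip, skipped): class_counts is a Counter over
    'domestic' / 'foreign', per_ip maps each IP to {"count", "class"}, and
    skipped is the number of lines that did not match the log format.
    """
    class_counts = Counter()
    per_ip = {}
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields is None:
            skipped += 1
            continue
        ip = fields["ip"]
        cls = "domestic" if is_domestic(ip) else "foreign"
        class_counts[cls] += 1
        entry = per_ip.setdefault(ip, {"count": 0, "class": cls})
        entry["count"] += 1
    return class_counts, per_ip, skipped


def top_foreign(per_ip, n=5):
    """The n foreign IPs with the most requests, as (ip, count) pairs, busiest first."""
    foreign = [(ip, e["count"]) for ip, e in per_ip.items() if e["class"] == "foreign"]
    return sorted(foreign, key=lambda t: (-t[1], t[0]))[:n]


if __name__ == "__main__":
    counts, by_ip, bad = summarize(SAMPLE_LOG)
    print("requests by class:", dict(counts))
    print("unparsed lines:", bad)
    for ip, n in top_foreign(by_ip):
        print(f"{ip:>15}  {n} request(s)")
```

Run it against a real file with `summarize(open("/var/log/nginx/access.log").read())` (path assumed) before and a few days after the DNS change; the "foreign" count should trend down as resolver caches expire, while the "skipped" count tells you whether your `log_format` differs from the default and the regex needs adjusting.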

3. Others

After configuring how foreign IPs resolve the domain name, note that the server can still be reached if the other party connects directly to its IP address.

In that case, we can filter in nginx and return 404 or 444 directly to every access made by IP address. For details, see my article:

Nginx configuration, prohibit direct access to Web services via IP addresses
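Since the DNS trick only changes what a name resolves to, anyone who already knows the server's IP can still connect to it; that is what the nginx filter above is for. The following is an added example, not the configuration from the linked article: a catch-all `default_server` block drops any request whose Host header does not match a named site (which is exactly what a direct-by-IP request looks like), and the real site block only answers for its own hostnames. `example.com` and the file paths are assumed placeholders.

```nginx
# Catch-all: a request that arrives by bare IP (or with any Host we do not
# serve) has no matching server_name, so nginx routes it to the default_server.
# 444 is nginx's non-standard "close the connection without a response" code;
# use "return 404;" instead if you prefer to send a normal error page.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # nginx 1.19.4+: refuse the TLS handshake outright when the SNI name is
    # unknown, so no certificate is needed for this block. On older versions,
    # point ssl_certificate / ssl_certificate_key at a self-signed placeholder.
    ssl_reject_handshake on;

    return 444;
}

# The real site only answers for its own hostnames (assumed domain).
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    root /var/www/example;   # assumed web root
    index index.html;
}
```

After editing, run `nginx -t` and reload. To confirm the filter works, request the site once by name and once by IP (for example with `curl -sv http://<server-ip>/`, which should report an empty reply), and check that the by-name request still returns your page. Remember that a reverse proxy or CDN in front of nginx may rewrite the Host header, in which case the catch-all must be applied at that layer instead.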

3.1 Record Type

To expand on this, there are many options to choose from when adding DNS record types:

You just need to grasp one core point: no matter what kind of record it is, the goal is to guide users to a specific server for processing when they visit our domain name.

The record type determines the format of the record value and its parameters.

  • A: Points the domain name to an IPv4 address. After selecting this record type, the record value below can only be an IPv4 address.
  • CNAME: Points a domain name to another domain name. This is usually a CDN service or similar: the visitor accesses our domain name, but the actual data is served by a third-party provider such as OSS or a CDN.
  • AAAA: Points the domain name to an IPv6 address. If our server has an IPv6 address, we need this record type to direct the domain name to it.
  • NS: Delegates a sub-domain to other DNS servers for resolution. We can have a sub-domain (for example a second-level domain) resolved by another provider's DNS servers. (Rarely used by individuals)
  • MX: Points the domain name to a mail server address. It is used when setting up a mail server, which individuals rarely do nowadays.
  • SRV: Identifies a server that provides a specific service. The record stores the service information provided by the server and is typically used when setting up Microsoft Active Directory. (Common in special server configurations, rare for individuals)
  • TXT: Text record, length limit 512, usually used for SPF records. Commonly, vendors that need to verify that a domain name belongs to us ask us to add a TXT record. It does not affect normal access to the domain name.
  • CAA: Certificate Authority Authorization. It is similar to TXT, but is used by CA certificate authorities when validating the domain name. (You can ignore it for now; it will not affect you)
  • Explicit URL: Redirects the domain name to another address. For example, if we want to redirect all requests for a certain second-level domain name to another domain name, we can use this record directly without the redirection features of software such as nginx.
  • Hidden URL: Redirects the domain name to another address but hides the real target address. Unlike the explicit URL, the visitor is not told which URL they are actually visiting.
