How to Get Started with Amazon Route 53 Resolver DNS Firewall for Amazon VPC

A DNS lookup is typically the starting point for establishing outbound connections within a network. Unwanted direct communication between Amazon Virtual Private Cloud (VPC) resources and internet services could be prevented using AWS services like security groups, network access control lists (ACLs) or AWS Network Firewall. These services filter network traffic, but they do not block outbound DNS requests heading to the Amazon Route 53 Resolver that automatically answers DNS queries for public DNS records, Amazon Virtual Private Cloud (VPC) – specific DNS names, and Amazon Route 53 private hosted zones.

DNS exfiltration could potentially allow a bad actor to extract data through a DNS query to a domain they control. For instance, if a bad actor controlled the domain “example.com” and wanted to exfiltrate “sensitive-data,” they could issue a DNS lookup for “sensitive-data.example.com” from a compromised instance within a VPC. To prevent this, previously customers needed to incur costs to operate their own DNS servers in order to filter DNS lookups for malicious activity.

Today I am happy to announce Amazon Route 53 Resolver DNS Firewall (DNS Firewall) that enables you to defend against these types of DNS-level threats. With DNS Firewall, you can protect against data exfiltration attempts by defining domain name allowlists that allow resources within your Amazon Virtual Private Cloud (VPC) to make outbound DNS requests only for the sites your organization trusts.

You can block malicious domains, denying DNS requests for known bad names such as phishing domains. DNS Firewall is fully integrated with AWS Firewall Manager, giving security administrators a central place to enable, monitor and audit firewall activity across all their VPCs and AWS accounts in AWS Organizations. DNS Firewall is also integrated with Route 53 Resolver Query Logs, Amazon CloudWatch, and CloudWatch Contributor Insights that can analyze your firewall’s logs. You also have access to AWS Managed Domain Lists for protections against common threats like malware and botnets.

How to Use Amazon Route 53 Resolver DNS Firewall
You can get started with DNS Firewall in the AWS Management Console, AWS Command Line Interface (CLI), and AWS SDKs, where you can create domain lists and rules as well as configure rule actions and enable AWS Managed Rules. In the left navigation pane in the VPC or Route 53 console, expand DNS Firewall and then choose Rule Groups in the menu.

To get started, choose Add rule group and input the group name and description.

Rules define how to answer DNS requests. They define domain names to look for and the action to take when a DNS query matches one of the names.

Similar to AWS Web Application Firewall and AWS Network Firewall, a rule group is an object used to store a set of rules. Each rule consists of two key components: (a) a domain list, which is the list of domain names that you wish to block or allow private query resolution for, and (b) an action, which is the response you configure a rule to take if one of the domains within your domain list is queried.

For domain lists, two types of domains are supported: wildcard domains (subdomains of some domain, e.g. *.example.com) and fully qualified domain names (FQDNs) which are the complete domain names for a specific host (e.g. foo.example.com).

You can configure one action per rule, and it gives you flexibility in configuring the actions most aligned to your organizations’ security posture. For allowlists, you can choose an allow action, and for denylists, you can choose a block action.

When configuring a block action, by default a NODATA response is chosen, which means there is no response available for the requested domain name. If this default response is not suitable for your use case, you can modify it and select from either an OVERRIDE or NXDOMAIN response. An override allows you to configure the custom DNS record to send the query of a malicious domain to a “sinkhole” and provide a custom message explaining why the action occurred. An NXDOMAIN response is an error message which denotes a domain does not exist.

For either an allowlist or a denylist, you also have the option to enable an ALERT response which allows you to monitor rule activity. This is useful when you wish to test a rule or rule group before deploying it into production.

When you finish creating a rule group, you can see details and associate VPCs.

To associate your VPCs, select Associate VPC. You will be able to associate up to 5 rule groups with a VPC.

Enforcing Route 53 Resolver DNS Firewall Rules
You are able to create a DNS Firewall policy from within the AWS Firewall Manager, a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. With Firewall Manager, your security administrator can deploy a baseline set of VPC security group rules for EC2 instances, Application Load Balancers (ALBs) and Elastic Network Interfaces (ENIs) in your AWS accounts and VPCs.

To get started with Firewall Manager for DNS Firewall, you’ll need to complete the prerequisites as a security administrator belonging to a central security and compliance team.

The DNS Firewall policy you create allows you to specify the rule groups you want to associate to the VPCs within your organization as well as the priority these rule groups should be assigned. You can include or exclude accounts, organizational units (OUs) and VPCs (tagged), from having the DNS Firewall rules. Once this policy is configured and associated to your AWS Organization, all accounts are immediately within its purview.

If a new account is added to the organization, Firewall Manager automatically applies the policy and the rule group(s) to the VPCs in the account that are under the scope of the policy. Rule groups can be added with a specific priority reserved for Firewall Manager, preventing individual developers/accounts from overriding those rules at the account level.

Available Now
Amazon Route 53 Resolver DNS Firewall is now available in US East (N. Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Mumbai) with all other AWS commercial regions and AWS GovCloud (US) Regions rolling out over the next few days. Take a look at the product page, pricing, and documentation to learn more. Give this a try, and please send us feedback either through your usual AWS Support contacts or the AWS forum for Amazon VPC or Route 53.

Learn all the details about Amazon Route 53 Resolver DNS Firewall and get started with the new feature today.

Channy