Our customer, an e-learning company, needed tighter security and network controls, including an approval process for every outbound DNS query: a workload may only resolve domains that have been explicitly approved. To enforce this they deployed a DNS firewall. A further requirement was a clear separation between internal and production environments, so that external users cannot reach internal resources and internal resources cannot reach external ones. The DNS firewall let them block resolution of malicious domains, enforce strict egress controls across their infrastructure, and, with cloud infrastructure services and guidance from a cloud consulting partner, keep the environment both operationally efficient and compliant.
The CloudifyOps team recommended using a Route 53 Resolver DNS Firewall to block DNS queries from known malicious domains, while allowing queries from trusted domains.
Consider an example. You have an EC2 instance running Docker, and the only outbound DNS it needs is for pulling images from Docker Hub. With DNS Firewall you can deny resolution of every domain from your Virtual Private Cloud (VPC) and allow only the names the pull requires. In practice a pull resolves registry-1.docker.io and auth.docker.io in addition to hub.docker.com, which is why the required names are taken from the query logs described below rather than guessed. No other workload in the VPC can then resolve any domain. The same mechanism is used to build deny lists of the malicious domains your organization already knows about.
Route 53 Resolver DNS Firewall is a managed firewall that blocks DNS queries for known malicious domains, or for any domain that should not resolve inside your VPC, while allowing queries for trusted domains. It gives granular control over the DNS querying behaviour of the resources within your VPCs.
To secure an application, the first step is to identify every endpoint it needs. Amazon GuardDuty, which analyses VPC Flow Logs and DNS logs, flags suspicious communications; Route 53 Resolver query logging, delivered to Amazon CloudWatch Logs, records every DNS query made from the VPC so the real set of resolved domains can be inventoried rather than guessed.
Once the domain list is known, define the rules: an ALLOW rule for the domains workloads are permitted to resolve and a BLOCK rule for everything that should not resolve. Rules in a rule group are evaluated in ascending priority order (lowest number first), so the ALLOW rule must carry a lower priority number than the BLOCK rule; for a default-deny posture the block list contains the single wildcard entry * (an asterisk), which matches every domain not already allowed. The next step is to create the resources with Terraform so that the configuration is automated, reviewable and reproducible.
# Variables (var.*) are declared in variables.tf; values come from terraform.tfvars.
# Domain list of names workloads are allowed to resolve (for example hub.docker.com).
resource "aws_route53_resolver_firewall_domain_list" "dns_filter_allow" {
  name    = var.domain_list_name_allow
  domains = var.domain_list_allow
}

# Domain list of names to block; a single entry "*" blocks everything not allowed above.
resource "aws_route53_resolver_firewall_domain_list" "dns_filter_block" {
  name    = var.domain_list_name_block
  domains = var.domain_list_block
}

resource "aws_route53_resolver_firewall_rule_group" "rule_group" {
  name = var.rule_group_name
}

# Rules are evaluated from the lowest priority number upward, so
# var.priority_allow must be smaller than var.priority_block.
resource "aws_route53_resolver_firewall_rule" "rules_allow" {
  name                    = var.rule_name_allow
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_allow
}

# NODATA answers NOERROR with an empty answer section; NXDOMAIN and OVERRIDE are the alternatives.
resource "aws_route53_resolver_firewall_rule" "rules_block" {
  name                    = var.rule_name_block
  action                  = "BLOCK"
  block_response          = "NODATA"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_block.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_block
}

# Attach the rule group to the VPC. The association priority orders this rule group
# against any other rule groups attached to the same VPC (lowest number first).
resource "aws_route53_resolver_firewall_rule_group_association" "Prod_api_vpc" {
  name                   = var.rule_group_name
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority               = var.priority_association
  vpc_id                 = var.aws_vpc_id
}

# Query logging: every DNS query from the VPC, including the firewall action taken, lands here.
resource "aws_cloudwatch_log_group" "Eks_Vpc_Domain_Logs" {
  name              = var.aws_cloudwatch_log_group_name
  retention_in_days = var.retention_days
}

resource "aws_route53_resolver_query_log_config" "Eks_Vpc_Domain" {
  name            = var.query_log_name
  destination_arn = aws_cloudwatch_log_group.Eks_Vpc_Domain_Logs.arn
}

resource "aws_route53_resolver_query_log_config_association" "example" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.Eks_Vpc_Domain.id
  resource_id                  = var.aws_vpc_id
}
Once applied, you will have two domain lists (allow and block), a rule group with two rules, and a CloudWatch log group receiving the Route 53 Resolver query logs.
Note that any endpoint not on the allow list will fail to resolve from the VPC. With block_response set to NODATA the client receives a NOERROR reply with an empty answer section rather than NXDOMAIN, so a failing application typically reports that the host has no address, not that it does not exist. To see what the firewall did with a given query, look at the firewall_rule_action field in the query log records.
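Before associating the rule group with a production VPC it pays to replay the proposed rules against the query logs already collected, so that nothing a workload depends on is cut off by surprise. The script below is an added example, not code from the original post or from AWS: it parses the JSON records that Resolver query logging writes to CloudWatch Logs, inventories which domains each instance actually resolved, evaluates a proposed allow/block rule group against that inventory using DNS Firewall's domain-list matching semantics, and lists what the live firewall has already blocked. The field names follow the Resolver query log format; the log records, the rule names, the domain lists and the VPC and instance IDs are constructed for the example.

```python
"""Inventory Route 53 Resolver query logs and dry-run a DNS Firewall rule group.

Added example (not the original post's or AWS's code). Field names follow the
Resolver query log JSON format; all records, IDs and rule values are constructed.
"""
import json
from collections import Counter


def _rec(qname, instance, rcode="NOERROR", action=None):
    """Build one constructed query-log record (a subset of the real fields)."""
    rec = {"version": "1.100000", "vpc_id": "vpc-0a1b2c3d", "query_name": qname,
           "query_type": "A", "query_class": "IN", "rcode": rcode,
           "srcaddr": "10.0.1.25", "transport": "UDP",
           "srcids": {"instance": instance}}
    if action:                      # present once a rule group is attached to the VPC
        rec["firewall_rule_action"] = action
    return json.dumps(rec)


# Constructed sample: a Docker host pulling an image, plus two suspicious lookups.
SAMPLE_LINES = [
    _rec("hub.docker.com.", "i-0abc123"),
    _rec("registry-1.docker.io.", "i-0abc123"),
    _rec("auth.docker.io.", "i-0abc123"),
    _rec("sts.ap-south-1.amazonaws.com.", "i-0def456"),
    _rec("updates.example-malware.test.", "i-0def456", rcode="NXDOMAIN"),
    _rec("telemetry.example-malware.test.", "i-0def456", action="BLOCK"),
]

# Proposed rule group mirroring the Terraform: an ALLOW rule evaluated before a
# catch-all BLOCK rule (lower priority number first). Names and values are hypothetical.
PROPOSED_RULES = [
    {"name": "allow-trusted", "priority": 100, "action": "ALLOW",
     "domains": ["hub.docker.com", "*.docker.io", "*.amazonaws.com"]},
    {"name": "block-everything-else", "priority": 200, "action": "BLOCK",
     "domains": ["*"]},
]


def normalize(name):
    """Query names in the logs carry a trailing dot; compare case-insensitively."""
    return name.rstrip(".").lower()


def domain_matches(entry, qname):
    """DNS Firewall domain-list semantics: 'example.com' is an exact match,
    '*.example.com' matches subdomains only (not example.com itself), '*' matches all."""
    entry, qname = normalize(entry), normalize(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])          # entry[1:] is ".example.com"
    return qname == entry


def parse_query_logs(lines):
    """Yield (qname, instance, rcode, firewall_action) per record; skip malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
            yield (normalize(rec["query_name"]),
                   rec.get("srcids", {}).get("instance", "?"),
                   rec.get("rcode", "?"),
                   rec.get("firewall_rule_action"))
        except (ValueError, KeyError, TypeError):
            continue


def inventory(lines):
    """Return (query count per domain, set of instances that asked for each domain)."""
    counts, askers = Counter(), {}
    for qname, inst, _, _ in parse_query_logs(lines):
        counts[qname] += 1
        askers.setdefault(qname, set()).add(inst)
    return counts, askers


def evaluate_rule_group(rules, qname):
    """First matching rule in ascending priority order wins; 'PASS' when nothing
    matches, in which case Resolver answers the query normally."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if any(domain_matches(d, qname) for d in rule["domains"]):
            return rule["action"]
    return "PASS"


def dry_run(lines, rules):
    """Map every distinct logged domain to the action the proposed rules would take."""
    counts, _ = inventory(lines)
    return {qname: evaluate_rule_group(rules, qname) for qname in counts}


def blocked_by_firewall(lines):
    """Domains the live firewall already blocked (firewall_rule_action == BLOCK)."""
    return sorted({q for q, _, _, act in parse_query_logs(lines) if act == "BLOCK"})


if __name__ == "__main__":
    counts, askers = inventory(SAMPLE_LINES)
    for qname, n in counts.most_common():
        print(f"{n:3}  {qname:36} asked by {sorted(askers[qname])}")
    for qname, action in sorted(dry_run(SAMPLE_LINES, PROPOSED_RULES).items()):
        print(f"{action:5}  {qname}")
    print("already blocked:", blocked_by_firewall(SAMPLE_LINES))
```

Feed it the exported CloudWatch log lines instead of SAMPLE_LINES and any domain reported as BLOCK that a workload genuinely needs goes into the allow list before the rule group is attached. Swapping the two rule priorities makes the catch-all block win for every name, which is the misconfiguration the priority ordering in the Terraform is there to prevent.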
To summarize, Route 53 Resolver DNS Firewall lets us create blocklists of the domains we do not want our AWS resources to reach via DNS, and, by pairing an allow list with a catch-all block rule, turns that into a much stricter default-deny policy for everything the VPC resolves.
Copyright 2024 CloudifyOps. All Rights Reserved