Our customer, an e-learning company, needed stricter security and network controls, with a stringent approval process for every outbound DNS query. The team also wanted a clear demarcation between their internal and production environments, so that nothing in one environment could reach the other by name.
The CloudifyOps team recommended Route 53 Resolver DNS Firewall to block DNS queries for known malicious domains while allowing queries for trusted domains.
Consider an example. You have an EC2 instance that runs Docker and regularly pulls an image from Docker Hub. With DNS Firewall you can refuse every domain and allow only the Docker Hub endpoints needed for the pull, so that nothing else can be resolved from your Virtual Private Cloud (VPC). Note that the Docker client pulls from the registry endpoints (registry-1.docker.io and the auth.docker.io login service), not from the hub.docker.com website, so derive the allow list from observed query logs rather than from the names you expect to see. The same firewall can carry deny lists with the names of all malicious domains your organization is aware of.
Route 53 Resolver DNS Firewall is a managed firewall that filters the outbound DNS queries made from your VPCs: it blocks queries for known malicious domains, or for any domain that should not be resolvable from the VPC, while allowing queries for trusted domains. It gives granular control over the DNS querying behavior of the resources within your VPCs.
First, identify every endpoint the application needs. Amazon GuardDuty can analyze VPC flow logs and DNS logs to surface suspicious communications, and Route 53 Resolver query logging can send every DNS query made from the VPC to an Amazon CloudWatch log group, where the query names can be collated.
With that list of domains in hand, decide which to allow and which to deny, and build the firewall rules from it: an allow rule over a domain list containing every domain the VPC may resolve, and a block rule over a domain list containing every domain to be refused. The resources below are set up with Terraform; the var.* values come from the module's variables file, which is not shown here.
# Domain lists: the sets of names the firewall rules match queries against.
resource "aws_route53_resolver_firewall_domain_list" "dns_filter_allow" {
  name    = var.domain_list_name_allow
  domains = var.domain_list_allow
}

resource "aws_route53_resolver_firewall_domain_list" "dns_filter_block" {
  name    = var.domain_list_name_block
  domains = var.domain_list_block
}

resource "aws_route53_resolver_firewall_rule_group" "rule_group" {
  name = var.rule_group_name
}

# Rules in a group are evaluated from the lowest priority number upwards and the
# first match wins, so var.priority_allow must be lower than var.priority_block.
resource "aws_route53_resolver_firewall_rule" "rules_allow" {
  name                    = var.rule_name_allow
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_allow
}

resource "aws_route53_resolver_firewall_rule" "rules_block" {
  name                    = var.rule_name_block
  action                  = "BLOCK"
  # block_response is required for BLOCK: NODATA returns an empty answer,
  # NXDOMAIN says the name does not exist, OVERRIDE returns a record you choose.
  block_response          = "NODATA"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_block.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_block
}

# Attach the rule group to the VPC. The association priority orders this group
# against other rule groups on the same VPC (lower numbers first) and must be
# unique per VPC.
resource "aws_route53_resolver_firewall_rule_group_association" "Prod_api_vpc" {
  name                   = var.rule_group_name
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority               = var.priority_association
  vpc_id                 = var.aws_vpc_id
}

# Resolver query logging for the same VPC, delivered to CloudWatch Logs.
resource "aws_cloudwatch_log_group" "Eks_Vpc_Domain_Logs" {
  name              = var.aws_cloudwatch_log_group_name
  retention_in_days = var.retention_days
}

resource "aws_route53_resolver_query_log_config" "Eks_Vpc_Domain" {
  name            = var.query_log_name
  destination_arn = aws_cloudwatch_log_group.Eks_Vpc_Domain_Logs.arn
}

resource "aws_route53_resolver_query_log_config_association" "example" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.Eks_Vpc_Domain.id
  resource_id                  = var.aws_vpc_id
}
Once applied, you will see two domain lists, a rule group with two rules, that rule group associated with the VPC, and a CloudWatch log group receiving the Route 53 Resolver query logs.
Note that a name absent from the allow list fails to resolve only if the block list catches it. To refuse everything that is not explicitly allowed, put the wildcard * in the block list and give the allow rule the lower priority number so it is evaluated first; with only a list of specific domains in the block rule, names on neither list still resolve normally. Every query that a rule matched is recorded in the query logs with the action taken, which is how you find an endpoint you forgot to allow.
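The two log-driven steps above, building the allow list from the Resolver query logs before the firewall is enforced and checking afterwards which queries it blocked, can be scripted against the CloudWatch log events. The script below is an added example and not code from the original post or from CloudifyOps. It assumes the JSON event format Route 53 Resolver writes to CloudWatch Logs (query_name carries a trailing dot; firewall_rule_action is present only on events a firewall rule matched), reads its log lines from a constructed sample embedded in the file, and emits a terraform.tfvars.json whose keys match the variable names used by the module above. Reverse (PTR) lookups are dropped from the discovery output, and the generated block list is the wildcard *, which turns the rule group into an allow-list-only configuration.

```python
"""Build a DNS Firewall allow list from Route 53 Resolver query logs.

Added example; not part of the original post.  Assumes the Resolver query
log JSON format described in the lead-in.  Sample events are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed sample events in the shape Resolver query logging emits.  Only
# the fields this script reads are filled in; IDs and addresses are made up.
# The last event was written after the firewall was enforced and shows a BLOCK.
SAMPLE_LOG = """\
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:00Z","query_name":"hub.docker.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.12","srcids":{"instance":"i-0abc123def4567890"}}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:01Z","query_name":"registry-1.docker.io.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.20","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.12","srcids":{"instance":"i-0abc123def4567890"}}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:01Z","query_name":"auth.docker.io.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.21","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.12","srcids":{"instance":"i-0abc123def4567890"}}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:02Z","query_name":"Registry-1.docker.io.","query_type":"AAAA","rcode":"NOERROR","answers":[],"srcaddr":"10.0.1.12","srcids":{"instance":"i-0abc123def4567890"}}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:03Z","query_name":"12.1.0.10.in-addr.arpa.","query_type":"PTR","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.12","srcids":{"instance":"i-0abc123def4567890"}}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-02T09:00:00Z","query_name":"updates.example.net.","query_type":"A","rcode":"NOERROR","answers":[],"srcaddr":"10.0.2.7","srcids":{"instance":"i-0fedcba9876543210"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef","firewall_domain_list_id":"rslvr-fdl-0123456789abcdef"}
"""

REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


def parse_query_logs(text):
    """Parse newline-delimited JSON log events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(name):
    """Resolver logs names with a trailing dot; domain lists take them without."""
    return name.rstrip(".").lower()


def discover_domains(records):
    """Count distinct queried names (case-folded) as allow-list candidates.

    Reverse (PTR) lookups are dropped: they are not endpoints to allow.
    Review the result before it becomes the allow list.
    """
    counts = Counter()
    for rec in records:
        name = normalize(rec["query_name"])
        if name.endswith(REVERSE_SUFFIXES):
            continue
        counts[name] += 1
    return counts


def query_sources(records):
    """Map each queried name to the instances that asked for it."""
    sources = defaultdict(set)
    for rec in records:
        instance = rec.get("srcids", {}).get("instance")
        if instance:
            sources[normalize(rec["query_name"])].add(instance)
    return {name: sorted(ids) for name, ids in sources.items()}


def firewall_actions(records):
    """After deployment: which names hit a firewall rule, and with what action."""
    return Counter(
        (rec["firewall_rule_action"], normalize(rec["query_name"]))
        for rec in records
        if "firewall_rule_action" in rec
    )


def render_tfvars(allow_domains):
    """Variables for the Terraform module: allow what was observed, block '*'.

    With '*' in the block list every other name is refused, provided the
    ALLOW rule carries the lower priority number and is evaluated first.
    """
    return {
        "domain_list_allow": sorted(allow_domains),
        "domain_list_block": ["*"],
    }


if __name__ == "__main__":
    records = parse_query_logs(SAMPLE_LOG)
    seen = discover_domains(records)
    who = query_sources(records)
    for name, n in seen.most_common():
        print(f"{n:5d}  {name:40s} {','.join(who.get(name, []))}")
    with open("terraform.tfvars.json", "w") as fh:
        json.dump(render_tfvars(seen), fh, indent=2)
    for (action, name), n in firewall_actions(records).items():
        print(f"{action} {name} x{n}")
```

Run it as a script. In practice replace SAMPLE_LOG with the events exported from the log group (for example with aws logs filter-log-events or a CloudWatch Logs Insights query), review the discovered list before writing it out, and keep watching the BLOCK lines after deployment to catch an endpoint that was missed.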
To summarize, Route 53 Resolver DNS Firewall lets us create block lists of the domains we do not want our AWS resources to reach via DNS. Pairing them with an allow list makes outbound communication much stricter.
Copyright 2024 CloudifyOps. All Rights Reserved