
DNS query management with Route 53 Resolver DNS Firewall

Our customer, an e-learning company, needed stricter security and network controls, with a stringent approval process for all outbound DNS queries. The team also wanted a clear demarcation between their internal and production environments, so that no external user can make calls into the internal environment and vice versa.

The CloudifyOps team recommended using Route 53 Resolver DNS Firewall to block DNS queries for known malicious domains while allowing queries for trusted domains.

Let us consider an example. You have an EC2 instance running Docker, and you routinely pull and run a Docker image on it. With DNS Firewall you can deny resolution of every domain from your Virtual Private Cloud (VPC) and allow only hub.docker.com, so the instance can still pull the image while no resource in the VPC can resolve any other domain. DNS Firewall can also be used to create deny lists containing the names of all malicious domains your organization is aware of.

What does Route 53 Resolver DNS Firewall do?

Route 53 Resolver DNS Firewall is a managed firewall that blocks DNS queries for known malicious domains, or for any domain that should not be resolved from your VPC, and allows queries for trusted domains. It gives you granular control over the DNS querying behavior of the resources within your VPCs.

Solution approach:

First, identify all of the endpoints the application requires. To do this, you can use Amazon GuardDuty to analyze VPC flow logs and detect suspicious communications. You can also use Amazon CloudWatch to collate all the DNS queries from your VPC through a Route 53 Resolver query logging configuration.
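The domain inventory step above is usually done by reading the Resolver query logs back out of CloudWatch Logs. The following Python is an added example, not code from the original post or from CloudifyOps: it parses a constructed sample of query log records (the field names follow the Route 53 Resolver query log format as understood here; the account, VPC, instance and rule-group identifiers are placeholders) and produces the unique domain list plus a per-action breakdown, which is the raw material for deciding what to allow and what to block.

```python
import json
from collections import Counter

# Constructed sample of Route 53 Resolver query log records as delivered to
# CloudWatch Logs: one JSON object per line. Identifiers are placeholders.
# A record that matched no firewall rule carries no firewall_rule_action field.
SAMPLE_LOG_LINES = [
    '{"version":"1.100000","account_id":"111111111111","region":"us-east-1",'
    '"vpc_id":"vpc-0placeholder","query_timestamp":"2024-01-01T10:00:00Z",'
    '"query_name":"hub.docker.com.","query_type":"A","query_class":"IN","rcode":"NOERROR",'
    '"answers":[{"Rdata":"203.0.113.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25",'
    '"srcport":"54321","transport":"UDP","srcids":{"instance":"i-0placeholder"},'
    '"firewall_rule_action":"ALLOW","firewall_rule_group_id":"rslvr-frg-placeholder",'
    '"firewall_domain_list_id":"rslvr-fdl-allow"}',
    '{"version":"1.100000","account_id":"111111111111","region":"us-east-1",'
    '"vpc_id":"vpc-0placeholder","query_timestamp":"2024-01-01T10:00:05Z",'
    '"query_name":"registry-1.docker.io.","query_type":"A","query_class":"IN","rcode":"NOERROR",'
    '"answers":[{"Rdata":"203.0.113.20","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25",'
    '"srcport":"54322","transport":"UDP","srcids":{"instance":"i-0placeholder"},'
    '"firewall_rule_action":"ALLOW","firewall_rule_group_id":"rslvr-frg-placeholder",'
    '"firewall_domain_list_id":"rslvr-fdl-allow"}',
    '{"version":"1.100000","account_id":"111111111111","region":"us-east-1",'
    '"vpc_id":"vpc-0placeholder","query_timestamp":"2024-01-01T10:00:06Z",'
    '"query_name":"hub.docker.com.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR",'
    '"answers":[],"srcaddr":"10.0.1.25","srcport":"54323","transport":"UDP",'
    '"srcids":{"instance":"i-0placeholder"},"firewall_rule_action":"ALLOW",'
    '"firewall_rule_group_id":"rslvr-frg-placeholder","firewall_domain_list_id":"rslvr-fdl-allow"}',
    '{"version":"1.100000","account_id":"111111111111","region":"us-east-1",'
    '"vpc_id":"vpc-0placeholder","query_timestamp":"2024-01-01T10:01:00Z",'
    '"query_name":"evil.example.","query_type":"A","query_class":"IN","rcode":"NOERROR",'
    '"answers":[],"srcaddr":"10.0.2.40","srcport":"40001","transport":"UDP",'
    '"srcids":{"instance":"i-1placeholder"},"firewall_rule_action":"BLOCK",'
    '"firewall_rule_group_id":"rslvr-frg-placeholder","firewall_domain_list_id":"rslvr-fdl-block"}',
    '{"version":"1.100000","account_id":"111111111111","region":"us-east-1",'
    '"vpc_id":"vpc-0placeholder","query_timestamp":"2024-01-01T10:02:00Z",'
    '"query_name":"updates.internal.example.","query_type":"A","query_class":"IN","rcode":"NOERROR",'
    '"answers":[{"Rdata":"10.0.9.9","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.40",'
    '"srcport":"40002","transport":"UDP","srcids":{"instance":"i-1placeholder"}}',
    "",                 # blank line, as exported logs often contain
    "not a json record",  # corrupt line that must not abort the run
]


def parse_records(lines):
    """Parse one JSON record per line, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def normalize(name):
    """Strip the trailing dot of a fully qualified name and lower-case it."""
    return name.rstrip(".").lower()


def summarize(lines):
    """Build the inventory used to decide allow and block lists.

    Returns the unique domains queried, query counts per domain, counts per
    firewall action (UNMATCHED when no rule applied, i.e. the query was
    resolved normally), and the sorted sets of blocked and unmatched domains.
    """
    records = parse_records(lines)
    names = [normalize(r["query_name"]) for r in records]
    actions = [r.get("firewall_rule_action", "UNMATCHED") for r in records]
    return {
        "domains": sorted(set(names)),
        "by_domain": dict(Counter(names)),
        "by_action": dict(Counter(actions)),
        "blocked": sorted({n for n, a in zip(names, actions) if a == "BLOCK"}),
        "unmatched": sorted({n for n, a in zip(names, actions) if a == "UNMATCHED"}),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
```

The "unmatched" set is the one to review most carefully before the rule group goes live: these are names that no rule touched and that Resolver answered normally, so every one of them must end up either in the allow list or deliberately left to be blocked.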

With this list of domains identified, the team can decide what to allow and what to deny, and create the rules from it: a domain list with an ALLOW rule for every domain that resources may query, and a domain list with a BLOCK rule for every domain that must be blocked. The required resources are set up using Terraform.

# Domain list of the domains that resources in the VPC are allowed to resolve
resource "aws_route53_resolver_firewall_domain_list" "dns_filter_allow" {
  name    = var.domain_list_name_allow
  domains = var.domain_list_allow
}

# Domain list of the domains that must not be resolved from the VPC
resource "aws_route53_resolver_firewall_domain_list" "dns_filter_block" {
  name    = var.domain_list_name_block
  domains = var.domain_list_block
}

# Rule group that holds the allow and block rules
resource "aws_route53_resolver_firewall_rule_group" "rule_group" {
  name = var.rule_group_name
}

# ALLOW rule; rules are evaluated in ascending priority order, so give this
# a lower priority number than the block rule
resource "aws_route53_resolver_firewall_rule" "rules_allow" {
  name                    = var.rule_name_allow
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_allow
}

# BLOCK rule; NODATA answers a blocked query with an empty NOERROR response
resource "aws_route53_resolver_firewall_rule" "rules_block" {
  name                    = var.rule_name_block
  action                  = "BLOCK"
  block_response          = "NODATA"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.dns_filter_block.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority                = var.priority_block
}

# Associate the rule group with the VPC so the rules apply to its DNS queries
resource "aws_route53_resolver_firewall_rule_group_association" "Prod_api_vpc" {
  name                   = var.rule_group_name
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.rule_group.id
  priority               = var.priority_association
  vpc_id                 = var.aws_vpc_id
}

# CloudWatch log group that receives the Resolver query logs
resource "aws_cloudwatch_log_group" "Eks_Vpc_Domain_Logs" {
  name              = var.aws_cloudwatch_log_group_name
  retention_in_days = var.retention_days
}

# Query logging configuration that writes to the log group above
resource "aws_route53_resolver_query_log_config" "Eks_Vpc_Domain" {
  name            = var.query_log_name
  destination_arn = aws_cloudwatch_log_group.Eks_Vpc_Domain_Logs.arn
}

# Associate the query logging configuration with the VPC
resource "aws_route53_resolver_query_log_config_association" "example" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.Eks_Vpc_Domain.id
  resource_id                  = var.aws_vpc_id
}

Once applied, you will see the domain lists, a rule group with 2 rules associated with the VPC, and a CloudWatch log group receiving the Route 53 Resolver query logs.

Note that once the rule group is in place, any endpoint that is not in the list cannot be resolved from the VPC.
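It is worth being precise about how that last statement comes about. DNS Firewall evaluates a rule group's rules in ascending priority order and applies the first rule whose domain list matches; a query that matches no rule at all is passed through to Resolver and answered normally. The "anything not in the list is unresolvable" behaviour therefore requires the block list to carry a catch-all entry (`*`) at a higher priority number than the allow rule. The Python below is an added illustration, not code from the post or from AWS: it models that evaluation order on a constructed rule set shaped like the two rules above. The wildcard semantics it assumes are that a plain entry matches that name exactly, that `*.example.com` matches names under example.com but not the apex, and that `*` matches everything; the rule names, priorities and domain entries are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One DNS Firewall rule: constructed model, not the AWS API object."""
    name: str
    priority: int            # lower number is evaluated first
    action: str              # "ALLOW", "BLOCK" or "ALERT"
    domains: tuple           # entries of the rule's domain list
    block_response: str = "NODATA"   # only meaningful for BLOCK


def normalize(name):
    """Strip a trailing dot and lower-case the name."""
    return name.rstrip(".").lower()


def entry_matches(entry, qname):
    """Assumed domain-list matching: exact name, '*.suffix' for names under
    suffix (apex excluded), or a bare '*' that matches every name."""
    entry, qname = normalize(entry), normalize(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        suffix = entry[1:]                     # ".example.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == entry


def evaluate(rules, qname):
    """Return (action, rule_name, block_response) for the first rule that
    matches in priority order, or ("PASS", None, None) when nothing matches
    and the query is resolved as if no firewall were attached."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(entry_matches(e, qname) for e in rule.domains):
            if rule.action == "BLOCK":
                return ("BLOCK", rule.name, rule.block_response)
            return (rule.action, rule.name, None)
    return ("PASS", None, None)


# Constructed lists: the allow list for the image-pull use case from the post,
# and a block list of names the organization has decided to deny.
ALLOW_LIST = ("hub.docker.com", "*.docker.io", "*.amazonaws.com")
BLOCK_LIST = ("evil.example", "*.evil.example")

# Shape of the post's rule group: an allow rule and a block rule only.
POST_RULES = [
    Rule("rules_allow", 100, "ALLOW", ALLOW_LIST),
    Rule("rules_block", 200, "BLOCK", BLOCK_LIST),
]

# Same group plus a catch-all block rule evaluated last, which is what
# actually makes every unlisted name unresolvable.
DEFAULT_DENY_RULES = POST_RULES + [
    Rule("deny_everything_else", 300, "BLOCK", ("*",), "NXDOMAIN"),
]


if __name__ == "__main__":
    for name in ("hub.docker.com", "registry-1.docker.io", "docker.io",
                 "c2.evil.example.", "updates.internal.example"):
        print(f"{name:28} post rules: {evaluate(POST_RULES, name)}")
        print(f"{'':28} with catch-all: {evaluate(DEFAULT_DENY_RULES, name)}")
```

Two results of the run are the ones to take away: with only the two rules, `updates.internal.example` passes through and resolves normally, and even with the catch-all, the apex name `docker.io` is blocked because `*.docker.io` matches only names beneath it, so an allow list built from query logs should include apex names explicitly where they are queried.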

To summarize, Route 53 Resolver DNS Firewall lets us create "blocklists" of the domains we don't want our AWS resources to communicate with via DNS. Combined with an allow list, it makes communication access much stricter.

Follow us on our LinkedIn Page. To know more about our services, visit our website.
