June 6, 2026

DNS Africa Resource Center


Secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall | Amazon Web Services – AWS Blog

There are many services that help you configure network security within your Amazon Virtual Private Cloud (VPC), including security groups (SGs), network access control lists (network ACLs), and AWS Network Firewall. These services inspect and filter network traffic, but they do not apply to the DNS queries handled by Route 53 Resolver, which leaves a path for bad actors to exfiltrate data over DNS. A DNS lookup is an integral part of outbound network communication and is typically the first step in establishing an outbound connection.
Recently, we launched Amazon Route 53 Resolver DNS Firewall, a service that lets customers defend against DNS-level threats such as DNS exfiltration. Throughout this post, we refer to Amazon Route 53 Resolver DNS Firewall as "DNS Firewall".
With DNS Firewall, customers protect against data exfiltration attempts by building rules, each of which names a list of domains to filter and the action to take when a listed domain is queried. Customers group these rules into rule groups. Additionally, customers can use AWS managed domain lists to apply rules to known bad domains without maintaining the lists themselves.
It is easy to manage these rules and policies in a small number of AWS accounts. When managing policies at scale, with hundreds or thousands of VPCs across multiple AWS accounts, we recommend using AWS Firewall Manager, which centrally manages and applies policies across the AWS Organization. Together with AWS Network Firewall, which can also be administered from AWS Firewall Manager, customers can extend domain filtering to HTTP/S traffic.
In this post, we focus on DNS Firewall rules and rule groups, both at an individual account level and from a central location, using AWS Firewall Manager to enforce security controls that safeguard domain lists against inadvertent changes that could open the door to DNS data exfiltration.
By default, DNS queries issued within the VPC are sent to the Route 53 Resolver service, which listens at the VPC's base CIDR address plus two. For example, the DNS server for a 10.0.0.0/16 VPC is located at 10.0.0.2. This VPC CIDR +2 address acts as a gateway endpoint to a shared resolver service backed by zonal fleets of resolver instances. This shared resolver service is known as Route 53 Resolver, and it provides DNS resolution in your VPC for both public domain names and private hosted zones (PHZ).
When a DNS query is issued, resolution follows the process shown in Figure 1.
It is important to note that Route 53 Resolver does not use the Internet Gateway (IGW), security groups, or network ACLs attached to your VPC to resolve public DNS zones. That means DNS queries are resolved even if the VPC has no Internet Gateway attached and no route to the internet, so none of those controls can block a DNS-based exfiltration channel. DNS Firewall is applied at the Route 53 Resolver itself, giving you a place to configure rules that protect your infrastructure.
Figure 1: Resolution of DNS queries using the Amazon Route 53 Resolver
DNS Firewall is made up of the following components:
Rules – A DNS Firewall rule specifies a single domain list and the action to take when the queried domain matches an entry in that list. You can allow, block, or alert on the matching queries. Each rule has a unique priority number within its rule group, and rules are evaluated in ascending order of priority number, lowest number first.
Domain List – A domain list can be reused across many rules, but a single rule references only one domain list. You specify domains in a domain list, associate the list with a rule, and choose the action to take (allow, block, alert) when any of those domains is matched by a DNS query. You can create your own domain lists or use AWS managed domain lists.
Rule Group – A DNS Firewall rule group is a collection of rules that define how to inspect and handle DNS queries. A rule group can be associated with many VPCs, so one rule group can protect multiple VPCs in an AWS account. With AWS Firewall Manager, you can apply a rule group to VPCs across your organization and manage it centrally from the AWS Firewall Manager administrator account, as discussed later in this post.
Capacity Units – Each rule group can hold up to 100 rules. Within each rule, you specify a domain list that can contain many domains. Additionally, you can associate multiple rule groups with a single VPC.
Figure 2: Association of a DNS Firewall Rule Group to multiple VPCs
DNS Firewall evaluates rules using the following logic:
Figure 3: DNS Firewall rule evaluation flowchart
Managing DNS Firewall begins in the VPC console under DNS Firewall. When you navigate to rule groups, you are presented with the DNS Firewall rule groups configured in the selected Region. DNS Firewall rule groups are a Regional construct (each applies to one Region only), so you create rule groups in every Region where you need them.
DNS Firewall rule groups can be associated with one or more VPCs that require protection. This allows you to create common rule groups that are associated and re-used across VPCs. Additionally, if you have multiple AWS Accounts, you can share DNS Firewall rule groups via the AWS Resource Access Manager (RAM).
First, you’ll add a rule group, which is a collection of rules with actions to block or allow specific DNS queries. Specifying a meaningful name and description will help to easily identify the rule group in the future. Next, you add rules to the rule group. A rule defines how to filter DNS network traffic. Rules define the domain names to look for and the action to take when a DNS query matches one of the names. You specify an existing domain list, an AWS managed domain list, bulk upload a domain list, or create a new domain list directly from within the wizard.
Figure 4: Creating a new domain list within the Add Rule Group wizard
You then specify the action to take when a rule matches. Choosing the Block action also lets you choose the type of response returned to the client: NODATA, NXDOMAIN, or OVERRIDE with a custom DNS record value.
Figure 5: Specifying an action within the Add Rule Group wizard
After the rule group has been created, it can then be associated with VPCs. After association, DNS Firewall will take effect.
VPCs can be associated with multiple rule groups. Rules and rule groups are evaluated in order of priority, with the lowest number being evaluated first.
As described earlier in this post in the section about DNS Firewall concepts, DNS Firewall allows all DNS queries by default. For a workload with well-defined outbound communication requirements, you may opt to block all DNS queries except those for specifically allowed domains. To achieve this, create a rule whose domain list contains the wildcard entry *. with a block action. The rule group holding this catch-all rule must have a higher priority number (lower priority) than the other rule groups associated with the VPC, and every domain the workload legitimately needs, including the AWS service endpoints it calls, must be covered by an allow rule in a rule group evaluated before it; otherwise the catch-all rule blocks those lookups too.
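To make the ordering concrete, here is a small local model of how the rule groups and rules described above are evaluated. It is an added example, not AWS code, and it never calls the service; it encodes the ordering the post describes (rule groups in ascending priority number, rules within a group in ascending priority number, first match wins, implicit allow when nothing matches, first-associated group wins on a priority tie) and assumes domain-list matching semantics in which a plain entry matches exactly, `*.example.com` matches subdomains but not the apex, and `*` or `*.` matches everything. The rule group names, domains and priorities are placeholders.

```python
"""Local model of Route 53 Resolver DNS Firewall rule evaluation.

Added example: not AWS code and not a call to the service. It encodes the
ordering described in the post plus the assumed domain-list semantics noted
in domain_matches(). All names, domains and priorities are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int                          # unique within its rule group
    action: str                            # "ALLOW", "BLOCK" or "ALERT"
    domains: Tuple[str, ...]               # the rule's single domain list
    block_response: str = "NODATA"         # BLOCK only: NODATA, NXDOMAIN or OVERRIDE
    override_value: Optional[str] = None   # BLOCK + OVERRIDE: record returned instead


@dataclass(frozen=True)
class RuleGroup:
    name: str
    rules: Tuple[Rule, ...]


@dataclass(frozen=True)
class Decision:
    action: str
    rule_group: Optional[str]        # None when no rule matched (implicit allow)
    rule_priority: Optional[int]
    response: Optional[str]          # block response type, BLOCK only
    override_value: Optional[str]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def domain_matches(entry: str, qname: str) -> bool:
    """Assumed domain-list semantics: '*' (or '*.') matches every name,
    '*.example.com' matches subdomains of example.com but not the apex,
    and a plain name matches exactly that name."""
    entry, qname = _norm(entry), _norm(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])   # entry[1:] is ".example.com"
    return qname == entry


def evaluate(associations: List[Tuple[int, RuleGroup]], qname: str) -> Decision:
    """associations: (priority, rule group) pairs in the order they were
    associated with the VPC. sorted() is stable, so two groups sharing a
    priority number keep association order: the first-associated one wins.
    An ALERT match is reported as such; in the real service the query is
    still resolved and the match is written to the query logs."""
    for _, group in sorted(associations, key=lambda a: a[0]):
        for rule in sorted(group.rules, key=lambda r: r.priority):
            if any(domain_matches(d, qname) for d in rule.domains):
                if rule.action == "BLOCK":
                    return Decision("BLOCK", group.name, rule.priority,
                                    rule.block_response, rule.override_value)
                return Decision(rule.action, group.name, rule.priority, None, None)
    return Decision("ALLOW", None, None, None, None)   # no match: allowed by default


def build_sample_vpc() -> List[Tuple[int, RuleGroup]]:
    """Hypothetical VPC with three associated rule groups (placeholders)."""
    org_blocklist = RuleGroup("org-blocklist", (
        Rule(1, "BLOCK", ("*.evil.example",)),                 # NODATA by default
        Rule(2, "ALERT", ("*.tunnel.example",)),
        Rule(3, "BLOCK", ("legacy.example.com",), "OVERRIDE", "sinkhole.example.net"),
    ))
    app_allowlist = RuleGroup("app-allowlist", (
        Rule(1, "ALLOW", ("example.com", "*.example.com")),
    ))
    deny_all = RuleGroup("deny-all", (
        Rule(1, "BLOCK", ("*.",), "NXDOMAIN"),                 # the catch-all rule from the post
    ))
    # Lower numbers are evaluated first: the centrally managed blocklist, then
    # the workload's allow list, then the catch-all block with the highest number.
    return [(10, org_blocklist), (100, app_allowlist), (1000, deny_all)]


if __name__ == "__main__":
    vpc = build_sample_vpc()
    for q in ("api.example.com", "c2.evil.example.", "evil.example",
              "legacy.example.com", "x.tunnel.example"):
        print(q, evaluate(vpc, q))
```

Note what the apex query shows: `evil.example` is not matched by `*.evil.example`, so it falls through the allow list and is caught only by the catch-all rule in the lowest-priority group. If the catch-all group were given a lower number than `app-allowlist`, every query would be blocked, which is the ordering mistake the post warns about.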
AWS Firewall Manager is a security management service that allows security administrators to centrally configure and manage firewall rules across the accounts and applications in your organization. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. DNS Firewall integrates with the AWS Firewall Manager to manage rules and associations across your AWS Organization.
Complete the following prerequisites before you create and apply a Firewall Manager policy:
To begin managing DNS Firewalls across your AWS organization, you first log into the AWS Firewall Manager administration account and navigate to the WAF & Shield console. Within the console, drop down the AWS Firewall Manager menu and choose Getting Started. AWS Firewall Manager will check that the prerequisites have been completed. To continue, click Create Policy.
Figure 6: Getting started with the AWS Firewall Manager
When you pick the type of policy in the Firewall Manager console, you will specify a Region where the policy is applied. Security policies within AWS Firewall Manager are a Regional construct, which means the policy is scoped to the Region where it was created. You can create additional policies in different Regions.
Figure 7: Choose a Policy Type and Region
Next, we’ll specify the DNS Firewall rule groups, that will be applied via this policy.
AWS Firewall Manager can apply additional DNS Firewall rule groups, at both higher and lower priority than the member account's own, across the VPCs in the scope of the policy. For example, suppose you have identified a bad domain that must be blocked across all VPCs in your AWS Organization. You can use AWS Firewall Manager to apply a rule group blocking it before any rule groups defined within member accounts are evaluated.
Figure 8: First Rule Groups and Last Rule Groups are defined within the AWS Firewall Manager DNS Firewall policy.
A Firewall Manager DNS Firewall rules policy has three evaluation sections, each with its own set of reserved priority numbers. The first rule groups and last rule groups sections hold rule groups chosen by the Firewall Manager administrator. The section between them is user-defined: when Firewall Manager shares the policy across accounts, each account owner adds their own rule groups there, specific to their AWS account. Placing a centrally administered rule group in the first or last section determines whether it is evaluated before or after any user-defined rule groups.
The evaluation sections and priority numbers are:
Within each section, rule groups are evaluated in ascending order of the priority number assigned to them; the rule group with the lowest number is processed first.
To ensure that Firewall Manager administered rule groups are always evaluated first, slot them into the first rule groups section of the Firewall Manager policy. Rule groups in that section have a reserved priority between 1 and 100 and are evaluated before any rule groups defined by the member accounts.
Figure 9: DNS Firewall Policy Rule Groups and Priority
Next, we specify the scope of the policy, that is, the VPCs the policy applies to. For example, you may apply different policies to different networks, environments, or organizational units. You can apply the policy to all VPCs within the AWS Organization, or include or exclude specific VPCs using resource tags.
Figure 10: AWS Firewall Manager DNS Firewall policy scope
It is recommended to use distinct priority numbers for rule groups. Rule group priority conflicts occur in either of the following cases:
When two rule groups conflict by using the same priority number, the rule group that was associated with the VPC first is applied. AWS Firewall Manager provides a compliance status check that flags conflicting rule group priorities, and non-compliance is highlighted in the AWS Firewall Manager console.
Route 53 Resolver Query Logging now also records the DNS Firewall rule action taken on each query. Query Logging is enabled at the VPC level and logs the recursive DNS queries that originate within the VPC to an Amazon S3 bucket, Amazon CloudWatch Logs, or an Amazon Kinesis Data Firehose delivery stream. You can then use this information for troubleshooting and for security operations, giving you a better view of your security posture.
There are fields added to the logs that provide insight into DNS Firewall actions against DNS queries:
Once a DNS Firewall rule group is associated with a VPC, it begins to send metrics to Amazon CloudWatch. The AWS/Route53Resolver namespace includes metrics that all revolve around query volume:
In this blog post, you learned how to secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall. You also learned how security administrators can use Firewall Manager to create security policies for the Amazon Route 53 Resolver DNS Firewall and push them out at scale to their organization.
As part of the walkthrough, you also learned how compliance auditors use Firewall Manager to see, in a single place, if DNS firewall policies are in compliance across the AWS Organization.
For further reading and to learn more about DNS resolution in your VPCs, see the Route 53 Resolver section of the Developer Guide. For AWS Firewall Manager, see the Firewall Manager Developer Guide. To learn about pricing for solutions using AWS Firewall Manager, check the AWS Firewall Manager pricing page for examples.
If you have questions about this post, start a new thread on the Amazon Route 53 forum or contact AWS Support.
Mahmoud Ismail
Mahmoud is a Technical Account Manager based in Melbourne, Australia specializing in Networking. Prior to joining AWS, he worked for some of the biggest Telco providers in Australia. He has a passion for learning new technology and helping customers achieve operational excellence. In his spare time, he loves spending time with family and playing sport.
Mike Bentzen
Mike Bentzen is a Solutions Architect based out of Brisbane, Australia specializing in Networking & Cloud Infrastructure. He has a Bachelor of Information Technology majoring in Software Architecture. He’s passionate about helping customers build and deliver scalable, highly available, and well-designed cloud solutions with great outcomes.