Beginning immediately, you may configure your DNS Firewall to robotically belief all domains in a decision chain (reminiscent of aCNAME
, DNAME
, or Alias
chain).
Let’s stroll by means of this in nontechnical phrases for these unfamiliar with DNS.
Why use DNS Firewall?
DNS Firewall offers safety for outbound DNS requests out of your personal community within the cloud (Amazon Digital Non-public Cloud (Amazon VPC)). These requests route by means of Amazon Route 53 Resolver for area identify decision. Firewall directors can configure guidelines to filter and regulate the outbound DNS site visitors.
DNS Firewall helps to guard in opposition to a number of safety dangers.
Let’s think about a malicious actor managed to put in and run some code in your Amazon Elastic Compute Cloud (Amazon EC2) cases or containers working inside considered one of your digital personal clouds (VPCs). The malicious code is prone to provoke outgoing community connections. It would achieve this to hook up with a command server and obtain instructions to execute in your machine. Or it would provoke connections to a third-party service in a coordinated distributed denial of service (DDoS) assault. It may additionally attempt to exfiltrate information it managed to gather in your community.
Thankfully, your community and safety teams are appropriately configured. They block all outgoing site visitors besides the one to well-known API endpoints utilized by your app. Thus far so good—the malicious code can not dial again residence utilizing common TCP or UDP connections.
However what about DNS site visitors? The malicious code might ship DNS requests to an authoritative DNS server they management to both ship management instructions or encoded information, and it could possibly obtain information again within the response. I’ve illustrated the method within the following diagram.
To stop these eventualities, you should use a DNS Firewall to observe and management the domains that your purposes can question. You’ll be able to deny entry to the domains that you realize to be dangerous and permit all different queries to move by means of. Alternately, you may deny entry to all domains besides these you explicitly belief.
What’s the problem with CNAME, DNAME, and Alias data?
Think about you configured your DNS Firewall to permit DNS queries solely to particular well-known domains and blocked all others. Your software communicates with alexa.amazon.com;
due to this fact, you created a rule permitting DNS site visitors to resolve that hostname.
Nonetheless, the DNS system has a number of forms of data. Those of curiosity on this article are
A
data that map a DNS identify to an IP tackle,CNAME
data which are synonyms for different DNS names,DNAME
data that present redirection from part of the DNS identify tree to a different a part of the DNS identify tree, andAlias
data that present a Route 53 particular extension to DNS performance. Alias data allow you to route site visitors to chose AWS sources, reminiscent of Amazon CloudFront distributions and Amazon S3 buckets
When querying alexa.amazon.com
, I see it’s truly a CNAME
report that factors to pitangui.amazon.com
, which is one other CNAME
report that factors to tp.5fd53c725-frontier.amazon.com
, which, in flip, is a CNAME
to d1wg1w6p5q8555.cloudfront.internet
. Solely the final identify (d1wg1w6p5q8555.cloudfront.internet
) has an A
report related to an IP tackle 3.162.42.28
. The IP tackle is prone to be completely different for you. It factors to the closest Amazon CloudFront edge location, doubtless the one from Paris (CDG52
) for me.
The same redirection mechanism occurs when resolving DNAME
or Alias
data.
To permit the whole decision of such a CNAME
chain, you can be tempted to configure your DNS Firewall rule to permit all names beneath amazon.com (*.amazon.com
), however that might fail to resolve the final CNAME
that goes to cloudfront.internet
.
Worst, the DNS CNAME chain is managed by the service your software connects to. The chain would possibly change at any time, forcing you to manually keep the listing of guidelines and licensed domains inside your DNS Firewall guidelines.
Introducing DNS Firewall redirection chain authorization
Primarily based on this clarification, you’re now geared up to grasp the brand new functionality we launch immediately. We added a parameter to the UpdateFirewallRule API (additionally obtainable on the AWS Command Line Interface (AWS CLI) and AWS Administration Console) to configure the DNS Firewall in order that it follows and robotically trusts all of the domains in a CNAME
, DNAME
, or Alias
chain.
This parameter permits firewall directors to solely permit the area your purposes question. The firewall will robotically belief all intermediate domains within the chain till it reaches the A
report with the IP tackle.
Let’s see it in motion
I begin with a DNS Firewall already configured with a area listing, a rule group, and a rule that ALLOW queries for the area alexa.amazon.com
. The rule group is hooked up to a VPC the place I’ve an EC2 occasion began.
Once I hook up with that EC2 occasion and problem a DNS question to resolve alexa.amazon.com
, it solely returns the primary identify within the area chain (pitangui.amazon.com
) and stops there. That is anticipated as a result of pitangui.amazon.com
just isn’t licensed to be resolved.
To resolve this, I replace the firewall rule to belief your complete redirection chain. I take advantage of the AWS CLI to name the update-firewall-rule
API with a brand new parameter firewall-domain-redirection-action
set to TRUST_REDIRECTION_DOMAIN
.
The next diagram illustrates the setup at this stage.
Again to the EC2 occasion, I attempt the DNS question once more. This time, it really works. It resolves your complete redirection chain, all the way down to the IP tackle 🎉.
Because of the trusted chain redirection, community directors now have a straightforward solution to implement a method to dam all domains and authorize solely identified domains of their DNS Firewall with out having to care about CNAME
, DNAME
, or Alias
chains.
This functionality is obtainable at no further price in all AWS Areas. Strive it out immediately!