The AWS Route 53 Resolver DNS Firewall is a great tool to limit exposure to known malicious domains. For a connection to happen, DNS is generally used first to resolve the FQDN, which means that before the connection is established the destination can be analysed to decide whether it is legitimate or not; this is where the AWS Route 53 Resolver DNS Firewall comes into play. The Route 53 Resolver DNS Firewall provides AWS managed domain lists and the option to create custom allow or block lists. DNS Firewall can be considered one of the first layers of protection for egress traffic. The step-by-step below caters for the following design.
In the following steps, multiple AWS DNS Firewall rule groups will be created to deny custom domain lists, allow custom domain lists and block the AWS managed bad domain lists.
- Go to the Route 53 service menu and choose Rule Groups.
Adding a custom rule group
- Click on the Add Rule group
- Enter the Name and description of the Rule Group and click Next
- Click on the Add rule button
- Enter the Rule name and the description
- Choose Add my own domain list and click create new domain list
- Enter the Domain list name and the domain list
- The domain list format has to be as follows:
- If an extensive list of domains needs to be added, use the bulk upload option by clicking on Switch to bulk upload and entering the S3 bucket details.
- The next step is the Action needed. In this case the Allow action is needed; choose it and click Add rule. The Allow action lets the query through but generates no logs. If logs are needed, choose the Alert action instead: it allows the query and logs an alert in the Route 53 Resolver logs.
- Then click Next if no more rules are needed; otherwise, click Add rule.
- In our case, we are adding more rules, so the Add rule option is chosen. We will create a blocked domain list.
- Since the domains need to be blocked, the action needs to be Block.
- Choose the appropriate response needed. I prefer Override using dns-firewall-blocked as the record value; then click Add rule. This configuration makes blocked queries easy to identify in the DNS query logs, because the answer returned for them is the override record.
- Click Next
- Click Add tags if needed
- Review the rules and click Create rule group; if you need to modify something, click the Previous button
Adding an AWS Managed rule group
- Click on the Add Rule group
- Enter the Name and description of the Rule Group and click Next
- Click on the Add Rule button
- Choose Add AWS managed domain list
- From the domain list choose AWSManagedDomainsAggregateThreatlist.
- Choose Block and Override using dns-firewall-blocked as the record value and click Add rule.
- Click Add rule for each of the remaining AWS managed domain lists:
- AWSManagedDomainsMalwareDomainList
- AWSManagedDomainsBotnetCommandandControl
- AWSManagedDomainsAmazonGuardDutyThreatList
- Click Next (all AWS managed domain lists will be blocked)
- If needed, change the priority of the rules by selecting the rule and clicking Move up or Move down, then click Next
- Click Add tags if needed
- Review the rules and click Create rule group; if you need to modify something, click the Previous button
- Once all the rule groups are created, a similar output should be visible: two rule groups, one for managed rules and the other for custom rules
- The next step is to associate the rule groups with the VPCs. Click on the first rule group and click on the VPCs associated tab
- Click the Associate VPC button
- Choose the VPC needed and click Associate
Repeat the process for all the rule groups and VPCs.
- The last step needed is to share the rule groups within the organization, if AWS Organizations is configured. Click the Share rule group button.
- Enter the resource share name
- Choose the Route 53 Resolver Firewall Rule Group and select all the rule groups configured
- Once selected, the rule groups will be visible in the selected resources section. If needed, these can be removed by selecting the rule group and choosing Deselect
- Add the appropriate tags and click Next
- Confirm the managed permissions and click Next
- Choose allow sharing only with the organization and choose the principal type Organization from the drop-down list.
- Type Organization in the search menu
- Right-click the AWS Organizations option and open it in a new tab
- Copy the Organization ID; it starts with o-
- Paste the Organization ID into the Enter your organization's ID field under the Principals section and click Add
- Once added, the organization ID should be visible under the selected principals; click Next
- Review the settings and click Create resource share. Check that sharing with external principals is not allowed and that the organization ID matches
- Once the resource share is created, the rule groups can be used within all the VPCs in the accounts of the organization. The VPC association step must be repeated for each of the VPCs
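The custom rule group and VPC association steps above, expressed as Terraform (an added example written for this page, not the post's own configuration). The sample domains, the `custom-*` names and `var.vpc_id` are constructed placeholders; the AWS managed lists are added the same way as the `block` rule below, passing the managed list's ID (found with `aws route53resolver list-firewall-domain-lists`) as `firewall_domain_list_id`.

```terraform
variable "vpc_id" { type = string } # placeholder: the VPC to protect
# Custom allow and block lists (constructed sample domains).
resource "aws_route53_resolver_firewall_domain_list" "allow" {
  name    = "custom-allow"
  domains = ["trusted.example.com", "*.trusted.example.com"]
}
resource "aws_route53_resolver_firewall_domain_list" "block" {
  name    = "custom-block"
  domains = ["bad.example.net", "*.bad.example.net"]
}
resource "aws_route53_resolver_firewall_rule_group" "custom" {
  name = "custom-rules"
}
# ALERT passes the query like ALLOW but also records it in the query logs;
# plain ALLOW would leave no trace of the allowed queries.
resource "aws_route53_resolver_firewall_rule" "allow" {
  name                    = "allow-custom"
  action                  = "ALERT"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.custom.id
  priority                = 100 # lowest number is evaluated first, so allow wins over block
}
# BLOCK with OVERRIDE answers with a CNAME to dns-firewall-blocked, so blocked
# queries stand out in the query logs instead of looking like a plain NXDOMAIN.
resource "aws_route53_resolver_firewall_rule" "block" {
  name                    = "block-custom"
  action                  = "BLOCK"
  block_response          = "OVERRIDE"
  block_override_dns_type = "CNAME"
  block_override_domain   = "dns-firewall-blocked"
  block_override_ttl      = 60
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.block.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.custom.id
  priority                = 200
}
# Associate the rule group with the VPC; association priority must be 101 to 9900.
resource "aws_route53_resolver_firewall_rule_group_association" "vpc" {
  name                   = "custom-rules-vpc"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.custom.id
  vpc_id                 = var.vpc_id
  priority               = 101
  mutation_protection    = "ENABLED" # prevents the association being changed by mistake
}
```

Every VPC that should be protected needs its own `aws_route53_resolver_firewall_rule_group_association`, matching the "repeat for all rule groups and VPCs" step.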
- The last step for Route 53 Resolver DNS firewall is enabling query logging. From the Route 53 menu, choose Query logging under the resolver section.
- Click Configure query logging
- Enter the name and choose the query logs destination: for CloudWatch, enter the log group path, whilst for S3, enter the S3 prefix. You can browse the S3 path or create a new destination
- Once the destination of the logs is chosen, click Add VPC
- From the list of VPCs, choose the VPC required for logging and click Add
- If tags are needed, click Add tag and enter the tags required; otherwise, click Configure query logging
If the DNS Firewall cannot evaluate queries (for example because the firewall is not working properly), the queries are blocked and a SERVFAIL response is sent to the client. If you want the queries to be allowed without being inspected in that situation, go to the Resolvers menu and choose the VPC option.
- Go to the DNS Firewall fail open section and click Enable fail open on this VPC. From a security perspective this is not recommended, but it might be needed due to operational requirements.
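The sharing, query logging and fail-open steps above as an added Terraform example (not the post's own code); `var.vpc_id`, `var.rule_group_arn`, `var.organization_arn` and the log group name are placeholders, and the fail-open setting is shown in the recommended (disabled) state.

```terraform
variable "vpc_id"           { type = string } # placeholder VPC ID
variable "rule_group_arn"   { type = string } # placeholder ARN of the rule group to share
variable "organization_arn" { type = string } # placeholder: arn:aws:organizations::<account-id>:organization/o-<id>
# Share the rule group with the organization only; external principals stay disallowed.
resource "aws_ram_resource_share" "dnsfw" {
  name                      = "dns-firewall-rule-groups"
  allow_external_principals = false
}
resource "aws_ram_resource_association" "dnsfw" {
  resource_arn       = var.rule_group_arn
  resource_share_arn = aws_ram_resource_share.dnsfw.arn
}
resource "aws_ram_principal_association" "org" {
  principal          = var.organization_arn
  resource_share_arn = aws_ram_resource_share.dnsfw.arn
}
# Query logging to CloudWatch Logs; the log group name is a constructed example.
resource "aws_cloudwatch_log_group" "dns" {
  name              = "/aws/route53resolver/query-logs"
  retention_in_days = 90
}
resource "aws_route53_resolver_query_log_config" "vpc" {
  name            = "vpc-query-logs"
  destination_arn = aws_cloudwatch_log_group.dns.arn
}
resource "aws_route53_resolver_query_log_config_association" "vpc" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.vpc.id
  resource_id                  = var.vpc_id
}
# Fail closed: when the firewall cannot evaluate a query the resolver returns
# SERVFAIL rather than letting the query through uninspected. Set to "ENABLED"
# only if operational requirements force fail-open.
resource "aws_route53_resolver_firewall_config" "vpc" {
  resource_id        = var.vpc_id
  firewall_fail_open = "DISABLED"
}
```

Accounts that receive the share still need their own rule group association and query log configuration per VPC, as the post notes for the VPC association step.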