AWS Cloud Chronicles

Implementing AWS Route 53 resolver DNS firewall to safeguard your AWS network environment step by step

The AWS Route 53 Resolver DNS Firewall is a useful control for limiting exposure to known malicious domains. Almost every outbound connection starts with a DNS lookup of the destination's fully qualified domain name (FQDN), so the destination can be inspected before any connection is established; this is where the Route 53 Resolver DNS Firewall comes into play. The firewall provides AWS-managed domain lists (for example, known malware and botnet command-and-control domains) and lets you create custom allow and block lists. Because it acts on name resolution rather than on packets, DNS Firewall should be considered one of the first layers of egress protection rather than a replacement for network-level egress controls: it only sees queries that go through the VPC's Route 53 Resolver, so it does nothing for traffic that targets IP addresses directly or that is resolved by an external resolver. The step-by-step below caters for the following design.

Multiple DNS Firewall rule groups will be created: one that blocks a custom domain list, one that allows a custom domain list, and one that blocks the AWS-managed lists of known bad domains. Rule groups associated with a VPC are evaluated in order of their association priority (lowest number first), so the allow-list group should be associated with the lowest priority to make sure trusted domains are never blocked by the other groups.

Adding custom rules group

Adding AWS Managed rules group

Repeat the process for all the rule groups and VPCs

If the DNS Firewall is unable to evaluate a query (for example, during a service failure), the default behaviour is fail closed: the query is blocked and a SERVFAIL response is sent to the client. If you would rather let such queries through uninspected (fail open), go to the Resolver section, choose the VPCs option, select the VPC and enable Fail open in its DNS Firewall configuration. Fail closed is the safer choice for a firewall whose purpose is to stop egress to malicious domains; choose fail open only where DNS availability matters more than inspection.
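The same design as code, added here as an example and not taken from the original post: a Terraform configuration that builds the three rule groups (custom allow, custom deny, AWS-managed block), associates them with each VPC in priority order, and sets the fail mode. The VPC ID, the domain names and the managed domain list IDs are placeholders that must be replaced; the provider block is omitted. Managed list IDs differ per account and region, so they are passed in as a variable rather than hard-coded.

```hcl
# VPCs to protect. Placeholder ID: replace with your own.
variable "vpc_ids" {
  type    = list(string)
  default = ["vpc-0123456789abcdef0"]
}

# AWS-managed list IDs are account- and region-specific. Look them up with
#   aws route53resolver list-firewall-domain-lists --query "FirewallDomainLists[?ManagedOwnerName]"
# The IDs below are placeholders.
variable "managed_domain_list_ids" {
  type = map(string)
  default = {
    AWSManagedDomainsMalwareDomainList       = "rslvr-fdl-REPLACEME1"
    AWSManagedDomainsBotnetCommandandControl = "rslvr-fdl-REPLACEME2"
  }
}

# Custom lists. A bare name matches only itself; the wildcard entry is what covers subdomains.
resource "aws_route53_resolver_firewall_domain_list" "custom_deny" {
  name    = "custom-deny"
  domains = ["bad.example", "*.bad.example"]
}

resource "aws_route53_resolver_firewall_domain_list" "custom_allow" {
  name    = "custom-allow"
  domains = ["corp.example", "*.corp.example"]
}

# Rule group 1: explicit allow list.
resource "aws_route53_resolver_firewall_rule_group" "custom_allow" {
  name = "custom-allow"
}

resource "aws_route53_resolver_firewall_rule" "custom_allow" {
  name                    = "allow-custom-list"
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.custom_allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.custom_allow.id
  priority                = 100
}

# Rule group 2: custom deny list. NXDOMAIN tells the client the name does not exist.
resource "aws_route53_resolver_firewall_rule_group" "custom_deny" {
  name = "custom-deny"
}

resource "aws_route53_resolver_firewall_rule" "custom_deny" {
  name                    = "block-custom-list"
  action                  = "BLOCK"
  block_response          = "NXDOMAIN"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.custom_deny.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.custom_deny.id
  priority                = 100
}

# Rule group 3: one BLOCK rule per AWS-managed list; rule priorities must be unique inside a group.
resource "aws_route53_resolver_firewall_rule_group" "aws_managed" {
  name = "aws-managed-block"
}

resource "aws_route53_resolver_firewall_rule" "aws_managed" {
  for_each                = var.managed_domain_list_ids
  name                    = "block-${each.key}"
  action                  = "BLOCK"
  block_response          = "NODATA"
  firewall_domain_list_id = each.value
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.aws_managed.id
  priority                = 100 + index(keys(var.managed_domain_list_ids), each.key)
}

# Association priority orders the rule groups per VPC (lowest evaluated first),
# so the allow list is checked before either block group.
locals {
  rule_groups = {
    allow   = { id = aws_route53_resolver_firewall_rule_group.custom_allow.id, priority = 200 }
    deny    = { id = aws_route53_resolver_firewall_rule_group.custom_deny.id, priority = 300 }
    managed = { id = aws_route53_resolver_firewall_rule_group.aws_managed.id, priority = 400 }
  }
  associations = {
    for pair in setproduct(var.vpc_ids, keys(local.rule_groups)) :
    "${pair[0]}-${pair[1]}" => { vpc_id = pair[0], group = pair[1] }
  }
}

resource "aws_route53_resolver_firewall_rule_group_association" "this" {
  for_each               = local.associations
  name                   = each.key
  firewall_rule_group_id = local.rule_groups[each.value.group].id
  vpc_id                 = each.value.vpc_id
  priority               = local.rule_groups[each.value.group].priority
  mutation_protection    = "ENABLED" # prevents the association being removed by mistake
}

# Fail mode per VPC. DISABLED = fail closed: queries the firewall cannot evaluate get SERVFAIL.
# Set ENABLED only if such queries should be answered without inspection (fail open).
resource "aws_route53_resolver_firewall_config" "this" {
  for_each           = toset(var.vpc_ids)
  resource_id        = each.value
  firewall_fail_open = "DISABLED"
}
```

After `terraform apply`, check the result from an instance in one of the VPCs: `dig bad.example` should return NXDOMAIN and a name on one of the managed lists should return NOERROR with an empty answer (NODATA), while `dig app.corp.example` resolves normally because the allow group is evaluated first. Queries sent to a resolver outside the VPC, such as a public DNS service, are not inspected, so egress to port 53 should be restricted at the network layer as well.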
