|
Beginning at present, you’ll be able to configure your DNS Firewall to mechanically belief all domains in a decision chain (similar to aCNAME, DNAME, or Alias chain).
Let’s stroll by this in nontechnical phrases for these unfamiliar with DNS.
Why use DNS Firewall?
DNS Firewall gives safety for outbound DNS requests out of your non-public community within the cloud (Amazon Digital Non-public Cloud (Amazon VPC)). These requests route by Amazon Route 53 Resolver for area title decision. Firewall directors can configure guidelines to filter and regulate the outbound DNS visitors.
DNS Firewall helps to guard towards a number of safety dangers.
Let’s think about a malicious actor managed to put in and run some code in your Amazon Elastic Compute Cloud (Amazon EC2) situations or containers operating inside one in all your digital non-public clouds (VPCs). The malicious code is prone to provoke outgoing community connections. It’d achieve this to connect with a command server and obtain instructions to execute in your machine. Or it’d provoke connections to a third-party service in a coordinated distributed denial of service (DDoS) assault. It may also attempt to exfiltrate knowledge it managed to gather in your community.
Luckily, your community and safety teams are appropriately configured. They block all outgoing visitors besides the one to well-known API endpoints utilized by your app. Up to now so good—the malicious code can not dial again residence utilizing common TCP or UDP connections.
However what about DNS visitors? The malicious code might ship DNS requests to an authoritative DNS server they management to both ship management instructions or encoded knowledge, and it may well obtain knowledge again within the response. I’ve illustrated the method within the following diagram.
To stop these situations, you need to use a DNS Firewall to watch and management the domains that your functions can question. You’ll be able to deny entry to the domains that to be dangerous and permit all different queries to cross by. Alternately, you’ll be able to deny entry to all domains besides these you explicitly belief.
What’s the problem with CNAME, DNAME, and Alias information?
Think about you configured your DNS Firewall to permit DNS queries solely to particular well-known domains and blocked all others. Your utility communicates with alexa.amazon.com; due to this fact, you created a rule permitting DNS visitors to resolve that hostname.
Nonetheless, the DNS system has a number of sorts of information. Those of curiosity on this article are
Ainformation that map a DNS title to an IP deal with,CNAMEinformation which are synonyms for different DNS names,DNAMEinformation that present redirection from part of the DNS title tree to a different a part of the DNS title tree, andAliasinformation that present a Route 53 particular extension to DNS performance. Alias information allow you to route visitors to chose AWS sources, similar to Amazon CloudFront distributions and Amazon S3 buckets
When querying alexa.amazon.com, I see it’s truly a CNAME file that factors to pitangui.amazon.com, which is one other CNAME file that factors to tp.5fd53c725-frontier.amazon.com, which, in flip, is a CNAME to d1wg1w6p5q8555.cloudfront.web. Solely the final title (d1wg1w6p5q8555.cloudfront.web) has an A file related to an IP deal with 3.162.42.28. The IP deal with is prone to be totally different for you. It factors to the closest Amazon CloudFront edge location, seemingly the one from Paris (CDG52) for me.
The same redirection mechanism occurs when resolving DNAME or Alias information.
To permit the entire decision of such a CNAME chain, you possibly can be tempted to configure your DNS Firewall rule to permit all names beneath amazon.com (*.amazon.com), however that may fail to resolve the final CNAME that goes to cloudfront.web.
Worst, the DNS CNAME chain is managed by the service your utility connects to. The chain would possibly change at any time, forcing you to manually keep the checklist of guidelines and licensed domains inside your DNS Firewall guidelines.
Introducing DNS Firewall redirection chain authorization
Primarily based on this clarification, you’re now outfitted to grasp the brand new functionality we launch at present. We added a parameter to the UpdateFirewallRule API (additionally out there on the AWS Command Line Interface (AWS CLI) and AWS Administration Console) to configure the DNS Firewall in order that it follows and mechanically trusts all of the domains in a CNAME, DNAME, or Alias chain.
This parameter permits firewall directors to solely enable the area your functions question. The firewall will mechanically belief all intermediate domains within the chain till it reaches the A file with the IP deal with.
Let’s see it in motion
I begin with a DNS Firewall already configured with a area checklist, a rule group, and a rule that ALLOW queries for the area alexa.amazon.com. The rule group is hooked up to a VPC the place I’ve an EC2 occasion began.
Once I hook up with that EC2 occasion and concern a DNS question to resolve alexa.amazon.com, it solely returns the primary title within the area chain (pitangui.amazon.com) and stops there. That is anticipated as a result of pitangui.amazon.com will not be licensed to be resolved.
To resolve this, I replace the firewall rule to belief the whole redirection chain. I exploit the AWS CLI to name the update-firewall-rule API with a brand new parameter firewall-domain-redirection-action set to TRUST_REDIRECTION_DOMAIN.
The next diagram illustrates the setup at this stage.
Again to the EC2 occasion, I attempt the DNS question once more. This time, it really works. It resolves the whole redirection chain, right down to the IP deal with 🎉.
Due to the trusted chain redirection, community directors now have a straightforward option to implement a technique to dam all domains and authorize solely identified domains of their DNS Firewall with out having to care about CNAME, DNAME, or Alias chains.
This functionality is on the market at no extra value in all AWS Areas. Strive it out at present!
