Posted On: Mar 31, 2021

Today, AWS announced the launch of Amazon Route 53 Resolver DNS Firewall, a managed firewall that enables customers to block DNS queries made for known malicious domains and to allow queries for trusted domains. DNS Firewall provides more granular control over the DNS querying behavior of resources within your Amazon Virtual Private Clouds (VPCs).  

Route 53 Resolver is a DNS server (sometimes referred to as “AmazonProvidedDNS” or the “.2 resolver”) that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, VPC-specific domain names, and Route 53 private hosted zones. Customers have asked for finer control over the DNS queries that resources within their VPCs are allowed to make. These customers may be concerned about DNS exfiltration (where malicious actors use DNS queries to smuggle sensitive data out of networks) or may simply want to exert more control over sites that users within their organization are allowed to access.

Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with via DNS. You can also take a stricter, “walled-garden” approach by creating “allowlists” that permit outbound DNS queries only to domains you specify. You can also create alerts for when outbound DNS queries match certain firewall rules, allowing you to test your rules before deploying them to production traffic. Route 53 Resolver DNS Firewall offers two managed domain lists—malware domains and botnet command and control domains—enabling you to get started quickly with managed protections against common threats.
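To make the blocklist, allowlist and alert behaviour concrete, here is a small model of how a rule group evaluates a query. This is an added example, not AWS code; its assumptions are that rules are evaluated in ascending priority with the first match deciding, that a query matching no rule resolves normally, that a list entry `example.com` matches only that name while `*.example.com` matches its subdomains and `*` matches everything, and that `ALERT` lets the query through while reporting the match. The domain lists and rule names are constructed for illustration.

```python
"""Model of Route 53 Resolver DNS Firewall rule evaluation (added example, not AWS code).

Assumptions, labelled: rules in a rule group are evaluated in ascending
priority and the first match decides; a query matching no rule resolves
normally; a domain list entry "example.com" matches only that exact name,
"*.example.com" matches its subdomains (not the apex), and "*" matches every
name; ALERT lets the query through but reports the match.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    priority: int        # lower number is evaluated first (assumed ordering)
    action: str          # "ALLOW", "BLOCK" or "ALERT"
    domains: List[str]   # entries of the referenced domain list


def domain_matches(entry: str, qname: str) -> bool:
    """Does one domain-list entry match the queried name?"""
    qname = qname.rstrip(".").lower()
    entry = entry.rstrip(".").lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        apex = entry[2:]                     # "example.com"
        return qname.endswith("." + apex)    # any subdomain, not the apex itself
    return qname == entry


def evaluate(rules: List[Rule], qname: str) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(domain_matches(e, qname) for e in rule.domains):
            return rule.action, rule.name
    return "ALLOW", None   # assumption: no match -> resolved as usual


def evaluate_many(rules: List[Rule], qnames: List[str]) -> Dict[str, str]:
    """Map each queried name to the action the rule group would take."""
    return {q: evaluate(rules, q)[0] for q in qnames}


# Constructed lists; the real managed malware/botnet lists are curated by AWS.
MALWARE_LIST = ["malware.example", "*.botnet.example"]
CORP_LIST = ["corp.example", "*.corp.example", "*.amazonaws.com"]

# Blocklist posture: block known-bad names, alert on a candidate list while
# it is being tested, and let everything else resolve.
BLOCKLIST_GROUP = [
    Rule("block-malware", 1, "BLOCK", MALWARE_LIST),
    Rule("alert-candidate", 2, "ALERT", ["*.suspect.example"]),
]

# Walled-garden posture: allow only the named domains, then block the rest
# with a catch-all rule at the lowest priority.
WALLED_GARDEN_GROUP = [
    Rule("allow-corp", 1, "ALLOW", CORP_LIST),
    Rule("block-all", 100, "BLOCK", ["*"]),
]


if __name__ == "__main__":
    names = ["www.corp.example", "c2.botnet.example", "x.suspect.example", "example.org"]
    for label, group in (("blocklist", BLOCKLIST_GROUP), ("walled-garden", WALLED_GARDEN_GROUP)):
        print(label, evaluate_many(group, names))
```

The walled-garden group shows why the catch-all `*` block rule sits at the lowest priority: every allow rule must be evaluated before it, and any name not explicitly allowed is refused. Running the same names through both groups also shows how an `ALERT` rule lets a candidate list be observed in logs before it is switched to `BLOCK`.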

If you use AWS Organizations to manage multiple AWS accounts, you can use AWS Firewall Manager to deploy Route 53 Resolver DNS Firewall rules across multiple accounts and VPCs from a single administrator account. Firewall Manager gives security administrators a single place to centrally configure and manage different sets of firewall rules for their organization, and it automatically detects new accounts and resources and brings them into compliance with the organization’s security rules. With Route 53 Resolver DNS Firewall, customers can centrally deploy DNS firewall rules across accounts, organizational units (OUs), and VPCs in their organization. Alternatively, customers can share their firewall rules directly across their accounts by using AWS Resource Access Manager (RAM), which enables customers to centrally share AWS resources from various AWS services with other AWS accounts.

Customers can use Amazon CloudWatch Metrics to see how many DNS queries their firewall is blocking or allowing, down to the rule level. They can also enable logging with Route 53 Resolver Query Logs to get instance-level information on blocked and allowed queries for each VPC resource. If you store your logs in CloudWatch log groups, you can use CloudWatch Contributor Insights rules to generate high-cardinality data, such as the resources whose queries are most often blocked by the firewall.
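The query-log analysis described above (which resources are getting blocked most often, and by which list) can be reproduced offline on exported log lines. The following is an added example, not AWS code and not a Contributor Insights rule: the records are constructed here, and the field names it reads (`query_name`, `srcaddr`, `srcids.instance`, `firewall_rule_action`, `firewall_domain_list_id`) are assumed to follow the Resolver query log JSON format and should be checked against the current documentation before use on real logs.

```python
"""Aggregate DNS Firewall actions from Route 53 Resolver query logs (added example, not AWS code).

The sample records below are constructed for this example. The field names are
assumed to follow the Resolver query log JSON format; verify them against the
documentation before running this on real log exports.
"""
import json
from collections import Counter
from typing import Iterable, List, Tuple

_SAMPLE_RECORDS = [
    {"vpc_id": "vpc-0example", "query_name": "c2.botnet.example.", "query_type": "A",
     "srcaddr": "10.0.1.10", "srcids": {"instance": "i-0aaa"},
     "firewall_rule_action": "BLOCK", "firewall_domain_list_id": "rslvr-fdl-botnet-EXAMPLE"},
    {"vpc_id": "vpc-0example", "query_name": "dl.malware.example.", "query_type": "A",
     "srcaddr": "10.0.1.10", "srcids": {"instance": "i-0aaa"},
     "firewall_rule_action": "BLOCK", "firewall_domain_list_id": "rslvr-fdl-malware-EXAMPLE"},
    {"vpc_id": "vpc-0example", "query_name": "c2.botnet.example.", "query_type": "A",
     "srcaddr": "10.0.2.20", "srcids": {"instance": "i-0bbb"},
     "firewall_rule_action": "BLOCK", "firewall_domain_list_id": "rslvr-fdl-botnet-EXAMPLE"},
    {"vpc_id": "vpc-0example", "query_name": "www.corp.example.", "query_type": "A",
     "srcaddr": "10.0.2.20", "srcids": {"instance": "i-0bbb"},
     "firewall_rule_action": "ALLOW", "firewall_domain_list_id": "rslvr-fdl-corp-EXAMPLE"},
    {"vpc_id": "vpc-0example", "query_name": "x.suspect.example.", "query_type": "TXT",
     "srcaddr": "10.0.3.30", "srcids": {"instance": "i-0ccc"},
     "firewall_rule_action": "ALERT", "firewall_domain_list_id": "rslvr-fdl-suspect-EXAMPLE"},
    # A source ENI with no instance id: fall back to the source address.
    {"vpc_id": "vpc-0example", "query_name": "c2.botnet.example.", "query_type": "A",
     "srcaddr": "10.0.3.7", "srcids": {},
     "firewall_rule_action": "BLOCK", "firewall_domain_list_id": "rslvr-fdl-botnet-EXAMPLE"},
]
# Newline-delimited JSON as stored in a log group, plus one malformed line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\nnot-json\n"


def parse_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # a truncated line should not abort the whole analysis
    return records


def source_of(rec: dict) -> str:
    """Instance id when present, otherwise the source IP address."""
    return rec.get("srcids", {}).get("instance") or rec.get("srcaddr", "unknown")


def count_by_action(records: Iterable[dict]) -> Counter:
    """How many queries were allowed, blocked or alerted on; queries that
    matched no rule carry no action field and are counted as NO_MATCH."""
    return Counter(r.get("firewall_rule_action", "NO_MATCH") for r in records)


def blocked_by_source(records: Iterable[dict]) -> Counter:
    """Blocked queries per source, the high-cardinality view Contributor
    Insights would produce."""
    return Counter(source_of(r) for r in records if r.get("firewall_rule_action") == "BLOCK")


def blocked_by_list(records: Iterable[dict]) -> Counter:
    """Blocked queries per domain list, to see which list is doing the work."""
    return Counter(r.get("firewall_domain_list_id", "unknown")
                   for r in records if r.get("firewall_rule_action") == "BLOCK")


def top_blocked_sources(text: str, n: int = 3) -> List[Tuple[str, int]]:
    return blocked_by_source(parse_records(text)).most_common(n)


def noisy_sources(text: str, threshold: int) -> List[str]:
    """Sources with at least `threshold` blocked queries; repeated hits on a
    botnet or malware list from one instance are worth an investigation."""
    counts = blocked_by_source(parse_records(text))
    return sorted(src for src, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(count_by_action(recs))
    print(top_blocked_sources(SAMPLE_LOG))
    print(blocked_by_list(recs))
    print(noisy_sources(SAMPLE_LOG, 2))
```

Keying the per-source count on the instance id and falling back to the source address keeps the aggregation useful for resources that are not EC2 instances; in a real pipeline the same grouping would be expressed as a Contributor Insights rule over the log group rather than run as a script.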

Amazon Route 53 Resolver DNS Firewall is now available in US East (N. Virginia), EU (Ireland), Asia Pacific (Mumbai), and US West (Oregon), with all other AWS commercial Regions and AWS GovCloud (US) Regions rolling out over the next few days. To get started with this feature, visit the Route 53 documentation and the Route 53 Resolver DNS Firewall announcement on the AWS News Blog. To learn more about pricing, visit the Route 53 pricing page.