Posted On: Apr 7, 2021

Last week, AWS announced the Amazon Route 53 Resolver DNS Firewall, a managed firewall that enables customers to block DNS queries made for known malicious domains and to allow queries for trusted domains. DNS Firewall provides more granular control over the DNS querying behavior of resources within your Amazon Virtual Private Clouds (VPCs).

Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with via DNS. You can also take a stricter, “walled-garden” approach by creating “allowlists” that permit outbound DNS queries only to domains you specify. In addition, you can create alerts for outbound DNS queries that match certain firewall rules, which lets you test your rules before deploying them for production traffic. Route 53 Resolver DNS Firewall offers two managed domain lists, one for malware domains and one for botnet command and control domains, so you can get started quickly with managed protections against common threats.

The Route 53 Resolver DNS Firewall is integrated with AWS Firewall Manager, which allows you to push rules across multiple accounts and VPCs from a single administrator account. Alternatively, you can share your firewall rules directly across your accounts by using AWS Resource Access Manager (RAM). With Route 53 Resolver Query Logs, you can get instance-level logs for your firewall, such as the blocked and allowed queries for each VPC resource. If you choose to store your logs in CloudWatch log groups, you can use CloudWatch Contributor Insights to create rules that generate high-cardinality data, such as the top resources making the most queries that are blocked by the firewall.
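The "top resources with blocked queries" view described above can also be computed offline from exported query logs. This is an added example, not AWS code: the field names (`firewall_rule_action`, `srcids.instance`, `srcaddr`, `query_name`) follow the Resolver query log JSON format, while the instance IDs, addresses, domains and the function name are constructed for illustration.

```python
import json
from collections import Counter, defaultdict

def _rec(instance, name, action=None, srcaddr="10.0.0.5"):
    """Build one constructed Resolver query log line (JSON, one record per line)."""
    rec = {"query_name": name, "srcaddr": srcaddr,
           "srcids": {"instance": instance} if instance else {}}
    if action:  # firewall fields are present only when a firewall rule matched
        rec["firewall_rule_action"] = action
    return json.dumps(rec)

# Constructed sample input, not real traffic.
SAMPLE_LOG_LINES = [
    _rec("i-0aaa111", "bad.example.com.", "BLOCK"),
    _rec("i-0aaa111", "BAD.example.com.", "BLOCK"),   # same domain, different case
    _rec("i-0aaa111", "c2.example.net.", "BLOCK"),
    _rec("i-0bbb222", "bad.example.com.", "BLOCK"),
    _rec("i-0bbb222", "c2.example.net.", "BLOCK"),
    _rec("i-0bbb222", "aws.amazon.com.", "ALLOW"),
    _rec("i-0ccc333", "test.example.org.", "ALERT"),  # alert-only rule under test
    _rec(None, "bad.example.com.", "BLOCK", srcaddr="10.0.1.9"),  # no instance ID
    _rec("i-0ddd444", "example.com."),                # no firewall rule matched
    '{"query_name": "trunc',                          # truncated export line
]

def top_blocked_sources(lines, n=3):
    """Return ([(source, blocked_count, sorted_domains)], skipped_line_count)."""
    counts, domains, skipped = Counter(), defaultdict(set), 0
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1          # count malformed lines instead of failing the run
            continue
        if rec.get("firewall_rule_action") != "BLOCK":
            continue              # ALLOW, ALERT and unmatched queries are not blocks
        # Prefer the instance ID; fall back to the source address when it is absent.
        src = (rec.get("srcids") or {}).get("instance") or rec.get("srcaddr", "unknown")
        counts[src] += 1
        # DNS names are case-insensitive; normalise before de-duplicating.
        domains[src].add(rec.get("query_name", "").rstrip(".").lower())
    ranked = [(s, c, sorted(domains[s])) for s, c in counts.most_common(n)]
    return ranked, skipped

if __name__ == "__main__":
    ranked, skipped = top_blocked_sources(SAMPLE_LOG_LINES)
    for src, hits, names in ranked:
        print(f"{src}: {hits} blocked -> {', '.join(names)}")
    print(f"skipped malformed lines: {skipped}")
```

Counting `ALERT` records separately with the same loop gives a preview of what a rule would block before it is switched from alerting to blocking.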

Amazon Route 53 Resolver DNS Firewall is now generally available in all AWS commercial regions and AWS GovCloud (US) regions. To get started with this feature, visit the Route 53 documentation. To learn more about pricing, you can visit the Route 53 pricing page.