Posted On: Jan 10, 2024

Starting today, you can configure Route 53 Resolver DNS Firewall to filter DNS traffic based on the query type (QTYPE) carried in the question section of a DNS query, alongside the query name that the service already evaluated.

Route 53 Resolver DNS Firewall is a managed service that lets customers block DNS queries for domains identified as low-reputation or suspected to be malicious, and allow queries for trusted domains. The response to an unblocked query returns information about a domain, such as the IP addresses and the name servers associated with it. With this launch, you can create DNS Firewall rules that match on both the query domain name (QNAME) and the QTYPE to filter outbound DNS traffic from your Amazon Virtual Private Clouds (VPCs). For example, a QTYPE rule gives you the option of blocking outbound queries for TXT records altogether. A TXT response can carry far more data than an A or AAAA response, which is why TXT records are commonly used as the inbound channel of DNS tunneling: the attacker's data is encoded into the labels of the query name on the way out, and commands or payloads come back in TXT answers. Because legitimate services also depend on TXT lookups (SPF, DKIM and DMARC records for mail authentication, and domain-ownership verification records), a type-only block rule is normally paired with an allow rule for the domains you trust, placed ahead of it in rule priority so that it is evaluated first.
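The following is an added example, not AWS code and not the service's implementation: a small Python model of how a QNAME + QTYPE rule group evaluates a raw DNS query. It parses the question section of the wire-format packet to recover QNAME and QTYPE, then walks a rule list in ascending priority order with first match winning and no match passing the query through, which is how DNS Firewall rule groups behave. The `Rule` class, the `*` catch-all entry, and the sample rule group and query names are all assumptions of this model, not DNS Firewall syntax.

```python
"""
Model of QNAME + QTYPE rule evaluation over raw DNS queries (added example,
not AWS code). Rules are checked lowest priority number first; the first
rule whose domain list and query type both match decides the action; a
query that matches nothing is allowed through to the resolver.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 1035 / RFC 3596 type codes used here; anything else is shown as TYPEnnnn.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
               15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
QTYPE_CODES = {name: code for code, name in QTYPE_NAMES.items()}


def build_query(qname: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal standard query (one question, RD bit set). Constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags, QD=1, AN/NS/AR=0
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", QTYPE_CODES[qtype], 1)  # root label, QTYPE, QCLASS=IN
    return header + question


def parse_question(packet: bytes) -> tuple:
    """Return (qname, qtype_name) from the first entry of the question section."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:  # root label terminates QNAME
            break
        if length & 0xC0:  # a client query has nothing to point back to; treat pointers as malformed
            raise ValueError("compression pointer in QNAME")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype_code, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), QTYPE_NAMES.get(qtype_code, f"TYPE{qtype_code}")


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    domains: tuple         # domain-list entries; "*.example.com" matches subdomains only
    qtype: Optional[str]   # None means the rule matches any query type
    action: str            # ALLOW, BLOCK or ALERT


def domain_matches(entry: str, qname: str) -> bool:
    """Exact match, or wildcard on the leftmost label. '*' alone is this model's catch-all (assumption)."""
    entry = entry.lower().rstrip(".")
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])  # "*.example.com" -> qname ends with ".example.com"
    return qname == entry


def evaluate(rules, packet: bytes) -> str:
    """Apply the rule group to one query packet and return the winning action."""
    qname, qtype = parse_question(packet)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.qtype is not None and rule.qtype != qtype:
            continue
        if any(domain_matches(d, qname) for d in rule.domains):
            return rule.action
    return "ALLOW"  # nothing matched: the query proceeds to the resolver


# Constructed rule group: allow the TXT lookups mail authentication needs for a trusted
# domain, then block every other TXT query, then block a known tunnelling domain outright.
RULES = (
    Rule(10, ("example.com", "*.example.com"), "TXT", "ALLOW"),
    Rule(20, ("*",), "TXT", "BLOCK"),
    Rule(30, ("tunnel.test", "*.tunnel.test"), None, "BLOCK"),
)


def main() -> None:
    samples = [("_dmarc.example.com", "TXT"), ("1234.dat.exfil.invalid", "TXT"),
               ("www.exfil.invalid", "A"), ("aGVsbG8.c2.tunnel.test", "A")]
    for name, qt in samples:
        print(f"{qt:4} {name:26} -> {evaluate(RULES, build_query(name, qt))}")


if __name__ == "__main__":
    main()
```

Swapping the priorities of the first two rules makes the `_dmarc.example.com` lookup hit the catch-all TXT block before the allow rule is ever consulted, which is the ordering mistake the caveat above is about.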

The Route 53 Resolver DNS Firewall is available in all Regions where Route 53 is available, including the AWS GovCloud (US) Regions. Visit the AWS Region Table to see all AWS Regions where Amazon Route 53 is available.

You can get started with QTYPE filtering on the Route 53 Resolver DNS Firewall from the Amazon Route 53 Resolver DNS Firewall Console or the API, at no additional cost. To learn more about the Route 53 Resolver DNS Firewall, including pricing, visit the Route 53 Resolver website, pricing page, and documentation.