Posted On: May 1, 2024

Starting today, you can enable Route 53 Resolver DNS Firewall to automatically skip the inspection of domains that appear in a domain redirection chain, such as Canonical Name (CNAME) and Delegation Name (DNAME) records. This avoids the need to explicitly list each domain in the chain in your Route 53 DNS Firewall rules when allow-listing domains.

Before today, when allow-listing domains, Route 53 DNS Firewall compared every DNS query from your VPC against the domains in the allow-list associated with a DNS Firewall rule. If an incoming query resolved through a redirection chain (e.g. a CNAME) whose target domain was not included in your allow-list, DNS Firewall would block the DNS resolution for that query, so you had to explicitly add each domain in the redirection chain to the allow-list. With this release, you can configure the DNS Firewall rule to automatically apply to all domains in a redirection chain, such as CNAME or DNAME, without adding each domain in the chain to the allow-list.
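To make the before/after behaviour concrete, here is an added toy model of an allow-list rule evaluated against a CNAME chain. It is example code written for this page, not AWS code, and it makes two labelled assumptions: a constructed in-memory zone with a three-hop CNAME chain, and a rule set consisting of one allow-list rule backed by a catch-all block rule, so that any name the allow rule does not match is blocked. The two mode names (`inspect` and `trust`) are placeholders for the per-rule setting the announcement describes; the real attribute name and values are not on the page and are not reproduced here.

```python
"""Toy model of an allow-list DNS Firewall rule applied to a CNAME chain.

Constructed example, not AWS code. Two evaluation modes are modelled:
  INSPECT - every owner name visited while following the chain is checked
            against the allow-list (the pre-release behaviour)
  TRUST   - only the name the client queried is checked; CNAME/DNAME targets
            are skipped (the new option described in the announcement)
"""
from typing import Dict, List, Set, Tuple

# Constructed zone data (not real infrastructure). Names are fully qualified.
ZONE: Dict[str, Tuple[str, str]] = {
    "app.example.com.": ("CNAME", "app.cdn.example.net."),
    "app.cdn.example.net.": ("CNAME", "edge.example-cdn.org."),
    "edge.example-cdn.org.": ("A", "192.0.2.10"),
}

# Placeholder mode names; the real per-rule setting is not reproduced here.
INSPECT = "inspect"
TRUST = "trust"


def matches_allow_list(name: str, allow_list: Set[str]) -> bool:
    """True if `name` is on the list exactly or via a '*.' wildcard entry
    ('*.example.com.' covers subdomains of example.com. but not the apex)."""
    name = name.lower()
    if name in allow_list:
        return True
    for entry in allow_list:
        if entry.startswith("*.") and name.endswith(entry[1:]) and name != entry[2:]:
            return True
    return False


def resolve_chain(qname: str, zone: Dict[str, Tuple[str, str]], max_hops: int = 8) -> List[str]:
    """Follow CNAMEs from `qname` and return every owner name visited, in order.
    Raises on a loop or an over-long chain so evaluation always terminates."""
    chain = [qname]
    seen = {qname}
    while True:
        rtype, rdata = zone.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain
        if rdata in seen or len(chain) >= max_hops:
            raise ValueError(f"CNAME loop or chain longer than {max_hops} hops at {chain[-1]}")
        seen.add(rdata)
        chain.append(rdata)


def evaluate(qname: str, allow_list: Set[str],
             zone: Dict[str, Tuple[str, str]], mode: str = INSPECT) -> dict:
    """Decide one query under an allow-list rule plus a catch-all block rule
    (assumed rule set). Returns the action, the names that were checked,
    the name that caused a block (if any) and the final answer data."""
    chain = resolve_chain(qname, zone)
    # INSPECT checks every name in the chain; TRUST checks only the queried name.
    to_check = chain if mode == INSPECT else chain[:1]
    for name in to_check:
        if not matches_allow_list(name, allow_list):
            return {"action": "BLOCK", "blocked_on": name, "checked": to_check, "answer": None}
    _, rdata = zone.get(chain[-1], (None, None))
    return {"action": "ALLOW", "blocked_on": None, "checked": to_check, "answer": rdata}


if __name__ == "__main__":
    allow = {"app.example.com."}  # only the queried name is allow-listed
    for mode in (INSPECT, TRUST):
        result = evaluate("app.example.com.", allow, ZONE, mode)
        print(f"{mode:8s} -> {result['action']:5s} checked={result['checked']} "
              f"blocked_on={result['blocked_on']} answer={result['answer']}")
```

Running the script shows the difference the announcement describes: in `inspect` mode the query for `app.example.com.` is blocked on `app.cdn.example.net.`, the first chain target missing from the allow-list; in `trust` mode the same query is allowed and resolves to the final A record. The trade-off for defenders is visible in the model too: with chain targets trusted, an allow-listed name may resolve through intermediate domains that are never compared against your rules, so the allow-list should contain only names whose redirection targets you are prepared to accept.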

Route 53 Resolver DNS Firewall support for domain redirection is available in all Regions where Route 53 is available, including the AWS GovCloud (US) Regions. Visit the AWS Region Table to see all AWS Regions where Amazon Route 53 is available.

You can get started by using the AWS Console or Route 53 API. For more information, visit the Route 53 Resolver product detail page, the feature documentation, or the step-by-step guide in the AWS News Blog. For details on pricing, visit the pricing page.