Secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall

Introduction

There are many services that help you configure network security within your Amazon Virtual Private Cloud (VPC), including security groups (SGs), network access control lists (network ACLs), and the AWS Network Firewall. These services inspect and filter network traffic, but they do not apply to DNS queries provided by Route 53 Resolver, potentially allowing bad-actors to exfiltrate data using DNS. A DNS lookup is an integral part of outbound network communication and is typically used as a starting point for establishing outbound connectivity.

Recently, we’ve launched Amazon Route 53 Resolver DNS Firewall – a service that enables customers to defend against DNS-level threats such as DNS Exfiltration. Throughout this post, we’ll refer to the Amazon Route 53 Resolver DNS Firewall as “DNS Firewall”.

With DNS Firewall, customers protect against data exfiltration attempts by building rules, specifying a list of domains to filter, and configuring actions for each rule to take when listed entries are queried. Customers group these rules together known as rule groups. Additionally, customers use AWS managed domain lists to easily apply rules to known bad domains.

It’s easy to manage these rules and policies in a small number of AWS accounts. However, when managing policies at scale with hundreds or thousands of VPCs across multiple AWS accounts, we recommend using AWS Firewall Manager, which can centrally manage and apply policies across the AWS Organization. Together with AWS Network Firewall, customers can perform domain-filtering across HTTP/S traffic, centrally managed from AWS Firewall Manager.

In this post, we’ll focus on DNS Firewall rules and rule groups, both at an individual account level and from a centralized location, by using AWS Firewall Manager to enforce security controls in order to safeguard domain lists against inadvertent changes that could result in DNS data exfiltration.

Introduction to Amazon VPC DNS resolution

By default, queries that are issued within the VPC are directed towards the Route 53 Resolver service to handle the resolution, which has the VPC CIDR address +2. For example, the DNS Server on a 10.0.0.0/16 network is located at 10.0.0.2. This VPC CIDR +2 acts as a gateway endpoint to a shared resolver service represented by zonal fleets of resolver instances. This shared resolver service is known as Route 53 Resolver, and it provides DNS query capability in your VPC that resolves public domain names and private hosted zones (PHZ).

When a DNS query is issued, the following resolution process is followed:

1. First, the Route 53 Resolver checks Private Hosted Zone (PHZ) associations and determines if the query is destined for private DNS.
2. Then, Route 53 Resolver checks if the query is destined for AWS internal domain names that cover AWS resources, such as EC2 instance names, VPC endpoints, and others.
3. If none of the preceding are matched and no Route 53 forwarding rules exist, the query is sent to a public DNS authority.

It is important to note, Route 53 Resolver does not use the Internet Gateway (IGW), Security Groups, or network ACLs attached to your VPC to resolve public DNS zones. That means DNS queries will be resolved even if the VPC does not have an Internet Gateway attached, or a route to the internet. DNS Firewall is applied at the Route 53 Resolver, giving you the ability to configure rules to protect your infrastructure.

Figure 1: Resolution of DNS queries using the Amazon Route 53 Resolver

Concepts of DNS Firewall

DNS Firewall is made up of the following components:

Rules – A DNS Firewall rule specifies a single domain list and action to take when the DNS domain query matches a domain in the domain list. You can allow, block, or alert on the matching queries. Each rule has a unique priority in the rule group, and rules are processed from lowest priority to highest priority.

Domain List – A domain list can be reused across many rules, but a single rule has only one domain list. You specify domains in a domain list, associate them with a rule, and provide an action to take (allow, block, alert) when any of those domains are matched in the DNS query. You create your own domain lists or use AWS managed domain lists.

Rule Group – A DNS Firewall rule group is a collection of rules that define how to inspect and handle DNS queries. A rule group can be associated with many VPCs, hence providing protection to multiple VPCs in an AWS account. With AWS Firewall Manager, you apply this rule group to VPCs across your organization and centrally manage it from an AWS Firewall Manager administrator account, which will be discussed later.

Capacity Units – Each rule group includes up to 100 rules. Within each rule, you specify a domain list that can have multiple domains defined. Additionally, you can attach multiple rule groups to the VPC.

Figure 2: Association of a DNS Firewall Rule Group to multiple VPCs

Rule Evaluation

DNS Firewall evaluates rules using the following logic:

1. All rule groups associated with the VPC are evaluated, starting with the VPC association with the lowest priority.
2. When evaluating a rule group, each rule within that rule group is evaluated from lowest priority to highest priority. If a rule is matched, then the request will be either allowed, blocked, or alerted on the matching queries.
3. If no rule is matched within the rule group, DNS Firewall move onto the next rule group to evaluate (if one exists). At this stage, DNS Firewall keeps going through Steps 2 and 3 until a match is found.
4. If no match is found and there are no more rule groups to evaluate, the DNS query is allowed.  In other words, default behavior is to allow DNS queries unless an explicit block is applied somewhere in the rule sets.

Figure 3: DNS Firewall rule evaluation flowchart

DNS Firewall management for individual AWS Accounts

Managing DNS Firewalls begins inside the VPC Console under DNS Firewall. When you navigate to the rule groups, you are presented with a list of DNS Firewall rule groups that are configured within the selected Region. DNS Firewall Rule Groups are a Regional construct (meaning that it applies to one Region only). Rule groups will be created in different Regions, if required.

DNS Firewall rule groups can be associated with one or more VPCs that require protection. This allows you to create common rule groups that are associated and re-used across VPCs. Additionally, if you have multiple AWS Accounts, you can share DNS Firewall rule groups via the AWS Resource Access Manager (RAM).

First, you’ll add a rule group, which is a collection of rules with actions to block or allow specific DNS queries. Specifying a meaningful name and description will help to easily identify the rule group in the future. Next, you add rules to the rule group. A rule defines how to filter DNS network traffic. Rules define the domain names to look for and the action to take when a DNS query matches one of the names. You specify an existing domain list, an AWS managed domain list, bulk upload a domain list, or create a new domain list directly from within the wizard.

Figure 4: Creating a new domain list within the Add Rule Group wizard

You then specify an action to take when the rule group has been matched. Choosing the Block action allows you to specify the type of response, whether that be NODATA, NXDOMAIN or OVERRIDE with a custom DNS record value response.

Figure 5: Specifying an action within the Add Rule Group wizard

After the rule group has been created, it can then be associated with VPCs. After association, DNS Firewall will take effect.

VPCs can be associated with multiple rule groups. Rules and rule groups are evaluated in order of priority, with the lowest number being evaluated first.

As described earlier in this post in the section about DNS Firewall concepts, the DNS Firewall allows all DNS requests by default. For a workload that has well-defined requirements for outbound communication, customers may opt to block all DNS requests except for specific allowed domains. To achieve this, you can create a *. rule in a rule group, with a block action. This rule group must have a higher number (lower priority) than the other rule groups associated to the VPC.

Centralized Management of DNS Firewalls using AWS Firewall Manager

AWS Firewall Manager is a security management service that allows security administrators to centrally configure and manage firewall rules across the accounts and applications in your organization. As new applications are created, Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules. DNS Firewall integrates with the AWS Firewall Manager to manage rules and associations across your AWS Organization.

Firewall Manager prerequisites

Complete the following prerequisites before you create and apply a Firewall Manager policy:

1. AWS Organizations: Your company must be using AWS Organizations to manage your accounts, and All Features must be enabled. For more information, see Creating an organization and Enabling all features in your organization.
2. A Firewall Manager administrator account: Designate one of the AWS accounts in your organization as the Firewall Manager administrator. This gives the account permission to deploy security policies across the organization.
3. AWS Config: Enable AWS Config for all of the accounts in your organization so that Firewall Manager can detect newly created resources. To enable AWS Config for all of the accounts in your organization, use the Enable AWS Config template from the StackSets sample templates.
4. AWS Resource Access Manager (AWS RAM): You must enable AWS RAM for all accounts in your AWS Organization so that Firewall Manager can apply DNS Firewall Rule Group configurations.

To begin managing DNS Firewalls across your AWS organization, you first log into the AWS Firewall Manager administration account and navigate to the WAF & Shield console. Within the console, drop down the AWS Firewall Manager menu and choose Getting Started. AWS Firewall Manager will check that the prerequisites have been completed. To continue, click Create Policy.

Figure 6: Getting started with the AWS Firewall Manager

When you pick the type of policy in the Firewall Manager console, you will specify a Region where the policy is applied. Security policies within AWS Firewall Manager are a Regional construct, which means the policy is scoped to the Region where it was created. You can create additional policies in different Regions.

Figure 7: Choose a Policy Type and Region

Next, we’ll specify the DNS Firewall rule groups, that will be applied via this policy.

DNS Firewall Rule Groups and Priorities with AWS Firewall Manager

AWS Firewall Manager is able to apply additional higher and lower priority DNS Firewall rule groups, across VPCs, within the scope of the policy. For example, consider that you have identified a bad-domain, that must be blocked across all VPCs within your AWS Organization. You can use AWS Firewall Manager to apply that rule group before evaluating individual rule groups defined within member accounts across the AWS Organization.

Figure 8: First Rule Groups and Last Rule Groups are defined within the AWS Firewall Manager DNS Firewall policy.

A Firewall Manager DNS Firewall rules policy has three evaluation sections, each with a set of reserved priority numbers. The first rule groups and the last rule groups sections are assigned to rule groups specified by the Firewall Manager administrator. When rule groups are shared by the Firewall Manager across accounts, each account owner adds their own rule groups to this user-defined section, specific to their AWS account. These sections provide a higher level of priority depending on whether you want your centrally administered rule groups to be evaluated before or after any user-defined rule groups.

The evaluation sections and priority numbers are:

• First rule groups section, with priority numbers between 1 and 100,
• User-defined section, with priority numbers between 101 and 9900,
• Last rule groups section, with priority numbers between 9901 and 10000.

Within each section, rule groups are evaluated based on the priority number assigned to it. Rule groups with the lowest priority are processed first.

You ensure that Firewall Manager administered rule groups are always evaluated first by slotting them in the first rule group section of the Firewall Manager policy. Rule groups slotted into the first rule group section, have a reserved priority between 1 and 100 and are evaluated before any rule groups defined by the member accounts.

Figure 9: DNS Firewall Policy Rule Groups and Priority

Next, we specify the scope of the policy, and the VPCs that we want the policy to apply to. For example; you may have different policies to apply against different networks, environments, or different organizational units. You can apply the policy to all VPCs within the AWS Organization, or you can be specific with inclusion or exclusion of VPCs using resource tags.

Figure 10: AWS Firewall Manager DNS Firewall policy scope

It’s recommended to use different priority numbers for rule groups. Rule group priority conflicts occur in either of the following cases:

• The AWS Firewall Manager administrator account has two or more policies that have rule groups with same priority for the same VPC.
• The AWS Firewall Manager administrator account and a member account both have created a rule group for the same VPC with the same priority.

In the case that rule group priorities do have a conflict using the same priority, the first associated rule group to the VPC is applied. AWS Firewall Manager provides a compliance status check, which determines any conflicting rule group priorities. Non-compliance is highlighted in the AWS Firewall Manager console.

Logging and monitoring

Route 53 Resolver Query Logging now expands its functionality by logging queries in response to DNS Firewall rule actions. Query Logging is a feature that’s enabled at the VPC level. You can configure it to log recursive DNS queries originating from within the VPC DNS query logs to Amazon S3 bucket, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose Delivery Stream. You then use this information for troubleshooting and security operations to have a better view of security posture.

There are fields added to the logs that provide insight into DNS Firewall actions against DNS queries:

• firewall_rule_group_id
• firewall_rule_action
• firewall_domain_list_id

Once a DNS Firewall rule group is associated with a VPC, it begins to send metrics to Amazon CloudWatch. There’s a AWS/Route53Resolver namespace that includes metrics all revolving around query volume:

• Number of queries from a VPC
• Number of queries from a VPC matching a DNS Firewall rule group
• Number of queries matching a DNS Firewall rule group
• Number of queries matching a DNS Firewall domain list from a rule group

Considerations

• DNS Firewall and Network Firewall work together for improved domain-filtering capability across HTTP/S traffic. A domain list configured in Network Firewall should reflect the domain list configured in DNS Firewall.
• Depending on the configuration that works best for your organization, you may want to take an ‘allow-lists’ approach where you block all DNS queries and only include domains you allow. Or, you can choose to do the inverse with a ‘block-list’, which allows all DNS queries but blocks domains you include in this list.
• Use DNS Firewall with Resolver query logs and Amazon GuardDuty for better visibility into DNS activity. Test your rules and rule groups by choosing the ALERT option, which streams data to GuardDuty for visibility before deploying into production.
• For improved security, Route 53 Resolver can also perform DNSSEC validation, which is off by default.
• If you have built existing user-defined rules in existing AWS accounts and you must override them, create a Firewall Manager DNS Firewall policy with first rule groups specified. This ensures the rules you that you centrally create via Firewall Manager have a lower associated priority than the rules you’ve manually created in your accounts. Alternatively, you can create last rule groups if you want to transition away from your user-defined rules.
• The default response from DNS Firewall for a block action is NODATA, which is essentially a timeout. If this isn’t suitable for your use case, modify it to redirect your DNS queries to a ‘sink hole’ by choosing the OVERRIDE option, and providing a custom message.

Conclusion

In this blog post, you learned how to secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall. You also learned how security administrators can use Firewall Manager to create security policies for the Amazon Route 53 Resolver DNS Firewall and push them out at scale to their organization.

As part of the walkthrough, you also learned how compliance auditors use Firewall Manager to see, in a single place, if DNS firewall policies are in compliance across the AWS Organization.

For further reading and to learn more about DNS resolution in your VPCs, see the Route 53 Resolver section of the Developer Guide. For AWS Firewall Manager, see the Firewall Manager Developer Guide. To learn about pricing for solutions using AWS Firewall Manager, check the AWS Firewall Manager pricing page for examples.

If you have questions about this post, start a new thread on the Amazon Route 53 forum or contact AWS Support.