DNS (Domain Name System) is a crucial component of network management, translating human-friendly domain names into IP addresses that machines use to communicate. AWS provides robust tools to manage and filter DNS queries, enhancing security and performance for your applications. In this article, we’ll explore how DNS query filtering on AWS works and provide a step-by-step guide on how to configure this solution.
Understanding DNS Query Filtering on AWS
DNS query filtering helps control which DNS queries are allowed or blocked based on predefined rules. This is particularly useful for enhancing security by preventing access to malicious domains, enforcing compliance, and improving network performance by blocking unnecessary or harmful queries.
Key Components
- Amazon Route 53: A scalable and highly available DNS web service that translates domain names into IP addresses.
- Route 53 Resolver: A recursive DNS service that answers DNS queries for domain names.
- Route 53 Resolver DNS Firewall: Allows you to filter and manage DNS queries for your VPC (Virtual Private Cloud).
How DNS Query Filtering Works
- Define DNS Firewall Rule Groups: Rule groups consist of one or more rules that specify which domains to allow or block.
- Associate Rule Groups with VPCs: Apply these rule groups to the VPCs where you want to enforce DNS query filtering.
- Monitor and Manage DNS Queries: Use AWS CloudWatch and other monitoring tools to review DNS query logs and adjust rules as needed.
Prerequisites
Before delving into the lab setup, ensure that you have the following prerequisites in place:
- An AWS account with the appropriate permissions to create and manage network resources.
- A foundational understanding of Amazon VPC concepts, EC2, and AWS services.
- Deployment of a VPC, public subnet, and internet gateway should be completed prior to commencing this lab.
To filter outbound DNS traffic from your VPC, we need to configure Route 53 Resolver DNS Firewall.
Navigate to the DNS Firewall console:
- Open the AWS Management Console.
- Go to the VPC service >> DNS Firewall
Create a Domain List:
A domain list is a collection of domain names that we define and manage. It serves as the basis for the DNS Firewall rules that allow or block DNS queries.
- In the left navigation pane, choose “DNS Firewall.”
- Click “Domain lists” and then “Add domain list”.
Note: Here we will list all the domains that we want to block.
- Enter a name and the list of domains to block.
- Click “Add domain list”.
Create a Rule Group:
A rule group is a collection of rules that specify the actions to take on DNS queries. Rule groups allow you to organize and manage multiple DNS Firewall rules efficiently.
- Go back to “DNS Firewall”.
- Click “Rule groups” >> “Create rule group”.
- Enter a name and click “Add rule group”.
- Once the group is created, go to the “Rules” tab and click “Add rule”.
- Enter a name.
- Under “Configurations”, choose the domain list created in the previous step.
- For “Action”, choose “Block”.
- For the response, choose “NXDOMAIN”.
- Click “Add rule”.
In the rule group you just created, navigate to “Associated VPCs”:
- Click “Associate VPC.”
- Choose the VPC you want to associate with this rule group.
Complete the Association:
- Click “Associate” to apply the rule group to the selected VPC.
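The same domain list, rule group, block rule and VPC association can be created through the route53resolver API instead of the console. This is an added example, not code from the post; it assumes boto3, credentials with route53resolver permissions, and a placeholder VPC id. The `matches` helper models domain-list matching as documented for DNS Firewall (an apex entry matches only the apex, a `*.` entry matches subdomains only), which is why the blocklist below carries both `amazon.com` and `*.amazon.com` to cover the two Amazon hosts the post tests.

```python
"""Route 53 Resolver DNS Firewall as code: domain list -> rule group -> rule -> VPC
association. Added example (not from the post); assumes boto3, credentials with
route53resolver permissions, and a placeholder VPC id."""
import uuid


def matches(query_name: str, entry: str) -> bool:
    """Domain-list semantics: "example.com" matches only that name,
    "*.example.com" matches its subdomains but not example.com itself."""
    q, e = query_name.rstrip(".").lower(), entry.rstrip(".").lower()
    if e.startswith("*."):
        return q.endswith(e[1:])  # e[1:] is ".example.com"
    return q == e


def blocked_by(query_name: str, domains: list[str]) -> bool:
    return any(matches(query_name, d) for d in domains)


def deploy_dns_firewall(vpc_id: str, domains: list[str], name: str = "lab-blocklist") -> dict:
    """Same steps as the console walkthrough, using the route53resolver API."""
    import boto3  # imported here so the matching helpers run without boto3 installed
    r53r = boto3.client("route53resolver")
    # CreatorRequestId is a required idempotency token on the create calls.
    dl = r53r.create_firewall_domain_list(CreatorRequestId=str(uuid.uuid4()), Name=name)
    dl_id = dl["FirewallDomainList"]["Id"]
    r53r.update_firewall_domains(FirewallDomainListId=dl_id, Operation="ADD", Domains=domains)
    rg = r53r.create_firewall_rule_group(CreatorRequestId=str(uuid.uuid4()), Name=f"{name}-rg")
    rg_id = rg["FirewallRuleGroup"]["Id"]
    r53r.create_firewall_rule(  # BLOCK with an NXDOMAIN response, as in the post
        CreatorRequestId=str(uuid.uuid4()), FirewallRuleGroupId=rg_id,
        FirewallDomainListId=dl_id, Priority=100, Action="BLOCK",
        BlockResponse="NXDOMAIN", Name=f"{name}-rule")
    assoc = r53r.associate_firewall_rule_group(  # lower priority values are evaluated first
        CreatorRequestId=str(uuid.uuid4()), FirewallRuleGroupId=rg_id,
        VpcId=vpc_id, Priority=101, Name=f"{name}-assoc")
    return {"domain_list": dl_id, "rule_group": rg_id,
            "association": assoc["FirewallRuleGroupAssociation"]["Id"]}


if __name__ == "__main__":
    # Constructed blocklist covering the hosts the post tests; the apex and the
    # wildcard are separate entries because the wildcard does not cover the apex.
    blocklist = ["amazon.com", "*.amazon.com", "nytimes.com"]
    for host in ["amazon.com", "gaming.amazon.com", "google.com", "nytimes.com"]:
        print(f"{host:20} {'BLOCK' if blocked_by(host, blocklist) else 'ALLOW'}")
    # deploy_dns_firewall("vpc-PLACEHOLDER", blocklist)  # run only with real credentials
```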
Enable Query Logging:
- In the Route 53 console, go to “Resolver” >> “VPCs”.
- Click the VPC you associated with the rule group in the previous step.
- Under “Query logging configurations”, click “Configure query logging”.
- Enter a name for the logging configuration.
- For this lab, choose “CloudWatch Logs log group” as the destination.
- Create a new log group, then click “Create query logging”.
Deploy an EC2 instance and test DNS resolution:
Note: Refer to the following guide on how to deploy an EC2 instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html
Once your instance is deployed, connect to it via SSH or “EC2 Instance Connect” and run the following commands from the command line:
nslookup amazon.com
nslookup gaming.amazon.com
nslookup google.com
nslookup nytimes.com
The result should be similar to:
[ec2-user@ip-10-0-3-76 ~]$ nslookup amazon.com
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find amazon.com: NXDOMAIN
[ec2-user@ip-10-0-3-76 ~]$ nslookup gaming.amazon.com
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find gaming.amazon.com: NXDOMAIN
[ec2-user@ip-10-0-3-76 ~]$ nslookup google.com
Server: 10.0.0.2
Address: 10.0.0.2#53
Non-authoritative answer:
Name: google.com
Address: 142.251.179.101
Name: google.com
Address: 142.251.179.102
Name: google.com
Address: 142.251.179.113
Name: google.com
Address: 142.251.179.138
Name: google.com
Address: 142.251.179.139
Name: google.com
Address: 142.251.179.100
Name: google.com
Address: 2607:f8b0:4004:c06::8a
Name: google.com
Address: 2607:f8b0:4004:c06::8b
Name: google.com
Address: 2607:f8b0:4004:c06::64
Name: google.com
Address: 2607:f8b0:4004:c06::65
[ec2-user@ip-10-0-3-76 ~]$ nslookup nytimes.com
Server: 10.0.0.2
Address: 10.0.0.2#53
** server can't find nytimes.com: NXDOMAIN
As the output shows, the blocked domains return an NXDOMAIN response, while google.com, which is not in the domain list, resolves normally.
Review Logs in CloudWatch:
- Open the CloudWatch console.
- Navigate to “Log groups” and find the log group you specified.
- Click “Search all log streams”.
- Review the DNS query logs to confirm that your rule group is working as expected.
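Reading the logs by hand does not scale, and the rcode alone cannot distinguish a firewall block from a name that genuinely does not exist; the Resolver query log record carries a separate firewall_rule_action field for that. The script below is an added example, not from the post: it parses constructed records that follow the Resolver query log JSON schema, tallies blocked domains per source instance, and flags sources that hit several blocked names.

```python
"""Review Route 53 Resolver query logs for DNS Firewall activity. Added example,
not from the post; the records below are constructed but follow the Resolver
query log JSON schema (one object per CloudWatch Logs event)."""
import json
from collections import Counter, defaultdict

# Constructed events: the post's nslookup test as the resolver logged it, plus one
# genuine NXDOMAIN (no firewall fields) for a name that simply does not exist.
SAMPLE_LOG = """
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-06-01T10:00:00Z","query_name":"amazon.com.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.3.76","srcport":"56067","transport":"UDP","srcids":{"instance":"i-0example1"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-06-01T10:00:01Z","query_name":"gaming.amazon.com.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.3.76","srcport":"56068","transport":"UDP","srcids":{"instance":"i-0example1"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-06-01T10:00:02Z","query_name":"google.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"142.251.179.101","Type":"A","Class":"IN"}],"srcaddr":"10.0.3.76","srcport":"56069","transport":"UDP","srcids":{"instance":"i-0example1"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-06-01T10:00:03Z","query_name":"nytimes.com.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.3.76","srcport":"56070","transport":"UDP","srcids":{"instance":"i-0example1"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-06-01T10:00:04Z","query_name":"does-not-exist.invalid.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.3.76","srcport":"56071","transport":"UDP","srcids":{"instance":"i-0example1"}}
"""


def parse_records(text: str) -> list:
    """One JSON object per line; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize(records: list) -> dict:
    """Separate firewall BLOCKs from ordinary NXDOMAINs: rcode alone cannot tell them apart."""
    blocked, by_source, plain_nx = Counter(), defaultdict(set), Counter()
    for r in records:
        name = r["query_name"].rstrip(".")
        src = r.get("srcids", {}).get("instance") or r.get("srcaddr")
        if r.get("firewall_rule_action") == "BLOCK":
            blocked[name] += 1
            by_source[src].add(name)
        elif r.get("rcode") == "NXDOMAIN":
            plain_nx[name] += 1
    return {"blocked": dict(blocked),
            "by_source": {s: sorted(d) for s, d in by_source.items()},
            "nxdomain_not_blocked": dict(plain_nx)}


def noisy_sources(summary: dict, threshold: int = 3) -> list:
    """Sources that hit at least `threshold` distinct blocked domains deserve a closer look."""
    return sorted(s for s, d in summary["by_source"].items() if len(d) >= threshold)


if __name__ == "__main__":
    s = summarize(parse_records(SAMPLE_LOG))
    print(json.dumps(s, indent=2))
    print("review:", noisy_sources(s))
```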
Best Practices:
- Regularly Update Rule Groups: Keep your rule groups updated to include new threats and domains as they are identified.
- Monitor DNS Query Logs: Continuously monitor logs to detect and respond to suspicious activity.
- Implement Least Privilege: Apply the principle of least privilege when creating rules, allowing only necessary domains and blocking everything else by default.
DNS query filtering on AWS using Route 53 and the Route 53 Resolver DNS Firewall is a powerful tool for enhancing the security and performance of your network. By following the steps outlined in this guide, you can effectively manage and control DNS queries within your AWS environment, ensuring a safer and more reliable infrastructure.
Thank you for being a part of the In Plain English community! Before you go: