Route 53 Resolver DNS Firewall lets you block DNS queries for domains that are known to be malicious.
Here’s a look at how it works:
Imagine a user in your VPC tries to access evil-malware-site.com. Without DNS Firewall, their request goes to a public DNS resolver, which might return an IP address for that malicious site. With DNS Firewall, the query first hits the Resolver, which checks its configured rules. If a rule matches evil-malware-site.com, the Resolver can be configured to return a special IP address (like 0.0.0.0) or an NXDOMAIN (Non-Existent Domain) response, effectively preventing the connection.
Let’s set up a scenario. Suppose you want to block domains associated with known phishing campaigns.
First, you need to create a DNS Firewall rule group. This group will contain your actual rules.
aws route53resolver create-firewall-rule-group --creator-request-id "phishing-rule-group-001" --name "PhishingBlockList"
This command creates an empty rule group. The creator-request-id is a unique string you choose so that a retried request does not create a duplicate group; note the rule group Id in the response, because the following steps need it.
Next, you’ll add rules to this group. You can define custom domains or use AWS managed domains. For this example, let’s add a custom rule to block a specific phishing domain.
aws route53resolver create-firewall-domain-list --creator-request-id "phishing-list-001" --name "PhishingDomains"
aws route53resolver update-firewall-domains --firewall-domain-list-id "your-domain-list-id" --operation ADD --domains "phishing-example.com"
aws route53resolver create-firewall-rule --creator-request-id "phishing-rule-001" --firewall-rule-group-id "your-rule-group-id" --firewall-domain-list-id "your-domain-list-id" --priority 100 --action "BLOCK" --block-response "NXDOMAIN" --name "BlockPhishingExample"
Replace "your-rule-group-id" with the ID returned from the create-firewall-rule-group command and "your-domain-list-id" with the ID returned from create-firewall-domain-list; a rule references a domain list rather than listing domains inline. The action "BLOCK" instructs the Resolver to block queries for the specified domains, and block-response "NXDOMAIN" selects the reply the client sees. You can also use PASS to allow domains that might otherwise be blocked by a broader rule, or ALERT to log queries without blocking.
Now, you need to associate this rule group with your VPC. This is done by creating a Resolver endpoint and then associating the rule group with that endpoint.
aws route53resolver create-resolver-endpoint --name "MyVPCResolver" --direction "INBOUND" --creator-request-id "my-vpc-resolver-001" --security-group-ids "sg-0123456789abcdef0" --ip-addresses SubnetId=subnet-0123456789abcdef0 SubnetId=subnet-abcdef0123456789
You’ll need to replace vpc-0123456789abcdef0, sg-0123456789abcdef0, and the subnet IDs with your actual VPC details. An inbound endpoint is typically used for DNS queries originating from your VPC that need to be inspected.
Finally, associate the rule group with the VPC. The priority sets the order in which DNS Firewall evaluates the rule groups associated with the same VPC, lowest number first, and must be unique per VPC.
aws route53resolver associate-firewall-rule-group --creator-request-id "phishing-assoc-001" --firewall-rule-group-id "your-rule-group-id" --vpc-id "vpc-0123456789abcdef0" --priority 101 --name "PhishingBlockList-vpc"
Once this association is active, any DNS query originating from instances within vpc-0123456789abcdef0 that attempts to resolve phishing-example.com will be blocked by the Route 53 Resolver. The client will receive an NXDOMAIN response.
One subtle but powerful aspect of DNS Firewall is its ability to leverage AWS Managed domains. Instead of manually listing thousands of known malicious domains, you can enable managed rule groups provided by AWS, which are regularly updated with threat intelligence. For instance, you can enable the "AWSManagedRulesAmazonIpReputationList" managed rule group. This group automatically blocks domains associated with known botnets and compromised instances, significantly reducing your attack surface without constant manual upkeep.
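The whole procedure above, from domain list to VPC association, as one script, with the managed-list step added to the same rule group. This is an added example, not code from the original article or from AWS. It assumes an AWS CLI configured for the target account and region, the resource names and priorities it uses, and that the managed list named AWSManagedDomainsMalwareDomainList (one of the AWS managed domain lists DNS Firewall offers) is available in that region; the script looks that list's Id up by name instead of hard-coding it and skips the managed rule if the name is not found. Each call captures the Id from the response with --query so the next step can use it, and BLOCK rules are created with the NXDOMAIN response described above.

```shell
#!/bin/sh
# Added example (not from the original article): the DNS Firewall setup as one script.
# Assumes a configured AWS CLI; names, priorities and the managed list name are assumptions.
set -eu

# Create a custom domain list and load the given domains into it; prints the list Id.
create_domain_list() {
  _name=$1; shift
  _id=$(aws route53resolver create-firewall-domain-list \
          --creator-request-id "$_name-$(date +%s)" --name "$_name" \
          --query 'FirewallDomainList.Id' --output text)
  aws route53resolver update-firewall-domains \
          --firewall-domain-list-id "$_id" --operation ADD --domains "$@" >/dev/null
  echo "$_id"
}

# Look up an AWS managed domain list by name; prints "None" if no list of that name exists.
managed_domain_list_id() {
  aws route53resolver list-firewall-domain-lists \
          --query "FirewallDomainLists[?Name=='$1'].Id | [0]" --output text
}

# Create an empty rule group; prints its Id.
create_rule_group() {
  aws route53resolver create-firewall-rule-group \
          --creator-request-id "$1-$(date +%s)" --name "$1" \
          --query 'FirewallRuleGroup.Id' --output text
}

# add_rule <rule-group-id> <domain-list-id> <priority> <BLOCK|ALERT|PASS> <rule-name>
# Lower priority numbers are evaluated first. BLOCK rules answer with NXDOMAIN.
add_rule() {
  _group=$1; _list=$2; _prio=$3; _action=$4; _name=$5
  _block_opts=""
  if [ "$_action" = BLOCK ]; then _block_opts="--block-response NXDOMAIN"; fi
  # $_block_opts is deliberately unquoted so it expands to two words (or to none).
  aws route53resolver create-firewall-rule \
          --creator-request-id "$_name-$(date +%s)" \
          --firewall-rule-group-id "$_group" --firewall-domain-list-id "$_list" \
          --priority "$_prio" --action "$_action" --name "$_name" $_block_opts \
          --query 'FirewallRule.Name' --output text
}

# Associate a rule group with a VPC; prints the association Id.
# The association priority must be unique per VPC (allowed range 100-9900).
associate_with_vpc() {
  aws route53resolver associate-firewall-rule-group \
          --creator-request-id "$3-$(date +%s)" \
          --firewall-rule-group-id "$1" --vpc-id "$2" --priority 101 --name "$3" \
          --query 'FirewallRuleGroupAssociation.Id' --output text
}

# The full procedure for one VPC: custom phishing list plus the AWS managed malware list.
# Prints the association Id.
setup_phishing_block() {
  _vpc=$1
  _custom=$(create_domain_list PhishingDomains phishing-example.com)
  _group=$(create_rule_group PhishingBlockList)
  add_rule "$_group" "$_custom" 100 BLOCK BlockPhishingExample >/dev/null
  _managed=$(managed_domain_list_id AWSManagedDomainsMalwareDomainList)
  if [ -n "$_managed" ] && [ "$_managed" != None ]; then
    add_rule "$_group" "$_managed" 200 BLOCK BlockAwsMalwareDomains >/dev/null
  fi
  associate_with_vpc "$_group" "$_vpc" PhishingBlockList-vpc
}

# Run the whole setup when a VPC Id is supplied in the environment.
if [ -n "${DNSFW_VPC_ID:-}" ]; then
  setup_phishing_block "$DNSFW_VPC_ID"
fi
```

Run it as `DNSFW_VPC_ID=vpc-0123456789abcdef0 sh setup.sh`. The printed association Id can be passed to get-firewall-rule-group-association to confirm that its Status has reached COMPLETE before you test a query from an instance; the association is not enforced until then.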
The Resolver will continue to evaluate DNS queries against your associated rule groups. If a query matches a rule with BLOCK action, the Resolver returns an NXDOMAIN response. If it matches ALERT, the query is logged to CloudWatch Logs. If it matches PASS, the query is forwarded to the next applicable rule or to the upstream resolver.
After blocking malicious domains, your next challenge will likely be monitoring and analyzing the blocked queries to understand your threat landscape.
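As an added example (not from the original article), a small shell helper for that monitoring step. It reads Route 53 Resolver query log records, one JSON record per line as delivered when query logging is enabled for the VPC, and counts the queries DNS Firewall acted on, grouped by action together with a chosen field such as query_name or srcaddr. The log lines below are constructed for the example; the field names query_name, srcaddr and firewall_rule_action are those of the Resolver query log format. Only records that carry firewall_rule_action are counted, so ordinary allowed queries are ignored, and BLOCK and ALERT hits only appear in the logs at all if query logging is configured, which the firewall does not do by itself.

```shell
#!/bin/sh
# Added example (not from the original article): summarise Route 53 Resolver query-log
# records that DNS Firewall acted on. Input is one JSON record per line on stdin.
set -eu

# Constructed sample records in the Resolver query log format (fields trimmed to those used).
SAMPLE_QUERY_LOG='{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:00Z","query_name":"phishing-example.com.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.10","srcids":{"instance":"i-0123456789abcdef0"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:05Z","query_name":"phishing-example.com.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.11","srcids":{"instance":"i-0123456789abcdef1"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:00:09Z","query_name":"phishing-example.com.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.10","srcids":{"instance":"i-0123456789abcdef0"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-example"}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:01:00Z","query_name":"suspicious.example.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.12","srcids":{"instance":"i-0123456789abcdef2"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-example","firewall_domain_list_id":"rslvr-fdl-alerts"}
{"vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2024-05-01T10:01:30Z","query_name":"amazon.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0123456789abcdef0"}}'

# firewall_hits_by <field> [ACTION]
# Counts records that carry firewall_rule_action, grouped by action and the given field
# (for example query_name or srcaddr); an optional ACTION restricts the output to that action.
# Output lines: "<action> <field value> <count>", sorted.
firewall_hits_by() {
  awk -v key="$1" -v want="${2:-}" '
    # Pull a string field out of a flat JSON line without needing jq.
    function field(line, name,   m) {
      if (!match(line, "\"" name "\":\"[^\"]*\"")) return ""
      m = substr(line, RSTART, RLENGTH)
      sub(/^"[^"]*":"/, "", m); sub(/"$/, "", m)
      return m
    }
    {
      action = field($0, "firewall_rule_action")
      if (action == "") next                        # no rule matched this query
      if (want != "" && action != want) next
      v = field($0, key)
      if (key == "query_name") sub(/\.$/, "", v)    # drop the trailing root dot
      count[action " " v]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Demo on the constructed sample: hits per domain, then which hosts hit BLOCK rules most.
printf '%s\n' "$SAMPLE_QUERY_LOG" | firewall_hits_by query_name
printf '%s\n' "$SAMPLE_QUERY_LOG" | firewall_hits_by srcaddr BLOCK
```

The second grouping is the one worth watching: a single source address that keeps resolving a blocked domain is a host that still has something on it trying to reach that domain, and the srcids.instance field in the same record tells you which instance to look at.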