AWS Route 53 Resolver DNS Firewall
We make use of AWS Route 53 Resolver DNS Firewall to control access to sites and block DNS-level threats for DNS queries going out from all Modernisation Platform VPCs.
We also benefit from using AWS’s curated lists of domain names that are associated with malicious activity or other potential threats which are constantly updated from their own sources and partners such as Recorded Future.
What is AWS R53 Resolver DNS Firewall?
To learn more about how AWS R53 Resolver DNS firewall works see the following documentation:
What’s enabled by default?
We have created a r53-dns-firewall terraform module to enable the service across all Mod Platform VPCs.
This creates a standard set of rules per VPC which are applied in the following priority order:
- an
ALLOWrule for a custom list of allowed domains (empty by default) - a set of rules that
BLOCKany domains that match the AWS-managed threat domain lists - a
BLOCKrule for a custom list of blocked domains (empty by default)
If any queried domains match the BLOCK rules then they will not resolve. Instead they will return with an NXDOMAIN error message, indicating that the domain doesn’t exist.
This module also sets up some central alerting to make the Modernisation Platform aware of any blocked requests. If we are alerted to any spikes in activity then we will contact platform members directly.
Custom domain lists
In addition to the default protections enabled it is possible to add a set of custom domains to the allow or block lists that have been described above. The README for the module gives an example of how this could be configured.
Please note that this is configured at VPC level and as they are shared per business area, any custom domains/rules updated would apply to all workloads within the VPC.