Stop the CNAME chain battle: Simplified administration with Route 53 Resolver DNS Firewall

0
2699
Stop the CNAME chain battle: Simplified administration with Route 53 Resolver DNS Firewall


Voiced by Polly

Starting right this moment, you may configure your DNS Firewall to robotically belief all domains in a decision chain (akin to aCNAME, DNAME, or Alias chain).

Let’s stroll by this in nontechnical phrases for these unfamiliar with DNS.

Why use DNS Firewall?
DNS Firewall gives safety for outbound DNS requests out of your personal community within the cloud (Amazon Virtual Private Cloud (Amazon VPC)). These requests route by Amazon Route 53 Resolver for area title decision. Firewall directors can configure guidelines to filter and regulate the outbound DNS visitors.

DNS Firewall helps to guard in opposition to a number of safety dangers.

Let’s think about a malicious actor managed to put in and run some code in your Amazon Elastic Compute Cloud (Amazon EC2) situations or containers working inside one in all your digital personal clouds (VPCs). The malicious code is prone to provoke outgoing community connections. It would possibly achieve this to hook up with a command server and obtain instructions to execute in your machine. Or it would provoke connections to a third-party service in a coordinated distributed denial of service (DDoS) assault. It may additionally attempt to exfiltrate knowledge it managed to gather in your community.

Fortunately, your community and safety teams are appropriately configured. They block all outgoing visitors besides the one to well-known API endpoints utilized by your app. So far so good—the malicious code can not dial again dwelling utilizing common TCP or UDP connections.

But what about DNS visitors? The malicious code could ship DNS requests to an authoritative DNS server they management to both ship management instructions or encoded knowledge, and it could obtain knowledge again within the response. I’ve illustrated the method within the following diagram.

DNS exfiltration illustrated

To stop these situations, you should utilize a DNS Firewall to observe and management the domains that your purposes can question. You can deny entry to the domains that you recognize to be unhealthy and permit all different queries to go by. Alternately, you may deny entry to all domains besides these you explicitly belief.

What is the problem with CNAME, DNAME, and Alias data?
Imagine you configured your DNS Firewall to permit DNS queries solely to particular well-known domains and blocked all others. Your software communicates with alexa.amazon.com; due to this fact, you created a rule permitting DNS visitors to resolve that hostname.

However, the DNS system has a number of forms of data. The ones of curiosity on this article are

  • A data that map a DNS title to an IP deal with,
  • CNAME data which can be synonyms for different DNS names,
  • DNAME data that present redirection from part of the DNS title tree to a different a part of the DNS title tree, and
  • Alias data that present a Route 53 particular extension to DNS performance. Alias data allow you to route visitors to chose AWS assets, akin to Amazon CloudEntrance distributions and Amazon S3 buckets

When querying alexa.amazon.com, I see it’s truly a CNAME document that factors to pitangui.amazon.com, which is one other CNAME document that factors to tp.5fd53c725-frontier.amazon.com, which, in flip, is a CNAME to d1wg1w6p5q8555.cloudfront.internet. Only the final title (d1wg1w6p5q8555.cloudfront.internet) has an A document related to an IP deal with 3.162.42.28. The IP deal with is prone to be totally different for you. It factors to the closest Amazon CloudEntrance edge location, doubtless the one from Paris (CDG52) for me.

An analogous redirection mechanism occurs when resolving DNAME or Alias data.

DNS resolution for alexa.amazon.com

To permit the entire decision of such a CNAME chain, you would be tempted to configure your DNS Firewall rule to permit all names underneath amazon.com (*.amazon.com), however that will fail to resolve the final CNAME that goes to cloudfront.internet.

Worst, the DNS CNAME chain is managed by the service your software connects to. The chain would possibly change at any time, forcing you to manually keep the listing of guidelines and licensed domains inside your DNS Firewall guidelines.

Introducing DNS Firewall redirection chain authorization
Based on this rationalization, you’re now geared up to know the brand new functionality we launch right this moment. We added a parameter to the UpdateFirewallRule API (additionally accessible on the AWS Command Line Interface (AWS CLI) and AWS Management Console) to configure the DNS Firewall in order that it follows and robotically trusts all of the domains in a CNAME, DNAME, or Alias chain.

This parameter permits firewall directors to solely permit the area your purposes question. The firewall will robotically belief all intermediate domains within the chain till it reaches the A document with the IP deal with.

Let’s see it in motion
I begin with a DNS Firewall already configured with a area listing, a rule group, and a rule that ALLOW queries for the area alexa.amazon.com. The rule group is connected to a VPC the place I’ve an EC2 occasion began.

When I connect with that EC2 occasion and subject a DNS question to resolve alexa.amazon.com, it solely returns the primary title within the area chain (pitangui.amazon.com) and stops there. This is predicted as a result of pitangui.amazon.com will not be licensed to be resolved.

DNS query for alexa.amazon.com is blocked at first CNAME

To clear up this, I replace the firewall rule to belief your complete redirection chain. I take advantage of the AWS CLI to name the update-firewall-rule API with a brand new parameter firewall-domain-redirection-action set to TRUST_REDIRECTION_DOMAIN.

AWS CLI to update the DNS firewall rule

The following diagram illustrates the setup at this stage.

DNS Firewall rule diagram

Back to the EC2 occasion, I strive the DNS question once more. This time, it really works. It resolves your complete redirection chain, all the way down to the IP deal with 🎉.

DNS resolution for the full CNAME chain

Thanks to the trusted chain redirection, community directors now have a simple solution to implement a technique to dam all domains and authorize solely recognized domains of their DNS Firewall with out having to care about CNAME, DNAME, or Alias chains.

This functionality is on the market at no extra price in all AWS Regions. Try it out right this moment!

— seb

LEAVE A REPLY

Please enter your comment!
Please enter your name here