Tuesday, June 25, 2024
HomeCloud ComputingCease the CNAME chain battle: Simplified administration with Route 53 Resolver DNS...

Cease the CNAME chain battle: Simplified administration with Route 53 Resolver DNS Firewall

Voiced by Polly

Up to date 2 Might 2024: I eliminated the reference to Route53 Alias that was incorrectly referred as a series

Beginning right now, you’ll be able to configure your DNS Firewall to robotically belief all domains in a decision chain (comparable to aCNAMEor DNAMEchain).

Let’s stroll by means of this in nontechnical phrases for these unfamiliar with DNS.

Why use DNS Firewall?
DNS Firewall gives safety for outbound DNS requests out of your non-public community within the cloud (Amazon Digital Personal Cloud (Amazon VPC)). These requests route by means of Amazon Route 53 Resolver for area identify decision. Firewall directors can configure guidelines to filter and regulate the outbound DNS visitors.

DNS Firewall helps to guard in opposition to a number of safety dangers.

Let’s think about a malicious actor managed to put in and run some code in your Amazon Elastic Compute Cloud (Amazon EC2) cases or containers working inside one in all your digital non-public clouds (VPCs). The malicious code is more likely to provoke outgoing community connections. It’d accomplish that to connect with a command server and obtain instructions to execute in your machine. Or it would provoke connections to a third-party service in a coordinated distributed denial of service (DDoS) assault. It may also attempt to exfiltrate information it managed to gather in your community.

Fortuitously, your community and safety teams are accurately configured. They block all outgoing visitors besides the one to well-known API endpoints utilized by your app. To date so good—the malicious code can not dial again house utilizing common TCP or UDP connections.

However what about DNS visitors? The malicious code could ship DNS requests to an authoritative DNS server they management to both ship management instructions or encoded information, and it may well obtain information again within the response. I’ve illustrated the method within the following diagram.

DNS exfiltration illustrated

To stop these eventualities, you need to use a DNS Firewall to watch and management the domains that your purposes can question. You possibly can deny entry to the domains that you realize to be unhealthy and permit all different queries to cross by means of. Alternately, you’ll be able to deny entry to all domains besides these you explicitly belief.

What’s the problem with CNAME and DNAME data?
Think about you configured your DNS Firewall to permit DNS queries solely to particular well-known domains and blocked all others. Your utility communicates with alexa.amazon.com; subsequently, you created a rule permitting DNS visitors to resolve that hostname.

Nonetheless, the DNS system has a number of sorts of data. Those of curiosity on this article are

  • A data that map a DNS identify to an IP deal with,
  • CNAME data which might be synonyms for different DNS names,
  • DNAME data that present redirection from part of the DNS identify tree to a different a part of the DNS identify tree, and

When querying alexa.amazon.com, I see it’s truly a CNAME document that factors to pitangui.amazon.com, which is one other CNAME document that factors to tp.5fd53c725-frontier.amazon.com, which, in flip, is a CNAME to d1wg1w6p5q8555.cloudfront.internet. Solely the final identify (d1wg1w6p5q8555.cloudfront.internet) has an A document related to an IP deal with The IP deal with is more likely to be totally different for you. It factors to the closest Amazon CloudFront edge location, possible the one from Paris (CDG52) for me.

An identical redirection mechanism occurs when resolving DNAME data.

DNS resolution for alexa.amazon.com

To permit the entire decision of such a CNAME chain, you possibly can be tempted to configure your DNS Firewall rule to permit all names underneath amazon.com (*.amazon.com), however that might fail to resolve the final CNAME that goes to cloudfront.internet.

Worst, the DNS CNAME chain is managed by the service your utility connects to. The chain would possibly change at any time, forcing you to manually keep the record of guidelines and licensed domains inside your DNS Firewall guidelines.

Introducing DNS Firewall redirection chain authorization
Primarily based on this clarification, you’re now outfitted to know the brand new functionality we launch right now. We added a parameter to the UpdateFirewallRule API (additionally out there on the AWS Command Line Interface (AWS CLI) and AWS Administration Console) to configure the DNS Firewall in order that it follows and robotically trusts all of the domains in a CNAMEor DNAMEchain.

This parameter permits firewall directors to solely enable the area your purposes question. The firewall will robotically belief all intermediate domains within the chain till it reaches the A document with the IP deal with.

Let’s see it in motion
I begin with a DNS Firewall already configured with a area record, a rule group, and a rule that ALLOW queries for the area alexa.amazon.com. The rule group is connected to a VPC the place I’ve an EC2 occasion began.

After I connect with that EC2 occasion and problem a DNS question to resolve alexa.amazon.com, it solely returns the primary identify within the area chain (pitangui.amazon.com) and stops there. That is anticipated as a result of pitangui.amazon.com shouldn’t be licensed to be resolved.

DNS query for alexa.amazon.com is blocked at first CNAME

To resolve this, I replace the firewall rule to belief the complete redirection chain. I take advantage of the AWS CLI to name the update-firewall-rule API with a brand new parameter firewall-domain-redirection-action set to TRUST_REDIRECTION_DOMAIN.

AWS CLI to update the DNS firewall rule

The next diagram illustrates the setup at this stage.

DNS Firewall rule diagram

Again to the EC2 occasion, I attempt the DNS question once more. This time, it really works. It resolves the complete redirection chain, right down to the IP deal with 🎉.

DNS resolution for the full CNAME chain

Because of the trusted chain redirection, community directors now have a straightforward solution to implement a method to dam all domains and authorize solely recognized domains of their DNS Firewall with out having to care about CNAMEor DNAMEchains.

This functionality is accessible at no extra price in all AWS Areas. Attempt it out right now!

— seb



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments