Route 53 Resolver DNS Firewall¶
What Is Route 53 Resolver DNS Firewall?¶
Route 53 Resolver DNS Firewall is a managed DNS filtering service that controls DNS queries originating from VPC resources.
It evaluates DNS requests and can:
- allow domains
- block domains
- alert on lookups
before DNS resolution occurs.
Think of DNS Firewall as:
Domain-level protection for AWS DNS requests.
Why It Matters for Security¶
DNS Firewall helps organizations:
- block malicious domains
- prevent command-and-control communication
- reduce malware reachability
- enforce DNS governance
- support hybrid DNS security
Security teams use DNS Firewall for:
- threat prevention
- DNS policy enforcement
- exfiltration reduction
- centralized DNS controls
Core Concepts¶
- DNS filtering
- allow/deny domains
- DNS governance
- outbound DNS protection
- centralized policies
- DNS inspection
Important Integrations¶
Route 53 Resolver¶
DNS Firewall attaches to:
- Route 53 Resolver
Very important service identity: DNS Firewall is a feature of Route 53 Resolver, so it can only filter queries that are sent to the Resolver (the VPC+2 address, AmazonProvidedDNS).
Amazon VPC¶
Protects:
- DNS requests from VPC workloads
AWS Organizations¶
Supports:
- centralized DNS governance
- multi-account deployment
Amazon CloudWatch¶
Supports:
- monitoring
- logging (Resolver query logs delivered to CloudWatch Logs; a record carries firewall_rule_action, firewall_rule_group_id and firewall_domain_list_id when a rule matched)
- investigations
Amazon S3¶
Supports:
- query archival
- analytics
DNS Firewall has no log destination of its own: enable Route 53 Resolver query logging on the VPC and choose CloudWatch Logs, S3 or Kinesis Data Firehose as the destination.
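To show what those logs give an analyst, here is an added example (written for this page; not AWS code and not from the original) that reads Resolver query log records and pulls out what DNS Firewall did. The six records are constructed: the field names follow the Resolver query log JSON format, but every instance ID, rule group ID, domain list ID, domain and address is invented.

```python
"""Hunt DNS Firewall BLOCK/ALERT events in Route 53 Resolver query logs.
Added example, not AWS code. Field names follow the Resolver query log format;
the records, IDs and addresses below are constructed for this page."""
import json
from collections import Counter

SAMPLE_LOG = r"""
{"query_timestamp":"2024-05-01T10:00:01Z","vpc_id":"vpc-0a1b2c3d","query_name":"api.vendor.example.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"198.51.100.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcids":{"instance":"i-0123456789abcdef0"}}
{"query_timestamp":"2024-05-01T10:00:02Z","vpc_id":"vpc-0a1b2c3d","query_name":"edge.c2.badguys.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcids":{"instance":"i-0fedcba9876543210"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef0","firewall_domain_list_id":"rslvr-fdl-aaaabbbbccccdddd0"}
{"query_timestamp":"2024-05-01T10:00:32Z","vpc_id":"vpc-0a1b2c3d","query_name":"edge.c2.badguys.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcids":{"instance":"i-0fedcba9876543210"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef0","firewall_domain_list_id":"rslvr-fdl-aaaabbbbccccdddd0"}
{"query_timestamp":"2024-05-01T10:01:02Z","vpc_id":"vpc-0a1b2c3d","query_name":"edge.c2.badguys.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.77","srcids":{"instance":"i-0fedcba9876543210"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef0","firewall_domain_list_id":"rslvr-fdl-aaaabbbbccccdddd0"}
{"query_timestamp":"2024-05-01T10:01:10Z","vpc_id":"vpc-0a1b2c3d","query_name":"files.paste.example.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.20","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcids":{"instance":"i-0123456789abcdef0"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-0123456789abcdef0","firewall_domain_list_id":"rslvr-fdl-eeeeffff000011112"}
{"query_timestamp":"2024-05-01T10:01:15Z","vpc_id":"vpc-0a1b2c3d","query_name":"static.vendor.example.","query_type":"A","rcode":"NOERROR","answers":[],"srcaddr":"10.0.1.25","srcids":{"instance":"i-0123456789abcdef0"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0123456789abcdef0","firewall_domain_list_id":"rslvr-fdl-aaaabbbbccccdddd0"}
"""

def parse_records(text):
    """One JSON object per line, as delivered to CloudWatch Logs or S3."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def firewall_events(records):
    """Records DNS Firewall acted on. Unmatched queries carry no firewall_* fields at all,
    and a NODATA block still has rcode NOERROR, so filter on the action field, never on rcode."""
    return [r for r in records if r.get("firewall_rule_action") in ("BLOCK", "ALERT")]

def summarize(records):
    """Per-source view: how many blocks and alerts, which domains, which instance."""
    out = {}
    for r in firewall_events(records):
        src = out.setdefault(r["srcaddr"], {"instance": r.get("srcids", {}).get("instance"),
                                            "BLOCK": 0, "ALERT": 0, "domains": set()})
        src[r["firewall_rule_action"]] += 1
        src["domains"].add(r["query_name"].rstrip("."))
    return out

def beacon_candidates(records, min_hits=3):
    """(srcaddr, domain) pairs blocked at least min_hits times: a blocked name that keeps
    coming back from the same host is an implant retrying its C2, not a one-off lookup."""
    hits = Counter((r["srcaddr"], r["query_name"].rstrip("."))
                   for r in records if r.get("firewall_rule_action") == "BLOCK")
    return sorted(pair for pair, n in hits.items() if n >= min_hits)

def blocked_but_noerror(records):
    """Blocks answered with NOERROR (NODATA or OVERRIDE): invisible to a client-side error check."""
    return [r["query_name"].rstrip(".") for r in records
            if r.get("firewall_rule_action") == "BLOCK" and r.get("rcode") == "NOERROR"]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, info in summarize(recs).items():
        print(src, info["instance"], info["BLOCK"], "blocked", info["ALERT"], "alerted", sorted(info["domains"]))
    print("beacon candidates:", beacon_candidates(recs))
    print("blocks the client saw as NOERROR:", blocked_but_noerror(recs))
```

Two things the code relies on are easy to miss when writing detections: an unmatched query has no firewall_* fields at all, and a NODATA or OVERRIDE block returns rcode NOERROR, so a query that filters on rcode would miss most blocks.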
AWS Security Hub¶
Receives GuardDuty DNS-based findings and AWS Firewall Manager compliance findings for DNS Firewall policies; individual block/alert events are not findings and stay in the Resolver query logs.
Amazon GuardDuty¶
Supports:
- managed threat intelligence, published to DNS Firewall as the managed domain list AWSManagedDomainsAmazonGuardDutyThreatIntelligenceList
GuardDuty detects; DNS Firewall is the component that blocks.
Very important integration.
Security Features¶
Domain Filtering¶
Controls:
- allow
- block
- alert
Example:
allowed.example
blocked.example
Rule Groups¶
Rules are organized into:
→ Rule Groups
Can be reused across:
- VPCs
- accounts (shared through AWS RAM)
Very important governance concept.
Domain Lists¶
Rules reference:
- domain lists
Examples:
trusted-domains
malware-domains
Response Actions¶
Allow¶
Resolve domain.
Block¶
Prevent resolution; the client receives NODATA, NXDOMAIN or an OVERRIDE CNAME, as configured on the rule.
Alert¶
Log but allow.
Very important exam distinction.
Centralized DNS Governance¶
Pattern:
Organizations
↓
Security Account
↓
DNS Firewall
↓
Member Accounts
Mechanics: the security account owns the rule groups, shares them with AWS RAM, and an AWS Firewall Manager DNS Firewall policy associates them with every in-scope VPC, including VPCs created later.
Advanced Security and Operational Concepts¶
DNS Firewall Filters Queries — Not Traffic¶
Evaluates:
Workload
↓
DNS Query
↓
Resolver
↓
DNS Firewall
Does NOT inspect:
- packets
- HTTP
- payloads
It also does NOT see queries that never reach the Resolver: a process that sends DNS straight to a public resolver on port 53, or uses DNS over HTTPS, bypasses it. Pair DNS Firewall with security group or Network Firewall rules that allow outbound DNS only to the VPC Resolver.
Very important distinction.
Rule Priority (Classic Trap)¶
Rules evaluate by:
→ Priority
Lower number is evaluated first.
Two levels apply: the association priority orders the rule groups attached to a VPC, and the rule priority orders the rules inside each group.
Example:
Priority 100
↓
Priority 200
↓
Priority 300
Evaluation stops after the first match, so an ALLOW at 100 beats a BLOCK at 200 for the same domain.
Pattern:
Match
↓
Action
↓
Stop
Very important policy behavior.
VPC Association Requirement¶
Creating Rule Groups alone does nothing.
Must associate:
Rule Group
↓
VPC
Each association carries its own priority, which orders the rule groups when a VPC has several. Enabling mutation protection on the association stops the VPC owner from detaching a centrally applied group.
Very important deployment step.
Fail Open Behavior¶
Fail open is a per-VPC Resolver setting (firewall fail open), and it is DISABLED by default.
If DNS Firewall cannot evaluate a query:
Fail open enabled:
Allow Query
↓
Continue Application
Fail open disabled (default):
Query fails
↓
Application cannot resolve
Tradeoff:
| Fail Open (enabled) | Fail Closed (default) |
|---|---|
| availability | enforcement |
| continuity | protection |
Very important operational decision.
Block Responses¶
A BLOCK rule returns one of:
| Response | Behavior |
|---|---|
| NODATA | NOERROR with an empty answer section: the name exists, but there is no record |
| NXDOMAIN | domain does not exist |
| OVERRIDE | CNAME to a domain you specify (for example a sinkhole), with the TTL you set |
NODATA and OVERRIDE look like successful responses to the client, so only the query log (firewall_rule_action) shows that a block happened.
Very important operational nuance.
AWS Managed Domain Lists¶
Supports managed intelligence.
Examples:
- botnets
- malware
- crypto mining
- command-and-control
List names: AWSManagedDomainsMalwareDomainList, AWSManagedDomainsBotnetCommandandControl, AWSManagedDomainsAggregateThreatList, AWSManagedDomainsAmazonGuardDutyThreatIntelligenceList.
Pattern:
GuardDuty
↓
Managed Lists
↓
DNS Firewall
Very important automation capability.
CNAME Chain Inspection¶
DNS Firewall evaluates:
- queried domain
- CNAME targets
Example:
app.example.com
↓
CNAME
↓
malicious.com
If either matches:
→ Block
Prevents DNS bypass.
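The evaluation rules described in the Response Actions, Rule Priority, VPC Association, Fail Open, block response and CNAME sections above, put together in one runnable model. This is an added example written for this page, not AWS's implementation: it assumes that a `*.x` entry matches subdomains of `x` but not `x` itself, that an ALLOW on the queried name does not exempt its CNAME targets from BLOCK rules, and it stands in for upstream DNS with a constructed answer table. Every domain, address, rule group name and priority below is made up.

```python
"""Model of how Route 53 Resolver DNS Firewall decides a query (added example, not AWS code).
Assumptions: '*.x' matches subdomains of x but not x itself; an ALLOW on the queried name
does not exempt its CNAME targets. Every domain, address and name here is made up."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                          # ALLOW | BLOCK | ALERT
    domains: frozenset                   # domain list entries: "c2.example", "*.c2.example"
    block_response: str = "NODATA"       # NODATA | NXDOMAIN | OVERRIDE (BLOCK rules only)
    override_domain: Optional[str] = None

@dataclass
class RuleGroup:
    name: str
    rules: list

@dataclass
class VpcFirewall:
    associations: list                   # [(association priority, RuleGroup), ...]
    fail_open: bool = False              # AWS default is fail closed

def domain_matches(entry: str, name: str) -> bool:
    entry, name = entry.lower().rstrip("."), name.lower().rstrip(".")
    if entry.startswith("*."):           # wildcard: subdomains only (assumption, see docstring)
        return name.endswith(entry[1:])
    return name == entry

def first_match(vpc: VpcFirewall, name: str):
    """First (group, rule) matching name: association priority, then rule priority, lowest first."""
    for _, group in sorted(vpc.associations, key=lambda a: a[0]):
        for rule in sorted(group.rules, key=lambda r: r.priority):
            if any(domain_matches(d, name) for d in rule.domains):
                return group, rule
    return None

def evaluate(vpc: VpcFirewall, qname: str, resolve: Callable, firewall_up: bool = True) -> dict:
    """Decide one query; resolve(name) stands in for upstream DNS and returns [(rtype, rdata)]."""
    if not firewall_up:                  # DNS Firewall could not evaluate the query
        if vpc.fail_open:
            return {"action": "FAIL_OPEN", "rcode": "NOERROR", "alerts": [],
                    "answers": [(qname, t, d) for t, d in resolve(qname)]}
        return {"action": "FAIL_CLOSED", "rcode": "SERVFAIL", "answers": [], "alerts": []}
    alerts, answers, pending, seen = [], [], [qname], set()
    while pending:                       # the queried name, then every CNAME target
        name = pending.pop(0)
        if name in seen:
            continue
        seen.add(name)
        match = first_match(vpc, name)
        if match:
            group, rule = match
            if rule.action == "BLOCK":
                out = {"action": "BLOCK", "rule_group": group.name, "matched": name,
                       "rcode": "NOERROR", "answers": [], "alerts": alerts}   # NODATA default
                if rule.block_response == "NXDOMAIN":
                    out["rcode"] = "NXDOMAIN"
                elif rule.block_response == "OVERRIDE":                     # looks like a real answer
                    out["answers"] = [(qname, "CNAME", rule.override_domain)]
                return out
            if rule.action == "ALERT":
                alerts.append(f"rule_group={group.name} query={qname} matched={name}")
            # ALLOW: first match ends evaluation for this name; resolution continues
        for rtype, rdata in resolve(name):
            answers.append((name, rtype, rdata))
            if rtype == "CNAME":
                pending.append(rdata)
    return {"action": "ALERT" if alerts else "ALLOW", "rcode": "NOERROR",
            "answers": answers, "alerts": alerts}

# Constructed policy: a shared threat-intel group plus a VPC-local group.
SHARED = RuleGroup("shared-threat-intel", [
    Rule(100, "ALLOW", frozenset({"api.vendor.example"})),             # exception, evaluated first
    Rule(200, "BLOCK", frozenset({"*.vendor.example"}), "NXDOMAIN"),
    Rule(300, "BLOCK", frozenset({"c2.badguys.example", "*.c2.badguys.example"}),
         "OVERRIDE", override_domain="sinkhole.corp.example"),
    Rule(400, "ALERT", frozenset({"*.paste.example"})),
])
LOCAL = RuleGroup("vpc-local", [Rule(100, "BLOCK", frozenset({"*.paste.example"}), "NODATA")])
UPSTREAM = {                                                             # constructed answers
    "api.vendor.example": [("A", "198.51.100.10")],
    "static.vendor.example": [("A", "198.51.100.11")],
    "app.partner.example": [("CNAME", "edge.c2.badguys.example")],
    "edge.c2.badguys.example": [("A", "203.0.113.9")],
    "files.paste.example": [("A", "203.0.113.20")],
}
def upstream(name: str):
    return UPSTREAM.get(name, [])

def make_vpc(shared_prio: int = 100, local_prio: int = 200, fail_open: bool = False) -> VpcFirewall:
    return VpcFirewall([(shared_prio, SHARED), (local_prio, LOCAL)], fail_open)

if __name__ == "__main__":
    for q in UPSTREAM:
        print(q, evaluate(make_vpc(), q, upstream))
```

Running it shows the traps from the sections above in one place: api.vendor.example is allowed because its ALLOW at 100 is hit before the wildcard BLOCK at 200; app.partner.example is blocked even though the name itself is clean, because its CNAME target lands in the blocked list and the client gets a sinkhole CNAME with NOERROR; files.paste.example is only alerted, because the shared group (association priority 100) wins over the local group (200) that would have blocked it, and swapping the association priorities flips that result; and with the firewall unavailable the same query fails with SERVFAIL unless fail open has been enabled.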
Hybrid DNS Protection¶
Protects:
On-Prem
↓
Resolver
↓
AWS
Very important hybrid architecture capability.
Architecture Example¶
Centralized DNS Protection¶
```mermaid
flowchart LR
    APP[Applications]
    RES[Resolver]
    FW[DNS Firewall]
    RULE[Rule Groups]
    LOG[CloudWatch]
    DNS[DNS Resolution]
    APP --> RES
    RES --> FW
    RULE --> FW
    FW --> DNS
    FW --> LOG
    classDef dns fill:#e3f2fd,stroke:#1565c0,color:#0d47a1;
    classDef security fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20;
    class APP,RES,DNS dns;
    class FW,RULE,LOG security;
```
Use case: centralized DNS policy enforcement.
DNS Filtering Workflow¶
```mermaid
sequenceDiagram
    autonumber
    participant APP
    participant RES as Resolver
    participant FW as DNS Firewall
    participant DNS as Upstream DNS
    APP->>RES: DNS lookup
    RES->>FW: Evaluate rule groups (association priority, then rule priority)
    alt No match or ALLOW
        FW-->>RES: Allow
        RES->>DNS: Resolve
        DNS-->>RES: Answer
        RES-->>APP: Response
    else ALERT
        FW-->>RES: Allow and log
        RES->>DNS: Resolve
        DNS-->>RES: Answer
        RES-->>APP: Response
    else BLOCK
        FW-->>RES: NODATA / NXDOMAIN / OVERRIDE
        RES-->>APP: Block response
    end
```
Use case: prevent malicious lookups before resolution.
Threat Prevention Workflow¶
```mermaid
sequenceDiagram
    autonumber
    participant APP as Workload
    participant RES as Resolver
    participant FW as DNS Firewall
    participant DOMAIN as Upstream DNS
    APP->>RES: Resolve domain
    RES->>FW: Inspect query name
    alt Denied
        FW-->>RES: BLOCK
        RES-->>APP: Block response (no C2 address returned)
    else Allowed
        FW-->>RES: ALLOW
        RES->>DOMAIN: Resolve
        DOMAIN-->>RES: Answer (CNAME targets evaluated too)
        RES-->>APP: Response
    end
```
Use case: prevent command-and-control communication.
DNS Firewall vs AWS Network Firewall¶
| DNS Firewall | Network Firewall |
|---|---|
| DNS filtering | packet inspection |
| domain rules | traffic rules |
| DNS only | Layer 3–7 |
Use DNS Firewall when:
- controlling which domains workloads may resolve
Use Network Firewall when:
- inspecting the traffic itself (Network Firewall can also filter by domain via TLS SNI or HTTP Host, but on the connection, not on the DNS query)
- blocking DNS that bypasses the Resolver, such as outbound port 53 to public resolvers, which DNS Firewall never sees
DNS Firewall vs Security Groups¶
| DNS Firewall | Security Groups |
|---|---|
| DNS decisions | connection control |
| domains | IP rules |
DNS Firewall vs Route 53¶
| DNS Firewall | Route 53 |
|---|---|
| filtering | DNS service |
| protection | resolution |
Common Exam Traps¶
Trap 1 — DNS Filtering ≠ Network Filtering¶
DNS Firewall:
- DNS only
Network Firewall:
- packets
Trap 2 — DNS Firewall Does Not Block Active Connections¶
Blocks:
- DNS queries
Not:
- established sessions
Trap 3 — Forgetting Rule Groups¶
Rules require:
→ Rule Groups
Trap 4 — Forgetting Resolver Dependency¶
DNS Firewall requires:
→ Resolver
Trap 5 — Alert Does Not Block¶
Alert:
- logs
Does not:
- deny
Trap 6 — Forgetting Rule Priority¶
Lower number:
→ higher priority
Trap 7 — Forgetting VPC Association¶
Rule Groups must:
→ attach to VPC
Trap 8 — Forgetting Fail Open¶
Need maximum availability?
→ Fail Open (must be enabled per VPC; the default is fail closed)
Trap 9 — Forgetting CNAME Inspection¶
Evaluates:
- query
- target chain
Trap 10 — Forgetting Managed Lists¶
Need automated threat blocking?
→ GuardDuty + Managed Lists
5-Second Recall¶
Identity¶
Route 53 Resolver DNS Firewall = DNS query filtering
Keywords¶
If the scenario mentions:
- malicious domains
- DNS filtering
- command-and-control
- DNS governance
- allow lists
Answer:
→ Route 53 Resolver DNS Firewall
Need Traffic Inspection?¶
→ Network Firewall
Need Domain Blocking?¶
→ DNS Firewall
Need Hybrid DNS?¶
→ Resolver
Need Availability?¶
→ Fail Open
Need Managed Intelligence?¶
→ GuardDuty + Managed Lists
Quick Revision Notes¶
- DNS filtering
- Resolver integration
- Rule Groups
- priorities
- VPC association
- fail open
- domain lists
- allow/block/alert
- CNAME inspection
- GuardDuty integration
- centralized governance
- not packet inspection