AWS DNS Firewall Technical Analysis
AWS DNS Firewall is a managed firewall service that helps to protect you against DNS exfiltration. It was released on Mar 31, 2021. You can run AWS DNS Firewall in blacklist or whitelist mode.
This article assumes you have basic knowledge of AWS DNS Firewall (e.g. rule groups, rules and domain lists). If not, you can refer to “How Route 53 Resolver DNS Firewall works” to find out more.
Blacklist Mode
By default, if you do not have any rules in your rule group, all DNS queries are allowed to go through. To use blacklist mode, you simply have to create a domain list that contains the bad domains and create a rule with the action BLOCK on the new domain list.
Whitelist Mode
Since queries are allowed to go through by default, you will have to create two domain lists to use this mode.
- Block Domain List: only contains a wildcard domain (i.e. “*”). This will be used to block everything by default.
- Allow Domain List: contains a list of allowed domains (a.k.a. whitelist)
Then, create one rule in your rule group with the action ALLOW on the Allow Domain List, and another rule with the action BLOCK on the Block Domain List. The latter rule must have a lower priority (a higher priority number) than the former. This is because we want the ALLOW rule to be evaluated first, so that only queries it does not match reach the catch-all BLOCK rule, which blocks everything else by default.
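As an added illustration (not code from this article or from AWS), the following Python models the rule-group evaluation that both modes rely on: rules are tried from the lowest priority number upwards, the first matching rule decides, and an unmatched query is allowed. `whitelist_rules` builds the two-rule set-up described above and `check_whitelist` flags the ordering mistake the last paragraph warns about; the matching semantics (a plain entry matches exactly, `*.example.com` matches subdomains, `*` matches everything) are a simplification assumed here.

```python
# Added example (not code from the article or from AWS): a small model of how
# a Route 53 Resolver DNS Firewall rule group is evaluated, to show why the
# whitelist-mode BLOCK "*" rule needs a higher priority number than ALLOW.
# Assumed (simplified) semantics: rules run from the lowest priority number
# upwards, the first match decides, a plain entry matches exactly,
# "*.example.com" matches any subdomain and "*" matches every name.
from dataclasses import dataclass

DEFAULT_ACTION = "ALLOW"  # no rule matched: the query goes through

@dataclass(frozen=True)
class Rule:
    priority: int        # lower number = evaluated earlier
    action: str          # "ALLOW" or "BLOCK"
    domains: frozenset   # entries of the rule's domain list

def _norm(name: str) -> str:
    return name.lower().rstrip(".")

def matches(entry: str, qname: str) -> bool:
    entry, qname = _norm(entry), _norm(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])  # "*.example.com" -> ".example.com"
    return entry == qname

def evaluate(rules, qname: str) -> str:
    """Return the action the rule group applies to a query for qname."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(matches(d, qname) for d in rule.domains):
            return rule.action
    return DEFAULT_ACTION

def whitelist_rules(allowed, allow_priority: int, block_priority: int):
    """Build the two rules of whitelist mode: ALLOW list plus BLOCK on "*"."""
    return [
        Rule(allow_priority, "ALLOW", frozenset(allowed)),
        Rule(block_priority, "BLOCK", frozenset({"*"})),
    ]

def check_whitelist(rules) -> list:
    """Flag a catch-all BLOCK that would be evaluated before an ALLOW rule."""
    problems = []
    for b in (r for r in rules if r.action == "BLOCK" and "*" in r.domains):
        for a in (r for r in rules if r.action == "ALLOW"):
            if b.priority < a.priority:
                problems.append(f"BLOCK * at priority {b.priority} shadows "
                                f"ALLOW at priority {a.priority}: everything is blocked")
    return problems
```

Swap the two priority arguments of `whitelist_rules` and every query, including the allowed names, comes back BLOCK, which is exactly the misordering `check_whitelist` reports.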