Posted On: Oct 27, 2022
Starting today, Amazon Route 53 Resolver DNS Firewall is available in the Amazon Web Services China (Beijing) region, operated by Sinnet, and Amazon Web Services China (Ningxia) region, operated by NWCD.
Route 53 DNS Firewall is a managed firewall that enables customers to block DNS queries made for known malicious domains and to allow queries for trusted domains. DNS Firewall provides more granular control over the DNS querying behavior of resources within your Amazon Virtual Private Clouds (VPCs). Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with via DNS. You can also take a stricter, “walled-garden” approach by creating “allowlists” that permit outbound DNS queries only to domains you specify.
To share DNS Firewall rules across accounts, you can use Amazon Resource Access Manager (RAM), which enables customers to centrally share Amazon Web Services resources with other Amazon Web Services accounts. You can use Amazon CloudWatch Metrics to understand the number of DNS queries being blocked or allowed by your firewall, down to the rule level. You can also enable logging with Route 53 Resolver Query Logs to get instance-level information on blocked and allowed queries for each VPC resource. If you choose to store your logs in CloudWatch log groups, you can use CloudWatch Contributor Insights to create rules that surface high-cardinality data, such as the top resources making the most queries that are being blocked by the firewall.
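The walled-garden approach above depends on rule ordering: the allowlist rule must be evaluated before a catch-all block rule. As an added illustration (not code from AWS or from this announcement), the following Python models a DNS Firewall rule group evaluation under two assumptions: the first matching rule in ascending priority order decides, and a `*.example.com` entry matches subdomains only, not the apex name. The rule priorities, domain lists and query names are constructed for the demonstration.

```python
"""Simplified model of a Route 53 Resolver DNS Firewall rule group.

Illustration only (not the service's implementation): the matching and
ordering semantics are assumed, and every domain and priority below is
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int        # lower number is evaluated first (assumption)
    action: str          # "ALLOW", "BLOCK" or "ALERT"
    domains: frozenset   # entries of the rule's firewall domain list


def domain_matches(pattern: str, qname: str) -> bool:
    """'*' matches everything; '*.x' matches subdomains of x only."""
    qname = qname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return qname.endswith(pattern[1:])   # apex 'x' itself is not covered
    return qname == pattern


def evaluate(rules, qname: str) -> str:
    """First matching rule in priority order decides; no match means ALLOW."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(domain_matches(p, qname) for p in rule.domains):
            return rule.action
    return "ALLOW"


# Walled garden: trusted domains allowed first, everything else blocked last.
WALLED_GARDEN = [
    Rule(100, "ALLOW", frozenset({"*.amazonaws.com.cn", "repo.example.internal"})),
    Rule(200, "BLOCK", frozenset({"*"})),
]

# Same rules with priorities swapped: the catch-all shadows the allowlist,
# so even trusted names are blocked.
MISORDERED = [
    Rule(100, "BLOCK", frozenset({"*"})),
    Rule(200, "ALLOW", frozenset({"*.amazonaws.com.cn"})),
]

if __name__ == "__main__":
    for q in ("s3.cn-north-1.amazonaws.com.cn", "amazonaws.com.cn", "cdn.example.test"):
        print(q, evaluate(WALLED_GARDEN, q), evaluate(MISORDERED, q))
```

Note that `amazonaws.com.cn` itself is blocked by the walled garden because the allowlist entry is `*.amazonaws.com.cn`; add the apex name explicitly if it must resolve.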