
AWS User Group - Perth - April 2021 - DNS

AWS User Group Perth discussion on DNSSEC, DNS Firewall, Route53 Resolvers and more.


  1. AWS USER GROUP – PERTH: DNS IN AWS. James Bromberger (@JamesBromberger), April 2021
  2. JAMES BROMBERGER. Current: Global Head of Cloud for Modis (https://cloud.modis.com/). Previous: AWS Security Solution Architect, Australia & New Zealand. Previous: Vibrant Media (online advertising). Previous: Fotango (invented Serverless; see Wikipedia). Modis: 1,500 in Australia, 8,000 worldwide in 17 countries. Established late 1980s as Ajilon. Parent company: Adecco Group (world's largest HR recruiter). Services: professional consulting & managed services; staffing & placement/recruiting; training.
  3. JAMES BROMBERGER. Current: Debian GNU/Linux Developer (20 years): cloudfront.debian.net. Previous: Debian AMI Maintainer. Previous: Linux.conf.au chair, Perth 2003; assisting, Perth 2014. 9x AWS Certified. AWS Certification Subject Matter Expert (SA Pro, DevOps Pro, Networking, Security). AWS APN Partner Ambassador (ex Cloud Warrior).
  4. TODAY WE SHALL BE LOOKING AT: Route53 Outbound Resolvers and Resolver Rules; GuardDuty (DNS findings); VPC Endpoints; EXPLOIT: DNS Data Exfiltration; DNS Firewall; DNSSEC.
  5. SECURITY: UNMONITORED
  6. SECURITY: MONITOR
  7. THE OLD ADAGE: DNS
  8. DNS REQUIREMENTS: (1) Reliable; (2) Able to resolve VPC Endpoints (within each VPC); (3) Able to resolve on-premise (split horizon) zones; (4) Able to have GuardDuty alert on DNS activity.
  9. DNS BEST PRACTICE: Do not let your instances use alternate DNS servers (security group egress, NAT, etc.). Log DNS queries, set up some analysis and review. Watch for DNS outages/SPOFs.
  10. LARGE ENTERPRISE (2019) [diagram: two VPCs, 10.0.0.0/16 and 10.1.0.0/16, each with public and private subnets across two Availability Zones, NAT gateways, instances and endpoints, joined by a peering connection]
  11. LARGE ENTERPRISE (2019) [diagram: as before, with Bind DNS instances at 10.1.3.5 and 10.1.4.5 in the second VPC; DHCP options: DNS Resolver = 10.1.3.5, 10.1.4.5]
  12. DNS TRAFFIC CROSS-VPC (BIND) [diagram: instances query the Bind DNS instances across the peering connection; Bind resolves from the root and forwards split-horizon zones to the on-premises DNS server]. Problems: (1) No VPC Endpoint resolution; (2) No GuardDuty visibility; (3) UDP & TCP 53 traffic through environment; (4) DNS instance downtime = intermittent outages.
  13. BIND USING VPC RESOLVER [diagram: as before, but Bind forwards to the VPC DNS Resolver (.2 or 169.254.169.53) of the DNS VPC]. (1) Endpoint resolution in DNS VPC (in wrong acct); (2) GuardDuty visibility (in wrong acct); (3) UDP & TCP 53 traffic through environment; (4) DNS instance downtime = intermittent outages.
  14. SOLUTION: R53 OUTBOUND ENDPOINTS [diagram: each VPC uses its own VPC DNS Resolver (.2 or 169.254.169.53); an R53 Outbound Resolver forwards split-horizon zones to the on-premises DNS server; the Bind instances are gone]. (1) Endpoint resolution; (2) GuardDuty visibility; (3) No UDP & TCP 53 traffic through environment; (4) No DNS instance downtime = no intermittent outages. Additional steps: (1) Remove peering; (2) Restrict Security Group egress (no UDP).
  15. DNS EXFIL: DNS is often working in all environments. DNS is often not monitored. DNS often doesn't block known bad domains. DNS exfil: slow! 255 bytes at a time, unreliable (directly; see QUIC). But a compromised machine can use this to COPY and to TUNNEL!
  16. GUARDDUTY: DNS exfil may be spotted by GuardDuty, but won't be blocked. Wouldn't it be better if it actively blocked it?
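Slides 9, 15 and 16 together make the case for logging DNS queries and actually analysing the log, because GuardDuty only raises a finding. The following detector is an added example written for this page, not code from the deck or from AWS. It assumes the JSON field names of Route 53 Resolver query log records (`query_name`, `srcaddr`, `query_type`) as I recall them, the sample records are constructed, and the thresholds are illustrative starting points that need tuning against your own traffic (long CDN or hashed hostnames are the usual false positives).

```python
import hashlib
import json
import math
from collections import defaultdict


def load_query_log(text):
    """Parse newline-delimited JSON query log records (one JSON object per line)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shannon_entropy(s):
    """Bits of entropy per character; hex/base32 payloads score well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'owner' domain: the last two labels. A real deployment would use a
    public-suffix list so that e.g. example.com.au is not reduced to com.au."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(records, max_label=40, entropy_bits=3.2, min_payload=24, unique_names=20):
    """Return findings for (a) single queries whose subdomain labels look like an
    encoded payload and (b) source/domain pairs with many distinct query names,
    which is the shape a copy-over-DNS or tunnelling tool produces."""
    findings = []
    names_per_pair = defaultdict(set)
    for rec in records:
        qname = rec["query_name"].rstrip(".").lower()
        labels = qname.split(".")
        owner = registered_domain(qname)
        names_per_pair[(rec["srcaddr"], owner)].add(qname)
        sub_labels = labels[:-2]
        payload = "".join(sub_labels)
        longest = max((len(label) for label in sub_labels), default=0)
        entropy = shannon_entropy(payload)
        if longest > max_label or (len(payload) >= min_payload and entropy >= entropy_bits):
            findings.append({"kind": "encoded_label", "srcaddr": rec["srcaddr"],
                             "query_name": qname, "query_type": rec.get("query_type"),
                             "entropy": round(entropy, 2)})
    for (src, owner), names in names_per_pair.items():
        if len(names) >= unique_names:
            findings.append({"kind": "high_unique_subdomains", "srcaddr": src,
                             "domain": owner, "count": len(names)})
    return findings


def build_sample_records():
    """Constructed sample, not real traffic: three benign lookups, then a burst of
    TXT queries whose leftmost label carries 48 hex characters of 'data'."""
    recs = [
        {"query_timestamp": "2021-04-20T01:00:00Z", "srcaddr": "10.0.1.25",
         "query_type": "A", "query_name": "www.example.com."},
        {"query_timestamp": "2021-04-20T01:00:01Z", "srcaddr": "10.0.1.25",
         "query_type": "A", "query_name": "s3.ap-southeast-2.amazonaws.com."},
        {"query_timestamp": "2021-04-20T01:00:02Z", "srcaddr": "10.0.2.11",
         "query_type": "AAAA", "query_name": "updates.example.com."},
    ]
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        recs.append({"query_timestamp": f"2021-04-20T01:01:{i:02d}Z", "srcaddr": "10.0.1.40",
                     "query_type": "TXT", "query_name": f"{chunk}.s{i}.exfil-demo.test."})
    return recs


if __name__ == "__main__":
    for finding in analyse(build_sample_records()):
        print(json.dumps(finding))
```

Feed `load_query_log` the contents of a query-log delivery (S3 object or CloudWatch export) in place of the constructed records; the two finding kinds map naturally onto an alert for the per-query case and a daily report for the per-source counts.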
  17. BOTNET C&C (Command and Control): Botnets sometimes don't trust local DNS services not to rat them out! So they will do DNS queries against their own DNS servers: UDP 53 -> Internet.
  18. GUARDDUTY: External DNS resolves may be spotted by GuardDuty, but won't be blocked. Wouldn't it be better if it actively blocked it?
  19. CISCO UMBRELLA [diagram: each VPC's DNS Resolver (.2 or 169.254.169.53) hands queries to an R53 Outbound Resolver, which forwards to Cisco IPs]. (1) Cisco provides two IPv4 addresses to send queries to; (2) They identify their customers by DNS query source address.
  20. DNS LEVEL PROTECTION. Instance: "DNS lookup for foo.com please". Umbrella: response is... (a) the real IP, 3.4.5.6 (ok); (b) NXDOMAIN (blocked); (c) the IP of my Cisco HTTPS proxy server (questionable; will scan content). Customer chooses the response based upon lists: Malware: block. Known good: resolve. Not sure: proxy intercept (NB: clients should have the Cisco Umbrella Root CA installed).
  21. DNS FIREWALL: (1) Define a Rule Group; (2) Add one or more rules; (3) Each rule has a list of domains; (4) Customer can define their own list, or... (5) Managed list of bad domains! (6) Each rule is either PERMIT, ALERT, BLOCK; (7) Block can return NODATA, NXDOMAIN, or override with new data (honeypot?). Can also block by default: permit specific exceptions. Costs: around US$0.60/million queries.
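The "block by default, permit specific exceptions" arrangement on slide 21 only works if the exception rules are evaluated before the catch-all, and that ordering is easy to get wrong. The model below is an added example for this page, not AWS code and not the deck's: it reproduces rule-group evaluation as I understand the service (rules tried from the lowest priority number upwards, first matching rule decides, `*.example.com` matches subdomains only, a bare `*` matches everything), with constructed domain lists using `.test` names, and includes a check that catches a misordered catch-all before it is deployed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FirewallRule:
    name: str
    priority: int                           # lower value is evaluated first
    domains: List[str]                      # the rule's domain list
    action: str                             # PERMIT | ALERT | BLOCK
    block_response: Optional[str] = None    # NODATA | NXDOMAIN | OVERRIDE (BLOCK only)
    override_domain: Optional[str] = None   # answer handed back for OVERRIDE


def domain_matches(pattern, qname):
    """Domain-list matching as I understand it: an exact name matches only itself,
    '*.example.com' matches every subdomain but not example.com itself, and a
    bare '*' matches everything (the block-by-default list)."""
    pattern = pattern.rstrip(".").lower()
    qname = qname.rstrip(".").lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".example.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == pattern


def evaluate(rules, qname):
    """First matching rule in priority order decides; no match means resolve as usual."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(domain_matches(d, qname) for d in rule.domains):
            result = {"query_name": qname, "rule": rule.name, "action": rule.action}
            if rule.action == "BLOCK":
                result["block_response"] = rule.block_response
                if rule.block_response == "OVERRIDE":
                    result["answer"] = rule.override_domain
            return result
    return {"query_name": qname, "rule": None, "action": "PERMIT"}


def validate(rules):
    """Ordering check: every PERMIT rule must sit ahead of the catch-all, otherwise
    the exceptions never fire and the default block eats everything. Returns the
    names of PERMIT rules that are shadowed."""
    catch_all = [r.priority for r in rules if "*" in r.domains]
    if not catch_all:
        return []
    floor = min(catch_all)
    return [r.name for r in rules if r.action == "PERMIT" and r.priority > floor]


# Constructed rule group: exceptions first, known-bad next, a sinkhole override for
# a C&C domain, an alert-only list, and finally block everything else.
RULES = [
    FirewallRule("allow-aws-and-own", 100,
                 ["amazonaws.com", "*.amazonaws.com", "example.com", "*.example.com"], "PERMIT"),
    FirewallRule("block-known-bad", 200,
                 ["malware-demo.test", "*.malware-demo.test"], "BLOCK", "NXDOMAIN"),
    FirewallRule("sinkhole-c2", 300, ["*.c2-demo.test"], "BLOCK", "OVERRIDE", "sinkhole.example.com"),
    FirewallRule("watch-pastes", 400, ["*.paste-demo.test"], "ALERT"),
    FirewallRule("default-block", 1000, ["*"], "BLOCK", "NODATA"),
]

if __name__ == "__main__":
    print("shadowed PERMIT rules:", validate(RULES))
    for name in ["s3.ap-southeast-2.amazonaws.com", "example.com", "c2.malware-demo.test",
                 "beacon.c2-demo.test", "x.paste-demo.test", "unknown.test"]:
        print(evaluate(RULES, name))
```

Note that `example.com` and `*.example.com` are listed separately in the permit list: the wildcard alone would let `www.example.com` through but leave the apex name to fall to the default block, which is the kind of surprise a validation pass over your real lists (run `evaluate` across a day of logged query names) will surface before the rule group is associated with a VPC.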
  22. DNS FIREWALL: MANAGED DOMAIN LISTS
  23. DNSSEC IN 30 SECONDS. Two parts to it: Does your upstream DNS resolver validate DNSSEC responses? Do your hosted Route53 zones issue DNSSEC responses?
  24. DNSSEC: VPC VALIDATION
  25. DNSSEC: YOUR HOSTED ZONES. Key Signing Key (KSK) backed by KMS! Keys automatically rotate. Signing key pushed to parent domain, except for: com.au, net.au, edu.au, gov.au !!!!!!!
  26. DNSSEC: YOUR HOSTED ZONES
  27. HARDENIZE.COM: Similar to other security validation tools, but also gives you verification of your DNSSEC. Getting all these squares green should cost $0.
  28. FROM YOUR PROD INSTANCE... Can you resolve: "google.com"? "google.com" using 8.8.8.8 as the resolver? Do you have: a LOG that you looked up google.com? ...and analytics/alerts on that log? Anything that can REPORT on what was looked up? Something that can BLOCK the DNS lookup?
  29. BLOCK IT: For each Security Group, look at the EGRESS rules. If your DHCP DNS points to ".2", or link-local, then probably remove all UDP traffic!
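Slides 28 and 29 are a procedure: find out whether an instance can reach an outside resolver, then take the UDP egress away. The audit below is an added example for this page, not the deck's or AWS's code. It takes the slide's premise that instances using the VPC's own resolver have no need for UDP egress, assumes the dictionary shape that boto3's `describe_security_groups` returns (`IpPermissionsEgress` entries with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`, `PrefixListIds`), and runs over constructed sample groups; the only live call is in `fetch_groups`, which needs credentials.

```python
import json


def covers_udp(perm):
    """True for UDP rules and for 'all protocols' (-1) rules, which include UDP."""
    return perm.get("IpProtocol") in ("udp", "17", "-1")


def covers_port_53(perm):
    """An all-protocol rule has no port range; otherwise check the UDP range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", 0) <= 53 <= perm.get("ToPort", 65535)


def destinations(perm):
    """Flatten every destination form a rule can carry into one list of strings."""
    dests = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    dests += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    dests += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    dests += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    return dests


def audit_egress(groups):
    """One finding per egress rule that lets UDP out. 'high' means the rule reaches
    the internet and covers port 53, i.e. an instance can use any outside resolver
    and the VPC resolver (and anything watching it) is bypassed. The offending
    permission is returned as-is so it can be passed straight to
    revoke_security_group_egress(IpPermissions=[...])."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissionsEgress", []):
            if not covers_udp(perm):
                continue
            dests = destinations(perm)
            internet = any(d in ("0.0.0.0/0", "::/0") for d in dests)
            findings.append({
                "GroupId": group["GroupId"],
                "GroupName": group.get("GroupName"),
                "protocol": perm["IpProtocol"],
                "ports": "all" if perm["IpProtocol"] == "-1"
                         else f'{perm.get("FromPort")}-{perm.get("ToPort")}',
                "destinations": dests,
                "severity": "high" if internet and covers_port_53(perm) else "medium",
                "revoke_permission": perm,
            })
    return findings


def fetch_groups(region_name):
    """Live variant (needs boto3 and credentials); pages through all groups."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    groups = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample in the describe_security_groups shape; IDs are placeholders.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-0app00000example", "GroupName": "app-tier", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [], "PrefixListIds": []},                 # the default allow-all
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},                      # fine: TCP only
    {"GroupId": "sg-0db000000example", "GroupName": "db-tier", "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                        # outside resolvers reachable
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},                       # internal NTP, still UDP
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-0app00000example"}]}]},
]}

if __name__ == "__main__":
    for finding in audit_egress(SAMPLE_DESCRIBE["SecurityGroups"]):
        print(json.dumps({k: v for k, v in finding.items() if k != "revoke_permission"}))
```

The all-protocols rule in `app-tier` is the one most accounts carry without noticing: it is the default egress rule on every new security group, and it is what makes "can you resolve google.com via 8.8.8.8?" answer yes. Replace it with the explicit TCP rules the workload needs and the UDP path disappears without touching the VPC resolver at all.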
  30. WHAT'S THIS? AS/NZS 3112 (a.k.a. Type I). Since 2000, the nominal voltage in most areas of Australia has been 230 V, except for Western Australia and Queensland, which both remain at 240 V, though Queensland is transitioning to 230 V. The voltage in New Zealand is also 230 V.
  31. WE ARE HIRING AWS TALENT. Largest AWS Partner in Western Australia: more than 100 engineers in WA (https://aws.modis.com/). Worldwide AWS Practice: US, UK, Italy, Bulgaria, Japan, Australia. >30 AWS-related roles open: Serverless Developers (.Net, NodeJS), Integration Developers, Architects, SysOps, DevOps, Project Managers, Networking, Databases, Data Engineer & Analytics.
