AWS User Group Perth discussion on DNSSEC, DNS Firewall, Route53 Resolvers and more.

1. AWS USER GROUP –
PERTH
DNS IN AWS
James Bromberger
( @JamesBromberger)
April 2021

2. JAMES BROMBERGER
Current: Global Head of Cloud for Modis (https://cloud.modis.com/)
Previous: AWS Security Solution Architect Australia & New Zealand
Previous: Vibrant Media (online advertising)
Previous: Fotango (invented Serverless – see Wikipedia)
Modis: 1,500 in Australia, 8,000 w/w in 17 countries.
Established late 1980’s as Ajilon
Parent company: Adecco Group (world’s largest HR recruiter)
• Professional Consulting & Managed Services
• Staffing & Placement/Recuiting
• Training

3. JAMES BROMBERGER
Current: Debian Gnu/Linux Developer (20 years):
cloudfront.debian.net
Previous: Debian AMI Maintainer
Previous: Linux.conf.au chair Perth 2003, assisting Perth 2014
9x AWS Certified
AWS Certification Subject Matter Expert (SA Pro, DevOps Pro,
Networking, Security)
AWS APN Partner Ambassador (ex Cloud Warrior)

4. TODAY WE SHALL BE
LOOKING AT
Route53 Outbound Resolvers and Resolver Rules
Guard Duty (DNS findings)
VPC Endpoints
EXPLOT: DNS Data Exfiltration
DNS Firewall
DNSSEC

5. SECURITY:
UNMONITORED

6. SECURITY: MONITOR

7. THE OLD ADAGE: DNS

8. DNS REQUIREMENTS
1. Reliable
2. Able to resolve VPC Endpoints (within each VPC)
3. Able to resolve on-premise (split horizon) Zones
4. Able to have Guard Duty alert on DNS activity

9. DNS BEST PRACTICE
Do not let your instances use alternate DNS servers (security group
egress, NAT, etc)
Log DNS queries, set up some analysis and review
Watch for DNS outages/SPOFs

10. Private subnet
Private subnet
Public subnet
Public subnet
LARGE ENTERPRISE
(2019)
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Instance
Endpoints
Peering
connection
10.0.0.0/16 10.1.0.0/16

11. Private subnet
Private subnet
Public subnet
Public subnet
LARGE ENTERPRISE
(2019)
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance
Bind DNS
10.1.3.5
Instance
Bind DNS
10.1.4.5
Endpoints
Peering
connection
DHCP Options:
DNS Resolver = 10.1.3.5, 10.1.4.5

12. Private subnet
Private subnet
Public subnet
Public subnet
DNS TRAFFIC CROSS-VPC
(BIND)
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance
Bind DNS
Instance
Bind DNS
Endpoints
Peering
connection
Root resolve
On Premises
DNS server
Split Horizon
resolve
1. No VPC
Endpoint
resolution
2. No Guard
Duty visibility
3. UDP & TCP
53 traffic
through
environment
4. DNS
Instance
downtime =
intermittent
outages

13. Private subnet
Private subnet
Public subnet
Public subnet
BIND USING VPC
RESOLVER
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance
Bind DNS
Instance
Bind DNS
Endpoints
Peering
connection
Root resolve
On Premises
DNS server
Split Horizon
resolve
1. Endpoint
resolution in
DNS VPC (in
wrong acct)
2. Guard Duty
visibility (in
wrong acct)
3. UDP & TCP
53 traffic
through
environment
4. DNS
Instance
downtime =
intermittent
outages
VPC DNS Resolver .2
or 169.254.169.53

14. Private subnet
Private subnet
Public subnet
Public subnet
SOLUTION: R53
OUTBOUND ENDPOINTS
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Peering
connection
Root resolve
On Premises
DNS server
Split Horizon
resolve
1. Endpoint
resolution
2. Guard Duty
visibility
3. No UDP &
TCP 53
traffic
through
environment
4. No DNS
Instance
downtime =
no
intermittent
outages
VPC DNS Resolver .2
or 169.254.169.53
R53 Outbound
Resolver
VPC DNS Resolver .2
or 169.254.169.53
1. Remove peering
2. Restrict Security
Group Egress (no
UDP)

15. DNS EXFIL
DNS is often working in all environments
DNS is often not monitored
DNS often doesn’t block known Bad Domains
DNS Exfil: slow! 255 bytes at a time, unreliable (directly; see QUIC).
But a compromised machine can use this to COPY and to TUNNEL!

16. GUARD DUTY
DNS exfil may be spotted by Guard Duty, but won’t be blocked.
Wouldn’t it be better if it actively blocked it.

17. BOTNET C&C
Command And Control
Botnets sometimes don’t trust local DNS services not to rat them
out!
So they will do DNS queries against their own DNS servers.
UDP 53 -> Internet.

18. GUARD DUTY
External DNS resolves may be spotted by Guard Duty, but won’t be
blocked.
Wouldn’t it be better if it actively blocked it.

19. Private subnet
Private subnet
Public subnet
Public subnet
CISCO UMBRELLA
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Instance Endpoints
Private subnet
Private subnet
Public subnet
Public subnet
VPC
AWS Cloud
Availability Zone 1 Availability Zone 2
NAT gateway NAT gateway
Forward to Cisco IPs
1. Cisco
provides two
IPv4
addresses to
send queries
to
2. They identify
their
customers
by DNS
query Source
address
VPC DNS Resolver .2
or 169.254.169.53
R53 Outbound
Resolver
VPC DNS Resolver .2
or 169.254.169.53

20. DNS LEVEL
PROTECTION
Instance: DNS lookup for foo.com please
Umbrella: response is…
(a) The real IP, 3.4.5.6 (ok)
(b) NXDOMAIN (blocked)
(c) The IP of my Cisco HTTPS Proxy server (questionable; will
scan content)
Customer choses the response based upon lists:
Malware: block
Known good: resolve
Not sure: proxy intercept
(NB: Clients should have Cisco Umbrella Root CA installed)

21. DNS FIREWALL
1. Define a Rule Group
2. Add one or more rules
3. Each rule has a List of Domains
4. Customer can define their own list, or….
5. Managed list of bad domains!
6. Each rule is either PERMIT, ALERT, BLOCK
7. Block can return NODATA, NXDOMAIN, or override
with new data (honeypot?)
Can also block by default: permit specific exceptions.
Costs: around US$0.60/million queries

22. DNS FIREWALL: MANAGED
DOMAIN LISTS

23. DNSSEC IN 30
SECONDS
Two parts to it:
• Does your upstream DNS resolve validate DNSSEC responses?
• Does your hosted Route53 zones issue DNSSEC responses?

24. DNSSEC: VPC
VALIDATION

25. DNSSEC: YOUR HOSTED
ZONES
Key Signing Key (KSK) backed by KMS!
Keys automatically rotate.
Signing key pushed to parent Domain,
except for:
• Com.au
• Net.au
• Edu.au
• Gov.au
!!!!!!!

26. DNSSEC: YOUR HOSTED
ZONES

27. HARDENIZE.COM
Similar to other security validation tools.
But also gives you verification of your DNSSEC.
Getting all these squares green should cost $0.

28. FROM YOUR PROD
INSTANCE…
Can you resolve:
• “google.com”?
• “google.com” using 8.8.8.8 as the resolver?
Do you have:
• a LOG that you looked up google.com?
• … and analytics/alerts on that log?
• anything that can REPORT on what was looked up
• something that can BLOCK the DNS lookup

29. BLOCK IT
For each Security Group, look at the EGRESS rules.
If your DHCP DNS points to “.2”, or link-local, then probably remove
all UDP traffic!

30. WHATS THIS?
AS/NZS 3112 (a.k.a. Type I)
Since 2000, the nominal voltage in
most areas of Australia has been
230 V, except for Western Australia
and Queensland which both remain
at 240 V, though Queensland is
transitioning to 230 V. The voltage
in New Zealand is also 230 V.

31. WE ARE HIRING AWS TALENT
Largest AWS Partner in Western Australia: More than 100
engineers in WA (https://aws.modis.com/)
Worldwide AWS Practice: US, UK, Italy, Bulgaria, Japan, Australia
>30 AWS related roles open
Serverless Developers (.Net, NodeJS), Integration Developers,
Architects, SysOps, DevOps, Project Managers, Networking,
Databases, Data Engineer & Analytics