Title: AWS re:Inforce 2024 - Strengthening security with DNS Firewall (NIS222)
Insights:
- DNS Security Importance: DNS is a critical component of internet security that is often overlooked even though it is a major vector for malware: 85% of malware abuses involve DNS.
- Challenges in DNS Filtering: Filtering DNS traffic can be complex and resource-intensive, requiring significant infrastructure and maintenance, especially if managed in-house or through multiple vendors.
- Amazon Route 53 Resolver DNS Firewall: AWS offers a managed service called DNS Firewall, which simplifies DNS traffic management and security across VPCs, providing high availability and centralized control.
- Key Features of DNS Firewall:
  - DNS Filtering: Allows domain-name-based filtering with allow lists, deny lists, and custom block actions (e.g., no data, NXDOMAIN, override response).
  - Managed Rules: Includes AWS-managed domain lists for malware, botnet command and control, and other threats, updated regularly.
  - Central Management: Firewall Manager enables cross-account management and consistent policy enforcement across an organization.
  - Visibility and Reporting: Provides detailed logging and metrics through CloudWatch, S3, and Kinesis, enabling actionable insights and alerting.
- Integration with Other AWS Services: DNS Firewall integrates with AWS RAM for resource sharing and with GuardDuty for enhanced threat intelligence.
- Ease of Deployment: DNS Firewall can be enabled without architectural changes, making it a low-cost and efficient solution for DNS security.
- Recommendations for Implementation:
  - Start with managed domain lists in a single VPC and use allow or alert modes to understand the impact before switching to block mode.
  - Enable DNS query logs and VPC flow logs to understand outbound connections and application requirements.
  - Collaborate with application developers to create specific domain lists for outbound access.
  - Use Firewall Manager for centralized management and integration with Network Firewall for comprehensive threat detection.
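As an added example (not from the talk or from AWS), a small Python triage script for the alert-first rollout recommended above: it reads Route 53 Resolver query log records, assumed here to carry the firewall_rule_action, firewall_rule_group_id and firewall_domain_list_id fields, and reports which domains a managed list would have blocked and from how many hosts, so they can be reviewed with application owners before the rule is switched to block mode. All records, IDs, addresses and domains below are constructed placeholders.

```python
"""Triage DNS Firewall ALERT hits before switching a rule group to BLOCK."""
import json
from collections import defaultdict

# Constructed sample records shaped like Route 53 Resolver query log entries
# (one JSON object per line). Every ID, address and domain is a placeholder.
SAMPLE_LOGS = """\
{"vpc_id":"vpc-0a1b2c","query_name":"updates.example-app.test.","query_type":"A","srcaddr":"10.0.1.25","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-1","firewall_domain_list_id":"rslvr-fdl-managed"}
{"vpc_id":"vpc-0a1b2c","query_name":"updates.example-app.test.","query_type":"A","srcaddr":"10.0.1.26","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-1","firewall_domain_list_id":"rslvr-fdl-managed"}
{"vpc_id":"vpc-0a1b2c","query_name":"c2.suspicious.test.","query_type":"A","srcaddr":"10.0.1.25","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-1","firewall_domain_list_id":"rslvr-fdl-managed"}
{"vpc_id":"vpc-0a1b2c","query_name":"api.partner.test.","query_type":"A","srcaddr":"10.0.1.30","firewall_rule_action":"ALLOW","firewall_rule_group_id":"rslvr-frg-1","firewall_domain_list_id":"rslvr-fdl-allow"}
{"vpc_id":"vpc-0a1b2c","query_name":"s3.amazonaws.com.","query_type":"A","srcaddr":"10.0.1.30"}
"""


def parse_records(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def summarize_alerts(text):
    """Group ALERT hits by domain list and domain, with the distinct source IPs.

    Records without firewall_rule_action matched no rule and are skipped; ALLOW
    and BLOCK hits are skipped too, since only ALERT shows the impact of a
    future BLOCK."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in parse_records(text):
        if rec.get("firewall_rule_action") != "ALERT":
            continue
        domain = rec["query_name"].rstrip(".").lower()
        hits[rec["firewall_domain_list_id"]][domain].add(rec["srcaddr"])
    return {lst: {d: sorted(ips) for d, ips in doms.items()}
            for lst, doms in hits.items()}


def block_impact(text, min_sources=2):
    """Alerted domains queried from min_sources or more hosts: these are the
    ones most likely to break an application once the rule is set to BLOCK,
    so review them with the application owners (or allowlist them) first."""
    return sorted(d for doms in summarize_alerts(text).values()
                  for d, ips in doms.items() if len(ips) >= min_sources)
```

Point the script at the exported query log lines instead of SAMPLE_LOGS; a domain that only one host ever resolves (such as the single-source hit above) is a candidate for investigation rather than allowlisting.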
Quotes:
- "DNS is as much of a security concern as web and email traffic, and yet a lot of people just don't pay the right kind of attention to securing DNS."
- "If you're not actually doing it, then you haven't perhaps got the capabilities to do this at all."
- "Amazon Route 53 Resolver DNS Firewall...is a managed service that AWS provides. It's highly available, and it allows you to either allow or deny DNS traffic across all of your VPCs centrally using Firewall Manager."
- "You can manage it all from a single place. You don't have to have access to each of the individual accounts to actually go into that and set up the individual DNS firewall in each of your accounts."
- "DNS Firewall is a much more efficient and a really low-cost, architecturally really simple way of actually deploying this kind of protection."
- "Start slow and build it up. So crawl, then walk, then run. If you really want to upset everybody in your organization, block it from the outset, but we would not be recommending that."
- "Enabling things like DNS query logs and VPC flow logs is really important as well. If you don't understand what the application requirements are, then enabling DNS Firewall is going to give you some trouble in the future."