amazonaws.com sub-domain delegation and resolution

0

A customer is currently in the process of approving R53 Resolver for use in their organization. Their current design is to resolve all *amazonaws.com sub-domains on AWS using an R53 Resolver system rule shared with spoke VPCs. Everything else is forwarded to on-premises resolvers via a dot rule.

They have a concern around data exfiltration using encoded DNS queries to "malicious" AWS sub-domains. I am confident this is not a concern for the following reasons but need some confirmation that I can make this statement to the customer:

  1. *amazonaws.com sub-domains are never delegated to a non-AWS entity/3rd party.
  2. *amazonaws.com sub-domains are only authoritatively resolved on Amazon owned Name Servers.

Are both of these statements correct?

Thank you.

AWS
asked 4 years ago · 372 views
1 answer
0
Accepted answer

Former Route 53 DNS here.

Your assumptions are correct. Those are not allowed by policy, but sometimes a dangling CNAME or delegation can happen, albeit rarely.

answered 4 years ago
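The two risks discussed in this thread (an amazonaws.com name whose CNAME or NS answer leaves Amazon-operated zones, and encoded DNS queries used to move data out) can both be reviewed offline from Route 53 Resolver query logs. The script below is an added example for this thread, not code from AWS or from either poster. It assumes the JSON field layout of Resolver query logging (query_name, query_type, answers[].Rdata/Type, srcaddr), uses a constructed allowlist of Amazon-operated suffixes that you would extend for your own environment, and feeds itself constructed log lines (the hex labels stand in for encoded payload chunks):

```python
"""Offline review of Route 53 Resolver query logs for amazonaws.com names:
1. CNAME/NS answers that point outside Amazon-operated zones (the rare
   dangling CNAME / delegation case), and
2. exfiltration-style query patterns: long or high-entropy leftmost labels
   and many distinct names under one parent from a single source.
Sample log lines are constructed here; field names follow the Resolver
query-logging JSON layout (assumption: verify against your own log output)."""
import hashlib
import json
import math
import re
from collections import defaultdict

# Suffixes treated as Amazon-operated CNAME/NS targets (assumption; extend per environment).
AWS_SUFFIXES = (".amazonaws.com", ".amazon.com")
# Route 53 authoritative name-server naming pattern.
AWSDNS_NS = re.compile(r"^ns-\d+\.awsdns-\d+\.(com|net|org|co\.uk)$")


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot logs usually carry."""
    return name.lower().rstrip(".")


def is_aws_target(name):
    n = normalize(name)
    return n.endswith(AWS_SUFFIXES) or bool(AWSDNS_NS.match(n))


def shannon_entropy(label):
    """Bits per character of one label; encoded payloads score far above hostnames."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(lines):
    """One JSON object per line, as delivered by Resolver query logging."""
    return [json.loads(line) for line in lines if line.strip()]


def offaws_delegations(records):
    """CNAME/NS answers for amazonaws.com names whose target is not Amazon-operated."""
    findings = []
    for r in records:
        qname = normalize(r["query_name"])
        if not qname.endswith(".amazonaws.com"):
            continue
        for ans in r.get("answers", []):
            if ans["Type"] in ("CNAME", "NS") and not is_aws_target(ans["Rdata"]):
                findings.append((qname, ans["Type"], normalize(ans["Rdata"])))
    return findings


def exfil_suspects(records, max_label=40, min_entropy=3.5, unique_threshold=5):
    """Map source address -> sorted list of reasons it looks like encoded-query exfiltration."""
    reasons = defaultdict(set)
    per_parent = defaultdict(set)
    for r in records:
        qname = normalize(r["query_name"])
        if not qname.endswith(".amazonaws.com"):
            continue
        src = r["srcaddr"]
        first, _, parent = qname.partition(".")
        per_parent[(src, parent)].add(qname)
        if len(first) > max_label:
            reasons[src].add("long_label")
        if shannon_entropy(first) > min_entropy:
            reasons[src].add("high_entropy")
    for (src, parent), names in per_parent.items():
        if len(names) >= unique_threshold:
            reasons[src].add(f"many_unique:{parent}")
    return {src: sorted(v) for src, v in reasons.items()}


def _rec(src, qname, qtype, answers):
    """Constructed log record; account, VPC and timestamp values are placeholders."""
    return json.dumps({"version": "1.100000", "account_id": "111122223333", "region": "eu-west-1",
                       "vpc_id": "vpc-0example", "query_timestamp": "2021-05-04T09:00:00Z",
                       "query_name": qname, "query_type": qtype, "query_class": "IN",
                       "rcode": "NOERROR", "answers": answers, "srcaddr": src,
                       "srcport": "53211", "transport": "UDP"})


SAMPLE_LOG = [
    _rec("10.0.1.5", "s3.eu-west-1.amazonaws.com.", "A",
         [{"Rdata": "192.0.2.10", "Type": "A", "Class": "IN"}]),
    # Constructed dangling-CNAME case: an AWS name answering with a non-AWS target.
    _rec("10.0.1.5", "legacy-alias.eu-west-1.elb.amazonaws.com.", "A",
         [{"Rdata": "parked.example.net.", "Type": "CNAME", "Class": "IN"}]),
    _rec("10.0.1.5", "zone.eu-west-1.amazonaws.com.", "NS",
         [{"Rdata": "ns-123.awsdns-45.com.", "Type": "NS", "Class": "IN"}]),
] + [
    # Six 48-character hex labels under one parent: stand-ins for encoded payload chunks.
    _rec("10.0.2.7", f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:48]}"
                     ".data.eu-west-1.amazonaws.com.", "TXT", [])
    for i in range(6)
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("off-AWS CNAME/NS targets:", offaws_delegations(recs))
    print("exfiltration suspects:", exfil_suspects(recs))
```

Run against real logs by replacing SAMPLE_LOG with the lines exported from the Resolver query-log destination; the thresholds are starting points, and the suffix allowlist should be reviewed against the services actually in use before treating a hit as a dangling record rather than a legitimate alias.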
