How do I get CloudFront to comply with my organization’s requirement to use DNSSEC?

3 minute read

I have an Amazon CloudFront distribution, and I need to comply with my organization’s regulatory mandate to use Domain Name System Security Extensions (DNSSEC).

Short description

By default, CloudFront domains don't allow DNSSEC. To activate DNSSEC for your domain, you must first create a DNSKEY record. However, because AWS manages the DNS records for CloudFront domains, you can't configure a DNSKEY record. This means that you can't directly activate DNSSEC for a CloudFront domain. Instead, you must activate it through an alternate domain.

If your organization requires the use of DNSSEC, then you can implement the following workaround to turn it on:

Prevent access to the distribution from the CloudFront domain.
Activate DNSSEC on an alternate domain name or CNAME that's attached to the CloudFront distribution.

Resolution

Prevent access from CloudFront

First, prevent any requests that have the cloudfront.net domain in the Host header. To do this, use any of the following methods:

Use AWS WAF

Use an AWS WAF rule that blocks either of the following request types:

A Host header that ends with cloudfront.net
All requests that have the domain of the distribution (such as d123abc.cloudfront.net) inside the header. For more information, see Single header in the AWS documentation for web request component options.

Use a function

Use a CloudFront function to block any requests that have a value in the Host header that ends with cloudfront.net. You can use a standard CloudFront function or Lambda@Edge function. For most use cases, it's a best practice to use a CloudFront function because of lower cost and faster performance.

The following example CloudFront function blocks requests that have the CloudFront domain in the host header:

function handler(event) {
  var request = event.request;

    // Extract the host header value
    var host = request.headers.host.value;

    // Check if the host header value ends with "cloudfront.net"
    if (host.endsWith('cloudfront.net')) {
      // Return a response to block the request
      return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: {
          'content-type': {
            value: 'text/plain'
          }
        },
        body: 'Access to this resource is forbidden.'
      };
    }

    // Allow the request to proceed
    return request;
  }

Activate DNSSEC on an alternate domain name

After you block access from the CloudFront domain, you can activate DNSSEC on an alternate domain name or CNAME. To do this, follow the steps in Activating DNSSEC signing and establishing a chain of trust.

Test your domain

To confirm that DNSSEC is working properly with your domain, use the DNSSEC analyzer from Verisign Labs.

Topics

Networking & Content Delivery

Relevant content

DNSSEC Setup with KSK
Accepted Answer
Mohamad El Bohsaly
asked a month ago
DNSSEC removal for a transferred domain
Accepted Answer
nava
asked 3 years ago
Disable DNSSEC for a transferred domain
ScruffyDan
asked 5 years ago
DNSSEC Removal for transferred domain
Accepted Answer
rePost-User-4006141
asked a year ago
Cannot disable DNSSEC for domain
nomadjimbob
asked 3 years ago
How do I turn on DNSSEC on my domain with Route 53 and register a DS record?
AWS OFFICIALUpdated a year ago
How do I use CloudFront to serve HTTPS requests for my Amazon S3 bucket?
AWS OFFICIALUpdated 9 months ago
How do I configure DNSSEC for my subdomain registered with Route 53 or another registrar?
AWS OFFICIALUpdated a year ago
How can I identify and troubleshoot DNSSEC configuration issues in Route 53?
AWS OFFICIALUpdated a year ago
Building the Ideal Kubernetes Development Environment for Your Organization’s Developers
EXPERT
Mina Gobrial - OptimeCloud
published a month ago