By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

amazonaws.com sub-domain delegation and resolution

0

A customer is currently in the process of approving R53 Resolver for use in their organization. Their current design is to resolve all *amazonaws.com sub-domains on AWS using a R53 Resolver system rule shared with spoke VPCs. Everything else is forwarded to on-premises resolvers via a dot rule.

They have a concern around data exfiltration using encoded DNS queries to "malicious" AWS sub-domains. I am confident this is not a concern for the following reasons but need some confirmation that I can make this statement to the customer:

  1. *amazonaws.com sub-domains are never delegated to a non-AWS entity/3rd party.
  2. *amazonaws.com sub-domains are only authoritatively resolved on Amazon owned Name Servers.

Are both of these statements correct?

Thank you.

Topics
Networking & Content Delivery
Tags
Amazon Route 53
Language
English
AWS
AWS-User-2998337
asked 4 years ago363 views
1 Answer
0
Accepted Answer

Former Route 53 DNS here.

Your assumptions are correct. Those are not allowed by policy but sometimes a dangling CNAME or delegation can happen albeit rarely.

AWS-User-9324969
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content