sub-domain delegation and resolution


A customer is currently in the process of approving R53 Resolver for use in their organization. Their current design is to resolve all * sub-domains on AWS using a R53 Resolver system rule shared with spoke VPCs. Everything else is forwarded to on-premises resolvers via a dot rule.

They have a concern around data exfiltration using encoded DNS queries to "malicious" AWS sub-domains. I am confident this is not a concern for the following reasons but need some confirmation that I can make this statement to the customer:

  1. * sub-domains are never delegated to a non-AWS entity/3rd party.
  2. * sub-domains are only authoritatively resolved on Amazon owned Name Servers.

Are both of these statements correct?

Thank you.

asked 5 years ago403 views
1 Answer
Accepted Answer

Former Route 53 DNS here.

Your assumptions are correct. Those are not allowed by policy but sometimes a dangling CNAME or delegation can happen albeit rarely.

answered 5 years ago
profile picture
reviewed 3 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions