Just to clarify, Route53 is an authoritative DNS service and not a recursive one. It is a subtle detail, but important, i.e. if you go to Route53 directly (query the name servers listed in the NS records) and try to resolve a DNS name other than an R53 hosted DNS zone, it will refuse. In addition, a private hosted zone in R53 can be associated with a VPC, and in that case resources within the VPC may be able to resolve DNS names for the private hosted zone via the VPC CIDR (2nd IP address) or 169.254.169.253 on an EC2 host in that VPC.
It is the latter that provides DNS recursion and is able to resolve the R53 private hosted DNS zone or any DNS name such as www.amazon.com. I don't think there is a lot of control over this part, other than simply switching it off/on (VPC DNS options enableDnsHostnames, enableDnsSupport set to true/false).
One option could be to set up a bunch of DNS forwarders on EC2 instances and use those for forwarding/routing DNS queries. Change the DHCP option set for the VPC so that by default it points to the EC2 DNS forwarders rather than the VPC CIDR (2nd IP address). Forward DNS queries such as those for the R53 hosted zone and queries for Amazon DNS domains such as .amazonaws.com (this is used for RDS, ELB etc.) to the VPC CIDR (2nd IP address), and the rest to their own recursive DNS servers (or deny), if possible.
This doesn't prevent someone within the VPC from going directly to the VPC CIDR (2nd IP address) or 169.254.169.253 on EC2 and trying recursive queries, as long as enableDnsHostnames, enableDnsSupport: true for the VPC. So it is obfuscation at best.
You could create a "." private hosted zone. You would then need to explicitly create the zones or resolver rules. Route53 Resolver uses a best-match-wins approach. The most specific domain name match will be returned.
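The forwarder design in the first answer (send private-zone and .amazonaws.com queries to the VPC resolver at CIDR base + 2, send the rest to your own recursive servers or refuse them) and the best-match-wins behaviour in the second answer are the same mechanism: pick the most specific zone suffix that matches the query name. The block below is an added example written for this thread, not code from the answers or from AWS; the VPC CIDR, the zone names (`corp.internal`, `example.com`, `internal.example.com`) and the corporate resolver address are constructed placeholders.

```python
"""Longest-suffix ("best match wins") routing table for a DNS forwarder.

Added example for this thread; zone names, CIDR and resolver addresses
below are constructed and not taken from any real deployment.
"""
import ipaddress

# Constructed VPC CIDR. The Amazon-provided resolver sits at the base of the
# VPC IPv4 range plus two (the "2nd IP address" the answers refer to).
VPC_CIDR = "10.0.0.0/16"

# Hypothetical corporate recursive resolver reachable from the VPC.
CORP_RESOLVER = "10.20.0.53"


def vpc_resolver_address(cidr: str) -> str:
    """Return VPC base address + 2 (AmazonProvidedDNS) for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address + 2)


# Forwarding policy keyed by zone apex (fully qualified, trailing dot).
# "VPC" = send to the Amazon-provided resolver, an IP = forward to that
# recursive server, None = refuse the query (the "." catch-all).
POLICY = {
    "corp.internal.": "VPC",            # hypothetical Route 53 private hosted zone
    "amazonaws.com.": "VPC",            # RDS, ELB and other AWS-generated names
    "internal.example.com.": "VPC",     # private zone nested under the corp domain
    "example.com.": CORP_RESOLVER,      # hypothetical corporate domain
    ".": None,                          # catch-all: refuse everything else
}


def normalize(name: str) -> str:
    """Lower-case the name and make it fully qualified."""
    name = name.strip().lower()
    if not name.endswith("."):
        name += "."
    return name


def best_match(name: str, policy: dict) -> str:
    """Return the most specific policy zone that is a suffix of name.

    Tries the full name first, then drops one leading label at a time,
    finishing with the root "." so a catch-all entry always matches last.
    """
    labels = [l for l in normalize(name).split(".") if l]
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in policy:
            return candidate
    raise KeyError("no matching zone and no root catch-all in policy")


def route_query(name: str, policy: dict = POLICY, cidr: str = VPC_CIDR):
    """Return (matched_zone, target) for a query name.

    target is the resolver IP to forward to, or None to refuse.
    """
    zone = best_match(name, policy)
    target = policy[zone]
    if target == "VPC":
        target = vpc_resolver_address(cidr)
    return zone, target


if __name__ == "__main__":
    for q in ("db1.us-east-1.rds.amazonaws.com", "app.corp.internal",
              "host.internal.example.com", "www.example.com", "www.amazon.com"):
        print(q, "->", route_query(q))
```

The nested `internal.example.com.` entry is the point of best-match-wins: a query for `host.internal.example.com` goes to the VPC resolver even though `example.com.` also matches, because the longer suffix wins. As the first answer notes, this policy only holds for clients that actually use the forwarders; an instance that queries CIDR base + 2 directly bypasses it.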
This response may need some clarification. The response seems to suggest a private hosted zone can exist without having a VPC associated. As per the AWS developer guide: When you create a private hosted zone, you must associate a VPC with the hosted zone, and the VPC that you specify must have been created using the same account that you're using to create the hosted zone. So at least one VPC will always be associated with a private hosted zone. Going directly to R53 endpoints (assuming that is what is meant by direct), R53 still resolves names such as amazon.com that are not part of the private zone(s).