Microsoft Managed AD provides DNS directly from the managed Domain Controllers. Simple AD is not actually Windows AD, and must forward DNS queries. Regardless, Simple AD is not recommended for production use cases of Amazon WorkSpaces. AWS Network Firewall is proven to work with Amazon WorkSpaces with Windows AD for filtering traffic.
I've created a test directory using the managed Microsoft AD and started a Windows WorkSpaces instance to test this theory, and I'm afraid it behaves the same. The test is to have an external DNS server watch for any requests, e.g. https://messwithdns.net/. I can confirm that DNS requests going through the VPC's DNS resolver (e.g. 10.0.0.2) are correctly filtered by the DNS firewall, but DNS requests from the WorkSpace instance do make it to the external server, somehow circumventing the firewall.
It seems to me like the AD controller's DNS resolver (using MS AD) might be forwarding DNS requests via its management interface eth0, rather than eth1 for DNS resolution?
What do you mean by associating the DNS Resolver via DHCP option set? Also, does the VPC that was used with the WorkSpace have DNS Firewall configured?
One thing I tried was setting my VPC's DHCP option set to try to get the AD controllers to use the AmazonProvidedDNS via my VPC.
Yes, I have both the AWS Network Firewall and AWS DNS Firewall configured, both working well for other workloads in the VPC (primarily an EKS cluster).
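One way to check whether a WorkSpace's DNS path is actually covered by the DNS Firewall, as an added example (not code from this thread): send the same query for a domain your DNS Firewall rule group blocks to the VPC resolver (10.0.0.2 from the post) and to each DNS server the WorkSpace uses (the Managed AD DC addresses), and compare verdicts. The server addresses and the blocked domain below are placeholders, and the check assumes the rule action is BLOCK with NXDOMAIN or NODATA.

```python
import random
import socket
import struct

def build_query(name: str) -> bytes:
    """Build a minimal DNS A/IN query with RD=1 (stdlib only, no dnspython)."""
    tid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(data: bytes) -> dict:
    """Return transaction id, RCODE and answer count from a raw DNS response."""
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"tid": tid, "rcode": flags & 0x000F, "answers": an}

def _blocked(verdict: dict) -> bool:
    # DNS Firewall BLOCK looks like NXDOMAIN (rcode 3) or NODATA (rcode 0, no answers)
    return verdict["rcode"] == 3 or (verdict["rcode"] == 0 and verdict["answers"] == 0)

def classify(vpc: dict, other: dict) -> str:
    """Compare the VPC resolver's verdict with another server's verdict for a domain
    the DNS Firewall rule should block.  'bypass' means the other server resolved
    something the VPC resolver refused, i.e. that path is not filtered."""
    if not _blocked(vpc):
        return "vpc-not-blocking"  # rule not matching; fix the rule group first
    return "filtered" if _blocked(other) else "bypass"

def query(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` and parse the reply (network access required)."""
    packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(512)
    verdict = parse_response(data)
    if verdict["tid"] != struct.unpack("!H", packet[:2])[0]:
        raise RuntimeError("transaction id mismatch from %s" % server)
    return verdict

if __name__ == "__main__":
    VPC_RESOLVER = "10.0.0.2"                      # from the post
    WORKSPACE_DNS = ["10.0.1.10", "10.0.2.10"]     # placeholder: Managed AD DC addresses
    BLOCKED_NAME = "blocked-by-rule.example"       # placeholder: a domain your rule group blocks
    baseline = query(VPC_RESOLVER, BLOCKED_NAME)
    for dc in WORKSPACE_DNS:
        print(dc, classify(baseline, query(dc, BLOCKED_NAME)))
```

A "bypass" result for a DC address confirms that queries forwarded by that controller leave by a path the DNS Firewall never sees, which matches the behaviour described above.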