AWS Workspaces + Simple AD not protected by AWS DNS Firewall

0

I'm working on preventing DNS exfiltration in an environment that makes use of AWS Workspaces + Simple AD. The WorkSpaces don't need to resolve anything via private hosted zones. They do connect to services hosted on an EKS cluster in the same VPC, however they have public domain names.

The Simple AD documentation reads to me that Simple AD would use our VPC's configured DNS Resolver:

Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC.

I have AWS Network Firewall and AWS Domain Firewall configured - the EKS cluster's DNS queries are correctly being filtered. However, the AWS WorkSpaces can initiate a DNS request and the request bypasses the AWS DNS Firewall entirely (a DNS server outside the environment receives the request).

Some assumptions of mine:

AWS Workspaces instances use Simple AD for configuration, and by default they use the Active Directory Domain Controller as their default DNS server. The Active Directory Controller isn't a machine we directly control; it is part of the managed Simple Active Directory service from AWS.

What I think is happening is that the Simple AD directory controller doesn't use our VPC-configured resolver - and is recursively resolving the DNS query from the WorkSpace member instance. I'm assuming it isn't feasible to change the workspace instances to not use the domain controller's DNS server, as they won't be able to join the domain? Is there any way of configuring the directory controller's behavior in this respect?

I tried creating an outbound DNS Resolver and associating it with the VPC via a DHCP option set, but that didn't impose our restrictions on the DNS queries coming from the Workspace instance.

The other thing I'm considering as a potential solution is upgrading from Simple AD to Microsoft AD. I understand this would provision two domain controllers within our VPC - which may be protected behind our network and DNS firewall? I don't see why this would be different for Simple AD though? In any case, this AWS security blog certainly reads like MS AD can be made to work with the AWS DNS firewall - https://aws.amazon.com/blogs/security/protect-your-remote-workforce-by-using-a-managed-dns-firewall-and-network-firewall/

Appreciate any pointers!

  • What do you mean by associating the DNS Resolver via DHCP option set? Also does the VPC that was used with the workspace have DNS Firewall configured?

  • One thing I tried was setting my VPC's DHCP option set, to try to get the AD controllers to use the AmazonProvidedDNS via my VPC.

    Yes I have both the AWS Network Firewall and AWS DNS Firewall configured, both working well for other workloads in the VPC (primarily an EKS cluster).

1 Answer
0

Microsoft Managed AD provides DNS directly from the managed Domain Controllers. Simple AD is not actually Windows AD, and must forward DNS queries. Regardless, Simple AD is not recommended for production use-cases of Amazon WorkSpaces. AWS Network Firewall is proven to work with Amazon WorkSpaces with Windows AD for filtering traffic.

AWS
EXPERT
answered a year ago
  • I've created a test directory using the managed Microsoft AD and started a Windows WorkSpaces instance to test this theory, and I'm afraid it behaves the same. The test is to have an external DNS server watch for any requests, e.g. https://messwithdns.net/. I can confirm that DNS requests going through the VPC's DNS resolver (e.g. 10.0.0.2) are correctly filtered by the DNS firewall, but DNS requests from the WorkSpace instance do make it to the external server - somehow circumventing the firewall.

    It seems to me like the AD controller's DNS resolver (using MS AD) might be forwarding DNS requests via its management interface eth0, rather than eth1 for DNS resolution?
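As an added example (not from the question or the AWS answer): a small Python script that reads Route 53 Resolver query-log records and reports which expected clients never appear in them. That absence is the symptom described in this thread: a client whose queries reach an external server without passing through the VPC resolver leaves no record for DNS Firewall to act on. The addresses, roles and log lines are constructed; the field names follow the Resolver query-log JSON format.

```python
import json
from collections import defaultdict

# Constructed Resolver query-log records (JSON lines), not real data. The EKS
# node and a hypothetical directory controller resolve via the VPC resolver;
# the WorkSpace client never shows up because its path bypasses the resolver.
SAMPLE_LOG = """\
{"vpc_id":"vpc-0example","query_timestamp":"2024-01-01T10:00:00Z","query_name":"api.example.com.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.2.10","srcport":"53211","transport":"UDP","firewall_rule_action":"ALLOW"}
{"vpc_id":"vpc-0example","query_timestamp":"2024-01-01T10:00:05Z","query_name":"tunnel.exfil.example.","query_type":"TXT","rcode":"NOERROR","srcaddr":"10.0.2.10","srcport":"53212","transport":"UDP","firewall_rule_action":"BLOCK"}
{"vpc_id":"vpc-0example","query_timestamp":"2024-01-01T10:00:09Z","query_name":"ad.corp.internal.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.5","srcport":"40001","transport":"UDP"}
"""

# Constructed addresses of hosts that are expected to resolve through the VPC
# resolver (and therefore through DNS Firewall), labelled by role.
EXPECTED_CLIENTS = {
    "10.0.2.10": "eks-node",
    "10.0.1.5": "directory-controller",
    "10.0.3.40": "workspace",
}

def summarize(log_text, expected_clients):
    """Per-client counts of logged queries and BLOCK verdicts, plus any
    source addresses in the log that are not in the expected set."""
    counts = {ip: {"queries": 0, "blocked": 0} for ip in expected_clients}
    unknown = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec.get("srcaddr")
        if src not in counts:
            unknown[src] += 1
            continue
        counts[src]["queries"] += 1
        # firewall_rule_action is only present when a firewall rule matched.
        if rec.get("firewall_rule_action") == "BLOCK":
            counts[src]["blocked"] += 1
    return counts, dict(unknown)

def bypassing_clients(log_text, expected_clients):
    """Roles with zero logged queries: DNS Firewall never saw their traffic."""
    counts, _ = summarize(log_text, expected_clients)
    return sorted(expected_clients[ip] for ip, c in counts.items() if c["queries"] == 0)

if __name__ == "__main__":
    counts, unknown = summarize(SAMPLE_LOG, EXPECTED_CLIENTS)
    for ip, c in counts.items():
        print(f"{EXPECTED_CLIENTS[ip]:22} {ip:12} queries={c['queries']} blocked={c['blocked']}")
    print("never seen by the VPC resolver:", bypassing_clients(SAMPLE_LOG, EXPECTED_CLIENTS))
```

If the directory controllers did forward to the VPC resolver, their addresses would appear as `srcaddr` instead of the WorkSpace's; a WorkSpace and its controllers both missing from the log is the bypass case.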
