By using AWS re:Post, you agree to the Terms of Use

Route 53 DNS Firewall - Wildcard / CNAME issue


We're using DNS firewall and using an allowed list acceptable outbound domains. In some cases where there are multiple subdomains like so we use a wildcard * is a CNAME record which returns and the subsequent lookup of that fails unless we add that to our allowed list as well. Makes sense. There have a few domains where the target of the CNAME has changed and we can only update after the DNS lookup has failed and we are alerted. I'm just wondering if there is any way to be proactive with this, by somehow allowing the * to cover any CNAME it may encounter.

1 Answer

Given that you have no control over the target DNS and you want to have a very strict allow-list of things that you can connect to you're going to need to set something up that verifies the validity of your allow-list against the firewall.

For example: Have a list (probably external to DNS Firewall) that has all of the site/DNS records that are allowed. Look each one up. If it is a CNAME, find the record that is returned and add that to the list and therefore to the firewall as well.

You could do this manually, but far better to automate it.

Note that this isn't going to be perfect. Even if you run it at one minute intervals you may have some clients blocked as changes occur. And it's entirely possible that the web pages that users are reaching are going to have other sites that they link to so there is a larger problem here. Restrictive allow-lists are always going to be a lot more work to maintain than is originally thought.

profile picture
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions