Is Source Port Randomization Enabled on AWS Route53?

0

Use Route53 to resolve the name of the Internet from EC2 etc. inside the VPC.
I think that source port randomization is effective as a countermeasure against DNS cache poisoning.
So I would like to know if it is enabled in Rotue53.

asked 3 years ago470 views
2 Answers
0
Accepted Answer

Source port randomization is a feature which clients use when querying DNS resolvers and which DNS resolvers use when querying DNS authorities. It is indeed a standard mitigation for cache poisoning. The Route 53 Resolver in your VPC, in common with pretty much all modern resolvers, does use source port randomization when querying authorities.

If you are very concerned about cache poisoning, you might also be interested in enabling DNSSEC validation in your VPC, which allows cryptographic validation of responses, if the domain you're querying is DNSSEC signed. See the Route 53 Resolver documentation:

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html

I would suggest being a little careful enabling DNSSEC validation. Occasionally third party public domains may have broken signatures. If that is the case, enabling DNSSEC validation will (by design) cause DNS resolution to fail for those domains.

AWS
EXPERT
gavinmc
answered 3 years ago
0

Thanks for your help.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions