A customer is currently in the process of approving R53 Resolver for use in their organization. Their current design is to resolve all *amazonaws.com sub-domains on AWS using an R53 Resolver system rule shared with spoke VPCs. Everything else is forwarded to on-premises resolvers via a dot rule.
They have a concern around data exfiltration using encoded DNS queries to "malicious" AWS sub-domains. I am confident this is not a concern for the following reasons but need some confirmation that I can make this statement to the customer:
- *amazonaws.com sub-domains are never delegated to a non-AWS entity/3rd party.
- *amazonaws.com sub-domains are only authoritatively resolved on Amazon owned Name Servers.
Are both of these statements correct?
Thank you.
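To make the rule behaviour the question relies on concrete, here is a small simulation of Route 53 Resolver rule selection for the two-rule design described above (an added example, not code from the original post or from AWS): the on-premises resolver IPs and the query names are constructed, and the rule-precedence logic is modelled after the documented "most specific domain match wins" behaviour.

```python
"""Simulate Route 53 Resolver rule selection for the two-rule design.

Resolver applies the rule whose domain is the most specific match for a
query name (longest matching suffix, compared label by label).  A SYSTEM
rule means "resolve on AWS"; a FORWARD rule sends the query to its targets.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ResolverRule:
    domain: str          # rule domain, e.g. "amazonaws.com" or "." (root)
    rule_type: str       # "SYSTEM" or "FORWARD"
    targets: tuple = ()  # FORWARD targets; constructed on-prem resolver IPs


# The customer's design: a dot rule forwarding everything on-prem, plus a
# SYSTEM rule keeping *.amazonaws.com on AWS.  IPs below are placeholders.
RULES = (
    ResolverRule(".", "FORWARD", ("10.0.0.53", "10.0.1.53")),
    ResolverRule("amazonaws.com", "SYSTEM"),
)


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def matches(rule_domain: str, qname: str) -> bool:
    """True if qname equals rule_domain or is a subdomain of it.

    Comparison is per label, so "notamazonaws.com" does NOT match a rule
    for "amazonaws.com".  The root rule "." matches every name.
    """
    if rule_domain == ".":
        return True
    rl, ql = _labels(rule_domain), _labels(qname)
    return len(ql) >= len(rl) and ql[-len(rl):] == rl


def select_rule(qname: str, rules=RULES) -> ResolverRule:
    """Most specific matching rule wins (most labels in the rule domain)."""
    candidates = [r for r in rules if matches(r.domain, qname)]
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def resolution_path(qname: str, rules=RULES) -> tuple[str, tuple]:
    """Return ("AWS", ()) or ("on-prem", targets) for a query name."""
    rule = select_rule(qname, rules)
    if rule.rule_type == "SYSTEM":
        return ("AWS", ())
    return ("on-prem", rule.targets)
```

Queries for any name under amazonaws.com, including ones with an encoded-looking left-most label, are answered on AWS and never reach the on-premises resolvers; everything else follows the dot rule.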