amazonaws.com sub-domain delegation and resolution
0
A customer is currently in the process of approving R53 Resolver for use in their organization. Their current design is to resolve all *amazonaws.com sub-domains on AWS using a R53 Resolver system rule shared with spoke VPCs. Everything else is forwarded to on-premises resolvers via a dot rule.
They have a concern around data exfiltration using encoded DNS queries to "malicious" AWS sub-domains. I am confident this is not a concern for the following reasons but need some confirmation that I can make this statement to the customer:
- *amazonaws.com sub-domains are never delegated to a non-AWS entity/3rd party.
- *amazonaws.com sub-domains are only authoritatively resolved on Amazon owned Name Servers.
Are both of these statements correct?
Thank you.
已提问 4 年前372 查看次数
1 回答
- 最新
- 投票最多
- 评论最多
0
Former Route 53 DNS here.
Your assumptions are correct. Those are not allowed by policy but sometimes a dangling CNAME or delegation can happen albeit rarely.
已回答 4 年前
