I need to know if it’s possible (and if possible, how) to prevent Route53 from exposing our VPC RFC1918 address space to the Internet. As you can see, these addresses are leaked out onto the Internet where they do no good except to expose the endpoints of various AWS services:
From inside Corp:
ps@site:tmp$ dig test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com
; <<>> DiG 9.11.5-P1-1ubuntu2.5-Ubuntu <<>> test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1636
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. 4 IN A 172.31.58.126
;; Query time: 380 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Sep 24 07:10:57 CDT 2019
;; MSG SIZE rcvd: 106
From my home Linux system:
ps@plex:~$ dig test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com
; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9577
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. 3600 IN A 172.31.58.126
;; Query time: 210 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 24 07:11:04 CDT 2019
;; MSG SIZE rcvd: 106
Ideally this external query should return NOTHING.
I’ve been unsuccessful in my document digging in the AWS doc repository.
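The check a practitioner would want to run for a question like this one is an offline parser over dig output that flags any A record whose address falls in RFC 1918 space. The script below is an added example by the editor, not code from the original post or from AWS; the function names are my own, and it assumes dig's standard ANSWER SECTION format (`<owner> <ttl> IN <type> <rdata>`). The first sample is copied from the second dig in the post, the second is constructed. It deliberately lists the three RFC 1918 blocks instead of using `ipaddress.ip_address(...).is_private`, which also matches 127/8, 169.254/16, 100.64/10 and others and would over-report.

```python
"""Flag RFC 1918 addresses in dig output (added example, not from the original post)."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterator

# The three RFC 1918 blocks, listed explicitly. is_private is broader
# (127/8, 169.254/16, 100.64/10, 0.0.0.0/8 ...) and is not what "VPC
# address space leaked to the Internet" means.
RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# One resource record as dig prints it in the ANSWER SECTION:
#   <owner> <ttl> IN <type> <rdata>
RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def answer_records(dig_output: str) -> Iterator[tuple[str, int, str, str]]:
    """Yield (owner, ttl, rtype, rdata) for each record in the ANSWER SECTION."""
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        # A blank line or the next ";;" header ends the section.
        if not line or line.startswith(";"):
            break
        m = RR_RE.match(line)
        if m:
            yield m["owner"].rstrip("."), int(m["ttl"]), m["rtype"], m["rdata"]


def rfc1918_leaks(dig_output: str) -> list[tuple[str, str]]:
    """Return (owner, address) pairs for A records pointing into RFC 1918 space.

    A non-empty result from a resolver outside the VPC is exactly the leak
    described in the post above. CNAME rdata is never an address and is skipped.
    """
    return [
        (owner, rdata)
        for owner, _ttl, rtype, rdata in answer_records(dig_output)
        if rtype == "A" and is_rfc1918(rdata)
    ]


# Copied from the second dig in the post (query from the poster's home system).
HOME_DIG = """\
;; QUESTION SECTION:
;test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. IN A
;; ANSWER SECTION:
test-do-not-use.cmqvubhjfrhv.us-east-1.rds.amazonaws.com. 3600 IN A 172.31.58.126
;; Query time: 210 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# Constructed sample: a CNAME chain ending in a public (TEST-NET-3) address,
# which must not be flagged.
PUBLIC_DIG = """\
;; ANSWER SECTION:
www.example.com.        300 IN CNAME edge.example.net.
edge.example.net.       60  IN A     203.0.113.10

;; Query time: 12 msec
"""

if __name__ == "__main__":
    for label, sample in (("home", HOME_DIG), ("public", PUBLIC_DIG)):
        leaks = rfc1918_leaks(sample)
        status = "LEAK" if leaks else "ok"
        print(f"{label}: {status} {leaks}")
```

To use it on live data, capture `dig @<public resolver> <hostname>` from a host outside the VPC and feed the text to `rfc1918_leaks`; run the same query from inside the VPC and compare, since an internal resolver is expected to return the private address and only the external answer is the problem.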