Why Protecting DNS server through AWS DNS Firewall May Not Be a Good Idea in Practise

Generated by Gemini

I am having an outbound DNS resolver to perform conditional DNS forwarding to an internal DNS server. To protect the DNS server, one idea is to implement the DNS firewall to allow only some specific domain to go through while block all the disallowed domains.

However we have quickly identified that it is not a good approach in practise.

Implementation of DNS firewall

First let’s define an allowed domain list

resource "aws_route53_resolver_firewall_domain_list" "allowed-domains" {
  name    = "allowed-domains"
  domains = [
    ... 
    "ghcr.io",
    "www.redhat.com",
    ...
  ]
}

A catch all domain which is all the domains,

resource "aws_route53_resolver_firewall_domain_list" "all-domains" {
  name    = "all-domains"
  domains = [ "*" ]
}

Create a firewall rule group,

resource "aws_route53_resolver_firewall_rule_group" "dns-firewall-group" {
  name = "dns-firewall-group"
}

Define a rule to allow the DNS query from the allow domain list, giving a low priority number so that it could be evaluated first, and exit from the evaluation process to allow the DNS query proceed.