AWS Route53 documentation change
Summary
Restructured DNS Firewall Advanced documentation to focus on two main rule types (Advanced Protections and threat/content categories) and removed detailed threat explanations and false positive mitigation steps
Security assessment
The changes reorganize and simplify documentation about DNS Firewall security features without addressing specific vulnerabilities. While it removes some threat examples (DGA, tunneling) and false positive handling guidance, it maintains security feature descriptions. No evidence of vulnerability remediation.
Diff
diff --git a/Route53/latest/DeveloperGuide/firewall-advanced.md b/Route53/latest/DeveloperGuide/firewall-advanced.md index 87c6d66f7..9f5d038d8 100644 --- a//Route53/latest/DeveloperGuide/firewall-advanced.md +++ b//Route53/latest/DeveloperGuide/firewall-advanced.md @@ -7 +7 @@ -# Resolver DNS Firewall Advanced +# DNS Firewall Advanced Rules @@ -9 +9 @@ -DNS Firewall Advanced detects suspicious DNS queries based on known threat signatures in DNS queries. You can specify a threat type in a rule that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domains that are flagged in the rules. If it finds a match, it handles the DNS query according to the matching rule's action. +DNS Firewall Advanced Rule tier provides you with protections to help you detect and monitor for more advanced DNS threats (for example, Domain Generation Algorithms (DGA) or DNS Tunneling) or with more granular protections based on threat and web-content (for example, gambling, social networking). @@ -11 +11 @@ DNS Firewall Advanced detects suspicious DNS queries based on known threat signa -DNS Firewall Advanced works by identifying suspicious DNS threat signatures by inspecting a range of key identifiers in the DNS payload including the timestamp of requests, frequency of request and responses, the DNS query strings, and the length, type or size of both outbound and inbound DNS queries. Based on the type of threat signature, you can configure policies to block, or simply log and alert on the query. By using an expanded set of threat identifiers, you can protect against DNS threats from domain sources that may yet be unclassified by threat intelligence feeds maintained by the broader security community. +There are two main types of advanced rules: @@ -13 +13 @@ DNS Firewall Advanced works by identifying suspicious DNS threat signatures by i -Currently, DNS Firewall Advanced offers protections from: + * Advanced Protections that help detect suspicious DNS queries based on known threat signatures (for example, DGA) in DNS queries. @@ -15 +15 @@ Currently, DNS Firewall Advanced offers protections from: - * Domain Generation Algorithms (DGAs) + * Advanced DNS threat and content categories that provide more granular control to block DNS queries based on the type of DNS threats (for example, spam, phishing) or web content (for example, adult content, social networking, gambling sites). @@ -17 +16,0 @@ Currently, DNS Firewall Advanced offers protections from: -DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -19 +17,0 @@ DGAs are used by attackers to generate a large number of domains to launch malwa - * DNS tunneling @@ -21,25 +18,0 @@ DGAs are used by attackers to generate a large number of domains to launch malwa -DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client. - - * Dictionary DGA - -Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications. - - - - -To learn how to create rules, see [Creating a rule group and rules](./resolver-dns-firewall-rule-group-adding.html) and [Rule settings in DNS Firewall](./resolver-dns-firewall-rule-settings.html). - -###### Mitigating false positive scenarios - -If you are encountering false-positive scenarios in rules that use DNS Firewall Advanced protections to block queries, perform the following steps: - - 1. In the VPC Resolver logs, identify the rule group and DNS Firewall Advanced protections that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the rule group, rule action, and the DNS Firewall Advanced protection. For information about the logs, see [Values that appear in VPC Resolver query logs](./resolver-query-logs-format.html). - - 2. Create a new rule in the rule group that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule group and rule management at [Creating a rule group and rules](./resolver-dns-firewall-rule-group-adding.html). - - 3. Prioritize the new rule inside the rule group so that it runs before the rule that's using the managed list. To do this, give the new rule a lower numeric priority setting. - - - - -When you have updated your rule group, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs. @@ -55 +28 @@ Managing your own domain lists -Configuring query logging for DNS Firewall +Advanced DNS Protections