AWS Route53 documentation change
Summary
Updated DNS Firewall Advanced documentation with expanded threat detection details, added specific threat types (DGA, DNS tunneling, Dictionary DGA), and included new section on mitigating false positives
Security assessment
The changes enhance documentation of security features (threat detection mechanisms) but don't address any specific vulnerability. They provide operational guidance for security configuration without evidence of patching a security flaw.
Diff
diff --git a/Route53/latest/DeveloperGuide/firewall-advanced.md b/Route53/latest/DeveloperGuide/firewall-advanced.md index 9f5d038d8..87c6d66f7 100644 --- a//Route53/latest/DeveloperGuide/firewall-advanced.md +++ b//Route53/latest/DeveloperGuide/firewall-advanced.md @@ -7 +7 @@ -# DNS Firewall Advanced Rules +# Resolver DNS Firewall Advanced @@ -9 +9 @@ -DNS Firewall Advanced Rule tier provides you with protections to help you detect and monitor for more advanced DNS threats (for example, Domain Generation Algorithms (DGA) or DNS Tunneling) or with more granular protections based on threat and web-content (for example, gambling, social networking). +DNS Firewall Advanced detects suspicious DNS queries based on known threat signatures in DNS queries. You can specify a threat type in a rule that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domains that are flagged in the rules. If it finds a match, it handles the DNS query according to the matching rule's action. @@ -11 +11 @@ DNS Firewall Advanced Rule tier provides you with protections to help you detect -There are two main types of advanced rules: +DNS Firewall Advanced works by identifying suspicious DNS threat signatures by inspecting a range of key identifiers in the DNS payload including the timestamp of requests, frequency of request and responses, the DNS query strings, and the length, type or size of both outbound and inbound DNS queries. Based on the type of threat signature, you can configure policies to block, or simply log and alert on the query. By using an expanded set of threat identifiers, you can protect against DNS threats from domain sources that may yet be unclassified by threat intelligence feeds maintained by the broader security community. @@ -13 +13 @@ There are two main types of advanced rules: - * Advanced Protections that help detect suspicious DNS queries based on known threat signatures (for example, DGA) in DNS queries. +Currently, DNS Firewall Advanced offers protections from: @@ -15 +15 @@ There are two main types of advanced rules: - * Advanced DNS threat and content categories that provide more granular control to block DNS queries based on the type of DNS threats (for example, spam, phishing) or web content (for example, adult content, social networking, gambling sites). + * Domain Generation Algorithms (DGAs) @@ -16,0 +17 @@ There are two main types of advanced rules: +DGAs are used by attackers to generate a large number of domains to launch malware attacks. @@ -17,0 +19 @@ There are two main types of advanced rules: + * DNS tunneling @@ -18,0 +21,25 @@ There are two main types of advanced rules: +DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without making a network connection to the client. + + * Dictionary DGA + +Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications. + + + + +To learn how to create rules, see [Creating a rule group and rules](./resolver-dns-firewall-rule-group-adding.html) and [Rule settings in DNS Firewall](./resolver-dns-firewall-rule-settings.html). + +###### Mitigating false positive scenarios + +If you are encountering false-positive scenarios in rules that use DNS Firewall Advanced protections to block queries, perform the following steps: + + 1. In the VPC Resolver logs, identify the rule group and DNS Firewall Advanced protections that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the rule group, rule action, and the DNS Firewall Advanced protection. For information about the logs, see [Values that appear in VPC Resolver query logs](./resolver-query-logs-format.html). + + 2. Create a new rule in the rule group that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule group and rule management at [Creating a rule group and rules](./resolver-dns-firewall-rule-group-adding.html). + + 3. Prioritize the new rule inside the rule group so that it runs before the rule that's using the managed list. To do this, give the new rule a lower numeric priority setting. + + + + +When you have updated your rule group, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs. @@ -28 +55 @@ Managing your own domain lists -Advanced DNS Protections +Configuring query logging for DNS Firewall