AWS directoryservice medium security documentation change
Summary
Clarified DNS conflict warning for Route 53 Private Hosted Zones and added recommendation to disable root hints to prevent NXDOMAIN caching issues
Security assessment
Addresses DNS cache poisoning vulnerability by recommending configuration changes to prevent resolution failures that could be exploited in MITM attacks
Diff
diff --git a/directoryservice/latest/admin-guide/ms_ad_getting_started.md b/directoryservice/latest/admin-guide/ms_ad_getting_started.md index 7475e220d..a2f89f2bc 100644 --- a//directoryservice/latest/admin-guide/ms_ad_getting_started.md +++ b//directoryservice/latest/admin-guide/ms_ad_getting_started.md @@ -121 +121 @@ The fully qualified name for the directory, such as `corp.example.com`. -If you plan on using Amazon Route 53 for DNS, the domain name of your AWS Managed Microsoft AD must be different than your Route 53 domain name. DNS resolution issues can occur if Route 53 and AWS Managed Microsoft AD share the same domain name. +If you plan on using Amazon Route 53 Private Hosted Zone for DNS, the domain name of your AWS Managed Microsoft AD must be different than your Route 53 domain name. DNS resolution issues can occur if Route 53 and AWS Managed Microsoft AD share the same domain name. Also, consider changing the **Use root hints if no forwarders are available** setting from true to false. When set to true and forwarders are unreachable, AWS Managed Microsoft AD falls back to internet root hints, which return NXDOMAIN for Private Hosted Zone names. This negative response is cached, prolonging resolution failures even after connectivity is restored.