# Managing access controls with access sources and tokens in Route 53 Global Resolver
<a name="gr-managing-access-controls"></a>

Route 53 Global Resolver provides two primary methods for controlling client device access: access sources for IP-based authentication and access tokens for token-based authentication. This chapter covers both approaches, helping you choose the right authentication method for your environment and implement comprehensive access controls.

**Topics**
+ [Access control methods](gr-understanding-access-control-methods.md)
+ [Configuring access sources](gr-configuring-access-sources.md)
+ [Managing access tokens](gr-managing-access-tokens.md)
+ [Best practices](gr-access-control-best-practices.md)

# Understanding access control methods in Route 53 Global Resolver
<a name="gr-understanding-access-control-methods"></a>

Route 53 Global Resolver offers two distinct authentication methods to control client access to your DNS infrastructure. Each method serves different use cases and environments.

IP-based access sources  
You configure access source rules that allow or deny DNS queries based on client IP addresses. This method works well for environments with predictable IP ranges, such as branch offices or VPN connections. Access sources support all DNS protocols (Do53, DoT, and DoH) and provide straightforward configuration for network administrators.

Token-based authentication  
Access tokens provide secure authentication for the DoH and DoT protocols using encrypted, time-limited credentials. This method suits mobile clients and environments where IP addresses change frequently. You can renew tokens before they expire, and they offer enhanced security through encryption.

## Choosing the right authentication method
<a name="gr-choosing-authentication"></a>

Consider these factors when selecting your authentication approach:

| Factor | Access sources | Access tokens | 
| --- | --- | --- | 
| Best for | Fixed IP ranges, office networks, VPN users | Mobile devices, dynamic IPs, remote workers | 
| Security level | Network-based, relies on IP trust | Encrypted credentials, time-limited | 
| Management complexity | Simple IP range management | Token lifecycle and distribution | 
| Protocol support | Do53, DoT, DoH | DoT, DoH only | 

You can use both methods simultaneously to create layered security. For example, use access sources for office networks and tokens for remote workers.

# Configuring access sources and access source rules
<a name="gr-configuring-access-sources"></a>

Access sources control client access based on IP addresses. You create access source rules that specify which IP ranges can query your DNS infrastructure and which protocols they can use.

## Creating access source rules
<a name="gr-creating-access-source-rules"></a>

Follow these steps to create an access source rule that allows specific IP ranges to query your DNS infrastructure.

1. Open the Route 53 Global Resolver console and navigate to your DNS view.

1. In the **Access source** section, choose **Create access source rule**.

1. For **Rule name**, enter a descriptive name that identifies the purpose of this rule, such as `office-network` or `vpn-users`.

1. For **IP address type**, choose **IPV4** or **IPV6**.

1. For **CIDR block**, specify the IP addresses that should have access. You can use CIDR notation for IP ranges: `203.0.113.0/24` or `2001:db8::/112`, or individual IP addresses: `203.0.113.5/32` or `2001:db8::1/128`.

1. For **Protocol**, select the DNS protocols this rule applies to:
   + **Do53** - Standard DNS over UDP/TCP (port 53)
   + **DoT** - DNS over TLS (port 853)
   + **DoH** - DNS over HTTPS (port 443)

1. Choose **Create access source rule**.

Client devices from the specified IP ranges can now query your DNS infrastructure using the selected protocols.

## Understanding rule evaluation and priority
<a name="gr-understanding-rule-evaluation"></a>

Route 53 Global Resolver evaluates access source rules when identifying the correct view to use.
+ Rules are processed from most specific to least specific IP ranges, where the most-specific matching rule takes precedence.
+ If no rules match, the request is denied by default.

Test your access source configuration by querying from different IP addresses to ensure the rules work as expected.
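The evaluation order described above, as an added example that is not part of the original page or of the service's own implementation: a small Python model of access source rules in the shape of the console fields (rule name, CIDR block, protocols). It orders rules by prefix length so the most-specific matching range decides, and denies when nothing matches. Two points are assumptions, not statements from the page: a rule whose CIDR matches but whose protocol list does not is treated as not matching (so evaluation continues to less specific rules), and the `action` field with a `deny` rule is included only because the page says rules allow or deny; the console steps above show allow rules only.

```python
"""Model of access source rule evaluation: most-specific CIDR wins, default deny.
Added example; not AWS code. Rule set and client addresses are constructed."""
import ipaddress

# Constructed rules. "action" is an assumption for illustration (page says rules
# allow or deny); the console steps above only create allow rules.
RULES = [
    {"name": "office-network", "cidr": "203.0.113.0/24",
     "protocols": {"Do53", "DoT", "DoH"}, "action": "allow"},
    {"name": "quarantined-host", "cidr": "203.0.113.5/32",
     "protocols": {"Do53", "DoT", "DoH"}, "action": "deny"},
    {"name": "vpn-users", "cidr": "2001:db8::/112",
     "protocols": {"DoT", "DoH"}, "action": "allow"},
]


def compile_rules(rules):
    """Parse each CIDR once and order rules most-specific first (longest prefix).

    strict=True rejects a CIDR with host bits set (e.g. 203.0.113.5/24), which
    is the most common mistake when typing ranges into a rule.
    """
    compiled = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=True)
        compiled.append((rule["name"], net, frozenset(rule["protocols"]),
                         rule.get("action", "allow")))
    compiled.sort(key=lambda entry: entry[1].prefixlen, reverse=True)
    return compiled


def decide(compiled, client_ip, protocol):
    """Return (decision, rule_name) for one query.

    Walks rules from most to least specific and stops at the first rule whose
    range contains the client and whose protocol list includes the protocol.
    Assumption: a protocol mismatch is not a match, so less specific rules are
    still consulted. No match at all means deny by default.
    """
    ip = ipaddress.ip_address(client_ip)
    for name, net, protocols, action in compiled:
        if net.version != ip.version or ip not in net:
            continue
        if protocol not in protocols:
            continue
        return action, name
    return "deny", None


if __name__ == "__main__":
    rules = compile_rules(RULES)
    # Constructed sample clients covering each branch of the evaluation.
    for client, proto in [("203.0.113.10", "Do53"), ("203.0.113.5", "DoH"),
                          ("2001:db8::1", "DoT"), ("2001:db8::1", "Do53"),
                          ("198.51.100.7", "DoH")]:
        decision, rule = decide(rules, client, proto)
        print(f"{client:16} {proto:5} -> {decision:5} (rule: {rule})")
```

The table this prints is a useful checklist before testing from real client addresses: for each client group, confirm that the rule you expect to win is the one reported, and that a query with an unexpected protocol or from an unlisted range comes back as a default deny.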

# Managing access tokens for encrypted authentication
<a name="gr-managing-access-tokens"></a>

Access tokens provide encrypted authentication for DoH and DoT protocols. Unlike IP-based access sources, tokens work regardless of client location and offer enhanced security through encryption and expiration controls.

## Creating access tokens
<a name="gr-creating-access-tokens"></a>

Follow these steps to create access tokens to authenticate client devices that use DoH or DoT protocols.

1. Open the Route 53 Global Resolver console and navigate to your DNS view.

1. In the **Access source** section, choose **Create access token**.

1. For **Name**, enter a descriptive name that identifies the token's purpose, such as `mobile-devices` or `remote-workers-q4`.

1. For **Expiration**, set when the token should expire. We recommend 90 days or less for security. Consider your token distribution and renewal capabilities when setting the expiration period.

1. Choose **Create access token**.

1. Distribute the token securely to your client devices using your organization's secure communication channels.

## Configuring client devices with access tokens
<a name="gr-configuring-client-devices"></a>

Configure client devices to use access tokens for authentication with your Route 53 Global Resolver infrastructure.

**DoH configuration**  
To configure DoH with access tokens, you need your global resolver's DNS name or IP addresses:  

1. Use the GetGlobalResolver API to retrieve connectivity details for your resolver.

1. Note the `ipv4Addresses` (for example, 3.3.3.3, 3.3.3.4) and `dnsName` (for example, a1bc234567890a.route53globalresolver.global.on.aws).

1. Include the token as a URL parameter in the DoH endpoint using the DNS name:

   ```
   https://a1bc234567890a.route53globalresolver.global.on.aws/dns-query?token=<token-value>
   ```

   Replace `<token-value>` with the actual token that you generated.

**DoT configuration**  
For DoT queries with access tokens, include the token in an EDNS0 option with the following specifications:  
+ **Option Code:** `0xffa0`
+ **Option Data:** The access token in string format

The specific implementation depends on your DoT client software and how it handles EDNS0 options.
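The two token placements described above, the DoH URL parameter and the DoT EDNS0 option, as an added example that is not part of the original page or of any AWS client: Python that builds a wire-format DNS query carrying the token in an OPT option with code `0xffa0`, parses it back out, and assembles the DoH endpoint URL. Assumptions beyond the page: the option data is the token's UTF-8 bytes, the query layout follows RFC 1035 and RFC 6891, and the optional `dns` URL parameter is the RFC 8484 GET form (the page only shows the `token` parameter). The DNS name is the example value from the page; the token value is constructed.

```python
"""Carry an access token in a DoT EDNS0 option (code 0xffa0) and in a DoH URL.
Added example; not AWS code. Token values below are constructed."""
import base64
import struct
from urllib.parse import urlencode

TOKEN_OPTION_CODE = 0xFFA0   # EDNS0 option code from the DoT configuration above
OPT_RR_TYPE = 41             # OPT pseudo-RR type (RFC 6891)


def encode_name(name):
    """Encode a dotted name in DNS label format, without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0, token=None):
    """Build a standard query; with a token, append an OPT RR carrying it."""
    arcount = 1 if token is not None else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if token is not None:
        data = token.encode("utf-8")   # assumption: token sent as its UTF-8 bytes
        rdata = struct.pack("!HH", TOKEN_OPTION_CODE, len(data)) + data
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return msg


def _skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def extract_token(msg):
    """Return the token carried in option 0xffa0 of a DNS message, or None."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):        # walk the option list
            code, olen = struct.unpack_from("!HH", rdata, pos)
            pos += 4
            if code == TOKEN_OPTION_CODE:
                return rdata[pos:pos + olen].decode("utf-8")
            pos += olen
    return None


def doh_url(dns_name, token, query=None):
    """DoH endpoint with the token as a URL parameter. If a wire-format query is
    given, add it as the RFC 8484 GET 'dns' parameter (base64url, unpadded)."""
    params = {"token": token}
    if query is not None:
        params["dns"] = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{dns_name}/dns-query?" + urlencode(params)


if __name__ == "__main__":
    dns_name = "a1bc234567890a.route53globalresolver.global.on.aws"  # page example
    msg = build_query("example.com", token="EXAMPLE-TOKEN")           # constructed token
    print("DoT message with EDNS0 token option:", msg.hex())
    print("token recovered from message:", extract_token(msg))
    print("DoH URL:", doh_url(dns_name, "EXAMPLE-TOKEN", build_query("example.com")))
```

`urlencode` percent-encodes any character in the token that is not safe in a query string, which is the usual source of "token rejected" problems when a token is pasted into a URL by hand. For DoT, `extract_token` is also what a packet-level check looks like: capture one client query and confirm the option code and data are present before debugging anything on the resolver side.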

## Token lifecycle management
<a name="gr-token-lifecycle-management"></a>

Manage token expiration and renewal to maintain secure access for your client devices.
+ **Monitor expiration dates** - Track token expiration dates and plan renewals in advance.
+ **Renew before expiration** - Create new tokens before old ones expire to avoid service interruption.
+ **Rotate tokens regularly** - Replace tokens periodically even before expiration for enhanced security.
+ **Revoke compromised tokens** - Delete tokens immediately if you suspect they have been compromised.

Consider implementing automated token renewal processes for large deployments to reduce administrative overhead.

# Platform configuration examples
<a name="gr-platform-configuration-examples"></a>

Use these platform-specific examples to configure client devices with your Route 53 Global Resolver access tokens and connection details.

## Windows configuration
<a name="gr-windows-configuration"></a>

Follow these steps to configure Windows clients to use DoH with access tokens using the netsh command.

1. Open Command Prompt as an administrator.

1. Enable the global DoH setting:

   ```
   netsh dns add global doh=yes
   ```

1. Register DoH servers with access tokens. Replace the example values with your actual resolver details:

   ```
   netsh dns add encryption server=3.3.3.3 dohtemplate=https://a1bc234567890a.route53globalresolver.global.on.aws/dns-query?token=<your-token> autoupgrade=yes
   netsh dns add encryption server=3.3.3.4 dohtemplate=https://a1bc234567890a.route53globalresolver.global.on.aws/dns-query?token=<your-token> autoupgrade=yes
   ```

1. Flush the DNS cache:

   ```
   ipconfig /flushdns
   ```

1. Verify the configuration:

   ```
   netsh dns show global
   ```

## macOS configuration
<a name="gr-macOS-configuration"></a>

Follow these steps to configure macOS clients using a mobile configuration profile for DoH with access tokens.

Create a mobile configuration profile with the following structure:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <key>ServerAddresses</key>
        <array>
          <string>3.3.3.3</string>
          <string>3.3.3.4</string>
        </array>
        <key>ServerURL</key>
        <string>https://a1bc234567890a.route53globalresolver.global.on.aws/dns-query?token=YOUR-TOKEN</string>
      </dict>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
    </dict>
  </array>
</dict>
</plist>
```

Replace `YOUR-TOKEN` with the actual token value. The placeholder is written without angle brackets here because a literal `<` is not allowed inside an XML `<string>` element and would make the profile unreadable.

Install the profile through System Settings > Device Management.
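Generating and checking the profile programmatically, as an added example that is not part of the original page or of Apple's or AWS's tooling: Python that writes the `com.apple.dnsSettings.managed` payload shown above with `plistlib` (which escapes the token correctly) and a checker that parses a profile and reports the defects most likely to break DoH on the client: a profile that does not parse, a leftover placeholder in the token, a protocol other than `HTTPS`, or an empty server list. The resolver name and server addresses are the example values from the page; the token value and the sample profiles are constructed. Keys that a deployable profile also needs (such as `PayloadIdentifier`, `PayloadUUID` and `PayloadVersion`) are not on the page and are left out here.

```python
"""Build and sanity-check a macOS DoH profile for a token-authenticated resolver.
Added example; not Apple or AWS code. Token and sample profiles are constructed."""
import plistlib
from urllib.parse import parse_qs, urlsplit

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def build_profile(dns_name, token, server_ips):
    """Return profile bytes in the structure shown above, with the token filled in.

    plistlib escapes characters such as '<' and '&', so the token can never
    corrupt the XML the way a hand-edited placeholder can.
    """
    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerAddresses": list(server_ips),
            "ServerURL": f"https://{dns_name}/dns-query?token={token}",
        },
    }
    return plistlib.dumps({"PayloadContent": [payload]})


def check_profile(data):
    """Return a list of problems found in a profile (empty list means it looks right)."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:   # InvalidFileException or an XML parse error
        return [f"profile does not parse: {exc}"]
    problems = []
    payloads = root.get("PayloadContent", [])
    if not payloads:
        problems.append("PayloadContent is missing or empty")
    for payload in payloads:
        if payload.get("PayloadType") != DNS_PAYLOAD_TYPE:
            problems.append(f"PayloadType is not {DNS_PAYLOAD_TYPE}")
        dns = payload.get("DNSSettings", {})
        if dns.get("DNSProtocol") != "HTTPS":
            problems.append("DNSProtocol must be HTTPS for DoH")
        if not dns.get("ServerAddresses"):
            problems.append("ServerAddresses is empty")
        parts = urlsplit(dns.get("ServerURL", ""))
        if parts.scheme != "https":
            problems.append("ServerURL must use https")
        token = parse_qs(parts.query).get("token", [""])[0]
        # Catch both the page's <your-token> form and an unreplaced YOUR-TOKEN.
        if not token or "<" in token or token.upper().startswith("YOUR"):
            problems.append("ServerURL token is missing or still a placeholder")
    return problems


if __name__ == "__main__":
    dns_name = "a1bc234567890a.route53globalresolver.global.on.aws"  # page example
    profile = build_profile(dns_name, "EXAMPLE-TOKEN", ["3.3.3.3", "3.3.3.4"])
    print(profile.decode("utf-8"))
    print("problems:", check_profile(profile) or "none")
```

Run `check_profile` over the `.mobileconfig` file you are about to push through device management; a profile that parses but still carries the placeholder installs without complaint and then fails every DoH query, which is much harder to diagnose from the client side than a parse error.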

# Access control best practices and security considerations
<a name="gr-access-control-best-practices"></a>

Follow these best practices to maintain secure and effective access controls for your Route 53 Global Resolver infrastructure.

## Security best practices
<a name="gr-security-best-practices"></a>

Implement these security measures to protect your DNS infrastructure:
+ **Use layered authentication** - Combine access sources for trusted networks with tokens for mobile users. This approach provides defense in depth and accommodates different client scenarios.
+ **Implement least privilege access** - Grant access only to the IP ranges and protocols that clients actually need. Avoid overly broad access source rules that could expose your infrastructure to unauthorized use.
+ **Rotate tokens regularly** - Replace access tokens on a regular schedule, even before they expire. This practice limits the impact of compromised tokens and maintains security hygiene.
+ **Monitor access patterns** - Review DNS query logs to identify unusual access patterns or potential security issues. Set up alerts for queries from unexpected IP ranges or using expired tokens.

## Operational best practices
<a name="gr-operational-best-practices"></a>

Follow these operational practices to maintain reliable access controls:
+ **Document your access control strategy** - Maintain clear documentation of which access sources and tokens serve which client groups.
+ **Test access controls regularly** - Verify that your access source rules and tokens work correctly from different client locations and scenarios.
+ **Plan for token renewal** - Establish processes for distributing new tokens before old ones expire to avoid service disruptions.
+ **Review access controls periodically** - Remove unused access source rules and expired tokens to maintain a clean configuration.