

# Securing DNS for clients with Route 53 Global Resolver
<a name="gr-securing-dns"></a>

The following sections describe how to create rules to secure DNS queries made by your clients.

**Topics**
+ [Configure and manage DNS Firewall rules](gr-configure-manage-firewall-rules.md)
+ [Managed Domain Lists](gr-managed-domain-lists.md)
+ [Build domain lists](gr-build-domain-lists.md)
+ [DNS Firewall Advanced protections](gr-dns-firewall-advanced-protections.md)
+ [Manage security policies](gr-manage-dns-security-policies.md)

# Configure and manage DNS Firewall rules
<a name="gr-configure-manage-firewall-rules"></a>

## Creating and viewing firewall rules
<a name="gr-creating-viewing-firewall-rules"></a>

Firewall rules define how Route 53 Global Resolver handles DNS queries based on domain lists, managed domain lists, content categories, or advanced threat protection. Each rule specifies a priority, target domains, and an action to take.

**Best practices for rule priority:**
+ Use priority 100-999 for high-priority allow rules (trusted domains)
+ Use priority 1000-4999 for block rules (known threats)
+ Use priority 5000-9999 for alert rules (monitoring and analysis)
+ Leave gaps between priorities to allow for future rule insertion

**To create a DNS Firewall rule**

1. In the Route 53 Global Resolver console, navigate to your DNS view.

1. Choose the **Firewall rules** tab.

1. Choose **Create firewall rule**.

1. In the **Rule details** section:

   1. For **Rule name**, enter a descriptive name for the rule (up to 128 characters).

   1. (Optional) For **Rule description**, enter a description for the rule (up to 255 characters).

1. In the **Rule configuration** section, choose the **Rule configuration type**:
   + **Customer managed domain lists** - Use a domain list that you create and manage
   + **AWS managed domain lists** - Use domain lists that AWS provides and maintains for you
   + **DNS Firewall Advanced protections** - Choose from a range of managed protections and specify a confidence threshold

1. For **Rule action**, choose the action to take when the rule matches:
   + **Allow** - The DNS query is resolved
   + **Alert** - Allows the DNS query but creates an alert
   + **Block** - The DNS query is blocked

1. Choose **Create firewall rule**.

Use the following procedure to view the rules assigned to a DNS View. You can also update a rule and its settings.

**To view and update a rule**

1. In the Route 53 Global Resolver console, navigate to your DNS View.

1. Choose the **DNS Firewall rules** tab.

1. Choose the rule you want to view or edit, and choose **Edit**.

1. In the **Rule** page, you can view and edit settings.

For information about the values for rules, see [Rule settings in DNS Firewall](#gr-rule-settings-dns-firewall).

**To delete a rule**

1. In the Route 53 Global Resolver console, navigate to your DNS View.

1. Choose the **DNS Firewall rules** tab.

1. Choose the rule you want to delete, and choose **Delete**, and confirm the deletion.

## Rule settings in DNS Firewall
<a name="gr-rule-settings-dns-firewall"></a>

When you create or edit a DNS Firewall rule in your DNS View, you specify the following values:

Name  
A unique identifier for the rule in the DNS View.

(Optional) Description  
A short description that provides more information about the rule.

Domain list  
The list of domains that the rule inspects for. You can create and manage your own domain list or you can subscribe to a domain list that AWS manages for you.  
A rule can contain either a domain list or a DNS Firewall Advanced protection, but not both.

Query type (domain lists only)  
The list of DNS query types that the rule inspects for. The following are the valid values:  
+ A: Returns an IPv4 address.
+ AAAA: Returns an IPv6 address.
+ CAA: Restricts the CAs that can issue SSL/TLS certificates for the domain.
+ CNAME: Returns another domain name.
+ DS: Record that identifies the DNSSEC signing key of a delegated zone.
+ MX: Specifies mail servers.
+ NAPTR: Regular-expression-based rewriting of domain names.
+ NS: Authoritative name servers.
+ PTR: Maps an IP address to a domain name.
+ SOA: Start of authority record for the zone.
+ SPF: Lists the servers authorized to send emails from a domain.
+ SRV: Application specific values that identify servers.
+ TXT: Verifies email senders and application-specific values.
You can also specify a query type by its DNS type ID, for example 28 for AAAA. Write the value as TYPE`NUMBER`, where `NUMBER` can be 1-65334, for example TYPE28. For more information, see [List of DNS record types](https://en.wikipedia.org/wiki/List_of_DNS_record_types).  
You can create one query type per rule.

DNS Firewall Advanced protection  
Detects suspicious DNS queries based on known threat signatures in DNS queries. You can choose protection from:  
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from a client by encoding it in DNS queries, without establishing a separate network connection to the client.
In a DNS Firewall Advanced rule you can choose to either block or alert on a query that matches the threat.  
For more information, see [DNS Firewall Advanced protections](gr-dns-firewall-advanced-protections.md).  
A rule can contain either a DNS Firewall Advanced protection or a domain list, but not both.

Confidence threshold (DNS Firewall Advanced only)  
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:  
+ High – Detects only the most well corroborated threats with a low rate of false positives.
+ Medium – Provides a balance between detecting threats and false positives.
+ Low – Provides the highest detection rate for threats, but also increases false positives.
For more information, see [DNS Firewall Advanced protections](gr-dns-firewall-advanced-protections.md).

Action  
How you want DNS Firewall to handle a DNS query whose domain name matches the specifications in the rule's domain list. For more information, see [Rule actions in DNS Firewall](#gr-rule-actions-dns-firewall).

Priority  
Unique positive integer setting for the rule within the DNS View that determines processing order. DNS Firewall inspects DNS queries against the rules in a DNS View starting with the lowest numeric priority setting and going up. You can change a rule's priority at any time, for example to change the order of processing or make space for other rules.

## Rule actions in DNS Firewall
<a name="gr-rule-actions-dns-firewall"></a>

When DNS Firewall finds a match between a DNS query and a domain specification in a rule, it applies the action that's specified in the rule to the query.

You are required to specify one of the following options in each rule that you create:
+ **Allow** – Stop inspecting the query and permit it to go through. Not available for DNS Firewall Advanced.
+ **Alert** – Stop inspecting the query, permit it to go through, and log an alert for the query in the Route 53 Resolver logs.
+ **Block** – Discontinue inspection of the query, block it from going to its intended destination, and log the block action for the query in the Route 53 Resolver logs.

  Reply with the configured block response, from the following:
  + **NODATA** – Respond indicating that the query was successful, but no response is available for it.
  + **NXDOMAIN** – Respond indicating that the query's domain name doesn't exist.
  + **OVERRIDE** – Provide a custom override in the response. This option requires the following additional settings:
    + **Record value** – The custom DNS record to send back in response to the query.
    + **Record type** – The DNS record's type. This determines the format of the record value. This must be `CNAME`.
    + **Time to live in seconds** – The recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

# Managed Domain Lists for Route 53 Global Resolver
<a name="gr-managed-domain-lists"></a>

Managed Domain Lists contain domain names that are associated with malicious activity or other potential threats. AWS maintains these lists to enable Route 53 Global Resolver customers to check internet-bound DNS queries against them when using DNS Firewall.

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Managed Domain Lists can save you time when you implement and use DNS Firewall on Global Resolver. AWS automatically updates the lists when new vulnerabilities and threats emerge.

Managed domain lists are categorized into Threat and Content categories, designed to help protect you from common web threats and to block query resolution for domains that are not safe for work.

As a best practice, before using a Managed Domain List in production, test it in a non-production environment, with the rule action set to `Alert`. Evaluate the rule using Amazon CloudWatch metrics combined with DNS Firewall sampled requests or Global Resolver logs. When you're satisfied that the rule does what you want, change the action setting as needed.

## Available AWS Managed Domain Lists
<a name="gr-available-managed-domain-lists"></a>

This section describes the Managed Domain Lists that are currently available for Global Resolver. AWS provides the following Managed Domain Lists, for all users of Global Resolver, classified by **Threat** or **Content** Type.

**Threat Categories**  

| Threat category | 
| --- |
| Malware | 
| Botnet/Command and Control | 
| Aggregate Threat List | 
| Amazon GuardDuty Threat List | 
| Phishing | 
| Spam | 

**Content Categories**  

| Content category | 
| --- |
| Violence and Hate Speech | 
| For Kids | 
| Online Ads | 
| Science | 
| Family and Parenting | 
| Pets | 
| Career and Job Search | 
| Religion | 
| Lifestyle | 
| Home and Garden | 
| Criminal and Illegal Activities | 
| Sports and Recreation | 
| Vehicles | 
| Financial Services | 
| Real Estate | 
| Hobbies and Interests | 
| Travel | 
| Food and Dining | 
| Government and Legal | 
| Education | 
| Fashion | 
| Health | 
| Shopping | 
| Adult and Mature Content | 
| Technology and Internet | 
| Business and Economy | 
| News | 
| Search Engines and Portals | 
| Arts and Culture | 
| Entertainment | 
| Military | 
| Social Networking | 
| Proxy Avoidance | 
| Redirect | 
| Email | 
| Translation | 
| Child Abuse | 
| Abortion | 
| Gambling | 
| Hacking | 
| Marijuana | 
| Cryptocurrency | 
| Dating | 
| Artificial Intelligence and Machine Learning | 
| Parked Domains | 
| Private IP Address | 

Managed Domain Lists cannot be downloaded or browsed. To protect intellectual property, you can't view or edit the individual domain specifications within the Managed Domain Lists. This restriction also helps to prevent malicious users from designing threats that specifically circumvent published lists.

# Build lists of domains to block or allow
<a name="gr-build-domain-lists"></a>

You can create your own domain lists to specify domain categories that you either don't find in the managed domain list offerings or that you prefer to handle on your own.

In addition to the procedures described in this section, in the console, you can create a domain list in the context of DNS Firewall rule management, when you create or update a rule.

Each domain specification in your domain list must satisfy the following requirements:
+ It can optionally start with `*` (asterisk).
+ Apart from the optional leading asterisk and the period used as a delimiter between labels, it can contain only the following characters: `A-Z`, `a-z`, `0-9`, `-` (hyphen).
+ It must be from 1-255 characters in length.
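The following is an added example, not code from the Route 53 Global Resolver service or its documentation: a checker that applies the three requirements above to each specification and to a one-domain-per-line list in the format used for uploads. It assumes, beyond what the page states, that empty labels (a leading, trailing or doubled period) are rejected; `SAMPLE_LIST` is constructed for the example.

```python
import re

# Characters allowed inside a label per the requirements above:
# letters, digits and hyphen. '.' delimits labels; '*' may only lead.
_LABEL = re.compile(r"^[A-Za-z0-9-]+$")

def validate_domain_spec(spec: str) -> tuple[bool, str]:
    """Return (True, "") when spec satisfies the three requirements listed
    above, otherwise (False, reason). Rejecting empty labels (leading,
    trailing or doubled '.') is an extra check assumed by this example."""
    if not 1 <= len(spec) <= 255:
        return False, "length must be 1-255 characters"
    body = spec
    if body.startswith("*"):
        body = body[1:]
        if body.startswith("."):      # the '.' that delimits '*' from a label
            body = body[1:]
    if not body:
        return False, "'*' must be followed by a domain name"
    if "*" in body:
        return False, "'*' is only allowed at the start of the specification"
    for label in body.split("."):
        if label == "":
            return False, "empty label (leading, trailing or doubled '.')"
        if not _LABEL.match(label):
            return False, f"label {label!r} has a character outside A-Z, a-z, 0-9, -"
    return True, ""

def parse_domain_list(text: str) -> tuple[list[str], dict[str, str]]:
    """Check a one-domain-per-line list (the upload format used on this
    page). Returns the accepted specs in order and a map of each rejected
    line to the reason, so a bad line can be fixed before upload."""
    accepted: list[str] = []
    rejected: dict[str, str] = {}
    for line in text.splitlines():
        spec = line.strip()
        if not spec:                  # blank lines carry nothing
            continue
        ok, reason = validate_domain_spec(spec)
        if ok:
            accepted.append(spec)
        else:
            rejected[spec] = reason
    return accepted, rejected

# Constructed sample list: two valid specs and two that violate the rules.
SAMPLE_LIST = "example.com\n*.evil.test\nunder_score.example\n\nbad..labels\n"

if __name__ == "__main__":
    print(parse_domain_list(SAMPLE_LIST))
```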

**To create a domain list**

1. In the Route 53 Global Resolver console, navigate to your Global Resolver.

1. Choose the **Domain lists** tab.

1. Choose **Create domain list**.

1. Provide a name and optional description for your domain list, along with any tags, and select **Create domain list**.

1. Once created and operational, you can begin adding domains to your domain list by selecting **Add domains**.

1. If you choose to **Upload a list of domains from an Amazon S3 bucket**, enter the Amazon S3 URI of the object that contains your domain list. The list must have one domain specification per line.

1. Otherwise, enter your domain specifications in the text box, one per line.

1. Choose **Add domains**.

**To delete a domain list**

1. In the Route 53 Global Resolver console, navigate to your Global Resolver.

1. Choose the **Domain lists** tab.

1. Select the domain list that you want to delete, then choose **Delete**, and confirm the deletion.

# DNS Firewall Advanced protections
<a name="gr-dns-firewall-advanced-protections"></a>

DNS Firewall Advanced detects suspicious DNS queries based on known threat signatures in DNS queries. You specify a threat type in a DNS Firewall rule that is associated with a DNS View.

DNS Firewall Advanced identifies suspicious DNS threat signatures by inspecting a range of key identifiers in the DNS payload, including the timestamp of requests, the frequency of requests and responses, the DNS query strings, and the length, type, or size of both outbound and inbound DNS queries. Based on the type of threat signature, you can configure policies to block the query, or simply log and alert on it. By using this expanded set of threat identifiers, you can protect against DNS threats from domain sources that may not yet be classified by the threat intelligence feeds maintained by the broader security community.

Currently, DNS Firewall Advanced offers protections from:
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ Dictionary DGA

  Detects DGAs that assemble large numbers of domain names from dictionary words to carry out malicious command and control DNS communications.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from a client by encoding it in DNS queries, without establishing a separate network connection to the client.

To learn how to create rules, see [Configure and manage DNS Firewall rules](gr-configure-manage-firewall-rules.md).

## Mitigating false positive scenarios
<a name="gr-mitigating-false-positives"></a>

If you are encountering false-positive scenarios in rules that use DNS Firewall Advanced protections to block queries, perform the following steps:

1. In the Global Resolver logs, identify the rule and DNS Firewall Advanced protections that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the DNS View, the rule, rule action, and the DNS Firewall Advanced protection.

1. Create a new rule in the DNS View that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule management at [Configure and manage DNS Firewall rules](gr-configure-manage-firewall-rules.md).

1. Prioritize the new rule within the DNS View so that it runs before the rule that is blocking the query. To do this, give the new rule a lower numeric priority setting.

When you have updated your rules, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs.

# Manage DNS security policies in Route 53 Global Resolver
<a name="gr-manage-dns-security-policies"></a>

## Managing global resolvers
<a name="gr-managing-resolvers"></a>

After creating a global resolver, you can view its details, edit its configuration, and manage associated resources from the Global Resolvers page.

### Viewing resolver details
<a name="gr-viewing-resolver-details"></a>

The Global Resolvers page displays a list of all your resolvers with key information including resolver name, deployed regions, associated DNS views, observability region, and operational status.

### Editing global resolvers
<a name="gr-editing-resolvers"></a>

You can modify the resolver name and description after creation. You cannot modify the regions where a global resolver is deployed after creation.

## Managing firewall rules
<a name="gr-managing-firewall-rules"></a>

After creating firewall rules, you can modify their priority, update their configuration, or delete them as needed.

### Rule priority and evaluation order
<a name="gr-rule-priority"></a>

Firewall rules are evaluated in priority order, with lower numbers processed first. When a query matches multiple rules, only the first matching rule's action is applied.
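The evaluation order described here, and the allow-exception procedure in "Mitigating false positive scenarios", as an added example rather than code from the service: a small simulator that walks a DNS View's rules from the lowest priority upward and applies the first match. It assumes wildcard semantics not spelled out on this page (`*.example.com` matches subdomains but not `example.com` itself); the rules in `SAMPLE_RULES` are constructed and follow the priority bands recommended under "Configure and manage DNS Firewall rules".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # unique within the DNS View; lowest runs first
    action: str                     # "ALLOW", "ALERT" or "BLOCK"
    domains: tuple                  # domain specifications from the rule's domain list
    query_types: tuple = ()         # empty = any query type, otherwise e.g. ("TXT",)
    block_response: str = "NODATA"  # NODATA, NXDOMAIN or OVERRIDE (BLOCK only)

def spec_matches(spec: str, qname: str) -> bool:
    """Assumed wildcard semantics: 'example.com' matches only that name,
    '*.example.com' matches every subdomain but not example.com itself.
    Comparison is case-insensitive and ignores a trailing dot."""
    spec, qname = spec.lower().rstrip("."), qname.lower().rstrip(".")
    if spec.startswith("*."):
        return qname.endswith(spec[1:]) and qname != spec[2:]
    return qname == spec

def evaluate(rules, qname: str, qtype: str):
    """Walk the DNS View's rules from the lowest numeric priority upward and
    return (rule name, action, block response) for the first rule that
    matches; None means no rule matched and the query is simply resolved."""
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique within a DNS View")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.query_types and qtype.upper() not in rule.query_types:
            continue
        if any(spec_matches(s, qname) for s in rule.domains):
            response = rule.block_response if rule.action == "BLOCK" else None
            return rule.name, rule.action, response
    return None

# Constructed sample rules using the recommended bands: 100-999 allow,
# 1000-4999 block, 5000-9999 alert. The allow rule at 100 is the
# false-positive exception: it runs before the broader block rule.
SAMPLE_RULES = (
    Rule("allow-exception", 100, "ALLOW", ("good.bad-example.net",)),
    Rule("block-known-bad", 1000, "BLOCK", ("*.bad-example.net",),
         block_response="NXDOMAIN"),
    Rule("alert-txt-lookups", 5000, "ALERT", ("*.example.org",),
         query_types=("TXT",)),
)

if __name__ == "__main__":
    for qname, qtype in [("evil.bad-example.net", "A"), ("good.bad-example.net.", "A"),
                         ("data.example.org", "TXT"), ("bad-example.net", "A")]:
        print(qname, qtype, "->", evaluate(SAMPLE_RULES, qname, qtype))
```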

### Updating firewall rules
<a name="gr-updating-rules"></a>

You can update most aspects of a firewall rule after creation, including its priority, action, and target domains.