

# DNS Firewall rule groups and rules
<a name="resolver-dns-firewall-rule-groups"></a>

This section describes the settings that you can configure for your DNS Firewall rule groups and rules, to define the DNS Firewall behavior for your VPCs. It also describes how to manage the settings for your rule groups and rules. 

When you have your rule groups configured the way you want them, you use them directly and you can share and manage them between accounts and across your organization in AWS Organizations.
+ You can associate a rule group with multiple VPCs, to provide consistent behavior across your organization. For information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).
+ You can share rule groups between accounts, for consistent DNS query management across your organization. For information, see [Sharing Resolver DNS Firewall rule groups between AWS accounts](resolver-dns-firewall-rule-group-sharing.md).
+ You can use rule groups across your organization in AWS Organizations by managing them in AWS Firewall Manager policies. For information about Firewall Manager, see [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*.

# Rule group settings in DNS Firewall
<a name="resolver-dns-firewall-rule-group-settings"></a>

When you create or edit a DNS Firewall rule group, you specify the following values:

**Name**  
A unique name that lets you easily find a rule group on the dashboard.

**(Optional) Description**  
A short description that provides more context for the rule group. 

**Region**  
The AWS Region that you choose when you create the rule group. A rule group that you create in one Region is available only in that Region. To use the same rule group in more than one Region, you must create it in each Region.

**Rules**  
The rule group filtering behavior is contained in its rules. For information, see the following section.

**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.  
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.

# Rule settings in DNS Firewall
<a name="resolver-dns-firewall-rule-settings"></a>

When you create or edit a rule in a DNS Firewall rule group, you specify the following values:

**Name**  
A unique identifier for the rule in the rule group.

**(Optional) Description**  
A short description that provides more information about the rule. 

**Domain list**  
The list of domains that the rule inspects for. You can create and manage your own domain list or you can subscribe to a domain list that AWS manages for you. For more information, see [Resolver DNS Firewall domain lists](resolver-dns-firewall-domain-lists.md).   
A rule can contain either a domain list or a DNS Firewall Advanced protection, but not both.

**Domain redirection setting (domain lists only)**  
You can choose for the DNS Firewall rule to inspect only the first domain or all (default) the domains in the DNS redirection chain, such as CNAME, DNAME, etc. If you choose to inspect all the domains, you must add the subsequent domains in the DNS redirection chain to the domain list and set to the action you want the rule to take, either ALLOW, BLOCK, or ALERT. For more information, see [Resolver DNS Firewall components and settings](resolver-dns-firewall-overview.md#resolver-dns-firewall-components).   
The trust behavior of the domain redirection setting only applies within a single DNS query transaction. If a DNS client on your host separately queries a domain that appears in a DNS redirection chain (for example, querying the redirection target directly), DNS Firewall evaluates it as an independent query with no trust context from the original query. To allow such queries, add the redirection target domains to your domain list.

**Query type (domain lists only)**  
The list of DNS query types that the rule inspects for. The following are the valid values:  
+ A: Returns an IPv4 address.
+ AAAA: Returns an IPv6 address.
+ CAA: Restricts the CAs that can issue SSL/TLS certificates for the domain.
+ CNAME: Returns another domain name.
+ DS: Record that identifies the DNSSEC signing key of a delegated zone.
+ MX: Specifies mail servers.
+ NAPTR: Regular-expression-based rewriting of domain names.
+ NS: Authoritative name servers.
+ PTR: Maps an IP address to a domain name.
+ SOA: Start of authority record for the zone.
+ SPF: Lists the servers authorized to send emails from a domain.
+ SRV: Application specific values that identify servers.
+ TXT: Verifies email senders and application-specific values.
+ A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPE*NUMBER*, where the *NUMBER* can be 1-65334, for example, TYPE28. For more information, see [List of DNS record types](https://en.wikipedia.org/wiki/List_of_DNS_record_types).

You can create one query type per rule.

**Note**  
If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, this action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled.

**DNS Firewall Advanced protection**  
Detects suspicious DNS queries based on known threat signatures in DNS queries. You can choose protection from:  
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from a client over DNS queries, without establishing a direct network connection to the client.
+ Dictionary DGA

  Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications.
In a DNS Firewall Advanced rule you can choose to either block or alert on a query that matches the threat.   
For more information, see [Resolver DNS Firewall Advanced](firewall-advanced.md).   
A rule can contain either a DNS Firewall Advanced protection or a domain list, but not both.

**Confidence threshold (DNS Firewall Advanced only)**  
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:  
+ High – Detects only the most well corroborated threats with a low rate of false positives.
+ Medium – Provides a balance between detecting threats and false positives.
+ Low – Provides the highest detection rate for threats, but also increases false positives.
For more information, see [Rule settings in DNS Firewall](#resolver-dns-firewall-rule-settings). 

**Action**  
How you want DNS Firewall to handle a DNS query whose domain name matches the specifications in the rule's domain list. For more information, see [Rule actions in DNS Firewall](resolver-dns-firewall-rule-actions.md). 

**Priority**  
Unique positive integer setting for the rule within the rule group that determines processing order. DNS Firewall inspects DNS queries against the rules in a rule group starting with the lowest numeric priority setting and going up. You can change a rule's priority at any time, for example to change the order of processing or make space for other rules. 

# Rule actions in DNS Firewall
<a name="resolver-dns-firewall-rule-actions"></a>

When DNS Firewall finds a match between a DNS query and a domain specification in a rule, it applies the action that's specified in the rule to the query. 

You are required to specify one of the following options in each rule that you create: 
+ **Allow** – Stop inspecting the query and permit it to go through. Not available for DNS Firewall Advanced.
+ **Alert** – Stop inspecting the query, permit it to go through, and log an alert for the query in the Route 53 VPC Resolver logs. 
+ **Block** – Discontinue inspection of the query, block it from going to its intended destination, and log the block action for the query in the Route 53 VPC Resolver logs. 

  Reply with the configured block response, from the following: 
  + **NODATA** – Respond indicating that the query was successful, but no response is available for it.
  + **NXDOMAIN** – Respond indicating that the query's domain name doesn't exist.
  + **OVERRIDE** – Provide a custom override in the response. This option requires the following additional settings: 
    + **Record value** – The custom DNS record to send back in response to the query. 
    + **Record type** – The DNS record's type. This determines the format of the record value. This must be `CNAME`.
    + **Time to live in seconds** – The recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

For more information about the query logs configuration and the contents, see [Resolver query logging](resolver-query-logs.md) and [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md). 
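The rule settings and rule actions above combine into one evaluation: rules run from the lowest numeric priority upward, the first rule whose domain list (and optional query type) matches decides, and a BLOCK carries one of the three block responses. The following Python model, added here as an illustration and not AWS code, encodes those documented semantics for a sample rule group. The `*.example` wildcard matching, the way a trusted redirection chain stops further inspection, and the rule and domain names are all assumptions made for the example; the IANA type IDs used to map `TYPE28` to `AAAA` are standard values.

```python
"""Model of how a DNS Firewall rule group evaluates a query (added example, not AWS code)."""
from dataclasses import dataclass
import re

ALLOW, ALERT, BLOCK = "ALLOW", "ALERT", "BLOCK"
NODATA, NXDOMAIN, OVERRIDE = "NODATA", "NXDOMAIN", "OVERRIDE"

# IANA type IDs for the named query types listed on the page (standard values).
TYPE_IDS = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
            "AAAA": 28, "SRV": 33, "NAPTR": 35, "DS": 43, "SPF": 99, "CAA": 257}
_NAME_BY_ID = {v: k for k, v in TYPE_IDS.items()}
_TYPE_RE = re.compile(r"^TYPE(\d+)$")


def normalize_query_type(qtype):
    """Return a canonical query type: a listed name, or TYPE<n> with n in 1-65334 (page range)."""
    qtype = qtype.strip().upper()
    if qtype in TYPE_IDS:
        return qtype
    m = _TYPE_RE.match(qtype)
    if not m or not 1 <= int(m.group(1)) <= 65334:
        raise ValueError(f"invalid query type: {qtype!r}")
    return _NAME_BY_ID.get(int(m.group(1)), qtype)  # TYPE28 -> AAAA, TYPE65000 stays as is


@dataclass
class Rule:
    name: str
    priority: int                      # unique positive integer; lower numbers run first
    domains: tuple                     # domain list entries, e.g. ("c2.example", "*.c2.example")
    action: str                        # ALLOW, ALERT or BLOCK
    query_type: str = None             # None inspects every query type
    block_response: str = NODATA       # NODATA, NXDOMAIN or OVERRIDE (BLOCK only)
    override_value: str = None         # CNAME target returned for OVERRIDE
    inspect_redirects: bool = True     # page default: inspect all domains in the redirection chain


@dataclass
class Decision:
    action: str
    rule: str = None
    response: str = None
    answer: str = None
    logged: bool = False               # ALERT and BLOCK are written to the Resolver query logs


def validate_rules(rules):
    """Reject settings the page calls invalid and return the rules in processing order."""
    seen = set()
    for r in rules:
        if r.priority <= 0 or r.priority in seen:
            raise ValueError(f"rule {r.name}: priority must be a unique positive integer")
        seen.add(r.priority)
        if r.query_type is not None:
            normalize_query_type(r.query_type)
        if r.action == BLOCK and r.block_response == OVERRIDE and not r.override_value:
            raise ValueError(f"rule {r.name}: OVERRIDE needs a record value")
    return sorted(rules, key=lambda r: r.priority)


def domain_matches(entries, name):
    """Assumed matching model: an exact entry, or '*.x' matching any name under x."""
    name = name.rstrip(".").lower()
    for entry in entries:
        entry = entry.rstrip(".").lower()
        if entry.startswith("*.") and name.endswith(entry[1:]):
            return True
        if name == entry:
            return True
    return False


def first_match(rules, name, qtype):
    """First rule (in priority order) whose query type and domain list match this name."""
    for r in rules:
        if r.query_type and normalize_query_type(r.query_type) != qtype:
            continue
        if domain_matches(r.domains, name):
            return r
    return None


def evaluate(rules, chain, qtype):
    """chain: the queried name followed by any CNAME/DNAME targets in the redirection chain."""
    rules = validate_rules(list(rules))
    qtype = normalize_query_type(qtype)
    alert_rule = allow_rule = None
    for name in chain:
        r = first_match(rules, name, qtype)
        if r is None:
            continue                   # nothing matched this name; keep inspecting the chain
        if r.action == BLOCK:
            answer = r.override_value if r.block_response == OVERRIDE else None
            return Decision(BLOCK, r.name, r.block_response, answer, logged=True)
        if r.action == ALERT and alert_rule is None:
            alert_rule = r.name
        if r.action == ALLOW:
            allow_rule = r.name
        if not r.inspect_redirects:
            break                      # this rule trusts the rest of the redirection chain
    if alert_rule:
        return Decision(ALERT, alert_rule, logged=True)
    return Decision(ALLOW, allow_rule)


# Constructed sample rule group; every name here is made up for the example.
RULES = [
    Rule("allow-sinkholed-host", 50, ("allowed.malware.example",), ALLOW),
    Rule("block-malware", 100, ("*.malware.example",), BLOCK, block_response=NXDOMAIN),
    Rule("trust-cdn", 200, ("cdn.example",), ALLOW, inspect_redirects=False),
    Rule("alert-tracker", 300, ("tracker.example",), ALERT),
    Rule("sinkhole", 400, ("phish.example",), BLOCK, block_response=OVERRIDE,
         override_value="sinkhole.internal.example"),
    Rule("block-ipv6-lookups", 500, ("ipv6only.example",), BLOCK, query_type="TYPE28"),
]
```

Two cases are worth running first: `allowed.malware.example` is allowed although it also matches the `*.malware.example` block entry, because priority 50 is processed before 100; and a query for `cdn.example` that redirects to `c2.malware.example` is allowed only because `trust-cdn` inspects the first domain only, whereas the default setting would inspect the chain and block it.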

**Use Alert to test blocking rules**  
When you first create a blocking rule, you can test it by configuring it with the action set to Alert. You can then look at the number of queries that the rule alerts on to see how many would be blocked if you set the action to Block. 
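Putting that advice into practice means reading the Resolver query logs for the rule group's ALERT entries. The Python below is an added example, not AWS code: it parses constructed log lines in the JSON format the Resolver query logging docs describe and reports, for one rule group, how many queries would have been blocked, which names they asked for, and which source addresses would be affected. The field names `query_name`, `query_type`, `srcaddr`, `firewall_rule_action`, `firewall_rule_group_id` and `firewall_domain_list_id` are assumed to follow the documented log format, and the IDs in the sample are placeholders.

```python
"""Estimate the impact of a blocking rule from its ALERT log entries (added example, not AWS code)."""
import json
from collections import Counter

# Constructed sample of Resolver query log lines; IDs and names are placeholders.
SAMPLE_LOG = """\
{"query_name":"c2.malware.example.","query_type":"A","srcaddr":"10.0.1.12","rcode":"NOERROR","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE1","firewall_domain_list_id":"rslvr-fdl-EXAMPLE1"}
{"query_name":"c2.malware.example.","query_type":"A","srcaddr":"10.0.1.12","rcode":"NOERROR","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE1","firewall_domain_list_id":"rslvr-fdl-EXAMPLE1"}
{"query_name":"beacon.malware.example.","query_type":"AAAA","srcaddr":"10.0.2.7","rcode":"NOERROR","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-EXAMPLE1","firewall_domain_list_id":"rslvr-fdl-EXAMPLE1"}
{"query_name":"www.amazon.com.","query_type":"A","srcaddr":"10.0.1.12","rcode":"NOERROR"}
{"query_name":"old.example.","query_type":"A","srcaddr":"10.0.3.3","rcode":"NXDOMAIN","firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-EXAMPLE2","firewall_domain_list_id":"rslvr-fdl-EXAMPLE2"}
this line is not json and is skipped
"""


def parse_log(text):
    """One JSON object per line; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def action_counts(records):
    """Count (rule group, action) pairs; queries no firewall rule touched have no action field."""
    counts = Counter()
    for rec in records:
        action = rec.get("firewall_rule_action")
        if action:
            counts[(rec.get("firewall_rule_group_id"), action)] += 1
    return counts


def alert_impact(records, rule_group_id):
    """What would change if this rule group's Alert rules were switched to Block."""
    names, sources, types = Counter(), set(), Counter()
    for rec in records:
        if rec.get("firewall_rule_group_id") != rule_group_id:
            continue
        if rec.get("firewall_rule_action") != "ALERT":
            continue
        names[rec.get("query_name", "")] += 1
        types[rec.get("query_type", "")] += 1
        if rec.get("srcaddr"):
            sources.add(rec["srcaddr"])
    return {"queries": sum(names.values()), "names": names,
            "query_types": types, "sources": sources}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(action_counts(recs))
    report = alert_impact(recs, "rslvr-frg-EXAMPLE1")
    print(f"{report['queries']} queries from {len(report['sources'])} sources would be blocked")
    for name, n in report["names"].most_common():
        print(f"  {n:>4}  {name}")
```

The source address set is the part to look at before flipping the action: a large alert count from a single host is usually one noisy client, while the same count spread across many hosts means the block will be felt widely.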

# Managing rule groups and rules in DNS Firewall
<a name="resolver-dns-firewall-rule-group-managing"></a>

To manage rule groups and rules in the console, follow the guidance in this section.

When you make changes to DNS Firewall entities, like rules and domain lists, DNS Firewall propagates the changes everywhere that the entities are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you add a domain to a domain list that's referenced by a blocking rule, the new domain might briefly be blocked in one area of your VPC while still allowed in another. This temporary inconsistency can occur when you first configure your rule group and VPC associations and when you change existing settings. Generally, any inconsistencies of this type last only a few seconds.

# Creating a rule group and rules
<a name="resolver-dns-firewall-rule-group-adding"></a>

To create a rule group and add rules to it, follow the steps in this procedure.

**To create a rule group and its rules**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Choose **Add rule group**, then follow the wizard guidance to specify your rule group and rule settings.

   For information about the values for rule groups, see [Rule group settings in DNS Firewall](resolver-dns-firewall-rule-group-settings.md).

   For information about the values for rules, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md).

# Viewing and updating a rule group and rules
<a name="resolver-dns-firewall-rule-group-editing"></a>

Use the following procedure to view the rule groups and the rules assigned to them. You can also update the rule group and rule settings.

**To view and update a rule group**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group that you want to view or edit, then choose **View details**. 

1. In the rule group's page, you can view and edit settings.

   For information about the values for rule groups, see [Rule group settings in DNS Firewall](resolver-dns-firewall-rule-group-settings.md).

   For information about the values for rules, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md).

# Deleting a rule group
<a name="resolver-dns-firewall-rule-group-deleting"></a>

To delete a rule group, perform the following procedure.

**Important**  
If you delete a rule group that's associated with a VPC, DNS Firewall removes the association and stops the protections that the rule group was providing to the VPC. 

**Deleting DNS Firewall entities**  
When you delete an entity that you can use in DNS Firewall, like a domain list that might be in use in a rule group, or a rule group that might be associated with a VPC, DNS Firewall checks to see if the entity is currently being used. If it finds that it is in use, DNS Firewall warns you. DNS Firewall is almost always able to determine if an entity is in use. However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your DNS Firewall configurations before deleting it. If the entity is a referenced domain list, check that no rule groups are using it. If the entity is a rule group, check that it is not associated with any VPCs.

**To delete a rule group**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group that you want to delete, then choose **Delete**, and confirm the deletion.