

# Using DNS Firewall to filter outbound DNS traffic
<a name="resolver-dns-firewall"></a>

With Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups to your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly. 

DNS Firewall provides protection for outbound DNS requests from your VPCs. These requests route through VPC Resolver for domain name resolution. A primary use of DNS Firewall protections is to help prevent DNS exfiltration of your data. DNS exfiltration can happen when a bad actor compromises an application instance in your VPC and then uses DNS lookup to send data out of the VPC to a domain that they control. With DNS Firewall, you can monitor and control the domains that your applications can query. You can deny access to the domains that you know to be bad and allow all other queries to pass through. Alternately, you can deny access to all domains except for the ones that you explicitly trust. 

You can also use DNS Firewall to block resolution requests to resources in private hosted zones (shared or local) including VPC endpoint names. It can also block requests for public or private Amazon EC2 instance names.

DNS Firewall is a feature of Route 53 VPC Resolver and doesn't require any additional VPC Resolver setup to use. 

**AWS Firewall Manager supports DNS Firewall**  
You can use Firewall Manager to centrally configure and manage your DNS Firewall rule group associations for your VPCs across your accounts in AWS Organizations. Firewall Manager automatically adds associations for VPCs that come into scope of your Firewall Manager DNS Firewall policy. For more information, see [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*.

**How DNS Firewall works with AWS Network Firewall**  
DNS Firewall and Network Firewall both offer domain name filtering, but for different types of traffic. With DNS Firewall and Network Firewall together, you can configure domain-based filtering for application layer traffic over two different network paths. 
+ DNS Firewall provides filtering for outbound DNS queries that pass through the Route 53 VPC Resolver from applications within your VPCs. You can also configure DNS Firewall to send custom responses for queries to blocked domain names. 
+ Network Firewall provides filtering for both network and application layer traffic, but does not have visibility into queries made by Route 53 VPC Resolver. 

For more information about Network Firewall, see the [Network Firewall Developer Guide](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html).

# How Resolver DNS Firewall works
<a name="resolver-dns-firewall-overview"></a>

Resolver DNS Firewall lets you control access to sites and block DNS-level threats for DNS queries going out from your VPC through the Route 53 VPC Resolver. With DNS Firewall, you define domain name filtering rules in rule groups that you associate with your VPCs. You can specify lists of domain names to allow or block, or Resolver DNS Firewall Advanced rules that offer protection from DNS tunneling and Domain Generation Algorithm (DGA) based threats. You can customize the responses for the DNS queries that you block. For rules that contain a domain list, you can also fine-tune the rule to allow certain query types, such as MX-records, through. 

DNS Firewall only filters on the domain name. It does not resolve that name to an IP address to be blocked. Additionally, DNS Firewall filters DNS traffic, but it doesn't filter other application layer protocols, such as HTTPS, SSH, TLS, FTP, and so on.

## Resolver DNS Firewall components and settings
<a name="resolver-dns-firewall-components"></a>

You manage DNS Firewall with the following central components and settings.

**DNS Firewall rule group**  
Defines a named, reusable collection of DNS Firewall rules for filtering DNS queries. You populate the rule group with the filtering rules, then associate the rule group with one or more VPCs. When you associate a rule group with a VPC, you enable DNS Firewall filtering for the VPC. Then, when VPC Resolver receives a DNS query for a VPC that has a rule group associated with it, VPC Resolver passes the query to DNS Firewall for filtering.   
If you associate multiple rule groups with a single VPC, you indicate their processing order through the priority setting in each association. DNS Firewall processes rule groups for a VPC from the lowest numeric priority setting on up.   
For more information, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 

**DNS Firewall rule**  
Defines a filtering rule for DNS queries in a DNS Firewall rule group. Each rule specifies either one domain list or one DNS Firewall Advanced protection, and an action to take on DNS queries whose domains match the domain specifications in the rule. You can allow (rules with domain lists only), block, or alert on matching queries. In rules with domain lists you can also specify query types for the domains in the list; for example, you can block or allow an MX query type for a specific domain or domains. You can also define custom responses for blocked queries.   
For DNS Firewall Advanced rules, you can only block or alert on matching queries.  
Each rule in a rule group has a priority setting that's unique within the rule group. DNS Firewall processes the rules in a rule group from the lowest numeric priority setting on up.   
DNS Firewall rules exist only in the context of the rule group in which they're defined. You can't reuse a rule or reference it independent of its rule group.   
For more information, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 

**Domain list**  
Defines a named, reusable collection of domain specifications for use in DNS filtering. Each rule in a rule group requires a single domain list. You might choose to specify the domains that you want to allow access to, the domains that you want to deny access to, or a combination of both. You can create your own domain lists and you can use domain lists that AWS manages for you.  
For more information, see [Resolver DNS Firewall domain lists](resolver-dns-firewall-domain-lists.md). 

**Domain redirection setting (Domain lists only)**  
The domain redirection setting allows you to configure a DNS Firewall rule to inspect all the domains in the DNS redirection chain (default), such as CNAME, DNAME, and so on, or to inspect only the first domain and trust the rest. If you choose to inspect the entire DNS redirection chain, you must add the subsequent domains to a domain list and set the action you want the rule to take on them, either ALLOW, BLOCK, or ALERT.  
The trust behavior of the domain redirection setting only applies within a single DNS query transaction. If a DNS client on your host separately queries a domain that appears in a DNS redirection chain (for example, querying the redirection target directly), DNS Firewall evaluates it as an independent query with no trust context from the original query. To allow such queries, add the redirection target domains to your domain list.
For more information, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md). 

**Query type (Domain lists only)**  
The query type setting allows you to configure a DNS Firewall rule to filter a particular DNS query type. If you don't select a query type, the rule is applied to all DNS query types. For example, you might want to block all the query types for a particular domain, but allow MX records.  
For more information, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md). 

**DNS Firewall Advanced protection**  
Detects suspicious DNS queries based on known threat signatures in DNS queries. Each rule in a rule group requires a single DNS Firewall Advanced protection setting. You can choose protection from:  
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from the client through a DNS tunnel, without making a direct network connection to the client.
+ Dictionary DGA

  Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications.
In a DNS Firewall Advanced rule you can choose to either block, or alert on a query that matches the threat. The threat protection algorithms are managed and updated by AWS.  
For more information, see [Resolver DNS Firewall Advanced](firewall-advanced.md). 

**Confidence threshold (DNS Firewall Advanced protection only)**  
The confidence threshold for DNS threat protection. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:  
+ High – Detects only the most well-corroborated threats, with a low rate of false positives.
+ Medium – Provides a balance between detecting threats and false positives.
+ Low – Provides the highest detection rate for threats, but also increases false positives.
For more information, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md). 

**Association between a DNS Firewall rule group and a VPC**  
Defines a protection for a VPC using a DNS Firewall rule group and enables the VPC Resolver DNS Firewall configuration for the VPC.   
If you associate multiple rule groups with a single VPC, you indicate their processing order through the priority setting in the associations. DNS Firewall processes rule groups for a VPC from the lowest numeric priority setting on up.   
For more information, see [Enabling Resolver DNS Firewall protections for your VPC](resolver-dns-firewall-vpc-protections.md). 

**DNS Firewall configuration for a VPC**  
Specifies how VPC Resolver should handle DNS Firewall protections at the VPC level. This configuration is in effect whenever you have at least one DNS Firewall rule group associated with the VPC.   
This configuration specifies how Route 53 VPC Resolver handles queries when DNS Firewall fails to filter them. By default, if VPC Resolver doesn't receive a response from DNS Firewall for a query, it fails closed and blocks the query.  
For more information, see [DNS Firewall VPC configuration](resolver-dns-firewall-vpc-configuration.md).

**Monitoring DNS Firewall actions**  
You can use Amazon CloudWatch to monitor the number of DNS queries that are filtered by DNS Firewall rule groups. CloudWatch collects and processes raw data into readable, near real-time metrics.   
For more information, see [Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch](monitoring-resolver-dns-firewall-with-cloudwatch.md).  
You can use Amazon EventBridge, a serverless service that uses events to connect application components together, to build scalable event-driven applications.  
For more information, see [Managing Resolver DNS Firewall events using Amazon EventBridge](dns-firewall-eventbridge-integration.md).

## How Resolver DNS Firewall filters DNS queries
<a name="resolver-dns-firewall-behavior"></a>

When a DNS Firewall rule group is associated with your VPC's Route 53 VPC Resolver, the following traffic is filtered by the firewall:
+ DNS queries originating within that VPC and passing through VPC DNS.
+ DNS queries that pass through Resolver endpoints from on-premises resources into that same VPC, which has DNS Firewall associated with its Resolver.

When DNS Firewall receives a DNS query, it filters the query using the rule groups, rules, and other settings that you've configured and sends the results back to VPC Resolver: 
+ DNS Firewall evaluates the DNS query using the rule groups that are associated with the VPC until it finds a match or exhausts all of the rule groups. DNS Firewall evaluates the rule groups in order of the priority that you set in the association, starting with the lowest numeric setting. For more information, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md) and [Enabling Resolver DNS Firewall protections for your VPC](resolver-dns-firewall-vpc-protections.md).
+ Within each rule group, DNS Firewall evaluates the DNS query against each rule's domain list or DNS Firewall Advanced protections until it finds a match or exhausts all rules. DNS Firewall evaluates the rules in order of priority, starting with the lowest numeric setting. For more information, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).
+ When DNS Firewall finds a match with a rule's domain list, or anomalies identified by DNS Firewall Advanced rule protections, it terminates the query evaluation and responds to VPC Resolver with the result. If the action is `alert`, DNS Firewall also sends an alert to the configured VPC Resolver logs. For more information, see [Rule actions in DNS Firewall](resolver-dns-firewall-rule-actions.md), [Resolver DNS Firewall domain lists](resolver-dns-firewall-domain-lists.md), and [Resolver DNS Firewall Advanced](firewall-advanced.md).
+ If DNS Firewall evaluates all rule groups without finding a match, it responds to the query as normal. 

VPC Resolver routes the query according to the response from DNS Firewall. In the unlikely event that DNS Firewall fails to respond, VPC Resolver applies the VPC's configured DNS Firewall fail mode. For more information, see [DNS Firewall VPC configuration](resolver-dns-firewall-vpc-configuration.md).

## High-level steps for using Resolver DNS Firewall
<a name="resolver-dns-firewall-high-level-steps"></a>

To implement Resolver DNS Firewall filtering in your Amazon Virtual Private Cloud (Amazon VPC), you perform the following high-level steps. 
+ **Define your filtering approach, your domain lists, or DNS Firewall protections** – Decide how you want to filter queries, identify the domain specifications that you'll need, and define the logic you'll use to evaluate queries. For example, you might want to allow all queries except for those that are in a list of known bad domains. Or you might want to do the opposite and block all but an approved list of domains, in what is known as a walled garden approach. You can create and manage your own lists of approved or blocked domain specifications and you can use domain lists that AWS manages for you. For DNS Firewall protections you can filter the queries by blocking them all, or you can alert on any suspicious query traffic to domains that may contain anomalies associated with threats (DGA, DNS tunneling, Dictionary DGA) to test your DNS Firewall settings. For more information, see [Resolver DNS Firewall domain lists](resolver-dns-firewall-domain-lists.md) and [Resolver DNS Firewall Advanced](firewall-advanced.md).
+ **Create a firewall rule group** – In DNS Firewall, create a rule group to filter DNS queries for your VPC. You must create a rule group in each Region where you want to use it. You might also want to separate your filtering behavior into more than one rule group for reusability in multiple filtering scenarios for your different VPCs. For information about rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 
+ **Add and configure your rules** – Add a rule to your rule group for each domain list and filtering behavior that you want the rule group to provide. Set the priority settings for your rules so they process in the correct order within the rule group, giving the lowest priority to the rule that you want to evaluate first. For information about rules, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 
+ **Associate the rule group to your VPC** – To begin using your DNS Firewall rule group, associate it with your VPC. If you are using more than one rule group for your VPC, set the priority of each association so the rule groups are processed in the correct order, giving the lowest priority to the rule group that you want to evaluate first. For more information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).
+ **(Optional) Change the firewall configuration for the VPC** – If you want Route 53 VPC Resolver to block queries when DNS Firewall fails to send a response back for them, in VPC Resolver, change the VPC's DNS Firewall configuration. For more information, see [DNS Firewall VPC configuration](resolver-dns-firewall-vpc-configuration.md).

## Using Resolver DNS Firewall rule groups in multiple Regions
<a name="resolver-dns-firewall-multiple-regions"></a>

Resolver DNS Firewall is a Regional service, so objects that you create in one AWS Region are available only in that Region. To use the same rule group in more than one Region, you must create it in each Region.

The AWS account that created a rule group can share it with other AWS accounts. For more information, see [Sharing Resolver DNS Firewall rule groups between AWS accounts](resolver-dns-firewall-rule-group-sharing.md).

# Region availability for Resolver DNS Firewall
<a name="resolver-dns-firewall-availability"></a>

The DNS Firewall is available in the following AWS Regions:
+ Africa (Cape Town) 
+ Asia Pacific (Hong Kong)
+ Asia Pacific (Hyderabad)
+ Asia Pacific (Jakarta) 
+ Asia Pacific (Malaysia)
+ Asia Pacific (Melbourne)
+ Asia Pacific (Mumbai)
+ Asia Pacific (Osaka)
+ Asia Pacific (Seoul)
+ Asia Pacific (Singapore)
+ Asia Pacific (Sydney)
+ Asia Pacific (Thailand)
+ Asia Pacific (Tokyo)
+ Canada (Central)
+ Canada West (Calgary)
+ Europe (Frankfurt)
+ Europe (Ireland)
+ Europe (London)
+ Europe (Milan)
+ Europe (Paris)
+ Europe (Spain)
+ Europe (Stockholm)
+ Europe (Zurich)
+ Israel (Tel Aviv)
+ Mexico (Central)
+ Middle East (Bahrain)
+ Middle East (UAE)
+ South America (São Paulo)
+ US East (N. Virginia)
+ US East (Ohio)
+ US West (N. California)
+ US West (Oregon)
+ China (Beijing) 
+ China (Ningxia) 
+ AWS GovCloud (US)

# Getting started with Resolver DNS Firewall
<a name="resolver-dns-firewall-getting-started"></a>

The DNS Firewall console includes a wizard that guides you through the following steps for getting started with DNS Firewall:
+ Create rule groups for each set of rules that you want to use.
+ For each rule, populate the domain list that you want to inspect for. You can create your own domain lists and you can use AWS managed domain lists. 
+ Associate your rule groups with the VPCs where you want to use them.

## Resolver DNS Firewall walled garden example
<a name="dns-firewall-walled-garden-example"></a>

In this tutorial, you'll create a rule group that blocks all but a select group of domains that you trust. This is called a closed platform, or walled garden approach.

**To configure a DNS Firewall rule group using the console wizard**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. In the **Rule groups** page, choose **Add rule group**.

1. For the rule group name, enter **WalledGardenExample**. 

   In the **Tags** section, you can optionally enter a key-value pair for a tag. Tags help you organize and manage your AWS resources. For more information, see [Tagging Amazon Route 53 resources](tagging-resources.md). 

1. Choose **Add rule group**.

1. On the **WalledGardenExample** details page, choose the **Rules tab**, and then **Add rule**.

1. In the **Rule details** pane, enter the rule name **BlockAll**.

1. In the **Domain list** pane, select **Add my own domain list**. 

1. Under **Choose or create a new domain list** select **Create new domain list**.

1. Enter a domain list name **AllDomains**, then in the **Enter one domain per line** text box, enter an asterisk: **\***. 

1. For **Domain redirection setting** accept the default, and leave **Query type - optional** empty.

1. For the **Action**, select **BLOCK** and then leave the response to send at the default setting of **NODATA** . 

1. Choose **Add rule**. Your rule **BlockAll** is displayed in the **Rules** tab on the **WalledGardenExample** page.

1. On the **WalledGardenExample** page, choose **Add rule** to add a second rule to your rule group. 

1. In the **Rule details** pane, enter the rule name **AllowSelectDomains**.

1. In the **Domain list** pane, select **Add my own domain list**. 

1. Under **Choose or create a new domain list**, select **Create new domain list**.

1. Enter a domain list name **ExampleDomains**.

1. In the **Enter one domain per line** text box, on the first line, enter **example.com** and on the second line, enter **example.org**. 
**Note**  
If you want the rule to apply to subdomains as well, you need to add those domains to the list also. For example, to add all of example.com's subdomains, add **\*.example.com** to the list.

1. For **Domain redirection setting** accept the default, and leave **Query type - optional** empty.

1. For the **Action**, select **ALLOW**. 

1. Choose **Add rule**. Your rules are both displayed in the **Rules** tab on the **WalledGardenExample** page.

1. In the **Rules** tab on the **WalledGardenExample** page, you can adjust the evaluation order of the rules in your rule group by selecting the number listed in the **Priority column** and typing in a new number. DNS Firewall evaluates rules starting with the lowest priority setting, so the rule with the lowest priority is the first one evaluated. For this example, we want DNS Firewall to first identify and allow DNS queries for the select list of domains, and then block any remaining queries. 

   Adjust the rule priority so that **AllowSelectDomains** has a lower priority number than **BlockAll**.

You now have a rule group that allows only specific domain queries through. To begin using it, you associate it with the VPCs where you want to use the filtering behavior. For more information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).

## Resolver DNS Firewall block list example
<a name="dns-firewall-block-list-example"></a>

In this tutorial, you’ll create a rule group that blocks domains that you know to be malicious. You'll also add a DNS query type that is allowed for the domains in the blocked list. The rule group allows all other outbound DNS requests over the VPC Resolver.

**To configure a DNS Firewall block list by using the console wizard**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. In the **Rule groups** page, choose **Add rule group**.

1. For the rule group name, enter **BlockListExample**. 

   In the **Tags** section, you can optionally enter a key-value pair for a tag. Tags help you organize and manage your AWS resources. For more information, see [Tagging Amazon Route 53 resources](tagging-resources.md). 

1. On the **BlockListExample** details page, choose the **Rules** tab, and then **Add rule**.

1. In the **Rule details** pane, enter the rule name **BlockList**.

1. In the **Domain list** pane, select **Add my own domain list**. 

1. Under **Choose or create a new domain list**, select **Create new domain list**.

1. Enter a domain list name **MaliciousDomains**, then in the text box, enter the domains you want to block. For example, **example.org**. Enter one domain per line. 
**Note**  
If you want the rule to apply to subdomains as well, you must add those domains to the list also. For example, to add all of example.org's subdomains, add **\*.example.org** to the list.

1. For **Domain redirection setting** accept the default, and leave **Query type - optional** empty.

1. For the action, select **BLOCK** and then leave the response to send at the default setting of **NODATA**. 

1. Choose **Add rule**. Your rule is displayed in the **Rules** tab on the **BlockListExample** page.

1. In the **Rules** tab on the **BlockListExample** page, you can adjust the evaluation order of the rules in your rule group by selecting the number listed in the **Priority column** and typing in a new number. DNS Firewall evaluates rules starting with the lowest priority setting, so the rule with the lowest priority is the first one evaluated. 

   Select and adjust the rule priority so that **BlockList** is evaluated either before or after any other rules you might have. Most of the time, known malicious domains should be blocked first. That is, the rules associated with them should have the lowest priority number.

1. To add a rule that allows MX records for the BlockList domains, on the **BlockListExample** details page in the **Rules** tab, choose **Add rule**.

1. In the **Rule details** pane, enter the rule name **BlockList-allowMX**.

1. In the **Domain list** pane, select **Add my own domain list**. 

1. Under **Choose or create a new domain list**, select **MaliciousDomains**.

1. For **Domain redirection setting** accept the default.

1. In the **DNS query type** list, select **MX: Specifies mail servers**.

1. For the action, select **ALLOW**. 

1. Choose **Add rule**. 

1. In the **Rules** tab on the **BlockListExample** page, you can adjust the evaluation order of the rules in your rule group by selecting the number listed in the **Priority column** and typing in a new number. DNS Firewall evaluates rules starting with the lowest priority setting, so the rule with the lowest priority is the first one evaluated. 

   Select and adjust the rule priority so that **BlockList-allowMX** is evaluated either before or after any other rules you might have. Because you want to allow MX queries, make sure that the **BlockList-allowMX** rule has a lower priority than **BlockList**.

You now have a rule group that blocks specific malicious domain queries, but allows a specific DNS query type. To begin using it, you associate it with the VPCs where you want to use the filtering behavior. For more information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).
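The following Python model is an added illustration, not AWS code and not a call to the service: it reproduces the evaluation order described in "How Resolver DNS Firewall filters DNS queries" (rule groups by association priority, rules by rule priority, first match ends evaluation, query type restriction, domain redirection setting, VPC fail mode) using the WalledGardenExample and BlockListExample rule groups from the two tutorials above. The wildcard matching semantics, the CNAME chain input and the fail-open flag are assumptions made for the model.

```python
"""Model of how Resolver DNS Firewall orders and applies rules.

Added illustration, not AWS code: it does not call the service. Wildcard
matching, the CNAME chain input and the fail-open flag are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALLOW, BLOCK, ALERT, PASS = "ALLOW", "BLOCK", "ALERT", "PASS"
INSPECT, TRUST = "INSPECT_REDIRECTION_DOMAIN", "TRUST_REDIRECTION_DOMAIN"


def domain_matches(spec: str, qname: str) -> bool:
    """Match one domain-list entry against a query name (assumed semantics):
    '*' matches every name; '*.example.com' matches subdomains only, which is
    why the tutorials say to list both example.com and *.example.com."""
    spec, qname = spec.lower().rstrip("."), qname.lower().rstrip(".")
    if spec == "*":
        return True
    if spec.startswith("*."):
        return qname.endswith(spec[1:])  # suffix match on ".example.com"
    return qname == spec


@dataclass(order=True)
class Rule:
    priority: int  # lower number = evaluated first within the rule group
    name: str = field(compare=False)
    domains: List[str] = field(compare=False)  # the rule's domain list
    action: str = field(compare=False)  # ALLOW, BLOCK or ALERT
    qtype: Optional[str] = field(default=None, compare=False)  # None = all types
    redirection: str = field(default=INSPECT, compare=False)
    block_response: str = field(default="NODATA", compare=False)


@dataclass(order=True)
class Association:
    """A rule group associated with a VPC, ordered by association priority."""
    priority: int
    rule_group: str = field(compare=False)
    rules: List[Rule] = field(compare=False)


@dataclass
class Verdict:
    action: str  # ALLOW, BLOCK, ALERT, or PASS when no rule matched
    rule_group: Optional[str] = None
    rule: Optional[str] = None
    response: Optional[str] = None  # block response, e.g. NODATA
    trust_chain: bool = False  # matched rule uses TRUST_REDIRECTION_DOMAIN


def first_match(assocs: List[Association], qname: str, qtype: str) -> Verdict:
    """Rule groups in ascending association priority, rules in ascending rule
    priority; the first rule whose domain list (and query type, if set) matches
    ends the evaluation."""
    for assoc in sorted(assocs):
        for rule in sorted(assoc.rules):
            if rule.qtype is not None and rule.qtype != qtype:
                continue
            if any(domain_matches(spec, qname) for spec in rule.domains):
                response = rule.block_response if rule.action == BLOCK else None
                return Verdict(rule.action, assoc.rule_group, rule.name,
                               response, rule.redirection == TRUST)
    return Verdict(PASS)  # every rule group exhausted: resolve as normal


def evaluate(assocs: List[Association], qname: str, qtype: str,
             chain: Tuple[str, ...] = ()) -> Verdict:
    """Apply the domain redirection setting. `chain` holds the CNAME/DNAME
    targets reached while resolving qname (constructed input). Under the
    default INSPECT setting each target is filtered as a name in its own
    right; under TRUST only the first domain is checked."""
    verdict = first_match(assocs, qname, qtype)
    if verdict.action in (BLOCK, ALERT) or verdict.trust_chain:
        return verdict
    for target in chain:
        chained = first_match(assocs, target, qtype)
        if chained.action in (BLOCK, ALERT):
            return chained
    return verdict


def resolver_decision(verdict: Optional[Verdict], fail_open: bool) -> str:
    """VPC-level DNS Firewall configuration: with no verdict from DNS Firewall
    the Resolver fails closed (blocks) unless fail-open is enabled."""
    if verdict is None:
        return ALLOW if fail_open else BLOCK
    return BLOCK if verdict.action == BLOCK else ALLOW


# The two tutorial rule groups, both associated with one VPC: the block list
# is evaluated first (association priority 1), the walled garden second.
BLOCK_LIST = Association(1, "BlockListExample", [
    Rule(1, "BlockList-allowMX", ["example.org", "*.example.org"], ALLOW, qtype="MX"),
    Rule(2, "BlockList", ["example.org", "*.example.org"], BLOCK),
])
WALLED_GARDEN = Association(2, "WalledGardenExample", [
    Rule(1, "AllowSelectDomains", ["example.com", "example.org"], ALLOW),
    Rule(2, "BlockAll", ["*"], BLOCK),
])
VPC_ASSOCIATIONS = [BLOCK_LIST, WALLED_GARDEN]
```

Evaluating `VPC_ASSOCIATIONS` shows why association priority matters: an A query for example.org is blocked by BlockListExample before WalledGardenExample ever gets to allow it, while an MX query for the same name is allowed by BlockList-allowMX.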

# DNS Firewall rule groups and rules
<a name="resolver-dns-firewall-rule-groups"></a>

This section describes the settings that you can configure for your DNS Firewall rule groups and rules, to define the DNS Firewall behavior for your VPCs. It also describes how to manage the settings for your rule groups and rules. 

When you have your rule groups configured the way you want them, you use them directly and you can share and manage them between accounts and across your organization in AWS Organizations.
+ You can associate a rule group with multiple VPCs, to provide consistent behavior across your organization. For information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).
+ You can share rule groups between accounts, for consistent DNS query management across your organization. For information, see [Sharing Resolver DNS Firewall rule groups between AWS accounts](resolver-dns-firewall-rule-group-sharing.md).
+ You can use rule groups across your organization in AWS Organizations by managing them in AWS Firewall Manager policies. For information about Firewall Manager, see [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*.

# Rule group settings in DNS Firewall
<a name="resolver-dns-firewall-rule-group-settings"></a>

When you create or edit a DNS Firewall rule group, you specify the following values:

**Name**  
A unique name that lets you easily find a rule group on the dashboard.

**(Optional) Description**  
A short description that provides more context for the rule group. 

**Region**  
The AWS Region that you choose when you create the rule group. A rule group that you create in one Region is available only in that Region. To use the same rule group in more than one Region, you must create it in each Region.

**Rules**  
The rule group filtering behavior is contained in its rules. For information, see the following section.

**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.  
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill. For more information about using tags for cost allocation, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide* .

# Rule settings in DNS Firewall
<a name="resolver-dns-firewall-rule-settings"></a>

When you create or edit a rule in a DNS Firewall rule group, you specify the following values:

**Name**  
A unique identifier for the rule in the rule group.

**(Optional) Description**  
A short description that provides more information about the rule. 

**Domain list**  
The list of domains that the rule inspects for. You can create and manage your own domain list or you can subscribe to a domain list that AWS manages for you. For more information, see [Resolver DNS Firewall domain lists](resolver-dns-firewall-domain-lists.md).   
A rule can contain either a domain list or a DNS Firewall Advanced protection, but not both.

**Domain redirection setting (domain lists only)**  
You can choose for the DNS Firewall rule to inspect only the first domain or all (default) the domains in the DNS redirection chain, such as CNAME, DNAME, etc. If you choose to inspect all the domains, you must add the subsequent domains in the DNS redirection chain to the domain list and set to the action you want the rule to take, either ALLOW, BLOCK, or ALERT. For more information, see [Resolver DNS Firewall components and settings](resolver-dns-firewall-overview.md#resolver-dns-firewall-components).   
The trust behavior of the domain redirection setting only applies within a single DNS query transaction. If a DNS client on your host separately queries a domain that appears in a DNS redirection chain (for example, querying the redirection target directly), DNS Firewall evaluates it as an independent query with no trust context from the original query. To allow such queries, add the redirection target domains to your domain list.

**Query type (domain lists only)**  
The list of DNS query types that the rule inspects for. The following are the valid values:  
+ A: Returns an IPv4 address.
+ AAAA: Returns an IPv6 address.
+ CAA: Restricts the CAs that can issue SSL/TLS certificates for the domain.
+ CNAME: Returns another domain name.
+ DS: Record that identifies the DNSSEC signing key of a delegated zone.
+ MX: Specifies mail servers.
+ NAPTR: Regular-expression-based rewriting of domain names.
+ NS: Authoritative name servers.
+ PTR: Maps an IP address to a domain name.
+ SOA: Start of authority record for the zone.
+ SPF: Lists the servers authorized to send emails from a domain.
+ SRV: Application specific values that identify servers.
+ TXT: Verifies email senders and application-specific values.
+ A query type you define by using the DNS type ID, for example 28 for AAAA. The value must be written as TYPE*NUMBER*, where *NUMBER* can be 1-65334, for example, TYPE28. For more information, see [List of DNS record types](https://en.wikipedia.org/wiki/List_of_DNS_record_types).

  You can create one query type per rule.
**Note**  
If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, this action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. 

**DNS Firewall Advanced protection**  
Detects suspicious DNS queries based on known threat signatures. You can choose protection from:  
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from a client by encoding it in DNS traffic, without making a direct network connection to the client.
+ Dictionary DGA

  Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications.
In a DNS Firewall Advanced rule you can choose to either block or alert on a query that matches the threat.   
For more information, see [Resolver DNS Firewall Advanced](firewall-advanced.md).   
A rule can contain either a DNS Firewall Advanced protection or a domain list, but not both.

**Confidence threshold (DNS Firewall Advanced only)**  
The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence level values mean:  
+ High – Detects only the most well-corroborated threats, with a low rate of false positives.
+ Medium – Provides a balance between detecting threats and false positives.
+ Low – Provides the highest detection rate for threats, but also increases false positives.
For more information, see [Rule settings in DNS Firewall](#resolver-dns-firewall-rule-settings). 

**Action**  
How you want DNS Firewall to handle a DNS query whose domain name matches the specifications in the rule's domain list. For more information, see [Rule actions in DNS Firewall](resolver-dns-firewall-rule-actions.md). 

**Priority**  
Unique positive integer setting for the rule within the rule group that determines processing order. DNS Firewall inspects DNS queries against the rules in a rule group starting with the lowest numeric priority setting and going up. You can change a rule's priority at any time, for example to change the order of processing or make space for other rules. 

# Rule actions in DNS Firewall
<a name="resolver-dns-firewall-rule-actions"></a>

When DNS Firewall finds a match between a DNS query and a domain specification in a rule, it applies the action that's specified in the rule to the query. 

You are required to specify one of the following options in each rule that you create: 
+ **Allow** – Stop inspecting the query and permit it to go through. Not available for DNS Firewall Advanced.
+ **Alert** – Stop inspecting the query, permit it to go through, and log an alert for the query in the Route 53 VPC Resolver logs. 
+ **Block** – Discontinue inspection of the query, block it from going to its intended destination, and log the block action for the query in the Route 53 VPC Resolver logs. 

  Reply with the configured block response, from the following: 
  + **NODATA** – Respond indicating that the query was successful, but no response is available for it.
  + **NXDOMAIN** – Respond indicating that the query's domain name doesn't exist.
  + **OVERRIDE** – Provide a custom override in the response. This option requires the following additional settings: 
    + **Record value** – The custom DNS record to send back in response to the query. 
    + **Record type** – The DNS record's type. This determines the format of the record value. This must be `CNAME`.
    + **Time to live in seconds** – The recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

For more information about the query logs configuration and the contents, see [Resolver query logging](resolver-query-logs.md) and [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md). 

**Use Alert to test blocking rules**  
When you first create a blocking rule, you can test it by configuring it with the action set to Alert. You can then look at the number of queries that the rule alerts on to see how many would be blocked if you set the action to Block. 

# Managing rule groups and rules in DNS Firewall
<a name="resolver-dns-firewall-rule-group-managing"></a>

To manage rule groups and rules in the console, follow the guidance in this section.

When you make changes to DNS Firewall entities, like rules and domain lists, DNS Firewall propagates the changes everywhere that the entities are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you add a domain to a domain list that's referenced by a blocking rule, the new domain might briefly be blocked in one area of your VPC while still allowed in another. This temporary inconsistency can occur when you first configure your rule group and VPC associations and when you change existing settings. Generally, any inconsistencies of this type last only a few seconds.

# Creating a rule group and rules
<a name="resolver-dns-firewall-rule-group-adding"></a>

To create a rule group and add rules to it, follow the steps in this procedure.

**To create a rule group and its rules**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Choose **Add rule group**, then follow the wizard guidance to specify your rule group and rule settings.

   For information about the values for rule groups, see [Rule group settings in DNS Firewall](resolver-dns-firewall-rule-group-settings.md).

   For information about the values for rules, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md).

# Viewing and updating a rule group and rules
<a name="resolver-dns-firewall-rule-group-editing"></a>

Use the following procedure to view the rule groups and the rules assigned to them. You can also update the rule group and rule settings.

**To view and update a rule group**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group that you want to view or edit, then choose **View details**. 

1. In the rule group's page, you can view and edit settings.

   For information about the values for rule groups, see [Rule group settings in DNS Firewall](resolver-dns-firewall-rule-group-settings.md).

   For information about the values for rules, see [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md).

# Deleting a rule group
<a name="resolver-dns-firewall-rule-group-deleting"></a>

To delete a rule group, perform the following procedure.

**Important**  
If you delete a rule group that's associated with a VPC, DNS Firewall removes the association and stops the protections that the rule group was providing to the VPC. 

**Deleting DNS Firewall entities**  
When you delete an entity that you can use in DNS Firewall, like a domain list that might be in use in a rule group, or a rule group that might be associated with a VPC, DNS Firewall checks to see if the entity is currently being used. If it finds that it is in use, DNS Firewall warns you. DNS Firewall is almost always able to determine if an entity is in use. However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your DNS Firewall configurations before deleting it. If the entity is a referenced domain list, check that no rule groups are using it. If the entity is a rule group, check that it is not associated with any VPCs.

**To delete a rule group**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 3.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group that you want to delete, then choose **Delete**, and confirm the deletion.

# Resolver DNS Firewall domain lists
<a name="resolver-dns-firewall-domain-lists"></a>

A *domain list* is a reusable set of domain specifications that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domain lists that are used in the rules. If it finds a match, it handles the DNS query according to the matching rule's action. For more information about rule groups and rules, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 

Domain lists allow you to separate your explicit domain specifications from the actions that you want to take on them. You can use a single domain list in multiple rules and any updates that you do to the domain list automatically affects all rules that use it. 

Domain lists fall into two main categories: 
+ Managed domain lists, which AWS creates and maintains for you.
+ Your own domain lists, which you create and maintain.

This section describes the types of managed domain lists that are available to you and provides guidance for creating and managing your own domain lists, if you choose to do so. 

# Managed Domain Lists
<a name="resolver-dns-firewall-managed-domain-lists"></a>

Managed Domain Lists contain domain names that are associated with malicious activity or other potential threats. AWS maintains these lists to enable Route 53 VPC Resolver customers to check outbound DNS queries against them for free when using DNS Firewall. 

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Managed Domain Lists can save you time when you implement and use DNS Firewall. AWS automatically updates the lists when new vulnerabilities and threats emerge. AWS is often notified of new vulnerabilities before public disclosure, so DNS Firewall can deploy mitigations for you often before a new threat has become widely known. 

Managed domain lists are designed to help protect you from common web threats and they add another layer of security for your applications. The AWS Managed Domain Lists source their data from internal AWS sources as well as from [Recorded Future](https://partners.amazonaws.com/partners/001E000001V9CaHIAV/Recorded%20Future), and are continually updated. However, AWS Managed Domain Lists aren't intended as a replacement for other security controls, such as Amazon GuardDuty, which are determined by the AWS resources that you select.

As a best practice, before using a Managed Domain List in production, test it in a non-production environment, with the rule action set to `Alert`. Evaluate the rule using Amazon CloudWatch metrics combined with Resolver DNS Firewall sampled requests or DNS Firewall logs. When you're satisfied that the rule does what you want, change the action setting as needed. 

**Available AWS Managed Domain Lists**  
This section describes the Managed Domain Lists that are currently available. When you're in a Region where these lists are supported, you see them on the console when you manage domain lists and when you specify the domain list for a rule. In the logs, the domain list is logged within the `firewall_domain_list_id` field.

AWS provides the following Managed Domain Lists, in the Regions they are available, for all users of Resolver DNS Firewall. 
+ `AWSManagedDomainsMalwareDomainList` – Domains associated with sending malware, hosting malware, or distributing malware.
+ `AWSManagedDomainsBotnetCommandandControl` – Domains associated with controlling networks of computers that are infected with spamming malware. 
+ `AWSManagedDomainsAggregateThreatList` – Domains associated with multiple DNS threat categories including malware, ransomware, botnet, spyware, and DNS tunneling to help block multiple types of threats. `AWSManagedDomainsAggregateThreatList` includes all the domains in the other AWS Managed Domain Lists listed here.
+ `AWSManagedDomainsAmazonGuardDutyThreatList` – Domains associated with Amazon GuardDuty DNS security findings. The domains are sourced from GuardDuty's threat intelligence systems only, and do not include domains sourced from external third-party sources. More specifically, this list currently blocks only domains that are internally generated and used for the following GuardDuty detections: Impact:EC2/AbusedDomainRequest.Reputation, Impact:EC2/BitcoinDomainRequest.Reputation, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:Runtime/AbusedDomainRequest.Reputation, Impact:Runtime/BitcoinDomainRequest.Reputation, and Impact:Runtime/MaliciousDomainRequest.Reputation.

  For more information see [Finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.

AWS Managed Domain Lists cannot be downloaded or browsed. To protect intellectual property, you can't view or edit the individual domain specifications within an AWS Managed Domain List. This restriction also helps to prevent malicious users from designing threats that specifically circumvent published lists. 

**To test the Managed Domain lists**  
We provide the following set of domains for testing the Managed Domain Lists:

**AWSManagedDomainsBotnetCommandandControl**  
+  controldomain1.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com

**AWSManagedDomainsMalwareDomainList**  
+  controldomain1.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com

**AWSManagedDomainsAggregateThreatList and AWSManagedDomainsAmazonGuardDutyThreatList**  
+  controldomain1.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com

These domains will resolve to 1.2.3.4 if they aren't blocked. If you're using the Managed Domain Lists in a VPC, querying for these domains will return the response that a block action in the rule is set to (for example NODATA). 

For more information about Managed Domain Lists, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/). 

The following table lists the Region availability for AWS Managed Domain Lists.


**Managed Domain List Region availability**  

| Region | Managed Domain Lists available? | 
| --- | --- | 
| Africa (Cape Town) | Yes | 
| Asia Pacific (Hong Kong) | Yes | 
| Asia Pacific (Hyderabad) | Yes | 
| Asia Pacific (Jakarta) | Yes | 
| Asia Pacific (Malaysia) | Yes | 
| Asia Pacific (Melbourne) | Yes | 
| Asia Pacific (Mumbai) | Yes | 
| Asia Pacific (Osaka) | Yes | 
| Asia Pacific (Seoul) | Yes | 
| Asia Pacific (Singapore) | Yes | 
| Asia Pacific (Sydney) | Yes | 
| Asia Pacific (Thailand) | Yes | 
| Asia Pacific (Tokyo) | Yes | 
| Canada (Central) | Yes | 
| Canada West (Calgary) | Yes | 
| Europe (Frankfurt) | Yes | 
| Europe (Ireland) | Yes | 
| Europe (London) | Yes | 
| Europe (Milan) | Yes | 
| Europe (Paris) | Yes | 
| Europe (Spain) | Yes | 
| Europe (Stockholm) | Yes | 
| Europe (Zurich) | Yes | 
| Israel (Tel Aviv) | Yes | 
| Middle East (Bahrain) | Yes | 
| Middle East (UAE) | Yes | 
| South America (São Paulo) | Yes | 
| US East (N. Virginia) | Yes | 
| US East (Ohio) | Yes | 
| US West (N. California) | Yes | 
| US West (Oregon) | Yes | 
| China (Beijing) | Yes | 
| China (Ningxia) | Yes | 
| AWS GovCloud (US) | Yes | 

**Additional security considerations**  
AWS Managed Domain Lists are designed to help protect you from common web threats. When used in accordance with the documentation, these lists add another layer of security for your applications. However, the Managed Domain Lists aren't intended as a replacement for other security controls, which are determined by the AWS resources that you select. To ensure that your resources in AWS are properly protected, see the guidance at [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/). 

**Mitigating false positive scenarios**  
If you are encountering false-positive scenarios in rules that use Managed Domain Lists to block queries, perform the following steps: 

1. In the VPC Resolver logs, identify the rule group and managed domain list that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the rule group, rule action, and the managed list. For information about the logs, see [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md).

1. Create a new rule in the rule group that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule group and rule management at [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md).

1. Prioritize the new rule inside the rule group so that it runs before the rule that's using the managed list. To do this, give the new rule a lower numeric priority setting.

When you have updated your rule group, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs. 
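The rule actions, block responses and priority ordering described above, together with the allow-before-block exception pattern from the false-positive procedure, as an added Python simulation of rule-group evaluation. This is example code written for this page, not AWS code; the domain lists, rule names and the wildcard-matching behaviour are constructed assumptions (real managed lists can't be viewed, so a stand-in list is used).

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainList:
    """A named set of domain specifications, as used by a DNS Firewall rule."""
    name: str
    domains: tuple[str, ...]

    def matches(self, qname: str) -> bool:
        q = qname.rstrip(".").lower()
        for spec in self.domains:
            s = spec.rstrip(".").lower()
            if s.startswith("*."):
                # Assumption: "*.example" matches subdomains at any depth, not the apex.
                if q.endswith(s[1:]):
                    return True
            elif q == s:
                return True
        return False


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # unique positive integer; lowest runs first
    action: str                   # ALLOW, ALERT or BLOCK
    domain_list: DomainList
    block_response: str = "NODATA"  # NODATA, NXDOMAIN or OVERRIDE (BLOCK only)
    override_value: str = ""        # CNAME record value, required for OVERRIDE
    override_ttl: int = 0           # 0 means the override record is not cached

    def __post_init__(self) -> None:
        if self.action not in ("ALLOW", "ALERT", "BLOCK"):
            raise ValueError(f"{self.name}: unknown action {self.action}")
        if self.priority < 1:
            raise ValueError(f"{self.name}: priority must be a positive integer")
        if self.action == "BLOCK" and self.block_response == "OVERRIDE" and not self.override_value:
            raise ValueError(f"{self.name}: OVERRIDE requires a CNAME record value")


@dataclass(frozen=True)
class Decision:
    rule: str | None   # name of the matching rule, None when nothing matched
    action: str        # ALLOW, ALERT, BLOCK, or PASS when no rule matched
    response: str      # what the client receives


class RuleGroup:
    def __init__(self, name: str, rules: list[Rule]) -> None:
        priorities = [r.priority for r in rules]
        if len(set(priorities)) != len(priorities):
            raise ValueError("rule priorities within a rule group must be unique")
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.priority)

    def evaluate(self, qname: str) -> Decision:
        """First matching rule in ascending priority order decides; inspection then stops."""
        for rule in self.rules:
            if not rule.domain_list.matches(qname):
                continue
            if rule.action == "BLOCK":
                if rule.block_response == "OVERRIDE":
                    resp = f"CNAME {rule.override_value} (TTL {rule.override_ttl})"
                else:
                    resp = rule.block_response
                return Decision(rule.name, "BLOCK", resp)
            # ALLOW and ALERT both let the query through; ALERT also writes a log record.
            return Decision(rule.name, rule.action, "resolved normally")
        return Decision(None, "PASS", "resolved normally")


# Constructed stand-in for a managed list; it also contains a legitimate name (a false positive).
THREAT_LIST = DomainList("constructed-threat-list", ("*.bad.example", "shared-cdn.example"))
# Exception list created during triage: only the one domain that must be let through.
EXCEPTION_LIST = DomainList("fp-exception-list", ("shared-cdn.example",))

BLOCK_RULE = Rule("block-threats", 100, "BLOCK", THREAT_LIST, block_response="NXDOMAIN")
ALLOW_RULE = Rule("allow-shared-cdn", 10, "ALLOW", EXCEPTION_LIST)  # lower number runs first


def before_and_after(qname: str) -> tuple[str, str]:
    """Action for qname before and after the allow exception is added to the rule group."""
    before = RuleGroup("rg", [BLOCK_RULE]).evaluate(qname)
    after = RuleGroup("rg", [BLOCK_RULE, ALLOW_RULE]).evaluate(qname)
    return before.action, after.action


if __name__ == "__main__":
    group = RuleGroup("rg", [BLOCK_RULE, ALLOW_RULE])
    for q in ("payload.bad.example", "shared-cdn.example", "www.example.com"):
        print(q, group.evaluate(q))
```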

# Managing your own domain lists
<a name="resolver-dns-firewall-user-managed-domain-lists"></a>

You can create your own domain lists to specify domain categories that you either don't find in the managed domain list offerings or that you prefer to handle on your own. 

In addition to the procedures described in this section, in the console, you can create a domain list in the context of Resolver DNS Firewall rule management, when you create or update a rule. 

Each domain specification in your domain list must satisfy the following requirements: 
+ It can optionally start with `*` (asterisk).
+ Apart from the optional starting asterisk and the period used as a delimiter between labels, it can contain only the following characters: `A-Z`, `a-z`, `0-9`, `-` (hyphen).
+ It must be from 1-255 characters in length. 

When you make changes to DNS Firewall entities, like rules and domain lists, DNS Firewall propagates the changes everywhere that the entities are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you add a domain to a domain list that's referenced by a blocking rule, the new domain might briefly be blocked in one area of your VPC while still allowed in another. This temporary inconsistency can occur when you first configure your rule group and VPC associations and when you change existing settings. Generally, any inconsistencies of this type last only a few seconds.

**Test your domain list before using it in production**  
As a best practice, before using a domain list in production, test it in a non-production environment, with the rule action set to `Alert`. Evaluate the rule using Amazon CloudWatch metrics and the VPC Resolver logs. The logs provide the domain list name for all alerts and blocking actions. When you're satisfied that the domain list is matching your DNS queries the way you want it to, change the rule action setting as needed. For information about CloudWatch metrics and the query logs, see [Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch](monitoring-resolver-dns-firewall-with-cloudwatch.md), [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md), and [Managing Resolver query logging configurations](resolver-query-logging-configurations-managing.md). 

**To add a domain list**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 2.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Domain lists**. In the **Domain lists** page, you can select and edit existing domain lists and you can add your own.

1. To add a domain list, choose **Add domain list**. 

1. Provide a name for your domain list, and then enter your domain specifications in the text box, one per line. 

   If you slide **Switch to bulk upload** to **on**, enter the URI of the Amazon S3 bucket where you created a domain list. This domain list should have one domain name per line.
**Note**  
Duplicate domain names will cause the bulk import to fail.

1. Choose **Add domain list**. The **Domain lists** page lists your new domain list. 

After you create the domain list, you can reference it by name from your DNS Firewall rules. 
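The domain specification requirements listed earlier in this section, plus the duplicate-name restriction on bulk upload, as an added Python pre-check to run over a list before uploading it. This is example code written for this page, not AWS code; how a bare asterisk, a trailing period, blank lines and letter case are treated are labelled assumptions in the comments.

```python
from __future__ import annotations
import re

# One label may contain only A-Z, a-z, 0-9 and hyphen.
_LABEL = re.compile(r"[A-Za-z0-9-]+")


def validate_domain_spec(spec: str) -> str | None:
    """Return None when spec satisfies the domain-list requirements, else the reason it fails."""
    if not 1 <= len(spec) <= 255:
        return "must be 1-255 characters long"
    body = spec
    if body.startswith("*"):
        body = body[1:]
        if body.startswith("."):   # the usual wildcard form, *.example.com
            body = body[1:]
    # Assumption: a single trailing period (FQDN form) is tolerated and ignored.
    if body.endswith("."):
        body = body[:-1]
    # Assumption: a bare "*" (no labels after it) is rejected.
    if body == "":
        return "no labels after the optional asterisk"
    for label in body.split("."):
        if label == "":
            return "empty label: a period must sit between two labels"
        if not _LABEL.fullmatch(label):
            return f"label {label!r} contains characters other than A-Z, a-z, 0-9 and -"
    return None


def check_domain_list(text: str) -> tuple[list[str], list[tuple[int, str, str]]]:
    """Check a bulk-upload body (one spec per line).

    Returns (accepted specs, problems) where each problem is (line number, spec, reason).
    Duplicates are reported because the console's bulk import fails on duplicate names.
    """
    accepted: list[str] = []
    problems: list[tuple[int, str, str]] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        spec = raw.strip()
        if not spec:
            continue  # assumption: blank lines are skipped rather than rejected
        reason = validate_domain_spec(spec)
        if reason is None:
            key = spec.lower()  # assumption: DNS names compare case-insensitively
            if key in seen:
                reason = "duplicate of an earlier line; bulk import would fail"
            else:
                seen.add(key)
        if reason is None:
            accepted.append(spec)
        else:
            problems.append((lineno, spec, reason))
    return accepted, problems


# Constructed sample file body, not a real list.
SAMPLE = "\n".join([
    "example.com",
    "*.example.net",
    "EXAMPLE.com",         # duplicate of line 1 (differs only in case)
    "bad_name.example",    # underscore is not allowed
    ".leading.example",    # empty first label
    "a.example.",          # FQDN form, tolerated
    "x" * 256,             # too long
])


if __name__ == "__main__":
    ok, bad = check_domain_list(SAMPLE)
    print("accepted:", ok)
    for lineno, spec, reason in bad:
        print(f"line {lineno}: {spec[:40]!r}: {reason}")
```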

**Deleting DNS Firewall entities**  
When you delete an entity that you can use in DNS Firewall, like a domain list that might be in use in a rule group, or a rule group that might be associated with a VPC, DNS Firewall checks to see if the entity is currently being used. If it finds that it is in use, DNS Firewall warns you. DNS Firewall is almost always able to determine if an entity is in use. However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your DNS Firewall configurations before deleting it. If the entity is a referenced domain list, check that no rule groups are using it. If the entity is a rule group, check that it is not associated with any VPCs.

**To delete a domain list**

1. In the navigation pane, choose **Domain lists**.

1. On the navigation bar, choose the Region for the domain list. 

1. Select the domain list that you want to delete, then choose **Delete**, and confirm the deletion.

# Resolver DNS Firewall Advanced
<a name="firewall-advanced"></a>

DNS Firewall Advanced detects suspicious DNS queries based on known threat signatures. You specify a threat type in a rule that you use in a DNS Firewall rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the threat types that are flagged in the rules. If it finds a match, it handles the DNS query according to the matching rule's action.

DNS Firewall Advanced works by identifying suspicious DNS threat signatures by inspecting a range of key identifiers in the DNS payload including the timestamp of requests, frequency of request and responses, the DNS query strings, and the length, type or size of both outbound and inbound DNS queries. Based on the type of threat signature, you can configure policies to block, or simply log and alert on the query. By using an expanded set of threat identifiers, you can protect against DNS threats from domain sources that may yet be unclassified by threat intelligence feeds maintained by the broader security community.

Currently, DNS Firewall Advanced offers protections from: 
+ Domain Generation Algorithms (DGAs)

  DGAs are used by attackers to generate a large number of domains to launch malware attacks.
+ DNS tunneling

  DNS tunneling is used by attackers to exfiltrate data from a client by encoding it in DNS traffic, without making a direct network connection to the client.
+ Dictionary DGA

  Dictionary DGAs are used by attackers to generate domains using dictionary words to evade detection in malware command-and-control communications.

To learn how to create rules, see [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md) and [Rule settings in DNS Firewall](resolver-dns-firewall-rule-settings.md). 

**Mitigating false positive scenarios**  
If you are encountering false-positive scenarios in rules that use DNS Firewall Advanced protections to block queries, perform the following steps: 

1. In the VPC Resolver logs, identify the rule group and DNS Firewall Advanced protections that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the rule group, rule action, and the DNS Firewall Advanced protection. For information about the logs, see [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md).

1. Create a new rule in the rule group that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule group and rule management at [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md).

1. Prioritize the new rule inside the rule group so that it runs before the rule that's using the managed list. To do this, give the new rule a lower numeric priority setting.

When you have updated your rule group, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs. 

# Configuring logging for DNS Firewall
<a name="firewall-resolver-query-logs-configuring"></a>

 You can evaluate your DNS Firewall rules by using Amazon CloudWatch metrics and the Resolver query logs. The logs provide the domain list name for all alerts and blocking actions. For more information about Amazon CloudWatch, see [Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch](monitoring-resolver-dns-firewall-with-cloudwatch.md).

When you enable DNS Firewall, associate it to a VPC, and you have logging enabled, `firewall_rule_group_id`, `firewall_rule_action`, and `firewall_domain_list_id` are the DNS Firewall specific fields provided within your logs.

**Note**  
 The query logs will show the additional DNS Firewall fields for only the queries that are blocked by DNS Firewall rules.

To start logging the DNS queries that are filtered by DNS Firewall rules that originate in your VPCs, you perform the following tasks in the Amazon Route 53 console:<a name="firewall-resolver-query-logs-configuring-procedure"></a>

**To configure Resolver query logging for DNS Firewall**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars (![\[Menu icon\]](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/menu-icon.png)) icon.

1. Within the Resolver menu, choose **Query logging**.

1. In the Region selector, choose the AWS Region where you want to create the query logging configuration. 

   This must be the same Region where you created the VPCs that are associated with DNS Firewall that you want to log queries for. If you have VPCs in multiple Regions, you must create at least one query logging configuration for each Region.

1. Choose **Configure query logging**.

1. Specify the following values:  
**Query logging configuration name**  
Enter a name for your query logging configuration. The name appears in the console in the list of query logging configurations. Enter a name that will help you find this configuration later.  
**Query logs destination**  
Choose the type of AWS resource that you want VPC Resolver to send query logs to. For information about how to choose among the options (CloudWatch Logs log group, S3 bucket, and Firehose delivery stream), see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).  
After you choose the type of resource, you can either create another resource of that type or choose an existing resource that was created by the current AWS account.  
You can choose only resources that were created in the AWS Region that you chose in step 4, the Region where you're creating the query logging configuration. If you choose to create a new resource, that resource will be created in the same Region.  
**VPCs to log queries for**  
This query logging configuration will log DNS queries that originate in the VPCs that you choose. Check the check box for each VPC in the current Region that you want VPC Resolver to log queries for, then choose **Choose**.  
VPC log delivery can be enabled only once for a specific destination type. The logs can't be delivered to multiple destinations of the same type. For example, VPC logs can't be delivered to two Amazon S3 destinations.

1. Choose **Configure query logging**.

**Note**  
You should start to see DNS queries made by resources in your VPC in the logs within a few minutes of successfully creating the query logging configuration.

# Sharing Resolver DNS Firewall rule groups between AWS accounts
<a name="resolver-dns-firewall-rule-group-sharing"></a>

You can share DNS Firewall rule groups between AWS accounts. To share rule groups, you use AWS Resource Access Manager (AWS RAM). The DNS Firewall console integrates with the AWS RAM console. For more information about AWS RAM, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Note the following:

**Associating shared rule groups with VPCs**  
If another AWS account has shared a rule group with your account, you can associate it with your VPCs the same way that you associate rule groups that you've created. For more information, see [Managing associations between your VPC and Resolver DNS Firewall rule group](resolver-dns-firewall-vpc-associating-rule-group.md).

**Deleting or unsharing a shared rule group**  
If you share a rule group with other accounts and then either delete the rule group or stop sharing it, DNS Firewall removes all associations that the other accounts created between the rule group and their VPCs. 

**Maximum settings for rule groups and associations**  
Shared rule groups and their associations with VPCs are included in the counts for the accounts with which the rule groups are shared.   
For current DNS Firewall quotas, see [Quotas on Resolver DNS Firewall](DNSLimitations.md#limits-api-entities-resolver-dns-firewall).

**Permissions**  
To share a rule group with another AWS account, you must have permission to use the [PutFirewallRuleGroupPolicy](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_PutFirewallRuleGroupPolicy.html) action.

**Restrictions on the AWS account that a rule group is shared with**  
The account that a rule group is shared with can't change or delete the rule group. 

**Tagging**  
Only the account that created a rule group can add, delete, or see tags on the rule group.

To view the current sharing status of a rule group (including the account that shared the rule group or the account that a rule group is shared with), and to share rule groups with another account, perform the following procedure.

**To view sharing status and share rule groups with another AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Rule groups**.

1. On the navigation bar, choose the Region where you created the rule group.

   The **Sharing status** column shows the current sharing status of rule groups that were created by the current account or that are shared with the current account:
   + **Not shared**: The current AWS account created the rule group, and the rule group is not shared with any other accounts.
   + **Shared by me**: The current account created the rule group and shared it with one or more accounts.
   + **Shared with me**: Another account created the rule group and shared it with the current account.

1. Choose the name of the rule group that you want to display sharing information for or that you want to share with another account.

   On the **Rule group: *rule group name*** page, the value under **Owner** displays the ID of the account that created the rule group. That's the current account unless the value of **Sharing status** is **Shared with me**. In that case, **Owner** is the account that created the rule group and shared it with the current account.

1. Choose **Share** to view additional information or to share the rule group with another account. A page in the AWS RAM console appears, depending on the value of **Sharing status**:
   + **Not shared**: The **Create resource share** page appears. For information about how to share the rule group with another account, organizational unit (OU), or organization, go to the step that follows this one.
   + **Shared by me**: The **Shared resources** page shows the rule groups and other resources that are owned by the current account and shared with other accounts.
   + **Shared with me**: The **Shared resources** page shows the rule groups and other resources that are owned by other accounts and shared with the current account.

1. To share a rule group with another AWS account, OU, or organization, specify the following values.
**Note**  
You can't update sharing settings. To change any of the following settings, you must reshare a rule group with the new settings and then remove the old sharing settings.  
**Description**  
Enter a short description that helps you remember why you shared the rule group.  
**Resources**  
Choose the check box for the rule group that you want to share.  
**Principals**  
Enter the AWS account number, OU name, or organization name.  
**Tags**  
Specify one or more keys and the corresponding values. For example, you might specify **Cost center** for **Key** and specify **456** for **Value**.  
These are the tags that AWS Billing and Cost Management provides for organizing your AWS bill; you can also use tags for other purposes. For more information about using tags for cost allocation, see [Using cost allocation tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*.
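The sharing procedure above is a console walkthrough. The following is an added example, not code from the Route 53 developer guide or from AWS, that performs the same share through the AWS RAM API using boto3 parameter names, with the input checks worth running before a share is created: the resource must be a DNS Firewall rule group ARN, each principal must be an account ID or an Organizations organization/OU ARN, and external principals stay disabled unless explicitly allowed. It also implements the page's rule that sharing settings can't be updated in place: create the replacement share first, then delete the old one, because deleting first would unshare the rule group and drop the other accounts' VPC associations. The RAM client is injected so the code runs offline against the constructed stub at the bottom; with boto3 installed, pass `boto3.client("ram")` instead. All account IDs, ARNs and share names are placeholders.

```python
"""Added example (not from the Route 53 developer guide): share a DNS Firewall
rule group through AWS RAM with input validation, and reshare in the order the
guide requires (create new share, then remove the old one)."""
import re

# Rule group ARN as exposed by Route 53 Resolver; region/account are placeholders.
RULE_GROUP_ARN = re.compile(
    r"^arn:aws:route53resolver:[a-z0-9-]+:\d{12}:firewall-rule-group/rslvr-frg-[a-z0-9]+$")
# RAM principals: a 12-digit account ID, or an Organizations organization or OU ARN
# (the console's "OU name" / "organization name" fields map to these ARNs in the API).
ACCOUNT_ID = re.compile(r"^\d{12}$")
ORG_PRINCIPAL = re.compile(
    r"^arn:aws:organizations::\d{12}:(organization/o-[a-z0-9]+|ou/o-[a-z0-9]+/ou-[a-z0-9-]+)$")


def is_rule_group_arn(arn):
    return bool(RULE_GROUP_ARN.match(arn))


def is_valid_principal(principal):
    return bool(ACCOUNT_ID.match(principal) or ORG_PRINCIPAL.match(principal))


def build_share_request(name, rule_group_arn, principals, allow_external=False, cost_center=None):
    """Validate inputs and return keyword arguments for RAM CreateResourceShare.

    allow_external=False keeps the share inside your organization; a share to an
    arbitrary account ID lets that account associate the rule group with its VPCs.
    """
    if not is_rule_group_arn(rule_group_arn):
        raise ValueError(f"not a DNS Firewall rule group ARN: {rule_group_arn}")
    if not principals:
        raise ValueError("at least one principal is required")
    for p in principals:
        if not is_valid_principal(p):
            raise ValueError(f"unsupported principal: {p}")
    req = {
        "name": name,
        "resourceArns": [rule_group_arn],
        "principals": list(principals),
        "allowExternalPrincipals": allow_external,
    }
    if cost_center is not None:
        # Cost-allocation tag, matching the guide's "Cost center" / "456" example.
        req["tags"] = [{"key": "Cost center", "value": str(cost_center)}]
    return req


def reshare_rule_group(ram, old_share_arn, name, rule_group_arn, principals, **kw):
    """Replace a share's settings: create the new share, then delete the old one.
    Deleting first would unshare the rule group and remove the VPC associations
    that the other accounts created. Returns the new share ARN."""
    new_arn = ram.create_resource_share(
        **build_share_request(name, rule_group_arn, principals, **kw)
    )["resourceShare"]["resourceShareArn"]
    ram.delete_resource_share(resourceShareArn=old_share_arn)
    return new_arn


class StubRamClient:
    """Constructed stand-in for boto3.client("ram"); records calls in order."""
    def __init__(self):
        self.calls = []

    def create_resource_share(self, **req):
        self.calls.append(("create", req["name"]))
        return {"resourceShare": {
            "resourceShareArn": f"arn:aws:ram:us-east-1:111122223333:resource-share/{req['name']}"}}

    def delete_resource_share(self, resourceShareArn):
        self.calls.append(("delete", resourceShareArn))
        return {"returnValue": True}


if __name__ == "__main__":
    ram = StubRamClient()  # placeholder client; use boto3.client("ram") for real
    print(reshare_rule_group(
        ram, "arn:aws:ram:us-east-1:111122223333:resource-share/old",
        "dnsfw-blocklist-v2",
        "arn:aws:route53resolver:us-east-1:111122223333:firewall-rule-group/rslvr-frg-0123456789abcdef",
        ["arn:aws:organizations::111122223333:organization/o-exampleorg"],
        cost_center=456,
    ))
    print(ram.calls)
```

Because the sharing account keeps control (the receiving account can't change or delete the rule group), the validation here is about limiting who can associate it, not about protecting the rules themselves.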

# Enabling Resolver DNS Firewall protections for your VPC
<a name="resolver-dns-firewall-vpc-protections"></a>

You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 VPC Resolver provides the following DNS Firewall protections: 
+ VPC Resolver routes the VPC's outbound DNS queries through DNS Firewall, and DNS Firewall filters the queries using the associated rule groups. 
+ VPC Resolver enforces the settings in the VPC's DNS Firewall configuration. 

To provide DNS Firewall protections to your VPC, you do the following: 
+ Create and manage associations between your DNS Firewall rule groups and your VPC. For information about rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).
+ Configure how you want VPC Resolver to handle DNS queries for the VPC during a failure, for example if DNS Firewall doesn't provide a response for a DNS query.

# Managing associations between your VPC and Resolver DNS Firewall rule group
<a name="resolver-dns-firewall-vpc-associating-rule-group"></a>

**To view a rule group's VPC associations**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console.

   - OR -

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **DNS Firewall**, choose **Rule groups**.

1. On the navigation bar, choose the Region for the rule group. 

1. Select the rule group that you want to associate.

1. Choose **View details**. The rule group page displays. 

1. Toward the bottom, you can see a tabbed details area that includes rules and associated VPCs. Choose the tab **Associated VPCs**.

**To associate a rule group with a VPC**

1. Locate the rule group's VPC associations by following the instructions in [the preceding procedure](resolver-dns-firewall-vpc-associating-rule-group.md) **To view a rule group's VPC associations**. 

1. In the **Associated VPCs** tab, choose **Associate VPC**.

1. Locate the VPC that you want to associate with the rule group in the dropdown. Select it, then choose **Associate**.

In the rule group page, your VPC is listed in the **Associated VPCs** tab. At first, the association's **Status** reports **Updating**. When the association is complete, the status changes to **Complete**. 

**To remove an association between a rule group and a VPC**

1. Locate the rule group's VPC associations by following the instructions in [the preceding procedure](resolver-dns-firewall-vpc-associating-rule-group.md) **To view a rule group's VPC associations**. 

1. Select the VPC that you want to remove from the list, then choose **Disassociate**. Verify, and then confirm the action. 

On the rule group page, your VPC is listed in the **Associated VPCs** tab with the status of **Disassociating**. When the operation completes, DNS Firewall updates the list to remove the VPC. 

# DNS Firewall VPC configuration
<a name="resolver-dns-firewall-vpc-configuration"></a>

The DNS Firewall configuration for your VPC determines whether Route 53 VPC Resolver allows queries through or blocks them during failures, for example when DNS Firewall is impaired, unresponsive, or not available in the zone. VPC Resolver enforces a VPC's firewall configuration whenever you have one or more DNS Firewall rule groups associated with the VPC.

You can configure a VPC to fail open or fail closed. 
+ By default, the failure mode is closed, which means that VPC Resolver blocks any queries for which it doesn't receive a reply from DNS Firewall and sends a `SERVFAIL` DNS response. This approach favors security over availability. 
+ If you enable fail open, VPC Resolver allows queries through if it doesn't receive a reply from DNS Firewall. This approach favors availability over security. 

**To change the DNS Firewall configuration for a VPC (console)**

1. Sign in to the AWS Management Console and open the VPC Resolver console at [https://console.aws.amazon.com/route53resolver/](https://console.aws.amazon.com/route53resolver/).

1. In the navigation pane under **Resolvers**, choose **VPCs**. 

1. In the **VPCs** page, locate and edit the VPC. Change the DNS Firewall configuration to fail open or fail closed as needed. 

**To change the DNS Firewall behavior for a VPC (API)**
+ Update your VPC firewall configuration by calling [UpdateFirewallConfig](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_UpdateFirewallConfig.html) and enabling or disabling `FirewallFailOpen`. 

You can retrieve a list of your VPC firewall configurations through the API by calling [ListFirewallConfigs](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_ListFirewallConfigs.html). 
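The following is an added example, not code from the Route 53 developer guide or from AWS, that covers two procedures on this page through the route53resolver API using boto3 parameter names: the rule group association from **Managing associations between your VPC and Resolver DNS Firewall rule group** (AssociateFirewallRuleGroup, then polling GetFirewallRuleGroupAssociation until the status moves from UPDATING to COMPLETE, as the console shows **Updating** then **Complete**), and the fail-open/fail-closed setting from this section (ListFirewallConfigs to find every VPC that fails open, UpdateFirewallConfig to force it back to the fail-closed default). The client is injected so the code runs offline against the constructed stub at the bottom; with boto3 installed, pass `boto3.client("route53resolver")` instead. Rule group, association and VPC IDs are placeholders.

```python
"""Added example (not from the Route 53 developer guide): associate a DNS
Firewall rule group with a VPC and wait for completion, then audit and enforce
the VPC fail-closed setting. Client is injected; IDs are placeholders."""
import time


def associate_and_wait(client, rule_group_id, vpc_id, priority, name,
                       max_polls=60, poll_s=5, sleep=time.sleep):
    """AssociateFirewallRuleGroup, then poll GetFirewallRuleGroupAssociation
    until Status is COMPLETE. Raises TimeoutError if it never completes."""
    resp = client.associate_firewall_rule_group(
        FirewallRuleGroupId=rule_group_id,
        VpcId=vpc_id,
        # Unique per VPC; lower numbers are evaluated first. Leaving gaps
        # (101, 200, ...) makes room to slot further rule groups in later.
        Priority=priority,
        Name=name,
        # Guards the association against accidental deletion or modification.
        MutationProtection="ENABLED",
    )
    assoc_id = resp["FirewallRuleGroupAssociation"]["Id"]
    status = resp["FirewallRuleGroupAssociation"]["Status"]
    for _ in range(max_polls):
        assoc = client.get_firewall_rule_group_association(
            FirewallRuleGroupAssociationId=assoc_id)["FirewallRuleGroupAssociation"]
        status = assoc["Status"]
        if status == "COMPLETE":
            return assoc
        sleep(poll_s)
    raise TimeoutError(f"association {assoc_id} still {status} after polling")


def list_fail_open_vpcs(client):
    """VPC IDs whose configuration is fail open (FirewallFailOpen == ENABLED),
    walking every page of ListFirewallConfigs. A fail-open VPC passes queries
    unfiltered whenever DNS Firewall does not answer, so this is the review set."""
    fail_open, kwargs = [], {}
    while True:
        page = client.list_firewall_configs(**kwargs)
        for cfg in page.get("FirewallConfigs", []):
            if cfg.get("FirewallFailOpen") == "ENABLED":
                fail_open.append(cfg["ResourceId"])
        if not page.get("NextToken"):
            return fail_open
        kwargs["NextToken"] = page["NextToken"]


def enforce_fail_closed(client, vpc_ids):
    """UpdateFirewallConfig with FirewallFailOpen=DISABLED (the default,
    security-over-availability mode) for each VPC; returns the new settings."""
    return {
        vpc: client.update_firewall_config(
            ResourceId=vpc, FirewallFailOpen="DISABLED")["FirewallConfig"]["FirewallFailOpen"]
        for vpc in vpc_ids
    }


class StubResolverClient:
    """Constructed stand-in for boto3.client("route53resolver"): three sample
    VPCs (two fail open) and an association that reports UPDATING on the
    first poll and COMPLETE on the second."""
    def __init__(self):
        self.polls = 0
        self.configs = {"vpc-0a1b2c3d": "ENABLED",
                        "vpc-0c9d8e7f": "ENABLED",
                        "vpc-0e5f6a7b": "DISABLED"}

    def associate_firewall_rule_group(self, **kw):
        return {"FirewallRuleGroupAssociation": {
            "Id": "rslvr-frgassoc-stub", "Status": "UPDATING", **kw}}

    def get_firewall_rule_group_association(self, FirewallRuleGroupAssociationId):
        self.polls += 1
        return {"FirewallRuleGroupAssociation": {
            "Id": FirewallRuleGroupAssociationId,
            "Status": "COMPLETE" if self.polls >= 2 else "UPDATING"}}

    def list_firewall_configs(self, **kw):  # two pages, to exercise NextToken
        items = [{"ResourceId": v, "FirewallFailOpen": m}
                 for v, m in sorted(self.configs.items())]
        if "NextToken" not in kw:
            return {"FirewallConfigs": items[:2], "NextToken": "page-2"}
        return {"FirewallConfigs": items[2:]}

    def update_firewall_config(self, ResourceId, FirewallFailOpen):
        self.configs[ResourceId] = FirewallFailOpen
        return {"FirewallConfig": {"ResourceId": ResourceId,
                                   "FirewallFailOpen": FirewallFailOpen}}


if __name__ == "__main__":
    c = StubResolverClient()  # placeholder; use boto3.client("route53resolver") for real
    print(associate_and_wait(c, "rslvr-frg-stub", "vpc-0a1b2c3d", 101,
                             "block-known-bad", sleep=lambda s: None)["Status"])
    risky = list_fail_open_vpcs(c)
    print("fail-open VPCs:", risky)
    print(enforce_fail_closed(c, risky))
```

Run the audit on a schedule rather than once: the fail-open setting is per VPC, and a VPC that was switched to fail open during an outage investigation is easy to forget.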