Cloud Security - Preventing DNS Tunneling

In this article, we are going to understand how to secure and regulate outbound DNS traffic for your virtual private clouds (VPCs) in AWS, and for Azure VNets.

Let us first see what DNS is. The Domain Name System is the protocol that translates human-friendly domain names into machine-friendly IP addresses; essentially, it is the phone book of the internet. This makes DNS a critical component of business operations: firewalls must let it pass through, and network operators cannot simply block DNS traffic.

What are DNS-based attacks?

There are several attacks based on DNS; below are some of the sophisticated ones being used by attackers.

DNS Tunneling – Attackers use the DNS resolver to route queries to the attacker’s C2 server, where a tunneling program is installed. Once the connection is established between the victim and the attacker through the DNS resolver, the tunnel can be used to exfiltrate data or for other malicious purposes.

Fast Flux – Attackers set up multiple IP addresses per malicious domain name and change them in quick succession to evade IP-based controls, making it difficult for threat hunters to locate their infrastructure.

How to prevent DNS Tunneling and Fast Flux attacks in the Cloud?

Here we take the AWS Route 53 Resolver DNS Firewall as an example and look at how it helps prevent these DNS attacks.

Route 53 Resolver is a DNS server (sometimes referred to as “Amazon Provided DNS” or the “.2 resolver”) that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, VPC-specific domain names, and Route 53 private hosted zones.

Route 53 Resolver DNS Firewall lets you create “blocklists” for domains you don’t want your VPC resources to communicate with via DNS.

A DNS query is handled in AWS as follows:

  • Route 53 Resolver checks Private Hosted Zone (PHZ) associations and determines whether the query is destined for private DNS.

  • Then, Route 53 Resolver checks whether the query is destined for AWS internal domain names that cover AWS resources, such as EC2 instance names, VPC endpoints, and others.

  • If none of the preceding match and no Route 53 forwarding rules exist, the query is sent to a public DNS authority.

Route 53 Resolver does not use the Internet Gateway (IGW), Security Groups, or network ACLs attached to your VPC to resolve public DNS zones. That means DNS queries will be resolved even if the VPC does not have an Internet Gateway attached, or a route to the internet.

With Route 53 Resolver DNS Firewall, you can filter and regulate outbound DNS traffic for your virtual private clouds (VPCs). To do this, you create reusable collections of filtering rules in DNS Firewall rule groups, associate the rule groups with your VPC, and then monitor activity in DNS Firewall logs and metrics. Based on the activity, you can adjust the behavior of DNS Firewall accordingly.

DNS Firewall provides protection for outbound DNS requests from your VPCs. These requests route through Resolver for domain name resolution. A primary use of DNS Firewall protections is to help prevent DNS exfiltration of your data.
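The monitoring step above is where tunneling shows up: a client encoding data into queries leaves bursts of long, high-entropy labels under one domain. As an added example (not code from the original article), the following Python scans constructed records laid out like Route 53 Resolver query logs for that pattern and returns the domains worth adding to a block domain list; the hostnames, addresses and thresholds are assumptions, while the field names follow the Resolver query-log format.

```python
import json
import math
from collections import defaultdict

# Constructed sample in the Route 53 Resolver query-log field layout: one ordinary
# lookup, then a burst of long, high-entropy TXT labels under one domain (the
# shape a tunneling client produces). Hostnames and addresses are made up.
PAYLOAD_LABELS = (
    "x9q2vkz7ma3lp0ryt5whq8cf1nebd4gsju6o", "f1nebd4gsju6ox9q2vkz7ma3lp0ryt5whq8c",
    "ma3lp0ryt5whq8cf1nebd4gsju6ox9q2vkz7", "gsju6ox9q2vkz7ma3lp0ryt5whq8cf1nebd4",
)
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"vpc_id": "vpc-0example", "srcaddr": "10.0.1.15", "query_type": "A",
     "query_name": "www.example.com.", "rcode": "NOERROR"},
    *({"vpc_id": "vpc-0example", "srcaddr": "10.0.1.20", "query_type": "TXT",
       "query_name": f"{label}.tunnel-example.test.", "rcode": "NOERROR"}
      for label in PAYLOAD_LABELS),
])


def shannon_entropy(s: str) -> float:
    """Bits per character. Encoded payload labels sit near 4-5 bits; real words are lower."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels, e.g. 'tunnel-example.test'. Production code should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspect_tunnel_domains(log_text: str, min_label_len: int = 30,
                           min_entropy: float = 3.5, min_unique: int = 3) -> dict:
    """Map each domain to the number of distinct payload-like leftmost labels seen under it.

    Only domains with at least `min_unique` such labels are returned; these are the
    candidates for a DNS Firewall domain list attached to a BLOCK rule.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec.get("firewall_rule_action") == "BLOCK":
            continue  # an existing rule already handles this query
        first = rec["query_name"].rstrip(".").split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            seen[registered_domain(rec["query_name"])].add(first)
    return {d: len(labels) for d, labels in seen.items() if len(labels) >= min_unique}
```

Run it over an exported query-log batch rather than the embedded sample to get the candidate domains for the constructed VPC; a single long label is ignored by design, since legitimate services occasionally emit one.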

DNS Firewall is made up of the following components:

Rules – A DNS Firewall rule specifies a single domain list and the action to take when a DNS query matches a domain in that list. You can allow, block, or alert on the matching queries. Each rule has a unique priority within the rule group, and rules are processed in priority order, starting from the lowest priority value.

Domain List – A domain list can be reused across many rules, but a single rule has only one domain list. You specify domains in a domain list, associate them with a rule, and provide an action to take (allow, block, alert) when any of those domains are matched in the DNS query. You create your own domain lists or use AWS managed domain lists.

Rule Group – A DNS Firewall rule group is a collection of rules that define how to inspect and handle DNS queries. A rule group can be associated with many VPCs, hence providing protection to multiple VPCs in an AWS account. With AWS Firewall Manager, you apply this rule group to VPCs across your organization and centrally manage it from an AWS Firewall Manager administrator account, which will be discussed later.

Capacity Units – Each rule group includes up to 100 rules. Within each rule, you specify a domain list that can have multiple domains defined. Additionally, you can attach multiple rule groups to the VPC.

Applying the filter in DNS Firewall

When a rule’s action is block, you also choose the response the resolver returns to the client for a matching domain: NODATA, NXDOMAIN, or OVERRIDE (a custom record that you specify).

Once the rule group is created, it can be associated with the VPC to protect it against DNS-based attacks.

We have seen how the Route 53 Resolver works and how to block malicious domains with a DNS Firewall filter. DNS Firewall, together with AWS Network Firewall, can be managed centrally through AWS Firewall Manager and helps prevent other DNS-based attacks as well.


Gopi Narayanaswamy