AWS USER GROUP –
PERTH
DNS IN AWS
James Bromberger
(@JamesBromberger)
April 2021
JAMES BROMBERGER
Current: Global Head of Cloud for Modis (https://cloud.modis.com/)
Previous: AWS Security Solution Architect Australia & New Zealand
Previous: Vibrant Media (online advertising)
Previous: Fotango (invented Serverless – see Wikipedia)
Modis: 1,500 in Australia, 8,000 worldwide in 17 countries.
Established late 1980s as Ajilon
Parent company: Adecco Group (world's largest HR recruiter)
• Professional Consulting & Managed Services
• Staffing & Placement/Recruiting
• Training
JAMES BROMBERGER
Current: Debian GNU/Linux Developer (20 years):
cloudfront.debian.net
Previous: Debian AMI Maintainer
Previous: Linux.conf.au chair Perth 2003, assisting Perth 2014
9x AWS Certified
AWS Certification Subject Matter Expert (SA Pro, DevOps Pro,
Networking, Security)
AWS APN Partner Ambassador (ex Cloud Warrior)
TODAY WE SHALL BE LOOKING AT
Route 53 Outbound Resolver endpoints and Resolver Rules
GuardDuty (DNS findings)
VPC Endpoints
EXPLOIT: DNS Data Exfiltration
DNS Firewall
DNSSEC
SECURITY: UNMONITORED
SECURITY: MONITOR
THE OLD ADAGE: DNS
DNS REQUIREMENTS
1. Reliable
2. Able to resolve VPC Endpoints (within each VPC)
3. Able to resolve on-premises (split horizon) zones
4. Able to have Guard Duty alert on DNS activity
DNS BEST PRACTICE
Do not let your instances use alternate DNS servers (enforce this with
security group egress rules, NAT, etc.)
Log DNS queries, set up some analysis and review
Watch for DNS outages/SPOFs
LARGE ENTERPRISE (2019)
[Diagram: two VPCs, 10.0.0.0/16 and 10.1.0.0/16, each spanning two Availability Zones with public and private subnets, NAT gateways, instances and VPC endpoints, joined by a peering connection.]
LARGE ENTERPRISE (2019)
[Diagram: the same two peered VPCs; the 10.1.0.0/16 VPC now runs a BIND DNS instance in each Availability Zone, at 10.1.3.5 and 10.1.4.5.]
DHCP Options: DNS Resolver = 10.1.3.5, 10.1.4.5
DNS TRAFFIC CROSS-VPC (BIND)
[Diagram: instances in the application VPC send their queries across the peering connection to the BIND instances in the DNS VPC, which resolve from the root directly and forward the split-horizon zones to the on-premises DNS server.]
1. No VPC Endpoint resolution
2. No GuardDuty visibility
3. UDP & TCP 53 traffic through the environment
4. DNS instance downtime = intermittent outages
BIND USING VPC RESOLVER
[Diagram: as before, but the BIND instances now forward to their own VPC's resolver (the .2 address or 169.254.169.253) instead of resolving from the root; split-horizon zones still go to the on-premises DNS server.]
1. Endpoint resolution happens in the DNS VPC (in the wrong account)
2. GuardDuty visibility (in the wrong account)
3. UDP & TCP 53 traffic through the environment
4. DNS instance downtime = intermittent outages
SOLUTION: R53 OUTBOUND ENDPOINTS
[Diagram: the BIND instances are gone. Instances in each VPC use their own VPC resolver (the .2 address or 169.254.169.253). A Route 53 Outbound Resolver endpoint, with Resolver Rules for the split-horizon zones, forwards those zones to the on-premises DNS server; everything else resolves from the root via Route 53.]
1. Endpoint resolution
2. GuardDuty visibility
3. No UDP & TCP 53 traffic through the environment
4. No DNS instance downtime = no intermittent outages
Then:
1. Remove the peering connection
2. Restrict security group egress (no UDP)
DNS EXFIL
DNS is usually working (allowed out) in every environment
DNS is often not monitored
DNS often doesn't block known bad domains
DNS exfil is slow (at most 255 bytes of query name at a time) and, used directly over UDP, unreliable (a tunnel can add its own reliability layer, as QUIC does over UDP).
But a compromised machine can use it to COPY data out and to TUNNEL!
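To make "log DNS queries, set up some analysis" concrete, here is an added example (not code from the talk) that runs simple tunnelling heuristics over records in the shape that Route 53 Resolver query logging writes (query_name, query_type, srcaddr, srcids.instance, ...): a single label that is too long to be a hostname, a long high-entropy label, payload-capable query types, and many distinct names under one zone from one source. The records are constructed, not real traffic; the thresholds are assumptions to tune against your own baseline; and the registered-domain split is a simplification (last two labels, no Public Suffix List).

```python
"""Spot DNS exfiltration / tunnelling patterns in Route 53 Resolver query logs.

Added example for this page, not code from the original talk. Records follow
the Route 53 Resolver query-log JSON shape; the ones below are constructed,
and every threshold is an illustrative assumption.
"""
import hashlib
import math
from collections import defaultdict

MAX_LABEL_LEN = 40           # one label longer than this carries a payload, not a hostname
ENTROPY_MIN_LEN = 16         # only judge entropy on labels at least this long (fewer false positives)
MIN_LABEL_ENTROPY = 3.5      # bits/char: hex ~4, base32 ~5, real hostnames usually below 3.5
MAX_UNIQUE_NAMES = 20        # distinct names under one zone from one source
PAYLOAD_QUERY_TYPES = {"TXT", "NULL"}   # types tunnels commonly use to carry data downstream


def shannon_entropy(text):
    """Bits per character of the string (0 for a constant string, 2.0 for 'abcd')."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Zone the query belongs to. Simplification: last two labels (no Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def query_reasons(rec):
    """Per-query signals; an empty list means nothing suspicious about this one query."""
    qname = rec["query_name"].rstrip(".").lower()
    sub_labels = qname.split(".")[:-2]          # everything below the registered domain
    reasons = []
    longest = max(sub_labels, key=len, default="")
    if len(longest) > MAX_LABEL_LEN:
        reasons.append(f"long label ({len(longest)} chars)")
    if len(longest) >= ENTROPY_MIN_LEN and shannon_entropy(longest) >= MIN_LABEL_ENTROPY:
        reasons.append(f"high-entropy label ({shannon_entropy(longest):.2f} bits/char)")
    if rec.get("query_type") in PAYLOAD_QUERY_TYPES:
        reasons.append(f"payload-capable query type {rec['query_type']}")
    return reasons


def analyse(records):
    """One finding per suspicious query, plus one per (source, zone) with too many distinct names."""
    names_per_source_zone = defaultdict(set)
    findings = []
    for rec in records:
        source = rec.get("srcids", {}).get("instance") or rec["srcaddr"]
        zone = registered_domain(rec["query_name"])
        names_per_source_zone[(source, zone)].add(rec["query_name"])
        reasons = query_reasons(rec)
        if reasons:
            findings.append({"kind": "query", "source": source, "zone": zone,
                             "name": rec["query_name"], "reasons": reasons})
    for (source, zone), names in names_per_source_zone.items():
        if len(names) > MAX_UNIQUE_NAMES:
            findings.append({"kind": "volume", "source": source, "zone": zone, "name": None,
                             "reasons": [f"{len(names)} distinct names under {zone}"]})
    return findings


def constructed_sample_log():
    """Constructed records (not real traffic) in the Route 53 Resolver query-log shape."""
    def rec(qname, qtype="A", instance="i-0a1b2c3d4e5f", src="10.1.2.10"):
        return {"query_name": qname, "query_type": qtype, "query_class": "IN",
                "rcode": "NOERROR", "srcaddr": src, "srcport": "53412",
                "transport": "UDP", "srcids": {"instance": instance}}
    records = [
        rec("www.example.com."),
        rec("d1234abcd5678.cloudfront.net."),        # short random-looking label: legitimate, not flagged
        rec("sts.ap-southeast-2.amazonaws.com."),
    ]
    # A tunnel client chunks its data into long hex labels under a zone it controls.
    for i in range(25):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:48]   # stand-in for an encoded payload chunk
        records.append(rec(f"{chunk}.t.exfil-example.net.", "TXT", instance="i-0bad0bad0bad"))
    return records


if __name__ == "__main__":
    for f in analyse(constructed_sample_log()):
        print(f["kind"], f["source"], f["zone"], f["name"], "; ".join(f["reasons"]))
```

Point it at the query-log records you deliver to CloudWatch Logs or S3. Both this kind of analysis and GuardDuty's DNS findings only see what passes through the VPC resolver, which is why the earlier slides insist on instances using it rather than their own BIND boxes.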
GUARDDUTY
DNS exfil may be spotted by GuardDuty (and only when the instances query the VPC resolver), but GuardDuty won't block it.
Wouldn't it be better if something actively blocked it?
BOTNET C&C
Command and Control
Botnets sometimes don't trust local DNS services not to rat them out!
So they will do DNS queries against their own DNS servers.
UDP 53 -> Internet.
GUARDDUTY
External DNS resolution (instances talking UDP 53 straight to the Internet) may be spotted by GuardDuty, but won't be blocked.
Wouldn't it be better if something actively blocked it?
CISCO UMBRELLA
[Diagram: instances use the VPC resolver (the .2 address or 169.254.169.253); a Route 53 Outbound Resolver endpoint forwards queries to the Cisco IPs.]
1. Cisco provides two IPv4 addresses to send queries to
2. They identify their customers by the DNS query source address
DNS LEVEL PROTECTION
Instance: DNS lookup for foo.com please
Umbrella: response is...
(a) the real IP, 3.4.5.6 (ok)
(b) NXDOMAIN (blocked)
(c) the IP of a Cisco HTTPS proxy server (questionable: it will intercept and scan the content)
The customer chooses the response based on lists:
Malware: block
Known good: resolve
Not sure: proxy intercept
(NB: for (c) the clients must have the Cisco Umbrella root CA installed, since the proxy terminates TLS)
DNS FIREWALL
1. Define a rule group
2. Add one or more rules
3. Each rule has a list of domains
4. Customer can define their own list, or...
5. Use an AWS managed list of bad domains!
6. Each rule is either ALLOW (permit), ALERT or BLOCK
7. BLOCK can return NODATA, NXDOMAIN, or OVERRIDE the answer with new data (a sinkhole or honeypot?)
Can also block by default, with specific permitted exceptions: a catch-all BLOCK rule evaluated last, ALLOW rules ahead of it.
Costs: around US$0.60/million queries
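The rule semantics above, as an added example (not code from the talk and not the AWS service itself): a small local model of a DNS Firewall rule group that lets you check a rule set's ordering, including the block-by-default pattern, before deploying it. Modelling assumptions: rules in a group are evaluated in ascending priority and the first match wins; a domain-list entry matches the name exactly, "*.example.com" matches any name under it but not the apex, and a bare "*" matches everything (used for the default-block rule); ALERT resolves normally and only logs. The domain lists are constructed stand-ins, not the AWS managed lists.

```python
"""Local model of Route 53 Resolver DNS Firewall rule evaluation.

Added example for this page; neither code from the talk nor the service.
Assumptions: ascending-priority evaluation, first match wins; exact-match
entries, "*.zone" wildcards (subdomains only) and a bare "*" catch-all;
ALERT resolves normally and logs. Domain lists are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int            # lower number = evaluated first; unique within a rule group
    action: str              # "ALLOW" (the slide's PERMIT), "ALERT" or "BLOCK"
    domains: frozenset       # the rule's domain list
    block_response: str = "NODATA"          # BLOCK only: "NODATA", "NXDOMAIN" or "OVERRIDE"
    override_target: Optional[str] = None   # OVERRIDE only: CNAME target (sinkhole / honeypot)


def _norm(name):
    return name.rstrip(".").lower()


def entry_matches(entry, qname):
    """Does one domain-list entry cover this query name (per the modelled matching rules)?"""
    entry, qname = _norm(entry), _norm(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])     # suffix ".example.com": subdomains, not the apex
    return qname == entry


def evaluate(rules, qname):
    """Decision for one query name: the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(entry_matches(d, qname) for d in rule.domains):
            decision = {"rule": rule.name, "action": rule.action}
            if rule.action == "BLOCK":
                decision["response"] = rule.block_response
                if rule.block_response == "OVERRIDE":
                    decision["cname"] = rule.override_target
            return decision
    return {"rule": None, "action": "ALLOW"}   # no rule matched: the query resolves as normal


def lint(rules):
    """Mistakes the service rejects (duplicate priorities) or that leave a rule ineffective."""
    problems, seen = [], {}
    for r in rules:
        if r.priority in seen:
            problems.append(f"{r.name}: priority {r.priority} already used by {seen[r.priority]}")
        seen.setdefault(r.priority, r.name)
        if r.action not in ("ALLOW", "ALERT", "BLOCK"):
            problems.append(f"{r.name}: unknown action {r.action}")
        if r.action == "BLOCK" and r.block_response == "OVERRIDE" and not r.override_target:
            problems.append(f"{r.name}: OVERRIDE block needs a target")
    return problems


# Constructed walled-garden rule group: known-bad first (so it beats the wildcard allow),
# known-good next, a name you are unsure about alerted, everything else blocked by default.
WALLED_GARDEN = [
    Rule("block-malware", 1, "BLOCK",
         frozenset({"evil-example.net", "*.evil-example.net", "bad.example.com"}),
         block_response="OVERRIDE", override_target="sinkhole.example.com"),
    Rule("allow-known-good", 2, "ALLOW",
         frozenset({"example.com", "*.example.com", "amazonaws.com", "*.amazonaws.com"})),
    Rule("alert-unclassified", 3, "ALERT", frozenset({"*.files-example.org"})),
    Rule("default-deny", 100, "BLOCK", frozenset({"*"}), block_response="NXDOMAIN"),
]


if __name__ == "__main__":
    for q in ("www.example.com", "bad.example.com", "c2.evil-example.net",
              "share.files-example.org", "updates.random-vendor.test"):
        print(q, evaluate(WALLED_GARDEN, q))
    print("lint:", lint(WALLED_GARDEN))
```

The ordering matters: with the allow rule at priority 1 and the malware list at priority 2, "bad.example.com" would resolve. Keep the managed bad-domain list ahead of any wildcard allow, and keep the catch-all block at the largest priority number so it only answers what nothing else claimed.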
DNS FIREWALL: MANAGED DOMAIN LISTS
DNSSEC IN 30 SECONDS
Two parts to it:
• Does your upstream DNS resolver validate DNSSEC responses?
• Do your Route 53 hosted zones sign their responses (DNSSEC signing)?
DNSSEC: VPC VALIDATION
DNSSEC: YOUR HOSTED ZONES
Key Signing Key (KSK) backed by KMS!
The zone-signing key rotates automatically; rotating the KSK is a step you initiate.
Signing key pushed to the parent domain (as a DS record for the KSK),
except for:
• com.au
• net.au
• edu.au
• gov.au
!!!!!!!
DNSSEC: YOUR HOSTED ZONES
HARDENIZE.COM
Similar to other security validation tools.
But also gives you verification of your DNSSEC.
Getting all these squares green should cost $0.
FROM YOUR PROD INSTANCE...
Can you resolve:
• "google.com"?
• "google.com" using 8.8.8.8 as the resolver? (if so, UDP 53 egress to the Internet is open)
Do you have:
• a LOG that you looked up google.com?
• ... and analytics/alerts on that log?
• anything that can REPORT on what was looked up?
• something that can BLOCK the DNS lookup?
BLOCK IT
For each security group, look at the EGRESS rules.
If your DHCP option set points DNS at ".2" (or the link-local 169.254.169.253), instances need no security group rule to reach the VPC resolver, so you can probably remove all UDP egress!
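The check this slide asks for, and the "restrict security group egress (no UDP)" step from the outbound-endpoint solution, as an added example (not code from the talk): it works on data in the shape EC2 describe_dhcp_options and describe_security_groups return, but the records here are constructed so it runs offline; in practice feed it the boto3 output for each VPC. It relies on the documented VPC property that security groups do not filter traffic to the Amazon-provided resolver, so only confirms the DHCP option set points at that resolver before it reports egress rules that let instances talk DNS (or, in strict mode, any UDP) to destinations outside the VPC. The VPC CIDR, group IDs and option-set values are assumed sample data.

```python
"""Audit security-group egress for DNS that bypasses the VPC resolver.

Added example, not code from the talk. Input mirrors the EC2 API shapes
(DhcpConfigurations, SecurityGroups[].IpPermissionsEgress); the records at
the bottom are constructed. Relies on a documented property: security groups
do not evaluate traffic to the Amazon DNS server (.2 / 169.254.169.253).
"""
import ipaddress

AMAZON_RESOLVER_LINK_LOCAL = "169.254.169.253"


def amazon_dns_in_use(dhcp_configurations, vpc_cidr):
    """True if the option set hands out only the Amazon-provided resolver (.2 or link-local)."""
    resolver_ips = {AMAZON_RESOLVER_LINK_LOCAL, str(ipaddress.ip_network(vpc_cidr)[2])}
    for cfg in dhcp_configurations:
        if cfg["Key"] != "domain-name-servers":
            continue
        values = {v["Value"] for v in cfg["Values"]}
        return "AmazonProvidedDNS" in values or values <= resolver_ips
    return True   # no explicit entry: the VPC default is AmazonProvidedDNS


def _permits_udp(perm, port):
    """Does this egress permission allow UDP to `port` (any UDP port when port is None)?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all traffic
        return True
    if proto not in ("udp", "17"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return port is None or lo <= port <= hi


def _destinations_beyond_vpc(perm, vpc_net):
    """CIDRs (and prefix lists) this permission can reach that are not inside the VPC."""
    beyond = []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
            [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if net.version != vpc_net.version or not net.subnet_of(vpc_net):
            beyond.append(cidr)
    beyond += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]   # opaque here: review by hand
    # UserIdGroupPairs name other security groups (VPC-local or peered destinations) and are skipped.
    return beyond


def audit_egress(security_groups, dhcp_configurations, vpc_cidr, strict=False):
    """Findings for egress rules allowing UDP/53 (strict: any UDP) beyond the VPC
    while instances are configured to use the VPC resolver. Empty list = nothing to remove."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    if not amazon_dns_in_use(dhcp_configurations, vpc_cidr):
        return []   # instances point at other resolvers (e.g. in-VPC BIND); a different review applies
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissionsEgress", []):
            if not _permits_udp(perm, None if strict else 53):
                continue
            beyond = _destinations_beyond_vpc(perm, vpc_net)
            if beyond:
                findings.append({"group": sg["GroupId"], "protocol": perm["IpProtocol"],
                                 "ports": (perm.get("FromPort"), perm.get("ToPort")),
                                 "destinations": beyond})
    return findings


# Constructed sample data (assumed VPC CIDR 10.1.0.0/16; group IDs are made up).
CONSTRUCTED_DHCP = [{"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}]
CONSTRUCTED_SGS = [
    {"GroupId": "sg-0app", "GroupName": "app-default", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},            # wide open
    {"GroupId": "sg-0locked", "GroupName": "app-locked", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]}]},
    {"GroupId": "sg-0ntp", "GroupName": "app-ntp", "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in audit_egress(CONSTRUCTED_SGS, CONSTRUCTED_DHCP, "10.1.0.0/16", strict=True):
        print(f)
```

Strict mode is the slide's literal advice (drop all UDP egress). Before applying it, check what else uses UDP from those instances: NTP to external servers, syslog and QUIC will stop working, while DNS to the VPC resolver and time sync to the Amazon link-local service are unaffected by security groups.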
WHAT'S THIS?
AS/NZS 3112 (a.k.a. Type I)
Since 2000, the nominal voltage in most areas of Australia has been 230 V, except for Western Australia and Queensland, which both remain at 240 V, though Queensland is transitioning to 230 V. The voltage in New Zealand is also 230 V.
WE ARE HIRING AWS TALENT
Largest AWS Partner in Western Australia: More than 100
engineers in WA (https://aws.modis.com/)
Worldwide AWS Practice: US, UK, Italy, Bulgaria, Japan, Australia
>30 AWS related roles open
Serverless Developers (.Net, NodeJS), Integration Developers,
Architects, SysOps, DevOps, Project Managers, Networking,
Databases, Data Engineer & Analytics
