NetworkConfig / CentralNetworkServicesConfig / ResolverConfig / DnsFirewallRuleGroupConfig / DnsFirewallRulesConfig

Route 53 DNS firewall rule configuration.

Use this configuration to define individual rules for your DNS firewall. This allows you to define the DNS firewall behavior for your VPCs.

The following example creates a rule that blocks requests from a custom list of domains. The custom domain list path must exist in your accelerator configuration repository.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 100
  blockResponse: NXDOMAIN
  customDomainList: path/to/domains.txt

The following example creates a rule referencing an AWS-managed domain list. The managed domain list must be available in the region you are deploying the rule to.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 200
  blockResponse: NODATA
  managedDomainList: AWSManagedDomainsAggregateThreatList

interface IDnsFirewallRulesConfig {
    action: DnsFirewallRuleActionType;
    blockOverrideDomain?: string;
    blockOverrideTtl?: number;
    blockResponse?: DnsFirewallBlockResponseType;
    customDomainList?: string;
    managedDomainList?: DnsFirewallManagedDomainListsType;
    name: string;
    priority: number;
}

Properties

action: DnsFirewallRuleActionType

An action for the DNS firewall rule to take on matching requests.

NetworkConfigTypes.dnsFirewallRuleActionTypeEnum

blockOverrideDomain?: string

(OPTIONAL) Configure an override domain for BLOCK actions. This is a custom DNS record to send back in response to the query.

Only define this property if you are using a blockResponse of OVERRIDE.

blockOverrideTtl?: number

(OPTIONAL) Configure a time-to-live (TTL) for the override domain. This is the recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

Only define this property if you are using a blockResponse of OVERRIDE.

blockResponse?: DnsFirewallBlockResponseType

Configure a specific response type for BLOCK actions. Block response types are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html

NetworkConfigTypes.dnsFirewallBlockResponseTypeEnum

customDomainList?: string

A file containing a custom domain list in TXT format.

The file must exist in your accelerator configuration repository. The file must contain domain names separated by newlines.

Include only one of customDomainList or managedDomainList for each rule definition.

managedDomainList?: DnsFirewallManagedDomainListsType

Configure a rule that uses an AWS-managed domain list. AWS-managed domain lists are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html.

Before using a managed domain list, please ensure that it is available in the region you are deploying it to. Regional availability of managed domain lists is included in the link above.

Include only one of customDomainList or managedDomainList for each rule definition.

NetworkConfigTypes.dnsFirewallManagedDomainListEnum

name: string

A friendly name for the DNS firewall rule.

priority: number

The priority of the DNS firewall rule.

Rules are evaluated in priority order, lowest number first. Priority values must be unique within each defined rule group.
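The constraints listed above (one domain list source per rule, override fields only with an OVERRIDE block response, unique priorities per rule group) are easy to get wrong in hand-written YAML and only surface at deployment time. The following is an added example, not accelerator code, of a stand-alone pre-deployment check that enforces them and parses the newline-separated custom domain list format. The type names mirror the interface on this page, but the enum value sets are an assumption (the accelerator defines them in NetworkConfigTypes): ALLOW, ALERT, BLOCK and NODATA, NXDOMAIN, OVERRIDE are the Route 53 Resolver DNS Firewall values, and Route 53 requires a block response whenever the action is BLOCK. The sample rules are constructed from the two examples earlier on this page.

```typescript
// Added example (not part of the accelerator): validate DNS firewall rule definitions
// against the constraints documented for DnsFirewallRulesConfig.
// Assumed enum value sets; the accelerator's own enums live in NetworkConfigTypes.
type DnsFirewallRuleActionType = 'ALLOW' | 'ALERT' | 'BLOCK';
type DnsFirewallBlockResponseType = 'NODATA' | 'NXDOMAIN' | 'OVERRIDE';

interface DnsFirewallRule {
  name: string;
  action: DnsFirewallRuleActionType;
  priority: number;
  blockResponse?: DnsFirewallBlockResponseType;
  blockOverrideDomain?: string;
  blockOverrideTtl?: number;
  customDomainList?: string;   // path in the config repository
  managedDomainList?: string;  // AWS-managed list name
}

/** Returns human-readable problems for one rule group; an empty array means it is valid. */
function validateRuleGroup(rules: DnsFirewallRule[]): string[] {
  const problems: string[] = [];
  const seenPriorities = new Map<number, string>();

  for (const rule of rules) {
    const where = `rule "${rule.name}"`;

    // Exactly one domain-list source per rule.
    const hasCustom = rule.customDomainList !== undefined;
    const hasManaged = rule.managedDomainList !== undefined;
    if (hasCustom === hasManaged) {
      problems.push(`${where}: include exactly one of customDomainList or managedDomainList`);
    }

    // Route 53 requires a block response for BLOCK actions, and rejects it otherwise.
    if (rule.action === 'BLOCK' && rule.blockResponse === undefined) {
      problems.push(`${where}: BLOCK actions require a blockResponse`);
    }
    if (rule.action !== 'BLOCK' && rule.blockResponse !== undefined) {
      problems.push(`${where}: blockResponse is only valid for BLOCK actions`);
    }

    // Override domain/TTL only make sense with blockResponse OVERRIDE.
    const isOverride = rule.action === 'BLOCK' && rule.blockResponse === 'OVERRIDE';
    if (isOverride && !rule.blockOverrideDomain) {
      problems.push(`${where}: blockResponse OVERRIDE requires blockOverrideDomain`);
    }
    if (!isOverride && (rule.blockOverrideDomain !== undefined || rule.blockOverrideTtl !== undefined)) {
      problems.push(`${where}: blockOverrideDomain/blockOverrideTtl are only valid with blockResponse OVERRIDE`);
    }
    if (rule.blockOverrideTtl !== undefined &&
        (!Number.isInteger(rule.blockOverrideTtl) || rule.blockOverrideTtl < 0)) {
      problems.push(`${where}: blockOverrideTtl must be a non-negative integer`);
    }

    // Priorities must be unique within the rule group.
    const clash = seenPriorities.get(rule.priority);
    if (clash !== undefined) {
      problems.push(`${where}: priority ${rule.priority} already used by rule "${clash}"`);
    } else {
      seenPriorities.set(rule.priority, rule.name);
    }
  }
  return problems;
}

/** Rule names in the order the firewall evaluates them (lowest priority number first). */
function evaluationOrder(rules: DnsFirewallRule[]): string[] {
  return [...rules].sort((a, b) => a.priority - b.priority).map(r => r.name);
}

/** Parses the custom domain list TXT format: one domain per line, blank lines ignored. */
function parseCustomDomainList(text: string): string[] {
  return text.split(/\r?\n/).map(line => line.trim()).filter(line => line.length > 0);
}

// Constructed sample rules, taken from the two examples on this page.
const sampleRules: DnsFirewallRule[] = [
  { name: 'block-custom', action: 'BLOCK', priority: 100, blockResponse: 'NXDOMAIN',
    customDomainList: 'path/to/domains.txt' },
  { name: 'block-managed', action: 'BLOCK', priority: 200, blockResponse: 'NODATA',
    managedDomainList: 'AWSManagedDomainsAggregateThreatList' },
];

console.log(validateRuleGroup(sampleRules));   // []
console.log(evaluationOrder(sampleRules));     // [ 'block-custom', 'block-managed' ]
```

Running the check in CI against the network configuration catches a rule that names both list sources or reuses a priority before the accelerator pipeline attempts to deploy it.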