NetworkConfig / CentralNetworkServicesConfig / ResolverConfig / DnsFirewallRuleGroupConfig / DnsFirewallRulesConfig

Route 53 DNS firewall rule configuration. Use this configuration to define individual rules for your DNS firewall. This allows you to define the DNS firewall behavior for your VPCs.

Example

The following example creates a rule that blocks requests from a custom list of domains. The custom domain list path must exist in your accelerator configuration repository.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 100
  blockResponse: NXDOMAIN
  customDomainList: path/to/domains.txt

The following example creates a rule referencing an AWS-managed domain list. The managed domain list must be available in the region you are deploying the rule to.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 200
  blockResponse: NODATA
  managedDomainList: AWSManagedDomainsAggregateThreatList

Hierarchy

  • DnsFirewallRulesConfig

Properties

action: "BLOCK" | "ALLOW" | "ALERT" = 'ALERT'

An action for the DNS firewall rule to take on matching requests.

See

dnsFirewallRuleActionTypeEnum

blockOverrideDomain: undefined | string = undefined

(OPTIONAL) Configure an override domain for BLOCK actions. This is a custom DNS record to send back in response to the query.

Remarks

Only define this property if you are using a blockResponse of OVERRIDE.

blockOverrideTtl: undefined | number = undefined

(OPTIONAL) Configure a time-to-live (TTL) for the override domain. This is the recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

Remarks

Only define this property if you are using a blockResponse of OVERRIDE.

blockResponse: undefined | "OVERRIDE" | "NODATA" | "NXDOMAIN" = undefined

Configure a specific response type for BLOCK actions. Block response types are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html

See

dnsFirewallBlockResponseTypeEnum

customDomainList: undefined | string = undefined

A file containing a custom domain list in TXT format.

Remarks

The file must exist in your accelerator configuration repository. The file must contain domain names separated by newlines.

Include only one of customDomainList or managedDomainList for each rule definition.

managedDomainList: undefined | "AWSManagedDomainsAggregateThreatList" | "AWSManagedDomainsBotnetCommandandControl" | "AWSManagedDomainsMalwareDomainList" = undefined

Configure a rule that uses an AWS-managed domain list. AWS-managed domain lists are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html.

Remarks

Before using a managed domain list, please ensure that it is available in the region you are deploying it to. Regional availability of managed domain lists is included in the link above.

Include only one of customDomainList or managedDomainList for each rule definition.

See

dnsFirewallManagedDomainListEnum

name: string = ''

A friendly name for the DNS firewall rule.

priority: number = 100

The priority of the DNS firewall rule.

Remarks

Rules are evaluated in order from low to high number. Priority values must be unique in each defined rule group.
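The constraints listed across these properties (exactly one of customDomainList or managedDomainList per rule, blockResponse only for BLOCK actions, the two blockOverride fields only with blockResponse OVERRIDE, unique priorities within a rule group, and a newline-separated TXT domain list) are easy to get wrong in a YAML file and only surface at deploy time. The following TypeScript is an added example, not code from the Landing Zone Accelerator project, that checks rule definitions against those constraints before they are committed. It assumes the rules have already been loaded from YAML into plain objects with the same keys as the examples above, and it takes the domain list file content as a string so it runs offline; the domain-name syntax regex and the sample rules and domain list are this example's own constructions, not anything the page specifies.

```typescript
// Added example (not the accelerator's own code): validate DnsFirewallRulesConfig-style
// rule definitions against the constraints documented for this configuration type.
// Assumption: rules arrive as plain objects with the YAML keys; file content is a string.

type DnsFirewallRule = {
  name: string;
  action?: 'BLOCK' | 'ALLOW' | 'ALERT';
  priority?: number;
  blockResponse?: 'OVERRIDE' | 'NODATA' | 'NXDOMAIN';
  blockOverrideDomain?: string;
  blockOverrideTtl?: number;
  customDomainList?: string;
  managedDomainList?: string; // kept as string so unknown names are caught at runtime
};

const MANAGED_DOMAIN_LISTS = new Set([
  'AWSManagedDomainsAggregateThreatList',
  'AWSManagedDomainsBotnetCommandandControl',
  'AWSManagedDomainsMalwareDomainList',
]);

// Assumed domain syntax: one or more hostname labels (letters, digits, inner hyphens),
// optionally ending in a dot. The page only requires "domain names separated by newlines".
const LABEL = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const DOMAIN_RE = new RegExp(`^${LABEL}(\\.${LABEL})*\\.?$`);

// Parse the TXT list format: one domain per line, blank lines ignored,
// malformed lines reported with their line number.
function parseCustomDomainList(text: string): { domains: string[]; problems: string[] } {
  const domains: string[] = [];
  const problems: string[] = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === '') return;
    if (!DOMAIN_RE.test(line)) {
      problems.push(`line ${i + 1}: '${line}' is not a valid domain name`);
      return;
    }
    domains.push(line.toLowerCase().replace(/\.$/, ''));
  });
  return { domains, problems };
}

function validateRule(rule: DnsFirewallRule): string[] {
  const problems: string[] = [];
  const name = rule.name || '<unnamed>';
  if (!rule.name) problems.push('rule has no name');
  const action = rule.action ?? 'ALERT'; // documented default

  // Exactly one of customDomainList / managedDomainList per rule.
  const hasCustom = rule.customDomainList !== undefined;
  const hasManaged = rule.managedDomainList !== undefined;
  if (hasCustom === hasManaged) {
    problems.push(`${name}: include exactly one of customDomainList or managedDomainList`);
  }
  if (hasManaged && !MANAGED_DOMAIN_LISTS.has(rule.managedDomainList!)) {
    problems.push(`${name}: unknown managedDomainList '${rule.managedDomainList}'`);
  }

  // blockResponse is described for BLOCK actions; the override fields only for OVERRIDE.
  if (rule.blockResponse !== undefined && action !== 'BLOCK') {
    problems.push(`${name}: blockResponse only applies to BLOCK actions`);
  }
  const overrideFields = (['blockOverrideDomain', 'blockOverrideTtl'] as const)
    .filter(k => rule[k] !== undefined);
  if (overrideFields.length > 0 && rule.blockResponse !== 'OVERRIDE') {
    problems.push(`${name}: ${overrideFields.join(', ')} only valid with blockResponse OVERRIDE`);
  }
  return problems;
}

// Group-wide constraint: priority values must be unique within a rule group.
function validateRuleGroup(rules: DnsFirewallRule[]): string[] {
  const problems: string[] = [];
  const seen = new Map<number, string>();
  for (const rule of rules) {
    problems.push(...validateRule(rule));
    const prio = rule.priority ?? 100; // documented default
    const other = seen.get(prio);
    if (other !== undefined) {
      problems.push(`priority ${prio} used by both '${other}' and '${rule.name}'`);
    } else {
      seen.set(prio, rule.name);
    }
  }
  return problems;
}

// Constructed sample: the two documented example rules plus one that breaks several rules
// (both list kinds set, an override field without OVERRIDE, and a duplicate priority).
const SAMPLE_RULES: DnsFirewallRule[] = [
  { name: 'accelerator-dns-rule', action: 'BLOCK', priority: 100, blockResponse: 'NXDOMAIN', customDomainList: 'path/to/domains.txt' },
  { name: 'accelerator-managed-rule', action: 'BLOCK', priority: 200, blockResponse: 'NODATA', managedDomainList: 'AWSManagedDomainsAggregateThreatList' },
  { name: 'bad-rule', action: 'ALERT', priority: 200, blockOverrideDomain: 'sinkhole.example.com', customDomainList: 'a.txt', managedDomainList: 'AWSManagedDomainsMalwareDomainList' },
];

// Constructed contents of a custom domain list file: one domain per line, one bad line.
const SAMPLE_DOMAIN_LIST = 'bad.example.com\n\nAlso.Bad.Example.net.\nnot a domain\n';

console.log(validateRuleGroup(SAMPLE_RULES));
console.log(parseCustomDomainList(SAMPLE_DOMAIN_LIST));
```

Running this over the constructed sample reports three problems for the rule group (the mixed list kinds, the stray blockOverrideDomain, and the duplicate priority 200) and flags line 4 of the domain list while keeping the two well-formed entries, which is the kind of pre-commit check that saves a failed accelerator pipeline run.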

Generated using TypeDoc