Class DnsFirewallRulesConfig

NetworkConfig / CentralNetworkServicesConfig / ResolverConfig / DnsFirewallRuleGroupConfig / DnsFirewallRulesConfig

Route 53 DNS firewall rule configuration. Use this configuration to define individual rules for your DNS firewall. This allows you to define the DNS firewall behavior for your VPCs.

Example

The following example creates a rule that blocks requests from a custom list of domains. The custom domain list path must exist in your accelerator configuration repository.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 100
  blockResponse: NXDOMAIN
  customDomainList: path/to/domains.txt

The following example creates a rule referencing an AWS-managed domain list. The managed domain list must be available in the region you are deploying the rule to.

- name: accelerator-dns-rule
  action: BLOCK
  priority: 200
  blockResponse: NODATA
  managedDomainList: AWSManagedDomainsAggregateThreatList

Hierarchy

  • DnsFirewallRulesConfig

Implements

Constructors

constructor

Properties

action blockOverrideDomain blockOverrideTtl blockResponse customDomainList managedDomainList name priority

Constructors

constructor

Properties

Readonly action

action: "BLOCK" | "ALLOW" | "ALERT" = 'ALERT'

An action for the DNS firewall rule to take on matching requests.

See

dnsFirewallRuleActionTypeEnum

Readonly blockOverrideDomain

blockOverrideDomain: undefined | string = undefined

(OPTIONAL) Configure an override domain for BLOCK actions. This is a custom DNS record to send back in response to the query.

Remarks

Only define this property if your are using a blockResponse of OVERRIDE.

Readonly blockOverrideTtl

blockOverrideTtl: undefined | number = undefined

(OPTIONAL) Configure a time-to-live (TTL) for the override domain. This is the recommended amount of time for the DNS resolver or web browser to cache the override record and use it in response to this query, if it is received again. By default, this is zero, and the record isn't cached.

Remarks

Only define this property if your are using a blockResponse of OVERRIDE.

Readonly blockResponse

blockResponse: undefined | "OVERRIDE" | "NODATA" | "NXDOMAIN" = undefined

Configure a specific response type for BLOCK actions. Block response types are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html

See

dnsFirewallBlockResponseTypeEnum

Readonly customDomainList

customDomainList: undefined | string = undefined

A file containing a custom domain list in TXT format.

Remarks

The file must exist in your accelerator configuration repository. The file must contain domain names separated by newlines.

Include only one of customDomainList or managedDomainList for each rule definition.

Readonly managedDomainList

managedDomainList: undefined | "AWSManagedDomainsAggregateThreatList" | "AWSManagedDomainsBotnetCommandandControl" | "AWSManagedDomainsMalwareDomainList" = undefined

Configure a rule that uses an AWS-managed domain list. AWS-managed domain lists are defined here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-managed-domain-lists.html.

Remarks

Before using a managed domain list, please ensure that it is available in the region you are deploying it to. Regional availability of managed domain lists is included in the link above.

Include only one of customDomainList or managedDomainList for each rule definition.

See

dnsFirewallManagedDomainListEnum

Readonly name

name: string = ''

A friendly name for the DNS firewall rule.

Readonly priority

priority: number = 100

The priority of the DNS firewall rule.

Remarks

Rules are evaluated in order from low to high number. Priority values must be unique in each defined rule group.

Settings

Member Visibility

Theme

Generated using TypeDoc