How Ironclad Clickwrap Implements the DNS Firewall

Security expert Magnus Thorne shares the steps for adding a layer of defense to a cloud environment.

The AWS DNS firewall is just one layer of defense in protecting a cloud environment.

A breached server needs to communicate back to a command and control (C2C) server. Hackers prefer to talk to an FQDN rather than an IP address. For example, if the C2C server is an EC2 instance and Amazon detects the malicious activity, Amazon can shut down the C2C server; an FQDN keeps the C2C IP within the hacker’s control. A DNS firewall blocks the C2C communication at the name-resolution step.

When a server in the VPC queries DNS, it sends the query to the VPC’s .2 address (the base of the VPC network range plus two), which is Route 53 Resolver behind the scenes. The DNS firewall adds a layer of security at this point: Route 53 Resolver compares every DNS query against the domain lists in the rule groups associated with the VPC and blocks the queries that match. Communication is blocked before the typical connection to the internet is ever made.

chart showing dns server queries

The steps to set up the DNS Firewall

Step 1: Enable DNS query logging. Go to the Route 53 service and click Resolver > Query logging.

Step 1.1: Click Configure query logging.

screenshot showing query logging configurations

Step 1.2: Provide a name, select CloudWatch Logs log group as the destination, and create a log group.

screenshot showing query log groups

Step 1.3: Add the VPC that will have the DNS firewall.

screenshot showing vpc that will have firewall

Step 1.4: Add any tags and click Configure query logging.

screenshot showing where to add tags

Step 2: Now we’ll add the block lists. Click DNS Firewall > Domain lists.

Step 2.1: Under Domain Lists, click Add domain list.

screenshot showing domain lists

NOTE: AWS provides two managed domain lists of malicious domains that you can use, but there is no way of testing these lists.

AWS doesn’t provide a means to test its filters, so you need to create your own test domain list.

Step 2.2: Create a list with a name of your choosing. In the screenshot below, the name is “Test Domains”. Click Add domain list.

screenshot of domain list builder

Step 2.3: Open DNS Firewall > Rule Groups, then click Add rule group.

screenshot showing where to add rule group details

Step 2.4: Add two predefined rules and one custom rule to the rule group above by clicking Add rule and, for the first two, selecting AWS managed domain list.

  • Rule 1: aws_malware_list, using the AWSManagedDomainsMalwareDomainList.
  • Rule 2: aws_botnet_list, using the AWSManagedDomainsBotnetCommandandControl domain list.
  • Rule 3: Test Domains, named after the custom list created in Step 2.2.

screenshot showing optional rules

screenshot showing more optional rules

Note: In this example, the selected action was Block. You can also select Alert, which allows the malicious query through, but you will receive an alert.
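The rule group built above has three rules, each tied to a domain list, and the Block/Alert choice is made per rule. The following is an added example, not Ironclad’s code and not an AWS library: a simplified offline model of how Route 53 Resolver DNS Firewall evaluates a query against a rule group (rules are tried in ascending priority order, the first domain-list match decides the action, a plain list entry matches that exact name and a `*.` entry matches its subdomains only). The list contents, the rule names and the `build_rule_group` helper are constructed stand-ins; the real AWS managed lists are not published.

```python
"""Offline model of DNS Firewall rule-group evaluation (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DomainList:
    name: str
    domains: set[str]

    def matches(self, qname: str) -> bool:
        """True if the query name hits any entry; compared case-insensitively, trailing dot ignored."""
        q = qname.lower().rstrip(".")
        for entry in self.domains:
            e = entry.lower().rstrip(".")
            if e.startswith("*."):
                # Wildcard entries cover subdomains (bot1.c2.example) but not the apex (c2.example).
                if q.endswith(e[1:]):
                    return True
            elif q == e:
                return True
        return False


@dataclass(order=True)
class Rule:
    priority: int                                   # lowest number is evaluated first
    name: str = field(compare=False)
    domain_list: DomainList = field(compare=False)
    action: str = field(compare=False)              # "ALLOW", "BLOCK" or "ALERT"


@dataclass
class RuleGroup:
    name: str
    rules: list[Rule]

    def evaluate(self, qname: str) -> tuple[str, Optional[str]]:
        """Return (action, matching rule name); ("ALLOW", None) when no rule matches."""
        for rule in sorted(self.rules):
            if rule.domain_list.matches(qname):
                return rule.action, rule.name
        return "ALLOW", None

    def is_blocked(self, qname: str) -> bool:
        """Only BLOCK stops resolution; ALERT lets the query through and only records it."""
        return self.evaluate(qname)[0] == "BLOCK"


# Constructed stand-ins for the three lists used in the article's rule group.
MALWARE_LIST = DomainList("AWSManagedDomainsMalwareDomainList", {"malware.example"})
BOTNET_LIST = DomainList("AWSManagedDomainsBotnetCommandandControl", {"*.c2.example"})
TEST_LIST = DomainList("Test Domains", {"dnsfirewall-test.example"})


def build_rule_group(test_action: str = "BLOCK") -> RuleGroup:
    """Rule group mirroring the article: two managed lists first, then the custom test list.

    test_action lets you compare Block against Alert for the test rule (hypothetical helper).
    """
    return RuleGroup("dns-firewall-rules", [
        Rule(1, "aws_malware_list", MALWARE_LIST, "BLOCK"),
        Rule(2, "aws_botnet_list", BOTNET_LIST, "BLOCK"),
        Rule(3, "test_domains", TEST_LIST, test_action),
    ])


if __name__ == "__main__":
    group = build_rule_group()
    for name in ["www.example.org", "malware.example.", "bot1.c2.example",
                 "c2.example", "dnsfirewall-test.example"]:
        print(f"{name:26} -> {group.evaluate(name)}")
```

The apex check matters in practice: a wildcard entry such as `*.c2.example` does not cover `c2.example` itself, so a list that should stop both needs both entries. Running the block with `build_rule_group("ALERT")` shows the test query still resolving while still being attributed to the `test_domains` rule, which is exactly what the Alert action gives you in the query logs.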

Step 2.5: Click Create rule group after creating the rules.

screenshot showing review and create info

Step 3: Now we need to associate a VPC to our DNS Firewall configuration.

Step 3.1: Click the name of the rule group to open the configuration screen for this rule group.

screenshot showing rule groups

Step 3.2: Click the VPC associated tab.

screenshot showing dns firewall policy

Step 3.3: Click Associate VPC and select the VPC to attach to this rule group.

screenshot showing associate vpc

Finally, you are monitoring your VPC’s DNS queries.

NOTE: Make sure to create alerts based on the CloudWatch logs. At Ironclad, we forward our logs to Datadog and manage our alerts in Slack.
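Whatever tool the logs end up in, the alert logic is the same: pick out the query-log records in which DNS Firewall matched a rule and group them by the host that sent them. The following is an added example, not Ironclad’s code and not an AWS SDK: a parser for the JSON records that Resolver query logging writes to CloudWatch Logs, plus an aggregator that produces one alert per source instance, treating Block hits as high severity, Alert hits as medium, and hits on the “Test Domains” list as informational confirmation that the firewall works. The five log lines are constructed for this example, and the `rslvr-frg-`/`rslvr-fdl-` identifiers in them are placeholders, not real IDs.

```python
"""Alerts from Route 53 Resolver query-log records (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records. A record carries firewall_* fields only when a
# DNS Firewall rule matched; the first line is an ordinary allowed query.
SAMPLE_LOG = "\n".join([
    '{"query_timestamp":"2021-03-01T12:00:00Z","query_name":"www.example.org.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"}}',
    '{"query_timestamp":"2021-03-01T12:00:05Z","query_name":"dnsfirewall-test.example.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaaaaaaaaaaaaaaa"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER","firewall_domain_list_id":"rslvr-fdl-TESTLIST"}',
    '{"query_timestamp":"2021-03-01T12:00:09Z","query_name":"bot1.c2.example.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.22","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER","firewall_domain_list_id":"rslvr-fdl-BOTNET"}',
    '{"query_timestamp":"2021-03-01T12:00:11Z","query_name":"bot2.c2.example.","query_type":"A","rcode":"NXDOMAIN","srcaddr":"10.0.1.22","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER","firewall_domain_list_id":"rslvr-fdl-BOTNET"}',
    '{"query_timestamp":"2021-03-01T12:00:15Z","query_name":"watch.example.","query_type":"A","rcode":"NOERROR","srcaddr":"10.0.1.22","srcids":{"instance":"i-0bbbbbbbbbbbbbbbb"},"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER","firewall_domain_list_id":"rslvr-fdl-WATCH"}',
])

# IDs of domain lists whose hits are expected, i.e. the article's own test list
# (assumption: placeholder ID, substitute the real rslvr-fdl- ID of your list).
TEST_DOMAIN_LISTS = frozenset({"rslvr-fdl-TESTLIST"})

SEVERITY = {"BLOCK": "high", "ALERT": "medium", "TEST": "info"}


@dataclass
class FirewallHit:
    timestamp: str
    instance: str
    srcaddr: str
    query_name: str
    action: str          # "BLOCK" or "ALERT" as written by the firewall
    domain_list_id: str


def parse_firewall_hits(log_text: str) -> list[FirewallHit]:
    """Keep only the records in which DNS Firewall matched a rule."""
    hits: list[FirewallHit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        action = rec.get("firewall_rule_action")
        if action is None:
            continue  # no firewall_* fields: the query matched no rule
        hits.append(FirewallHit(
            timestamp=rec["query_timestamp"],
            instance=rec.get("srcids", {}).get("instance", "unknown"),
            srcaddr=rec["srcaddr"],
            query_name=rec["query_name"].rstrip("."),
            action=action,
            domain_list_id=rec.get("firewall_domain_list_id", ""),
        ))
    return hits


def build_alerts(hits: list[FirewallHit]) -> list[dict]:
    """One alert per (instance, kind), where kind is BLOCK, ALERT or TEST.

    BLOCK: the resolver refused the query, so the host tried to reach a listed
    domain (high). ALERT: the query was answered but logged (medium). TEST: a
    hit on the test list, which only confirms the firewall is working (info).
    """
    grouped: dict[tuple[str, str], list[FirewallHit]] = defaultdict(list)
    for h in hits:
        kind = "TEST" if h.domain_list_id in TEST_DOMAIN_LISTS else h.action
        grouped[(h.instance, kind)].append(h)
    alerts = []
    for (instance, kind), group in sorted(grouped.items()):
        alerts.append({
            "instance": instance,
            "srcaddr": group[0].srcaddr,
            "kind": kind,
            "severity": SEVERITY.get(kind, "medium"),
            "count": len(group),
            "domains": sorted({h.query_name for h in group}),
            "first_seen": min(h.timestamp for h in group),
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_firewall_hits(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Grouping by instance rather than by query name is deliberate: a single blocked host that tries several listed names in a row is one incident, not several, and the `domains` field keeps the evidence for the responder. The same grouping is what you would express as a Datadog monitor or CloudWatch metric filter on `firewall_rule_action`; this block just makes the logic testable offline.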


We’re hiring!

If this sounds exciting to you and you’d like to help the Security Engineering team deliver an even better experience with automation and security, please see our current openings.
