
Route 53 Resolver DNS Firewall

Understand Route 53 Resolver DNS Firewall for VPC DNS query filtering, rule groups, domain lists, actions, logging, Firewall Manager, and SAA-C03 signals.

Level: foundation. 6 min read. Updated 2026-06-02. Topics: Cloud, Certification, Networking, Security, Operations.
Tags: DNS Firewall, Route 53 Resolver, Firewall Rule Group, Domain List, DNS Query, Block Action, Alert Action, Firewall Manager Policy

After this, you will understand

DNS resolution is part of the security path, not just a name-resolution convenience, and Route 53 Resolver DNS Firewall is the control point for it inside a VPC.

Plain version

Route 53 Resolver DNS Firewall filters outbound DNS queries from VPCs using domain lists and rule groups.

Decision pressure

Learners try to solve domain-based DNS blocking with security groups, NACLs, or WAF rules that never see resolver queries.

Exam-ready model

Use DNS Firewall to block, allow, or alert on DNS queries from VPC resources, then manage rule groups centrally with Firewall Manager when needed.

Think before reading: what does DNS Firewall inspect, and why is Network Firewall not always the simplest answer for it?
It inspects DNS queries made through Route 53 Resolver and can allow, block, or alert based on domain lists. Network Firewall sits on the routed packet path and only sees a domain name when the traffic carries one it can parse, such as a TLS SNI or an HTTP Host header, so for a policy written in terms of DNS names the DNS-layer control is the more direct fit.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. AWS Transit Gateway (aws-services)
  2. AWS Network Firewall (aws-services)

Concepts Covered

  • Route 53 Resolver DNS Firewall
  • DNS query filtering
  • Firewall rule groups
  • Domain lists
  • Allow, block, and alert actions
  • Rule priority
  • VPC associations
  • Query logging
  • Firewall Manager deployment
  • DNS Firewall versus Network Firewall, WAF, and Route 53 routing

1. Plain-English Mental Model

Route 53 Resolver DNS Firewall filters DNS queries from resources in a VPC.

The simple model is:

VPC workload -> Route 53 Resolver DNS query -> DNS Firewall rule group -> allow, block, or alert

Applications often connect to domains, not hardcoded IPs. If a compromised instance tries to resolve a known malicious domain, or if policy forbids certain external domains, DNS is a useful control point.

DNS Firewall does not replace WAF. WAF inspects web requests at supported resources. DNS Firewall inspects DNS queries. It also does not replace Network Firewall for general network traffic inspection.

It is a DNS-layer security control for VPCs.

2. Why This Service Exists

Security teams often need to control which domains workloads can resolve.

An instance may try to contact a command-and-control domain. A workload may resolve unapproved package repositories. A sandbox may need to block known malicious or adult domains. A company may want alerting when certain domains are queried even if traffic is not blocked yet.

Security groups and NACLs are weak tools for this. They understand IPs and ports, not domain intent. WAF sees HTTP requests at protected resources, not every DNS query a workload makes.

DNS Firewall exists to add policy to VPC DNS resolution.

For SAA-C03, DNS Firewall appears in questions about blocking outbound DNS queries to malicious domains, applying domain block lists, alerting on DNS queries, associating DNS filtering with VPCs, and managing DNS Firewall rules across accounts using Firewall Manager.

3. The Naive Approach And Where It Breaks

The naive pattern is IP blocking:

deny known bad IPs in NACL rules (security groups have no deny rules, so they can only leave a destination out of the allow list)

This breaks when domains resolve to changing IP addresses, cloud-hosted infrastructure, CDNs, or many endpoints, and an IP list goes stale the moment the attacker moves hosts.

Another naive pattern is to rely on application code not to call bad domains. That fails if the host is compromised or if a dependency behaves unexpectedly.

Another mistake is confusing Route 53 public hosted zones with Resolver DNS Firewall. Public hosted zones answer DNS for domains you manage. DNS Firewall filters DNS queries from VPC resources.

DNS Firewall is about controlling resolver behavior, not hosting a public DNS zone.

4. Core Primitives

A firewall rule group contains DNS Firewall rules, each with a numeric priority.

A rule references one domain list and one action.

A domain list contains the domain names a rule matches. A plain entry such as example.com matches that exact name; a wildcard entry such as *.example.com matches every subdomain but not the apex, so list both to cover both. AWS also publishes managed domain lists (for example malware and botnet command-and-control lists) that you can reference without maintaining them yourself.

Actions are ALLOW, BLOCK, and ALERT. ALERT lets the query resolve but records the match. BLOCK can answer with NODATA (an empty answer), NXDOMAIN (no such domain), or OVERRIDE (a CNAME you specify, such as a sinkhole host, with a TTL you choose).

Rule priority determines evaluation order: rules are evaluated from the lowest number upward and the first match wins, so an ALLOW exception must carry a lower number than the broad BLOCK it punches through.

A VPC association applies a rule group to DNS queries from that VPC. Associations also carry a priority, so when several rule groups are associated with one VPC they are evaluated from the lowest number upward, and an association can have mutation protection enabled so it cannot be changed or deleted until protection is turned off.

Query logging is Route 53 Resolver query logging (to CloudWatch Logs, S3, or Kinesis Data Firehose). DNS Firewall has no separate log; a match appears on the query log record in the firewall_rule_action, firewall_rule_group_id, and firewall_domain_list_id fields.

Firewall Manager can apply DNS Firewall rule groups across accounts and OUs in an AWS Organization.

Route 53 Resolver is the DNS resolver path used by VPC resources; inside a VPC it answers at the VPC network address plus two (10.0.0.2 in 10.0.0.0/16).
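The primitives above fit together in one evaluation loop. The following is an added example, not AWS code and not from this page: a small Python model of how a query is evaluated against the rule groups associated with a VPC, showing wildcard domain-list matching, first-match-wins priority, and why an ALLOW exception has to sit at a lower number than the BLOCK it overrides. The policy at the bottom (group names, domains, priorities, the sinkhole) is constructed for illustration.

```python
"""Added example, not AWS code: a small model of how Route 53 Resolver DNS
Firewall evaluates one query against the rule groups associated with a VPC.
Rule-group associations and the rules inside a group are both walked from the
lowest priority number upward, and the first matching rule decides the action.
The policy at the bottom (names, domains, priorities) is constructed."""
from dataclasses import dataclass


def domain_matches(entry: str, qname: str) -> bool:
    """Domain-list matching as DNS Firewall applies it: a plain entry matches
    that exact name, and a '*.' entry matches every subdomain but not the
    apex itself (list both 'example.com' and '*.example.com' to cover both)."""
    entry = entry.lower().rstrip(".")
    qname = qname.lower().rstrip(".")
    if entry.startswith("*."):
        return qname.endswith(entry[1:])  # entry[1:] is ".example.com"
    return qname == entry


@dataclass
class Rule:
    priority: int            # lower number is evaluated first within the group
    action: str              # ALLOW | BLOCK | ALERT
    domains: list            # entries of the rule's domain list
    block_response: str = "NODATA"  # for BLOCK: NODATA | NXDOMAIN | OVERRIDE


@dataclass
class Association:
    priority: int            # lower number is evaluated first within the VPC
    group_name: str
    rules: list


def evaluate(associations, qname):
    """Return what DNS Firewall does with qname: the winning action, which rule
    group and rule priority matched, and the response the client sees.
    ALERT lets the query resolve normally but records the match in query logs."""
    for assoc in sorted(associations, key=lambda a: a.priority):
        for rule in sorted(assoc.rules, key=lambda r: r.priority):
            if any(domain_matches(d, qname) for d in rule.domains):
                response = rule.block_response if rule.action == "BLOCK" else "resolved"
                return {"action": rule.action, "group": assoc.group_name,
                        "rule": rule.priority, "response": response}
    # No rule matched anywhere: the Resolver answers the query as usual.
    return {"action": "ALLOW", "group": None, "rule": None, "response": "resolved"}


# Constructed policy for a production VPC. The ALLOW exception for one vendor
# host sits at a lower rule number than the wildcard BLOCK of that vendor, so
# the exception wins; swapping the two numbers would block the repo as well.
PROD_POLICY = [
    Association(101, "prod-egress", [
        Rule(10, "ALLOW", ["repo.vendor.example"]),
        Rule(20, "BLOCK", ["*.vendor.example"], block_response="NXDOMAIN"),
        Rule(30, "BLOCK", ["malicious.example", "*.malicious.example"],
             block_response="OVERRIDE"),   # answer with a sinkhole CNAME
    ]),
    Association(200, "watchlist", [
        Rule(10, "ALERT", ["*.paste.example"]),  # observe before blocking
    ]),
]


if __name__ == "__main__":
    for name in ["repo.vendor.example", "cdn.vendor.example", "vendor.example",
                 "c2.malicious.example", "docs.paste.example", "example.com"]:
        print(f"{name:24} -> {evaluate(PROD_POLICY, name)}")
```

Note that vendor.example itself is not covered by *.vendor.example and falls through to the default allow; that is the most common surprise when a block list is written from memory rather than tested.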

5. Architecture Use Cases

Use DNS Firewall to block known malicious domains from being resolved by workloads in a VPC.

Use alert mode to observe policy impact before blocking:

domain query -> DNS Firewall alert -> log and security workflow

Use allow lists for tightly controlled workloads that should resolve only approved domains.

Use DNS query logs to investigate compromised hosts or unexpected dependencies.

Use Firewall Manager to apply DNS Firewall policies across many accounts.

Use DNS Firewall with Network Firewall. DNS Firewall can block name resolution, while Network Firewall can inspect routed traffic.
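Building the block list, the allow-list exception and the VPC association described in these use cases takes five route53resolver API calls, and the order of the rule priorities is the part that is easy to get wrong. The following is an added example, not AWS code and not from this page: a Python helper using boto3's route53resolver method names (create_firewall_domain_list, update_firewall_domains, create_firewall_rule_group, create_firewall_rule, associate_firewall_rule_group). It runs offline against a dry-run client that records the calls, and performs a real deployment only when given a real boto3 client with `--apply`. The VPC ID, domain names, rule group name, sinkhole host and priorities are constructed.

```python
"""Added example, not AWS code: build the DNS Firewall objects from the
section above with boto3's route53resolver client. The helper can run
against a dry-run client that records the calls, so the wiring can be checked
offline; pass a real boto3 client to apply it. Names, domains, the VPC ID and
the sinkhole host are constructed."""
import uuid


class DryRunClient:
    """Stand-in for boto3.client('route53resolver'): records every call and
    hands back fake IDs in the shape the real responses use."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            n = len(self.calls)
            return {
                "FirewallDomainList": {"Id": f"rslvr-fdl-fake{n:03d}"},
                "FirewallRuleGroup": {"Id": f"rslvr-frg-fake{n:03d}"},
                "FirewallRuleGroupAssociation": {"Id": f"rslvr-frgassoc-fake{n:03d}"},
            }
        return call


def _token(prefix):
    # CreatorRequestId makes the create calls idempotent on retry.
    return f"{prefix}-{uuid.uuid4()}"


def _domain_list(client, name, domains):
    dl_id = client.create_firewall_domain_list(
        Name=name, CreatorRequestId=_token(name))["FirewallDomainList"]["Id"]
    if domains:  # an empty exception list needs no ADD call
        client.update_firewall_domains(
            FirewallDomainListId=dl_id, Operation="ADD", Domains=list(domains))
    return dl_id


def deploy_egress_policy(client, vpc_id, block_domains, allow_exceptions,
                         sinkhole=None, assoc_priority=101):
    """Create allow and block domain lists, a rule group whose ALLOW rule
    precedes its BLOCK rule, and associate it with the VPC. With a sinkhole
    the BLOCK answers with a CNAME override instead of NXDOMAIN."""
    allow_id = _domain_list(client, "egress-allow-exceptions", allow_exceptions)
    block_id = _domain_list(client, "egress-block", block_domains)
    rg_id = client.create_firewall_rule_group(
        Name="prod-egress", CreatorRequestId=_token("rg"))["FirewallRuleGroup"]["Id"]

    # Lower priority number is evaluated first: exceptions before the block.
    client.create_firewall_rule(
        CreatorRequestId=_token("allow"), FirewallRuleGroupId=rg_id,
        FirewallDomainListId=allow_id, Priority=10, Action="ALLOW",
        Name="allow-exceptions")
    block = dict(CreatorRequestId=_token("block"), FirewallRuleGroupId=rg_id,
                 FirewallDomainListId=block_id, Priority=20, Action="BLOCK",
                 Name="block-egress")
    if sinkhole:
        block.update(BlockResponse="OVERRIDE", BlockOverrideDomain=sinkhole,
                     BlockOverrideDnsType="CNAME", BlockOverrideTtl=60)
    else:
        block["BlockResponse"] = "NXDOMAIN"
    client.create_firewall_rule(**block)

    # MutationProtection stops the association being changed or deleted
    # without first disabling protection, which guards against casual drift.
    assoc = client.associate_firewall_rule_group(
        CreatorRequestId=_token("assoc"), FirewallRuleGroupId=rg_id,
        VpcId=vpc_id, Priority=assoc_priority, Name=f"prod-egress-{vpc_id}",
        MutationProtection="ENABLED")
    return {"allow_list": allow_id, "block_list": block_id, "rule_group": rg_id,
            "association": assoc["FirewallRuleGroupAssociation"]["Id"]}


if __name__ == "__main__":
    import sys
    if "--apply" in sys.argv:
        import boto3  # only needed for a real deployment
        client = boto3.client("route53resolver")
    else:
        client = DryRunClient()
    result = deploy_egress_policy(
        client, "vpc-0123456789abcdef0",
        block_domains=["*.vendor.example", "malicious.example", "*.malicious.example"],
        allow_exceptions=["repo.vendor.example"],
        sinkhole="sinkhole.security.example")
    print(result)
    if isinstance(client, DryRunClient):
        for method, kwargs in client.calls:
            print(method, {k: v for k, v in kwargs.items() if k != "CreatorRequestId"})
```

The dry run prints the exact call sequence so a reviewer can confirm the ALLOW rule carries the lower priority number before anything touches a real account.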

7. Security Model

DNS Firewall protects the DNS resolution path, but it is not the only path attackers can use.

If a workload uses a custom resolver, encrypted DNS (DNS over TLS on port 853 or DNS over HTTPS on port 443), hardcoded IPs, or any external DNS path that bypasses Route 53 Resolver, DNS Firewall never sees the query.

Control outbound network paths so workloads can only reach the intended resolver. Inside a VPC that is the Resolver at the VPC network address plus two, so egress rules in NACLs or Network Firewall can drop port 53 and 853 traffic to any other destination, and VPC Flow Logs show where DNS traffic actually goes.

Limit who can modify DNS Firewall rule groups, domain lists, VPC associations, and query logging configuration, and enable mutation protection on production associations so they cannot be changed or removed by accident.

Domain lists should be managed carefully. A bad block can break production dependencies. A bad allow list can be too permissive.

Logs can reveal domains queried by applications and users. Protect them.
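The bypass paths above do not appear in Resolver query logs at all, because they never reach the Resolver; VPC Flow Logs are where they show up. The following is an added example, not AWS code and not from this page: a Python detector that reads default-format VPC Flow Log records, derives the Resolver address from the VPC CIDR (network address plus two), and flags port 53 traffic to any other destination, DNS over TLS on 853, and HTTPS to a caller-supplied set of known DoH resolver addresses (DoH is indistinguishable from ordinary HTTPS by port alone). The flow log lines and the DoH address set are constructed.

```python
"""Added example, not AWS code: find DNS traffic that bypasses Route 53
Resolver, and so DNS Firewall, using VPC Flow Log records. Inside a VPC the
Resolver answers at the VPC network address plus two (10.0.0.2 for
10.0.0.0/16); DNS to any other destination on port 53, or DNS over TLS on
port 853, never passes through the firewall. The log lines are constructed."""
import ipaddress

# Default VPC Flow Log record format, in field order.
FLOW_LOG_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport "
                   "dstport protocol packets bytes start end action log-status").split()


def resolver_address(vpc_cidr):
    """Route 53 Resolver's address inside a VPC: the CIDR base plus two."""
    return str(ipaddress.ip_network(vpc_cidr)[2])


def find_dns_bypass(flow_log_lines, vpc_cidr, doh_resolvers=()):
    """Return one finding per flow that reaches a DNS service other than the
    VPC Resolver. DNS over HTTPS rides on 443 and is only recognisable by
    destination, so known DoH resolver addresses are passed in explicitly."""
    resolver = resolver_address(vpc_cidr)
    findings = []
    for line in flow_log_lines:
        rec = dict(zip(FLOW_LOG_FIELDS, line.split()))
        if rec.get("log-status") != "OK":
            continue  # NODATA / SKIPDATA records carry no usable addresses
        dst, port = rec["dstaddr"], int(rec["dstport"])
        if port == 53 and dst != resolver:
            reason = "plain DNS to a resolver other than the VPC Resolver"
        elif port == 853:
            reason = "DNS over TLS"
        elif port == 443 and dst in doh_resolvers:
            reason = "DNS over HTTPS to a known public resolver"
        else:
            continue
        findings.append({"eni": rec["interface-id"], "src": rec["srcaddr"],
                         "dst": dst, "port": port, "reason": reason,
                         "action": rec["action"]})  # ACCEPT means it got out
    return findings


# Constructed records: one legitimate query to the VPC Resolver, one plain DNS
# query to a public resolver, one DoT session, one DoH session, ordinary HTTPS
# that must not be flagged, one query a NACL already rejected, and a NODATA row.
SAMPLE_FLOW_LOGS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.0.2 51234 53 17 1 72 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 8.8.8.8 51235 53 17 1 72 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 1.1.1.1 51236 853 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 1.1.1.1 51237 443 6 20 4096 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 203.0.113.10 51238 443 6 20 4096 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 9.9.9.9 51239 53 17 1 72 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for f in find_dns_bypass(SAMPLE_FLOW_LOGS, "10.0.0.0/16", doh_resolvers={"1.1.1.1"}):
        print(f)
```

A finding with action ACCEPT means the egress controls let the bypass through and the DNS Firewall policy was never consulted for that lookup; a REJECT confirms the network-layer rule did its job and is still worth an alert on the source instance.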

8. Reliability And Resilience

DNS Firewall improves security resilience by blocking or alerting on risky domain lookups early in the connection flow.

However, DNS blocks can cause application outages if rules are too broad or stale, and the failure mode of the firewall itself matters too: each VPC has a fail-open setting, and with the default (fail closed) a query that DNS Firewall cannot evaluate is blocked rather than answered, which is the safer choice but one to understand before an incident.

Use alert mode, query logs, staged rollout, and non-production testing before enforcing broad domain policies; the query log records which rule group and domain list matched, so an ALERT phase tells you exactly which workloads a future BLOCK would affect.

Understand dependencies. Applications may call package repositories, license servers, identity providers, observability endpoints, payment APIs, or third-party SaaS domains.

Use multiple rule groups and clear priorities so exceptions are understandable.
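The alert-then-block workflow from section 5 and the staged rollout described here both come down to reading Resolver query logs. The following is an added example, not AWS code and not from this page: a Python report that parses query log records (the firewall_rule_action, firewall_rule_group_id and firewall_domain_list_id fields are the ones Resolver query logging emits on a DNS Firewall match), counts ALERT hits per domain and per distinct source, and splits the alerted domains into probable dependencies versus isolated hits that are safe to move to BLOCK. The log records are constructed, and the `min_sources` threshold is an assumption to tune per environment.

```python
"""Added example, not AWS code: turn Route 53 Resolver query logs from an
ALERT-mode rollout into a decision list. DNS Firewall has no separate log; the
match shows up as firewall_rule_action / firewall_rule_group_id /
firewall_domain_list_id fields on the ordinary Resolver query log record. The
records below are constructed, and the threshold is an assumption."""
import json
from collections import Counter, defaultdict


def _rec(query_name, instance, action=None, rcode="NOERROR",
         ts="2024-03-01T12:00:00Z"):
    """Build one constructed log line using the field names Resolver query
    logging emits; only the fields this example reads are filled carefully."""
    rec = {"version": "1.100000", "account_id": "123456789012",
           "region": "us-east-1", "vpc_id": "vpc-0123456789abcdef0",
           "query_timestamp": ts, "query_name": query_name, "query_type": "A",
           "query_class": "IN", "rcode": rcode, "answers": [],
           "srcaddr": "10.0.1.25", "srcport": "51234", "transport": "UDP",
           "srcids": {"instance": instance}}
    if action:
        rec.update(firewall_rule_action=action,
                   firewall_rule_group_id="rslvr-frg-0001",
                   firewall_domain_list_id="rslvr-fdl-0001")
    return json.dumps(rec)


# Constructed records: a vendor repo hit from three instances (a dependency),
# a suspicious domain hit twice from one host, one already-blocked query, and
# one ordinary query that matched no rule at all.
SAMPLE_QUERY_LOGS = [
    _rec("repo.vendor.example.", "i-0aaa", "ALERT"),
    _rec("repo.vendor.example.", "i-0bbb", "ALERT"),
    _rec("repo.vendor.example.", "i-0ccc", "ALERT"),
    _rec("repo.vendor.example.", "i-0aaa", "ALERT"),
    _rec("c2.malicious.example.", "i-0ccc", "ALERT"),
    _rec("c2.malicious.example.", "i-0ccc", "ALERT"),
    _rec("x.paste.example.", "i-0bbb", "BLOCK", rcode="NXDOMAIN"),
    _rec("api.internal.example.", "i-0aaa"),
]


def parse_query_logs(lines):
    return [json.loads(line) for line in lines if line.strip()]


def alert_report(records):
    """Per domain hit by an ALERT rule: query count and distinct sources."""
    hits = defaultdict(lambda: {"queries": 0, "sources": set()})
    for r in records:
        if r.get("firewall_rule_action") != "ALERT":
            continue
        name = r["query_name"].rstrip(".").lower()
        src = r.get("srcids", {}).get("instance") or r.get("srcaddr")
        hits[name]["queries"] += 1
        hits[name]["sources"].add(src)
    return {d: {"queries": v["queries"], "sources": len(v["sources"])}
            for d, v in hits.items()}


def triage(report, min_sources=3):
    """Split alerted domains into probable dependencies (queried by at least
    min_sources hosts, so worth an ALLOW exception or a closer look) and
    isolated hits that can move to BLOCK. The threshold is an assumption."""
    deps = sorted(d for d, v in report.items() if v["sources"] >= min_sources)
    block = sorted(d for d, v in report.items() if v["sources"] < min_sources)
    return deps, block


def block_outcomes(records):
    """Count what clients actually received for queries already BLOCKed."""
    return Counter((r["query_name"].rstrip("."), r.get("rcode"))
                   for r in records if r.get("firewall_rule_action") == "BLOCK")


if __name__ == "__main__":
    recs = parse_query_logs(SAMPLE_QUERY_LOGS)
    rep = alert_report(recs)
    print(rep)
    print("dependencies, candidates:", triage(rep))
    print(block_outcomes(recs))
```

Run this over a week of logs before flipping a rule from ALERT to BLOCK: a domain in the dependencies list is what the "bad block breaks production" warning above looks like in data, and it needs an ALLOW exception at a lower rule number or a conversation with the owning team first.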

9. Performance And Scaling

DNS Firewall is managed by AWS, but rule complexity and organization scale matter.

Large domain lists and many rule groups require governance. Teams need ownership for allow lists, deny lists, and exceptions.

At organization scale, central deployment through Firewall Manager can reduce drift.

DNS Firewall is not a replacement for general egress architecture. It filters queries, but approved domains can still be abused if application-layer or network-layer controls are weak.

Use it as part of layered egress security.

10. Cost Model

DNS Firewall pricing depends on rule group associations and DNS query volume according to current AWS pricing.

Query logs create storage and analysis costs.

Firewall Manager can add policy management value but may involve related service costs.

The operational cost is exception management. Domain policies need updates as applications and vendors change.

Use alerting and scoped rollout to avoid expensive outages caused by overblocking.

12. SAA-C03 Exam Signals

"Block DNS queries to malicious domains from VPC resources" points to Route 53 Resolver DNS Firewall.

"Create domain block lists or allow lists for VPC DNS" points to DNS Firewall.

"Alert on DNS queries without blocking" points to DNS Firewall alert action.

"Centrally manage DNS Firewall across accounts" points to Firewall Manager.

"Public DNS routing for a domain" points to Route 53 hosted zones, not DNS Firewall.

"HTTP header, path, or SQL injection rules" points to WAF.

"Network packet inspection" points to Network Firewall.

13. Common Exam Traps

Do not confuse Route 53 public hosted zones with Resolver DNS Firewall.

Do not use WAF for general VPC DNS query filtering.

Do not assume DNS Firewall blocks hardcoded IP connections.

Do not forget VPC association.

Do not deploy block lists without testing application dependencies.

Do not ignore query logging and alert mode for rollout.

Review Amazon Route 53, AWS Network Firewall, AWS Firewall Manager, and VPC Networking Model.
