DNS over HTTPS is now available in Amazon Route 53 Resolver

Starting today, Amazon Route 53 Resolver supports using the DNS over HTTPS (DoH) protocol for both inbound and outbound Resolver endpoints. As the name suggests, DoH uses HTTP or HTTP/2 over TLS to encrypt the data exchanged for Domain Name System (DNS) resolutions.

Using TLS encryption, DoH increases privacy and security by preventing eavesdropping on and manipulation of DNS data as it is exchanged between a DoH client and the DoH-based DNS resolver.

This helps you implement a zero-trust architecture, where no actor, system, network, or service operating outside or within your security perimeter is trusted and all network traffic is encrypted. Using DoH also helps you follow recommendations such as those described in this memorandum of the US Office of Management and Budget (OMB).

DNS over HTTPS support in Amazon Route 53 Resolver
You can use Amazon Route 53 Resolver to resolve DNS queries in hybrid cloud environments. For example, it allows access to AWS services for DNS requests from anywhere within your hybrid network. To do so, you can set up inbound and outbound Resolver endpoints:

After you configure the Resolver endpoints, you can set up rules that specify the names of the domains for which you want to forward DNS queries from your VPC to an on-premises DNS resolver (outbound) and from on-premises to your VPC (inbound).

Now, when you create or update an inbound or outbound Resolver endpoint, you can specify which protocols to use:

  • DNS over port 53 (Do53), which uses either UDP or TCP to send the packets.
  • DNS over HTTPS (DoH), which uses TLS to encrypt the data.
  • Both, depending on which one is used by the DNS client.
  • For FIPS compliance, there is a specific implementation (DoH-FIPS) for inbound endpoints.

Let’s see how this works in practice.

Using DNS over HTTPS with Amazon Route 53 Resolver
In the Route 53 console, I choose Inbound endpoints from the Resolver section of the navigation pane. There, I choose Create inbound endpoint.

I enter a name for the endpoint and select the VPC, the security group, and the endpoint type (IPv4, IPv6, or dual-stack). To allow both encrypted and unencrypted DNS resolutions, I select Do53, DoH, and DoH-FIPS in the Protocols for this endpoint option.

Console screenshot.

After that, I configure the IP addresses for DNS queries. I select two Availability Zones and, for each, a subnet. For this setup, I use the option to have the IP addresses automatically selected from those available in the subnet.

After I complete the creation of the inbound endpoint, I configure the DNS server in my network to forward requests for the amazonaws.com domain (used by AWS service endpoints) to the inbound endpoint IP addresses.

Similarly, I create an outbound Resolver endpoint and select both Do53 and DoH as protocols. Then, I create forwarding rules that specify for which domains the outbound Resolver endpoint should forward requests to the DNS servers in my network.

Now, when the DNS clients in my hybrid environment use DNS over HTTPS in their requests, DNS resolutions are encrypted. Optionally, I can enforce encryption by selecting only DoH in the configuration of the inbound and outbound endpoints.
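To make concrete what a DoH client in the hybrid network sends to the inbound endpoint, here is an added example (not code from the original post or from AWS) that builds an RFC 8484 GET request and parses the DNS answer. It assumes the endpoint serves DoH at the conventional /dns-query path, that the client trusts the endpoint's TLS certificate, and it uses a constructed sample answer for the offline check; doh_resolve is the only function that touches the network.

```python
import base64
import struct
import urllib.request
# Assumes the endpoint serves DoH at the conventional /dns-query path (added example, not AWS code).

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035); qid=0 keeps DoH GET URLs cache-friendly (RFC 8484)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def doh_get_url(endpoint_ip: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the dns= parameter (RFC 8484 section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return f"https://{endpoint_ip}/dns-query?dns={b64}"

def _skip_name(msg: bytes, off: int) -> int:
    """Step over a (possibly compressed) domain name; return the offset after it."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def doh_resolve(endpoint_ip: str, name: str) -> list[str]:
    """Send the query to the Resolver endpoint over HTTPS and return the A records."""
    req = urllib.request.Request(doh_get_url(endpoint_ip, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed offline sample: same question, one A answer (compressed name) -> 192.0.2.10
SAMPLE_ANSWER = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + build_query("sts.amazonaws.com")[12:]
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
```

Against a real inbound endpoint, call doh_resolve("<inbound endpoint IP>", "sts.amazonaws.com"); a request over port 53 carries the same wire-format query, but only the DoH form is wrapped in TLS.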

Things to know
DNS over HTTPS support for Amazon Route 53 Resolver is available today in all AWS Regions where Route 53 Resolver is offered, including GovCloud Regions and Regions based in China.

DNS over port 53 continues to be the default for inbound and outbound Resolver endpoints. This way, you don’t need to update your existing automation tooling unless you want to adopt DNS over HTTPS.

There is no additional cost for using DNS over HTTPS with Resolver endpoints. For more information, see Route 53 pricing.

Start using DNS over HTTPS with Amazon Route 53 Resolver to increase privacy and security for your hybrid cloud environments.

— Danilo
