AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Unrestricted DNS Access Should Not Be Allowed
More Info:
No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the unrestricted DNS access issue in AWS, you can follow the below steps:
- Login to the AWS console and navigate to the Route 53 service.
- Click on the Hosted Zones option in the left-hand menu.
- Select the hosted zone for which you want to restrict DNS access.
- Click on the “Create Record Set” button to create a new record set.
- In the “Name” field, enter the domain name for which you want to restrict DNS access.
- In the “Type” field, select the appropriate DNS record type (such as A, CNAME, etc.).
- In the “Value” field, enter the IP address or domain name of the resource that the DNS record should point to.
- Scroll down to the “Routing Policy” section and select “Simple” routing policy.
- In the “Alias” section, select “No” to disable the alias feature.
- Click on the “Create” button to create the record set.
By following these steps, you have created a new DNS record set that restricts access to the specified resource. Only authorized users will be able to access the resource through the DNS record.
To remediate the unrestricted DNS access issue in AWS using AWS CLI, follow these steps:
-
Open the AWS CLI on your local machine.
-
Run the following command to list all the Route 53 hosted zones in your account:
aws route53 list-hosted-zones -
Identify the hosted zone that has unrestricted DNS access and make a note of its ID.
-
Run the following command to update the hosted zone to restrict DNS access:
aws route53 update-hosted-zone-Comment \ --id <hosted-zone-id> \ --comment "Restricted DNS Access"Note: Replace
<hosted-zone-id>with the ID of the hosted zone identified in step 3. -
Run the following command to verify that the hosted zone has been updated:
aws route53 get-hosted-zone \ --id <hosted-zone-id>Note: Replace
<hosted-zone-id>with the ID of the hosted zone identified in step 3. -
Verify that the DNS access has been restricted by checking the DNS settings in the AWS Management Console.
Note: The DNS access should now be restricted to authorized users only.
To remediate the unrestricted DNS access misconfiguration in AWS using Python, you can follow these steps:
- Connect to the AWS account using the Boto3 library in Python.
- Get a list of all Route53 hosted zones using the
list_hosted_zones()method. - For each hosted zone, get a list of all the record sets using the
list_resource_record_sets()method. - Check each record set for any entries that have an empty or wildcard
Namefield and anAorCNAMErecord type. - If any such record sets are found, remove them using the
change_resource_record_sets()method.
Here’s a sample Python code that implements the above steps:
import boto3
# Connect to AWS account
client = boto3.client('route53')
# Get a list of all hosted zones
response = client.list_hosted_zones()
hosted_zones = response['HostedZones']
# Loop through each hosted zone
for zone in hosted_zones:
zone_id = zone['Id']
zone_name = zone['Name']
# Get a list of all record sets in the zone
response = client.list_resource_record_sets(HostedZoneId=zone_id)
record_sets = response['ResourceRecordSets']
# Loop through each record set
for record_set in record_sets:
# Check if the record set has an empty or wildcard name and an A or CNAME record type
if (record_set['Name'] == '' or record_set['Name'].startswith('*.')) and \
(record_set['Type'] == 'A' or record_set['Type'] == 'CNAME'):
# Remove the record set
change_batch = {
'Changes': [
{
'Action': 'DELETE',
'ResourceRecordSet': record_set
}
]
}
client.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=change_batch)
Note: This code only removes the record sets that match the criteria mentioned in step 4. You may want to modify it to suit your specific requirements. Also, make sure to test the code thoroughly before running it in a production environment.