Unrestricted DNS Access Should Not Be Allowed

More Info:

No security group should allow unrestricted inbound access to TCP and UDP port 53 (DNS).

Risk Level

Medium

Address

Security

Compliance Standards

HIPAA, AWSWAF, GDPR, SOC2, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the unrestricted DNS access issue in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine.
Run the following command to list all the Route 53 hosted zones in your account:
```
aws route53 list-hosted-zones
```
Identify the hosted zone that has unrestricted DNS access and make a note of its ID.
Run the following command to update the hosted zone to restrict DNS access:
```
aws route53 update-hosted-zone-Comment \
--id <hosted-zone-id> \
--comment "Restricted DNS Access"
```
Note: Replace <hosted-zone-id> with the ID of the hosted zone identified in step 3.
Run the following command to verify that the hosted zone has been updated:
```
aws route53 get-hosted-zone \
--id <hosted-zone-id>
```
Note: Replace <hosted-zone-id> with the ID of the hosted zone identified in step 3.
Verify that the DNS access has been restricted by checking the DNS settings in the AWS Management Console. Note: The DNS access should now be restricted to authorized users only.

Using Python

To remediate the unrestricted DNS access misconfiguration in AWS using Python, you can follow these steps:

Connect to the AWS account using the Boto3 library in Python.
Get a list of all Route53 hosted zones using the list_hosted_zones() method.
For each hosted zone, get a list of all the record sets using the list_resource_record_sets() method.
Check each record set for any entries that have an empty or wildcard Name field and an A or CNAME record type.
If any such record sets are found, remove them using the change_resource_record_sets() method.

Here’s a sample Python code that implements the above steps:

import boto3

# Connect to AWS account
client = boto3.client('route53')

# Get a list of all hosted zones
response = client.list_hosted_zones()
hosted_zones = response['HostedZones']

# Loop through each hosted zone
for zone in hosted_zones:
    zone_id = zone['Id']
    zone_name = zone['Name']

    # Get a list of all record sets in the zone
    response = client.list_resource_record_sets(HostedZoneId=zone_id)
    record_sets = response['ResourceRecordSets']

    # Loop through each record set
    for record_set in record_sets:
        # Check if the record set has an empty or wildcard name and an A or CNAME record type
        if (record_set['Name'] == '' or record_set['Name'].startswith('*.')) and \
           (record_set['Type'] == 'A' or record_set['Type'] == 'CNAME'):
            # Remove the record set
            change_batch = {
                'Changes': [
                    {
                        'Action': 'DELETE',
                        'ResourceRecordSet': record_set
                    }
                ]
            }
            client.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=change_batch)

Note: This code only removes the record sets that match the criteria mentioned in step 4. You may want to modify it to suit your specific requirements. Also, make sure to test the code thoroughly before running it in a production environment.

Additional Reading:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Unrestricted DNS Access Should Not Be Allowed

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: