AWS::Route53Resolver::FirewallRuleGroup FirewallRule
A single firewall rule in a rule group.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Action" :String, "BlockOverrideDnsType" :String, "BlockOverrideDomain" :String, "BlockOverrideTtl" :Integer, "BlockResponse" :String, "FirewallDomainListId" :String, "Priority" :Integer, "Qtype" :String}
YAML
Action:StringBlockOverrideDnsType:StringBlockOverrideDomain:StringBlockOverrideTtl:IntegerBlockResponse:StringFirewallDomainListId:StringPriority:IntegerQtype:String
Properties
Action-
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
-
ALLOW- Permit the request to go through. -
ALERT- Permit the request to go through but send an alert to the logs. -
BLOCK- Disallow the request. If this is specified,thenBlockResponsemust also be specified.if
BlockResponseisOVERRIDE, then all of the followingOVERRIDEattributes must be specified:-
BlockOverrideDnsType -
BlockOverrideDomain -
BlockOverrideTtl
-
Required: Yes
Type: String
Allowed values:
ALLOW | BLOCK | ALERTUpdate requires: No interruption
-
BlockOverrideDnsType-
The DNS record's type. This determines the format of the record value that you provided in
BlockOverrideDomain. Used for the rule actionBLOCKwith aBlockResponsesetting ofOVERRIDE.Required: No
Type: String
Allowed values:
CNAMEUpdate requires: No interruption
BlockOverrideDomain-
The custom DNS record to send back in response to the query. Used for the rule action
BLOCKwith aBlockResponsesetting ofOVERRIDE.Required: No
Type: String
Minimum:
1Maximum:
255Update requires: No interruption
BlockOverrideTtl-
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action
BLOCKwith aBlockResponsesetting ofOVERRIDE.Required: No
Type: Integer
Minimum:
0Maximum:
604800Update requires: No interruption
BlockResponse-
The way that you want DNS Firewall to block the request. Used for the rule action setting
BLOCK.-
NODATA- Respond indicating that the query was successful, but no response is available for it. -
NXDOMAIN- Respond indicating that the domain name that's in the query doesn't exist. -
OVERRIDE- Provide a custom override in the response. This option requires custom handling details in the rule'sBlockOverride*settings.
Required: No
Type: String
Allowed values:
NODATA | NXDOMAIN | OVERRIDEUpdate requires: No interruption
-
FirewallDomainListId-
The ID of the domain list that's used in the rule.
Required: Yes
Type: String
Minimum:
1Maximum:
64Update requires: No interruption
Priority-
The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
Required: Yes
Type: Integer
Update requires: No interruption
Qtype-
The DNS query type you want the rule to evaluate. Allowed values are;
-
A: Returns an IPv4 address.
-
AAAA: Returns an Ipv6 address.
-
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
-
CNAME: Returns another domain name.
-
DS: Record that identifies the DNSSEC signing key of a delegated zone.
-
MX: Specifies mail servers.
-
NAPTR: Regular-expression-based rewriting of domain names.
-
NS: Authoritative name servers.
-
PTR: Maps an IP address to a domain name.
-
SOA: Start of authority record for the zone.
-
SPF: Lists the servers authorized to send emails from a domain.
-
SRV: Application specific values that identify servers.
-
TXT: Verifies email senders and application-specific values.
-
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65334, for example, TYPE28. For more information, see List of DNS record types
.
Required: No
Type: String
Minimum:
1Maximum:
16Update requires: No interruption
-
