AWS::Route53Resolver::FirewallRuleGroup FirewallRule - AWS CloudFormation

AWS::Route53Resolver::FirewallRuleGroup FirewallRule

A single firewall rule in a rule group.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Action" : String, "BlockOverrideDnsType" : String, "BlockOverrideDomain" : String, "BlockOverrideTtl" : Integer, "BlockResponse" : String, "FirewallDomainListId" : String, "FirewallDomainRedirectionAction" : String, "Priority" : Integer, "Qtype" : String }

Properties

Action

The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:

  • ALLOW - Permit the request to go through.

  • ALERT - Permit the request to go through but send an alert to the logs.

  • BLOCK - Disallow the request. If this is specified,then BlockResponse must also be specified.

    if BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified:

    • BlockOverrideDnsType

    • BlockOverrideDomain

    • BlockOverrideTtl

Required: Yes

Type: String

Allowed values: ALLOW | BLOCK | ALERT

Update requires: No interruption

BlockOverrideDnsType

The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

Required: No

Type: String

Allowed values: CNAME

Update requires: No interruption

BlockOverrideDomain

The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

Required: No

Type: String

Minimum: 1

Maximum: 255

Update requires: No interruption

BlockOverrideTtl

The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.

Required: No

Type: Integer

Minimum: 0

Maximum: 604800

Update requires: No interruption

BlockResponse

The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.

  • NODATA - Respond indicating that the query was successful, but no response is available for it.

  • NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.

  • OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.

Required: No

Type: String

Allowed values: NODATA | NXDOMAIN | OVERRIDE

Update requires: No interruption

FirewallDomainListId

The ID of the domain list that's used in the rule.

Required: Yes

Type: String

Minimum: 1

Maximum: 64

Update requires: No interruption

FirewallDomainRedirectionAction

How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME, or DNAME.

Inspect_Redirection_Domain (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be added to the domain list.

Trust_Redirection_Domain inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to the domain list.

Required: No

Type: String

Allowed values: INSPECT_REDIRECTION_DOMAIN | TRUST_REDIRECTION_DOMAIN

Update requires: No interruption

Priority

The priority of the rule in the rule group. This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.

Required: Yes

Type: Integer

Update requires: No interruption

Qtype

The DNS query type you want the rule to evaluate. Allowed values are;

  • A: Returns an IPv4 address.

  • AAAA: Returns an Ipv6 address.

  • CAA: Restricts CAs that can create SSL/TLS certifications for the domain.

  • CNAME: Returns another domain name.

  • DS: Record that identifies the DNSSEC signing key of a delegated zone.

  • MX: Specifies mail servers.

  • NAPTR: Regular-expression-based rewriting of domain names.

  • NS: Authoritative name servers.

  • PTR: Maps an IP address to a domain name.

  • SOA: Start of authority record for the zone.

  • SPF: Lists the servers authorized to send emails from a domain.

  • SRV: Application specific values that identify servers.

  • TXT: Verifies email senders and application-specific values.

  • A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be defined as TYPENUMBER, where the NUMBER can be 1-65334, for example, TYPE28. For more information, see List of DNS record types.

Required: No

Type: String

Minimum: 1

Maximum: 16

Update requires: No interruption