interface FirewallRuleProperty
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.Route53Resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awsroute53resolver#CfnFirewallRuleGroup_FirewallRuleProperty |
Java | software.amazon.awscdk.services.route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
Python | aws_cdk.aws_route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
TypeScript | aws-cdk-lib » aws_route53resolver » CfnFirewallRuleGroup » FirewallRuleProperty |
A single firewall rule in a rule group.
Example

```typescript
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_route53resolver as route53resolver } from 'aws-cdk-lib';
const firewallRuleProperty: route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty = {
  action: 'action',
  firewallDomainListId: 'firewallDomainListId',
  priority: 123,
  // the properties below are optional
  blockOverrideDnsType: 'blockOverrideDnsType',
  blockOverrideDomain: 'blockOverrideDomain',
  blockOverrideTtl: 123,
  blockResponse: 'blockResponse',
  qtype: 'qtype',
};
```
Properties
Name | Type | Description |
---|---|---|
action | string | The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list (ALLOW, ALERT or BLOCK). |
firewallDomainListId | string | The ID of the domain list that's used in the rule. |
priority | number | The priority of the rule in the rule group. |
blockOverrideDnsType? | string | The DNS record's type. |
blockOverrideDomain? | string | The custom DNS record to send back in response to the query. |
blockOverrideTtl? | number | The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. |
blockResponse? | string | The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK. |
qtype? | string | The DNS query type you want the rule to evaluate. |
action
Type:
string
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
- ALLOW - Permit the request to go through.
- ALERT - Permit the request to go through but send an alert to the logs.
- BLOCK - Disallow the request. If this is specified, then BlockResponse must also be specified.
If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified:
- BlockOverrideDnsType
- BlockOverrideDomain
- BlockOverrideTtl
firewallDomainListId
Type:
string
The ID of the domain list that's used in the rule.
priority
Type:
number
The priority of the rule in the rule group.
This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
blockOverrideDnsType?
Type:
string
(optional)
The DNS record's type. This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockOverrideDomain?
Type:
string
(optional)
The custom DNS record to send back in response to the query. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockOverrideTtl?
Type:
number
(optional)
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockResponse?
Type:
string
(optional)
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
- NODATA - Respond indicating that the query was successful, but no response is available for it.
- NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
- OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
qtype?
Type:
string
(optional)
The DNS query type you want the rule to evaluate. Allowed values are:
- A: Returns an IPv4 address.
- AAAA: Returns an IPv6 address.
- CAA: Restricts the CAs that can create SSL/TLS certificates for the domain.
- CNAME: Returns another domain name.
- DS: Record that identifies the DNSSEC signing key of a delegated zone.
- MX: Specifies mail servers.
- NAPTR: Regular-expression-based rewriting of domain names.
- NS: Authoritative name servers.
- PTR: Maps an IP address to a domain name.
- SOA: Start of authority record for the zone.
- SPF: Lists the servers authorized to send emails from a domain.
- SRV: Application-specific values that identify servers.
- TXT: Verifies email senders and application-specific values.
- A query type you define by using the DNS type ID, for example 28 for AAAA. The value must be written as TYPENUMBER, where NUMBER can be 1-65334, for example TYPE28. For more information, see List of DNS record types.
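As an added example (not part of the CDK documentation or the library), the following TypeScript checks a set of rules against the constraints this page states for action, blockResponse, the BlockOverride* attributes, priority and qtype before the rule group is synthesized. The local FirewallRule interface, the rslvr-fdl-*-PLACEHOLDER list IDs and the sinkhole domain are assumptions; with aws-cdk-lib installed, the rules can be typed as route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty instead.

```typescript
// Added example, not CDK code: a synth-time check of the constraints this page
// states. FirewallRule mirrors FirewallRuleProperty so the file runs without
// aws-cdk-lib; with the library installed, use the CDK type instead.
interface FirewallRule {
  action: string; firewallDomainListId: string; priority: number;
  blockOverrideDnsType?: string; blockOverrideDomain?: string; blockOverrideTtl?: number;
  blockResponse?: string; qtype?: string;
}

const ACTIONS = ['ALLOW', 'ALERT', 'BLOCK'];
const BLOCK_RESPONSES = ['NODATA', 'NXDOMAIN', 'OVERRIDE'];
const OVERRIDE_KEYS = ['blockOverrideDnsType', 'blockOverrideDomain', 'blockOverrideTtl'] as const;
const QTYPES = ['A', 'AAAA', 'CAA', 'CNAME', 'DS', 'MX', 'NAPTR', 'NS', 'PTR', 'SOA', 'SPF', 'SRV', 'TXT'];

// Returns one message per violation; an empty array means the rule set is valid.
function validateFirewallRules(rules: FirewallRule[]): string[] {
  const problems: string[] = [];
  const seen = new Set<number>();
  rules.forEach((r, i) => {
    const tag = `rule[${i}]`;
    // Priority must be unique within the group; DNS Firewall evaluates lowest first.
    if (seen.has(r.priority)) problems.push(`${tag}: duplicate priority ${r.priority}`);
    seen.add(r.priority);
    if (!ACTIONS.includes(r.action)) problems.push(`${tag}: unknown action ${r.action}`);
    if (r.action === 'BLOCK') {
      // BLOCK needs blockResponse; OVERRIDE additionally needs all three override attributes.
      if (r.blockResponse === undefined) problems.push(`${tag}: BLOCK requires blockResponse`);
      else if (!BLOCK_RESPONSES.includes(r.blockResponse)) problems.push(`${tag}: unknown blockResponse ${r.blockResponse}`);
      else if (r.blockResponse === 'OVERRIDE') {
        for (const k of OVERRIDE_KEYS) if (r[k] === undefined) problems.push(`${tag}: OVERRIDE requires ${k}`);
      }
    }
    // qtype is a listed record type or TYPE<n>, with n in the range the page gives (1-65334).
    if (r.qtype !== undefined && !QTYPES.includes(r.qtype)) {
      const m = /^TYPE(\d{1,5})$/.exec(r.qtype);
      const n = m ? Number(m[1]) : 0;
      if (n < 1 || n > 65334) problems.push(`${tag}: invalid qtype ${r.qtype}`);
    }
  });
  return problems;
}

// Constructed sample: allow-list first, sinkhole a bad-domain list via CNAME override, block its AAAA lookups.
const sampleRules: FirewallRule[] = [
  { action: 'ALLOW', firewallDomainListId: 'rslvr-fdl-allow-PLACEHOLDER', priority: 100 },
  { action: 'BLOCK', firewallDomainListId: 'rslvr-fdl-bad-PLACEHOLDER', priority: 200, blockResponse: 'OVERRIDE',
    blockOverrideDnsType: 'CNAME', blockOverrideDomain: 'sinkhole.example.internal', blockOverrideTtl: 60 },
  { action: 'BLOCK', firewallDomainListId: 'rslvr-fdl-bad-PLACEHOLDER', priority: 300, blockResponse: 'NXDOMAIN', qtype: 'AAAA' },
];
```

Running the check in a unit test or a CDK aspect catches a BLOCK rule without a response, or an OVERRIDE missing one of its three attributes, before CloudFormation rejects the deployment.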