There are many security tools available, each serving a unique purpose in safeguarding your digital environment. Among them, the DNS firewall is one of the most effective and well-established. It acts as a critical line of defense against cyber threats by filtering and blocking access to malware and phishing websites, and data exfiltration points among others malicious resources. This prevents users from inadvertently visiting dangerous sites or falling victim to cyber attacks.
Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). This step-by-step guide shows how to integrate Malware Patrol’s Malicious Domains threat intelligence with the AWS Route 53 Resolver DNS Firewall.
Add Malware Patrol’s Malicious Domains List to Amazon Route 53 Resolver DNS Firewall
You’ll need your Malware Patrol subscription username and password to proceed.
Malware Patrol uses CloudFormation to create all the necessary AWS systems that keep a Route 53 Domain list updated with Malware Patrol data. Basically, it creates an S3 bucket and a Lambda function that downloads and updates the Malicious Domains feed every hour, importing it into the Route 53 Domain List once it’s update.
The process is simple. Start by signing into your AWS Management Console and click the following link:
(URL will be provided by your account manager)
When you click on this link, you will see fields for inputting your Malware Patrol username and password. Click “Create Stack”. (Do NOT modify any other field on the page!) The following resources are generated automatically:
- CloudFormation stack: DomainListForMalwarePatrolRoute53
- EventBridge rule: ScheduleForMalwarePatrolRoute53
- Bucket: domainlistformalwarepatr-s3bucketformalwarepatrol-RANDOMNUMBER
- Lambda Function: LambdaForMalwarePatrolRoute53
- DNS Firewall Domain List: malware-patrol-malicious-domains
The following screenshots show the process that begins once you have clicked on the link above.
In the parameters section, enter your customer username and password.
In the capabilities section, you must acknowledge the IAM resources-related information. Click “Create Stack”.
The stack will show as being in progress for a few moments.
Once it is complete, you will see the following screen:
Navigate to your Route 53 console. You can do this by searching Route 53 in the search bar at the top of the screen.
From your Route 53 dashboard, select DNS Firewall from the left side menu.
Click on Rule Groups from the DNS Firewall entry on the left side menu and then click Create rule group.
Give the rule group a name and click Next.
Select Add rule.
Name the rule and select “Add my own domain list”. Under “Choose or create a new domain list”, select the Malware Patrol list.
For Action, drop down and select BLOCK and then select NXDOMAIN. Click Add rule.
Congratulations, your Malware Patrol Malicious Domains threat list is active and ready to protect your organization against the latest threats!
The next steps will vary by organization. Generally, you will want to enable firewall protection for your VPC(s). An Amazon resource outlining this process can be found below.
Notice that the newly created Domain List may take more than an hour to populate depending on how long it takes for AWS to execute the Lambda function. After that, updates will be automatically pushed every hour.
Amazon Route 53 Resources
- Managing Your Own Domain Lists: “You can create your own domain lists to specify domain categories that you either don’t find in the managed domain list offerings or that you prefer to handle on your own.
- Configuring logging for DNS Firewall: “You can evaluate your DNS Firewall rules by using Amazon CloudWatch metrics and the Resolver query logs. The logs provide the domain list name for all alerts and blocking actions.”
- DNS Firewall rule groups and rules: “This section describes the settings that you can configure for your DNS Firewall rule groups and rules, to define the DNS Firewall behavior for your VPCs. It also describes how to manage the settings for your rule groups and rules.”
- Enabling Route 53 Resolver DNS Firewall protections for your VPC: “You enable DNS Firewall protections for your VPC by associating one or more rule groups with the VPC. Whenever a VPC is associated with a DNS Firewall rule group, Route 53 Resolver provides the following DNS Firewall protections […]”
If you encounter any problems with your Route 53 DNS Resolver Firewall integration, please contact your account manager or send an email to support ( @ ) malwarepatrol.net.