DNS Firewall VPC configuration - Amazon Route 53
The DNS Firewall configuration for your VPC determines whether Route 53 Resolver allows queries through or blocks them during failures, for example when DNS Firewall is impaired, unresponsive, or not available in the zone. Resolver enforces a VPC's firewall configuration whenever you have one or more DNS Firewall rule groups associated with the VPC.
You can configure a VPC to fail open or fail closed.
- By default, the failure mode is closed, which means that Resolver blocks any queries for which it doesn't receive a reply from DNS Firewall and sends a SERVFAIL DNS response. This approach favors security over availability.
- If you enable fail open, Resolver allows queries through if it doesn't receive a reply from DNS Firewall. This approach favors availability over security.
To change the DNS Firewall configuration for a VPC (console)
- Sign in to the AWS Management Console and open the Resolver console at https://console.aws.amazon.com/route53resolver/.
- In the navigation pane under Resolvers, choose VPCs.
- In the VPCs page, locate and edit the VPC. Change the DNS Firewall configuration to fail open or fail closed as needed.
To change the DNS Firewall behavior for a VPC (API)
- Update your VPC firewall configuration by calling UpdateFirewallConfig and enabling or disabling FirewallFailOpen.
You can retrieve a list of your VPC firewall configurations through the API by calling ListFirewallConfigs.
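An added example (not AWS's own code) that uses the two API calls named above to audit which VPCs are set to fail open and to restore the default fail-closed behavior where needed. It assumes a boto3-style `route53resolver` client; the `StubResolverClient` and the sample configurations are constructed here so the audit runs offline.

```python
def list_fail_open_vpcs(client):
    """Return VPC ids whose DNS Firewall config is fail open (ListFirewallConfigs, paginated)."""
    fail_open, token = [], None
    while True:
        kwargs = {"MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = client.list_firewall_configs(**kwargs)
        fail_open += [c["ResourceId"] for c in page.get("FirewallConfigs", [])
                      if c.get("FirewallFailOpen") == "ENABLED"]
        token = page.get("NextToken")
        if not token:
            return fail_open


def set_fail_closed(client, vpc_id):
    """Restore the default fail-closed behavior for one VPC (UpdateFirewallConfig)."""
    resp = client.update_firewall_config(ResourceId=vpc_id, FirewallFailOpen="DISABLED")
    return resp["FirewallConfig"]["FirewallFailOpen"]


class StubResolverClient:
    """Constructed stand-in for boto3.client("route53resolver") with the same two method shapes."""

    def __init__(self, configs):
        self.configs = {c["ResourceId"]: dict(c) for c in configs}

    def list_firewall_configs(self, MaxResults=100, NextToken=None):
        items, start = list(self.configs.values()), int(NextToken or 0)
        out = {"FirewallConfigs": items[start:start + MaxResults]}
        if start + MaxResults < len(items):
            out["NextToken"] = str(start + MaxResults)
        return out

    def update_firewall_config(self, ResourceId, FirewallFailOpen):
        self.configs[ResourceId]["FirewallFailOpen"] = FirewallFailOpen
        return {"FirewallConfig": dict(self.configs[ResourceId])}


# Constructed sample data (not real account output): one VPC has been left fail open.
SAMPLE_CONFIGS = [
    {"Id": "rslvr-fc-example1", "ResourceId": "vpc-0a1b2c3d", "FirewallFailOpen": "DISABLED"},
    {"Id": "rslvr-fc-example2", "ResourceId": "vpc-0e4f5a6b", "FirewallFailOpen": "ENABLED"},
    {"Id": "rslvr-fc-example3", "ResourceId": "vpc-0c7d8e9f", "FirewallFailOpen": "DISABLED"},
]

if __name__ == "__main__":
    client = StubResolverClient(SAMPLE_CONFIGS)  # replace with boto3.client("route53resolver")
    for vpc in list_fail_open_vpcs(client):
        print(vpc, "->", set_fail_closed(client, vpc))
```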