A DNS lookup is typically the starting point for establishing outbound connections within a network. Unwanted direct communication between Amazon Virtual Private Cloud (VPC) resources and internet services could be prevented using AWS services like security groups, network access control lists (ACLs) or AWS Network Firewall. These services filter network traffic, but they do not block outbound DNS requests heading to the Amazon Route 53 Resolver that automatically answers DNS queries for public DNS records, Amazon Virtual Private Cloud (VPC) – specific DNS names, and Amazon Route 53 private hosted zones.
DNS exfiltration could potentially allow a bad actor to extract data through a DNS query to a domain they control. For instance, if a bad actor controlled the domain “example.com” and wanted to exfiltrate “sensitive-data,” they could issue a DNS lookup for “sensitive-data.example.com” from a compromised instance within a VPC. To prevent this, previously customers needed to incur costs
Original URL: http://feedproxy.google.com/~r/AmazonWebServicesBlog/~3/HBfmKNQlNH4/