A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided DNS. How can the Security Engineer block access to the Amazon-provided DNS in the VPC?
A. Deny access to the Amazon DNS IP within all security groups.
B. Add a rule to all network access control lists that deny access to the Amazon DNS IP.
C. Add a route to all route tables that black holes traffic to the Amazon DNS IP.
D. Disable DNS resolution within the VPC configuration.
D is the correct answer.
Additionally, a custom DNS server must be specified through the DHCP option set.
A: incorrect answer. Security groups cannot specify deny rules.
B: incorrect answer. If VPC DNSSupport is enabled, the Amazon-provided DNS IP is configured in that subnet. Communication does not leave the subnet and cannot be rejected by a NACL.
C: incorrect answer. Routing and traffic blocking have nothing to do with it.
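To check the two settings this thread revolves around (the VPC's enableDnsSupport attribute and the domain-name-servers entry of its DHCP option set), here is an added audit script; it is not from the page or from AWS. The evaluation logic is pure and runs offline on the constructed sample below; the live `audit_account` path assumes boto3 and valid credentials.

```python
"""Audit VPCs for Amazon-provided DNS: the enableDnsSupport attribute and the
domain-name-servers entry of the attached DHCP option set (added example)."""
from typing import List

AMAZON_DNS = "AmazonProvidedDNS"


def dns_servers_from_dhcp(dhcp_options: dict) -> List[str]:
    """Return the domain-name-servers values from one DescribeDhcpOptions entry."""
    for conf in dhcp_options.get("DhcpConfigurations", []):
        if conf.get("Key") == "domain-name-servers":
            return [v["Value"] for v in conf.get("Values", [])]
    return []


def audit_vpc(vpc_id: str, dns_support: bool, dhcp_options: dict) -> List[str]:
    """Findings for one VPC; an empty list means Amazon DNS is neither enabled nor handed out."""
    findings = []
    servers = dns_servers_from_dhcp(dhcp_options)
    if dns_support:
        findings.append(f"{vpc_id}: enableDnsSupport is true, Amazon-provided DNS is reachable")
    # No explicit servers means the default option set, which also uses AmazonProvidedDNS.
    if not servers or AMAZON_DNS in servers:
        findings.append(f"{vpc_id}: DHCP option set still hands out {AMAZON_DNS}")
    return findings


def audit_account(region: str) -> List[str]:
    """Live variant (assumed: boto3 installed, credentials present); not run offline."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    findings = []
    for vpc in ec2.describe_vpcs()["Vpcs"]:
        attr = ec2.describe_vpc_attribute(VpcId=vpc["VpcId"], Attribute="enableDnsSupport")
        opts_id = vpc["DhcpOptionsId"]
        dhcp = {} if opts_id == "default" else ec2.describe_dhcp_options(
            DhcpOptionsIds=[opts_id])["DhcpOptions"][0]
        findings += audit_vpc(vpc["VpcId"], attr["EnableDnsSupport"]["Value"], dhcp)
    return findings


# Constructed sample: one VPC on the defaults, one switched to a custom resolver at 10.0.0.53.
DEFAULT_DHCP = {"DhcpConfigurations": [{"Key": "domain-name-servers", "Values": [{"Value": AMAZON_DNS}]}]}
CUSTOM_DHCP = {"DhcpConfigurations": [{"Key": "domain-name-servers", "Values": [{"Value": "10.0.0.53"}]}]}

if __name__ == "__main__":
    for line in audit_vpc("vpc-default", True, DEFAULT_DHCP) + audit_vpc("vpc-custom", False, CUSTOM_DHCP):
        print(line)
```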
Cloud Network Engineer here working with AWS DNS daily:
If you disable "enableDnsSupport" for the VPC, that means EC2 instances won't resolve DNS with the Amazon-provided internal DNS servers.
But you can go into the EC2 instance and, for example on Linux, manually edit
/etc/resolv.conf
and put in your own specifically created DNS servers.
Disabling DNS resolution would also block access to the Amazon-provided DNS server. However, it would also block access to all other resources in the VPC, including the custom DNS server. This would be a very disruptive measure, and it would not be specific to blocking access to the Amazon-provided DNS server.
Option C is correct because it effectively prevents any instance in the VPC from using the Amazon-provided DNS by routing all traffic destined for the Amazon DNS IP to a "blackhole." This ensures that EC2 instances can only use the custom DNS server as specified.
Keep this option disabled if you're using a custom DNS server in the DHCP Options set, and you're not using a private hosted zone.
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-enable-private-hosted-zone/
Ans (D)
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-enable-private-hosted-zone/
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support