DNSSEC and FedRAMP Requirements
As businesses increasingly rely on cloud services, ensuring the integrity and authenticity of DNS responses becomes even more critical. Amazon Web Services (AWS) Route 53, a highly scalable and available DNS service, offers a robust solution for managing DNS in the cloud. In this blog post, we delve into the world of DNS Security Extensions (DNSSEC) and how you can implement them effectively with AWS Route 53 to fortify your AWS infrastructure and meet FedRAMP requirements.
DNS Security Extensions (DNSSEC) is an add-on for the Domain Name System (DNS) used to verify the origin and integrity of data in responses received from authoritative DNS servers. This is important for cloud service providers (CSPs) as it adds an extra layer of security to protect against DNS cyber-attacks.
The use of DNSSEC is an SC-21 requirement for CSPs that aim to achieve and maintain Authority to Operate (ATO) for FedRAMP at the low, moderate, and high baselines. It is an important technical control that can improve security posture by validating the integrity and authenticity of DNS data.
Route 53 is FedRAMP authorized for both AWS East/West and AWS GovCloud. CSPs can configure Amazon Route 53 to enable DNSSEC validation on Virtual Private Cloud (VPC) DNS resolvers to fulfill the FedRAMP requirements for SC-21.
Chain of Trust Importance
A chain of trust is critical for establishing security in DNS by ensuring that responses are authentic and inviolable. This is done by creating a hierarchical verification process starting from a trusted anchor point (usually the root zone’s DNSKEY) and continuing down to the appropriate child zone. Each zone signs its DNSKEY record with its own KSK, and a hash of this DNSKEY is then placed in the parent zone as a DS record. This process creates a continuous, verifiable link from the root zone down to the specific DNS record in question. When validating DNSSEC artifacts, each link in the chain is cryptographically tested, resulting in a secure DNS lookup process.
Implementation, Testing, and Identifying Issues
Implementing DNSSEC with Route 53 enhances the security and reliability of your DNS infrastructure. To satisfy SC-21, CSPs must ensure that DNSSEC validation is enabled for all Amazon Route 53 Resolvers used to resolve address requests initiated from inside the authorization boundary. This feature is activated within the VPC settings in the Route 53 console. Once enabled, the Route 53 Resolver applies DNSSEC validation to public signed names during recursive DNS resolution. It’s important to note that if Route 53 Resolver forwards queries to another DNS resolver, that resolver must also perform DNSSEC validation to ensure security.
Testing AWS resolvers differs from non-AWS resolvers due to the specific behavior and limitations of Amazon Route 53 Resolver, particularly regarding DNSSEC validation. To test DNSSEC validation on your VPC, log in to an Amazon EC2 instance within the VPC, and then query a domain that is deliberately signed incorrectly. For example, you can query the domain dnssec-failed.org (i.e., dig dnssec-failed.org). If DNSSEC validation is set up correctly for your VPC, you’ll see a SERVFAIL response; a NOERROR response with an address record means the resolver accepted the bogus signatures and validation is not in effect.
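As an added example (not code from the original post or from AWS), the following POSIX shell helper runs the test described above from an EC2 instance and interprets the result, and also shows the AWS CLI equivalent of the console toggle. The `aws route53resolver update-resolver-dnssec-config` call, the `dig` options and the sample `dig` output are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed sample dig header lines for the two outcomes described above:
# SERVFAIL (validation rejected the bogus signatures) and NOERROR (not validating).
SERVFAIL_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
NOERROR_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
dnssec-failed.org.  300 IN A 192.0.2.10'

# Extract the RCODE word from dig's header line ("status: SERVFAIL, id: ...").
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Interpret a dig response for the deliberately mis-signed test domain.
# Prints VALIDATING, NOT_VALIDATING or UNKNOWN on stdout.
classify_dig_output() {
  status=$(dig_status)
  case "$status" in
    SERVFAIL) echo VALIDATING ;;      # resolver refused to return bogus data
    NOERROR)  echo NOT_VALIDATING ;;  # resolver answered despite bad signatures
    *)        echo UNKNOWN ;;         # timeout, NXDOMAIN, REFUSED, empty output
  esac
}

# Live check from inside the VPC: query the test domain through the VPC's
# default resolver (the one in /etc/resolv.conf). Assumes dig is installed.
check_vpc_resolver() {
  dig +time=5 +tries=1 dnssec-failed.org A | classify_dig_output
}

# Enable validation for a VPC with the AWS CLI (assumed equivalent of the
# console setting described above); "$1" is the VPC id, e.g. vpc-0123456789abcdef0.
enable_vpc_validation() {
  aws route53resolver update-resolver-dnssec-config \
    --resource-id "$1" --validation ENABLE
}
```

Run `check_vpc_resolver` on an EC2 instance inside the VPC; anything other than VALIDATING means SC-21 is not yet satisfied for that resolver (or a forwarding target is not validating).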
Conclusion
DNSSEC plays a vital role in enhancing DNS security and helps CSPs mitigate the risk of DNS-related attacks. By integrating DNSSEC with AWS Route 53 and configuring DNS resolvers to support DNSSEC validation, you can strengthen the security of DNS resolution within your AWS environment while also fulfilling the requirements defined in SC-21.
Reference Links:
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dnssec-validation.html
- https://aws.amazon.com/blogs/networking-and-content-delivery/configuring-dnssec-signing-and-validation-with-amazon-route-53
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
About Fortreum:
We started with a mission to simplify cloud and cybersecurity challenges for our customers. With an extensive track record spanning nearly a quarter of a century across the Public and Private Sectors, we possess a keen dedication to solving our customers' complex cloud and cybersecurity challenges. Our industry commitment extends to supporting and fostering the development of future cybersecurity experts within our communities. We encourage you to investigate our services further to learn how to leverage cybersecurity as a business enabler.
Should you have questions about your cloud and cybersecurity readiness, please reach out to us at Compliance@fortreum.com or Contact Us at https://fortreum.com/contact/