
I am new to AWS and started learning. While going through Security Groups, I found that we can apply rules based on IP address but not on DNS name.

I referenced a couple of pages on the internet:

They provide an alternative mechanism for a solution.

But why has AWS not allowed it? Is there any security concern which I am missing if we configure a security group based on a DNS name?

  • You are asking why AWS chose to do something. This would not be public knowledge, so you'd probably only discover an answer by joining the company and working on the team that makes EC2 and VPC! One security concern I would have, however, is that the DNS Name might be controlled by an external entity who could effectively modify your security group by changing their DNS settings. This could open a system to potential unintended attack. Then, the DNS owner could change it back again, thus hiding the evidence. This would not be a secure way to operate. – John Rotenstein Mar 01 '20 at 23:28
  • @JohnRotenstein You should make your comment into answer. I would up-vote it. – Marcin Mar 02 '20 at 00:28
  • The layer implementing firewall rules has only IP addresses in the traffic it inspects. It would have to perform reverse lookup on the IP to find an FQDN. This would be slow, somewhat unreliable (what if DNS were temporarily unavailable), and likely not very secure. – jarmod Mar 02 '20 at 00:40

1 Answer


One security concern I would have is that the DNS Name might be controlled by an external entity who could effectively modify your security group by changing their DNS settings.

This could open a system to potential unintended attack:

  • DNS settings are modified to include an unwanted IP address
  • Attacker could access the system
  • DNS settings changed back again, thus hiding the evidence

This would not be a secure way to operate.

  • This makes a lot of sense. However, I think it is not enough reason for AWS not to have such a feature. AWS could recommend that users should use IP addresses for whitelisting access to and from external services, and not the DNS names due to the security concerns you listed above. – Promise Preston Jun 21 '22 at 06:46
  • The DNS Name of the "source" request is not available in traffic sent to resources in AWS. There is a thing called "reverse IP lookup" where an IP address could be converted into a DNS Name, but it isn't always supported and would be too slow for every request going through a Security Group. – John Rotenstein Jun 21 '22 at 07:45