
Amazon Route 53 Resolver Introduces DNS over HTTPS Support for Enhanced Security and Compliance

AWS recently announced that Amazon Route 53 Resolver will support using the Domain Name System (DNS) over HTTPS (DoH) protocol for both inbound and outbound Resolver endpoints.

Amazon Route 53 Resolver is a comprehensive set of tools for resolving DNS queries across AWS, the internet, and on-premises networks, giving secure control over the DNS of your Amazon Virtual Private Cloud (VPC). Earlier, the company announced the availability of the service on AWS Outposts Rack. Now another enhancement is added with support for the DoH protocol: the data exchanged for DNS resolution is encrypted, which enhances privacy and security by preventing eavesdropping on, and manipulation of, DNS data in transit between a DoH client and a DoH-capable DNS resolver.

Furthermore, enabling DoH on Resolver endpoints aids customers in fulfilling regulatory and business compliance requirements, aligning with standards outlined in the US Office of Management and Budget memorandum.

Customers can utilize Amazon Route 53 Resolver to address DNS queries in hybrid cloud environments. For instance, AWS services can respond to DNS requests from any location within the hybrid network by setting up inbound and outbound resolver endpoints. Upon configuring the Resolver endpoints, customers have the option to establish rules specifying the domain names for which DNS queries are forwarded from their VPC to an on-premises DNS resolver (outbound) and vice versa, from on-premises to their VPC (inbound).

Danilo Poccia, a Chief Evangelist at AWS, writes:

When you create or update an inbound or outbound Resolver endpoint, you can specify which protocols to use:

  • DNS over port 53 (Do53), which is using either UDP or TCP to send the packets.
  • DNS over HTTPS (DoH), which is using TLS to encrypt the data.
  • Both, depending on which one is used by the DNS client.
  • For FIPS compliance, there is a specific implementation (DoH-FIPS) for inbound endpoints.

In the Route 53 console, users can choose Inbound endpoints or Outbound endpoints from the Resolver section of the navigation pane.

Inbound endpoint Amazon Route 53 Resolver (Source: AWS News blog post)

In a research report on the extent to which DoH prevents on-path devices from eavesdropping on and interfering with DNS requests, Frank Nijeboer concluded:

We have shown in this research that, while eavesdropping of individual queries has not been evaluated, it is probably possible to deduce a visit to a specific website by looking at patterns in DoH packet sizes. Furthermore, interfering with DoH traffic by manipulating responses might not be possible, but detecting DoH resolvers and thereby blocking DoH is possible. As a consequence, the promised privacy protection of DoH is debatable, and the advantage of DoH against DoT (DNS over TLS) is getting smaller.
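As an added example (not code from the article, from AWS or from the research quoted above), the following Python client speaks the RFC 8484 DoH wire format that a DoH-enabled Resolver endpoint is expected to accept, and pads each query with the EDNS(0) padding option so that the length of the encrypted message no longer tracks the length of the queried name, which is the kind of size pattern the quoted research relies on. The endpoint URL and its `/dns-query` path are assumed placeholders; substitute the DoH URL of your own inbound endpoint.

```python
import base64
import struct
import urllib.request

DOH_URL = "https://resolver.example.internal/dns-query"  # constructed placeholder: your inbound endpoint's DoH URL

def build_query(name: str, qtype: int = 1, pad_to: int = 128) -> bytes:
    # Wire-format query for RFC 8484 carrying an EDNS(0) padding option (RFC 7830), sized so the whole
    # message is a multiple of pad_to bytes (the RFC 8467 client default) to blunt length-based inference.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # ID 0 (RFC 8484 4.1), RD=1, 1 question, 1 OPT RR
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    pad_len = -(len(header) + len(question) + 11 + 4) % pad_to  # 11-byte OPT RR + 4-byte option header
    opt_rdata = struct.pack("!HH", 12, pad_len) + b"\x00" * pad_len  # option code 12 = padding
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_rdata))  # root name, type OPT, UDP size, flags
    return header + question + opt + opt_rdata

def to_get_url(wire: bytes, url: str = DOH_URL) -> str:
    # RFC 8484 GET form: the message travels unpadded base64url-encoded in the 'dns' query parameter
    return url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def check_response(msg: bytes) -> tuple:
    # Sanity-check the reply header: QR bit must be set; returns (rcode, answer_count)
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    return flags & 0x000F, an

def resolve(name: str, url: str = DOH_URL) -> tuple:
    # POST the padded query as application/dns-message (RFC 8484) and check the resolver's reply
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return check_response(resp.read())
```

Padding hides the query length from an on-path observer, but not the fact that DoH traffic is flowing to the resolver, which matches the research's point that DoH resolvers remain detectable.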

Other public cloud providers like Google offer DNS services like Cloud DNS, which also has DoH support. Furthermore, Cloudflare DNS and Infoblox provide DoH support with their Cloud DNS offerings.

Currently, DNS over HTTPS support for Amazon Route 53 Resolver is available in all AWS Regions where Route 53 Resolver is offered, including GovCloud Regions and Regions based in China. In addition, according to the company, there is no additional cost for using DNS over HTTPS with Resolver endpoints. The pricing details of Amazon Route 53 Resolver are available on the pricing page.
