Check your Amazon EC2 security groups for inbound rules that allow unrestricted access (i.e. 0.0.0.0/0 or ::/0) on TCP and UDP port 53 in order to reduce the attack surface and protect the DNS server instances associated with your security groups. Port 53 is used by the Domain Name System: UDP 53 carries most queries and responses between clients and DNS servers, while TCP 53 carries responses too large for UDP and server-to-server traffic such as zone transfers.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing unrestricted inbound (ingress) access on TCP and UDP port 53 (DNS) to your Amazon EC2 instances increases the opportunities for malicious activity such as Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks; an Internet-reachable recursive resolver can additionally be abused as a reflector in DNS amplification attacks, and an authoritative server can leak its zone contents through unrestricted zone transfers. Amazon EC2 security groups should be configured so that communication with specific resources is restricted to only those hosts or networks that have a legitimate requirement for access.
Audit
To determine if your Amazon EC2 security groups allow unrestricted DNS access, perform the following actions:
Remediation / Resolution
To update the inbound rule configuration for your Amazon EC2 security groups in order to restrict Domain Name System (DNS) access to trusted entities only (i.e. authorized IP addresses and IP ranges, or other security groups), perform the following actions:
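As an added example, not Conformity's own tooling and not part of the original page, the Python below performs the audit described above over the JSON that `aws ec2 describe-security-groups --output json` returns, then prepares the remediation as AWS CLI commands. The embedded sample output, the security group IDs in it and the trusted range 10.0.0.0/16 are constructed assumptions; the emitted commands use the `--ip-permissions` form of `revoke-security-group-ingress` and `authorize-security-group-ingress`. It also covers two cases a port-equals-53 check misses: a port range that spans 53 and an all-traffic (`-1`) rule.

```python
"""Audit EC2 security groups for ingress rules that expose DNS (port 53) to the world,
and generate the CLI commands that restrict them to a trusted CIDR.
Added example; the sample data below is constructed and not a real account's output."""
import json

OPEN_V4 = "0.0.0.0/0"
OPEN_V6 = "::/0"
DNS_PORT = 53

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group IDs are made up. Group 1 mixes open and restricted rules, group 2 is an
# all-traffic rule, group 3 spans port 53 but only from a private range.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "dns-servers", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
      "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0fedcba9876543210", "GroupName": "wide-open", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-00000000000000001", "GroupName": "internal-only", "IpPermissions": [
     {"IpProtocol": "udp", "FromPort": 0, "ToPort": 1023,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")


def rule_covers_dns(perm):
    """True if an IpPermissions entry admits TCP or UDP traffic to port 53.
    Protocol "-1" (all traffic) carries no FromPort/ToPort and covers every port;
    AWS may report TCP/UDP by name or by IANA number."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return False
    return perm.get("FromPort", 0) <= DNS_PORT <= perm.get("ToPort", 65535)


def find_open_dns_rules(describe_output):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress rule
    that exposes port 53 to 0.0.0.0/0 or ::/0. Rules that reference other security
    groups or prefix lists are not unrestricted and are deliberately not flagged."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_dns(perm):
                continue
            open_cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == OPEN_V4]
            open_cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == OPEN_V6]
            for cidr in open_cidrs:
                findings.append((sg["GroupId"], perm["IpProtocol"],
                                 perm.get("FromPort"), perm.get("ToPort"), cidr))
    return findings


def _range_entry(cidr):
    """IpRanges/Ipv6Ranges key and value for a CIDR, picked by address family."""
    return ("Ipv6Ranges", {"CidrIpv6": cidr}) if ":" in cidr else ("IpRanges", {"CidrIp": cidr})


def remediation_commands(findings, trusted_cidr):
    """AWS CLI commands that revoke each open rule exactly as reported, then
    re-authorize port 53 for trusted_cidr only. revoke-security-group-ingress
    must match the whole existing permission, so a rule that spans 53 (or an
    all-traffic rule) is removed in full and only DNS is added back."""
    cmds = []
    for group_id, proto, from_port, to_port, cidr in findings:
        revoke = {"IpProtocol": proto}
        if proto != "-1":
            revoke["FromPort"], revoke["ToPort"] = from_port, to_port
        key, entry = _range_entry(cidr)
        revoke[key] = [entry]
        cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                    f"--ip-permissions '{json.dumps([revoke], separators=(',', ':'))}'")
        key, entry = _range_entry(trusted_cidr)
        for dns_proto in ("tcp", "udp") if proto == "-1" else (proto,):
            allow = {"IpProtocol": dns_proto, "FromPort": DNS_PORT, "ToPort": DNS_PORT, key: [entry]}
            cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                        f"--ip-permissions '{json.dumps([allow], separators=(',', ':'))}'")
    return cmds


if __name__ == "__main__":
    import sys
    # Pipe real describe-security-groups JSON on stdin; otherwise use the constructed sample.
    data = SAMPLE_DESCRIBE_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    found = find_open_dns_rules(data)
    for group_id, proto, from_port, to_port, cidr in found:
        print(f"OPEN DNS: {group_id} proto={proto} ports={from_port}-{to_port} from {cidr}")
    print("\n".join(remediation_commands(found, "10.0.0.0/16")))  # trusted range is an assumption
```

Review the generated commands before running them: revoking an all-traffic or wide-range rule also removes whatever else it allowed, so those other ports have to be re-added explicitly, and `authorize-security-group-ingress` returns an `InvalidPermission.Duplicate` error if an identical trusted rule already exists (as it does for the UDP rule in the sample).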
References
- AWS Documentation
- Amazon EC2 security groups for Linux instances
- Work with security groups
- Security group rules for different use cases
- Authorize inbound traffic for your Linux instances
- AWS Command Line Interface (CLI) Documentation
- ec2
- describe-security-groups
- revoke-security-group-ingress
- authorize-security-group-ingress