AWS VPC DNS Security: Cisco Umbrella Integration

James Bromberger Posted 26 August 2021

The Problem

An electrical energy retailer has started a migration into AWS for its VM based business applications, with Modis helping prepare solid, evidence-based business cases and run adoption workshops for the customer since mid-2020.

However, as they commenced this, they wanted to integrate some of their existing security services.

The Scenario

As part of its on-premises architecture, the Modis customer uses the Cisco Umbrella DNS resolver and proxy service as part of its protection of outbound requests. This service uses a Cisco-provided recursive DNS resolver which identifies the client systems by the origin source IP addresses in use. The service permits the administrator to classify the target sites being resolved, so to being allow-listed, block-listed, or matching certain categories.

The DNS result returns a different result based upon the target site being safe, unsafe, or somewhere in between:

  • Safe sites: the authoritative DNS record is returned to the DNS client
  • Unsafe sites: an NXDOMAIN is returned to the DNS client
  • Questionable sites: have a DNS result returned that points at a Cisco-operated HTTPS proxy

This Cisco proxy permits clients to connect, make their request, and then scans the response before providing it back to the client system.

This HTTPS request interception requires the client system to have the Cisco Umbrella Root CA as a Trusted Certificate Authority, as the Cisco service will generate a matching certificate on-the-fly for those sites deemed in the ‘questionable’ range.

The Modis customer wanted to leverage this protection, but also not make other cloud-based services such as AWS Guard Duty blind to the query traffic being used, and not remove the effectiveness of AWS VPC Endpoints to resolve correctly in each AWS VPC.

The customer turned to the Modis AWS Practice in December 2020 to implement a solution…

The Solution

This situation is suitable for Route 53 Outbound Resolver configurations; the templated solution created a pair of outbound Resolver Endpoint interfaces in a pair of private subnets (each in different Availability Zones), with access to the Internet via a NAT gateway. These NAT gateways have static IP addresses, registered with the Cisco Umbrella service.

A Route 53 Resolver Rule was defined to forward queries to the supplied IPv4 addresses for the Cisco recursive DNS resolvers. This Resolver Rule was then shared using AWS Resource Access Manager to various AWS accounts, which in turn then bound the rule to the required VPCs.

Figure 1: Route53 Resolver Outbound Endpoints and Resolver Rule shared across-account

DHCP options within the VPC can be left as pointing at the AmazonProvidedResolver, and VPC Security Groups can remain closed for TCP and UDP port 53. This also prevents any other DNS Resolver being used directly, a technique which is often used by compromised hosts trying to find their command-and-control services.

Modis researched and architected the solution, authored the CloudFormation Template to apply this change, and deployed the templates to the customer environments to affect the change.

The Outcome

With this solution in place, the DNS protection of the fleet is visible via the Cisco Umbrellas service (however without the visibility of which instance made the request).

The VPC environment is also further protected from alternate DNS providers being used. DNS results are cached by the VPC-provided resolver, and multiple VPCs do not require VPC Peering or Transit Gateway connectivity between VPCs or Instances for this solution to work.

Furthermore, there are zero customer-managed DNS recursive resolvers deployed that would require maintenance and upgrades over time, further making the service cost effective, scalable, and reliable.

As at April 2021, Modis continues to assist this customer on its journey to the AWS Cloud, helping port serverless application, and migrate traditional workloads into the EC2 environment.


About Modis

At Modis we connect people, technology and businesses to the opportunities they need to thrive in a rapidly advancing world. With 1,300+ technology professionals across six locations (Sydney, Melbourne, Brisbane, Adelaide, Canberra and Perth), we work with our clients to deliver solutions and talent to transform technology portfolios, streamline business functions, drive innovation or enhance organisational capability.

Find out how Modis can provide you with innovative AWS cloud based solutions and servicesModis has been an AWS Advanced Tier Partner since 2014. Modis' AWS Cloud Consulting services encompasses fundamentals of cyber security, fault tolerant digital system architecture, modernisation, traditional virtual machine or through to modern Serverless approaches, commercial off-the-shelf software operation to bespoke software development, delivered with high throughput, repeatable DevOps approaches to operations. With over half a decade of running critical authoritative government data sets that affects the lives of millions of citizens and the economies of the state, Modis has one of the most mature, experienced and recognised consulting service providers in the world. More importantly, we like to work very closely with our customers, not providing something to purchase, but taking a deep understanding of their business, and providing the recommendations and implementations to ensure a modern, efficient, reliable and secure environment for digital business systems.Contact us
Modis Australia | Animated map showing global locations
We operate around the world. Would you like to find out more about your local office?Find out about Modis