resolver_dns

Resolver DNS

This module enabled resolver DNS query logging so you can see the DNS queries being made by your VPC resources.

Optionally, it can also enable a resolver DNS firewall that only permits DNS queries for specific domains to resolve. This helps prevent unexpected egress from your VPC resources.

⚠️ Note

Although this module helps prevent egress, it doesn't stop direct IP connections when a DNS query is not required. To fully lock down your VPC egress, you should use Network ACLs and Security Groups that only allow egress to expected destinations.

Requirements

No requirements.

Providers

Name	Version
aws	n/a

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_log_group.route53_vpc_dns	resource
aws_cloudwatch_log_resource_policy.route53_vpc_dns	resource
aws_route53_resolver_firewall_domain_list.allowed	resource
aws_route53_resolver_firewall_domain_list.blocked	resource
aws_route53_resolver_firewall_rule.allowed	resource
aws_route53_resolver_firewall_rule.blocked	resource
aws_route53_resolver_firewall_rule_group.firewall_rules	resource
aws_route53_resolver_firewall_rule_group_association.firewall_rules	resource
aws_route53_resolver_query_log_config.route53_vpc_dns	resource
aws_route53_resolver_query_log_config_association.route53_vpc_dns	resource
aws_iam_policy_document.route53_resolver_logging_policy	data source

Inputs

Name	Description	Type	Default	Required
allowed_domains	(Optional) List of domains to allow through the DNS firewall. Required if firewall_enabled is true.	list(string)	[ "*." ]	no
billing_tag_key	(Optional, default 'CostCentre') The name of the billing tag	string	"CostCentre"	no
billing_tag_value	(Required) The value of the billing tag	string	n/a	yes
firewall_enabled	(Optional) Should the resolver DNS firewall be enabled	bool	false	no
vpc_id	(Required) The ID of the VPC to associate the query log and firewall with	string	n/a	yes

Outputs

No outputs.