Closed SimonPPledger closed 3 weeks ago
Was this not done here? What was the outcome of this issue? https://github.com/ministryofjustice/modernisation-platform/issues/5149
This issue is stale because it has been open 90 days with no activity.
This is to implement pDNS for modplatform owned DNS - including a process for checking
After a chat at planning we decided to:
I've reached out to the Operations Engineering team / @AntonyBishop to see if they have any outcomes we can refer to but this doesn't look like a good fit for us as a platform (although it does look like a worthwhile implementation for a different on-premise / enterprise infrastructure).
To implement this we would need to set up route53 resolver rules and endpoints to forward DNS requests through our infrastructure and out of our egress VPCs which feels like a replication of a solution meant for on-premise, rather than a cloud-native architecture pattern.
We would also need to consider the impact on implementing this not as a whole org (MOJ) but just a small subset of it. Is such a subscription / implementation possible?
If we have real concerns about customers inadvertently contacting malware domains then AWS offer a broadly similar solution - AWS Route53 Firewall - which can be implemented at an AWS Organization level and applied consistently across accounts & VPCs.
| | PDNS | Route53 Resolver DNS Firewall |
|---|---|---|
| Price | Free to implement[^1] | $0.60 per million queries[^2] |
| Sources | "The rules are created based on knowledge of malicious domains we obtain from commercial, internal and open sources." | "The AWS Managed Domain Lists source their data from both internal AWS sources as well as RecordedFuture, and are continually updated." |
| Complexity | High[^3] | Low |
[^1]: We'd still incur costs to send DNS traffic through our cloud infrastructure and out to the internet.
[^3]: Implementing PDNS would involve more moving parts and points of contact, as well as not being entirely manageable through infrastructure-as-code.
User Story
As a team we need to ensure that the environment is secure. As part of this we want to implement some NCSC checking. One of the items that has been suggested is to make use of pDNS. However we don't really know what this means, what impact it will have on the modernisation platform and applications that use it, what the advantages and disadvantages are.
This ticket is to investigate this and to draw up options.
Value / Purpose
This work will enable us to get alerts from NCSC
Useful Contacts
Worth checking with the PandA security team - Steve Merrills and/or Todor Christov
Additional Information
Mark has already put together this document https://docs.google.com/document/d/1XijS36bkb0rN3FchQyZzQf0MBQQmFzKb8os2RSH3p_c/edit
David S has already suggested this https://mojdt.slack.com/archives/C013RM6MFFW/p1717663503175999 (it might simply be that we cannot do pDNS)
Here is NCSC's documentation: https://www.ncsc.gov.uk/information/pdns
Proposal / Unknowns
No response
Definition of Done