prowler-cloud / prowler

Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
https://prowler.com
Apache License 2.0

Check DNS support in a VPC to alert about possible DNS exfiltration?? #175

Closed toniblyx closed 6 years ago

toniblyx commented 6 years ago

I've been thinking about this article here: https://dejandayoff.com/using-dns-to-break-out-of-isolated-networks-in-a-aws-cloud-environment/

And also wondering if it is worth adding a check that looks for VPCs with EnableDnsSupport==true and alerts about it.

Query could be like below:

# get all vpcs (quote the query so the shell does not expand [*])
for vpc in $(aws ec2 describe-vpcs --query 'Vpcs[*].VpcId' --output text); do
  # check if EnableDnsSupport.Value is set to true for each VPC
  aws ec2 describe-vpc-attribute --vpc-id "$vpc" --attribute enableDnsSupport --query EnableDnsSupport.Value --output text
done

What do you all think?

sidewinder12s commented 6 years ago

Wow, not sure if I've run into any VPCs with VPC DNS disabled.

If you did add it I'd say you'd want an explicit explanation of why it's a check. This may be more trouble than it's worth for many users. GuardDuty may also provide a control against this as I think it is supposed to analyse AWS DNS logs in your account.

toniblyx commented 6 years ago

Yeah, I still don't know if this is worth a check. Prowler already checks for GuardDuty and also Route53 logs. It shouldn't be a big problem, and as you say, GuardDuty controls DNS traffic inside the VPC. I'm gonna close this. Thanks for your comment!
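The check proposed in the opening post, with the GuardDuty point raised in the two follow-up comments folded in, as an added example that is neither Prowler's own code nor part of this thread. `fetch_vpc_dns_attrs` is a hypothetical helper that assumes a boto3 EC2 client; the evaluation itself runs on constructed sample data.

```python
def fetch_vpc_dns_attrs(ec2):
    """Collect the EnableDnsSupport attribute for every VPC using boto3.
    Same data as the CLI query in the issue, with pagination handled.
    `ec2` is assumed to be boto3.client("ec2", region_name=...)."""
    attrs = {}
    for page in ec2.get_paginator("describe_vpcs").paginate():
        for vpc in page["Vpcs"]:
            vid = vpc["VpcId"]
            resp = ec2.describe_vpc_attribute(VpcId=vid, Attribute="enableDnsSupport")
            attrs[vid] = {"dns_support": resp["EnableDnsSupport"]["Value"]}
    return attrs


def evaluate_vpc_dns(attrs, guardduty_enabled):
    """Turn raw VPC attributes into findings, one (vpc_id, status, message) per VPC.

    - dns_support False                   -> PASS (the concern in the issue does not apply)
    - dns_support True, GuardDuty enabled -> INFO (GuardDuty DNS log analysis is the
                                             compensating control named in the thread)
    - dns_support True, no GuardDuty      -> WARNING
    """
    findings = []
    for vid, a in sorted(attrs.items()):
        if not a["dns_support"]:
            findings.append((vid, "PASS", "EnableDnsSupport is false"))
        elif guardduty_enabled:
            findings.append((vid, "INFO",
                             "EnableDnsSupport is true; GuardDuty is enabled in this region"))
        else:
            findings.append((vid, "WARNING",
                             "EnableDnsSupport is true and GuardDuty is not enabled"))
    return findings


# Constructed sample input (not real account data) so the check can run offline.
SAMPLE_ATTRS = {
    "vpc-0aaa": {"dns_support": True},
    "vpc-0bbb": {"dns_support": False},
}

if __name__ == "__main__":
    for vid, status, msg in evaluate_vpc_dns(SAMPLE_ATTRS, guardduty_enabled=False):
        print(f"{status:8} {vid}: {msg}")
```

Against a live account, call `evaluate_vpc_dns(fetch_vpc_dns_attrs(ec2), guardduty_enabled)` with the GuardDuty state taken from the existing Prowler GuardDuty check.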