diff --git a/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
index fe05988b8c50..10887347de98 100644
--- a/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/CreateFirewallRuleCommand.ts
@@ -38,7 +38,7 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
 * const input = { // CreateFirewallRuleRequest
 * CreatorRequestId: "STRING_VALUE", // required
 * FirewallRuleGroupId: "STRING_VALUE", // required
- * FirewallDomainListId: "STRING_VALUE", // required
+ * FirewallDomainListId: "STRING_VALUE",
 * Priority: Number("int"), // required
 * Action: "ALLOW" || "BLOCK" || "ALERT", // required
 * BlockResponse: "NODATA" || "NXDOMAIN" || "OVERRIDE",
@@ -48,6 +48,8 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
 * Name: "STRING_VALUE", // required
 * FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * Qtype: "STRING_VALUE",
+ * DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * };
 * const command = new CreateFirewallRuleCommand(input);
 * const response = await client.send(command);
@@ -55,6 +57,7 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
 * // FirewallRule: { // FirewallRule
 * // FirewallRuleGroupId: "STRING_VALUE",
 * // FirewallDomainListId: "STRING_VALUE",
+ * // FirewallThreatProtectionId: "STRING_VALUE",
 * // Name: "STRING_VALUE",
 * // Priority: Number("int"),
 * // Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -67,6 +70,8 @@ export interface CreateFirewallRuleCommandOutput extends CreateFirewallRuleRespo
 * // ModificationTime: "STRING_VALUE",
 * // FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * // Qtype: "STRING_VALUE",
+ * // DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * // ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * // },
 * // };
 *
diff --git a/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
index e856e5b8323f..e0c6ee9e0895 100644
--- a/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/DeleteFirewallRuleCommand.ts
@@ -37,7 +37,8 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
 * const client = new Route53ResolverClient(config);
 * const input = { // DeleteFirewallRuleRequest
 * FirewallRuleGroupId: "STRING_VALUE", // required
- * FirewallDomainListId: "STRING_VALUE", // required
+ * FirewallDomainListId: "STRING_VALUE",
+ * FirewallThreatProtectionId: "STRING_VALUE",
 * Qtype: "STRING_VALUE",
 * };
 * const command = new DeleteFirewallRuleCommand(input);
@@ -46,6 +47,7 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
 * // FirewallRule: { // FirewallRule
 * // FirewallRuleGroupId: "STRING_VALUE",
 * // FirewallDomainListId: "STRING_VALUE",
+ * // FirewallThreatProtectionId: "STRING_VALUE",
 * // Name: "STRING_VALUE",
 * // Priority: Number("int"),
 * // Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -58,6 +60,8 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
 * // ModificationTime: "STRING_VALUE",
 * // FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * // Qtype: "STRING_VALUE",
+ * // DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * // ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * // },
 * // };
 *
@@ -83,6 +87,10 @@ export interface DeleteFirewallRuleCommandOutput extends DeleteFirewallRuleRespo
 * @throws {@link ThrottlingException} (client fault)
 *
The request was throttled. Try again in a few minutes.
*
+ * @throws {@link ValidationException} (client fault)
+ *You have provided an invalid command. If you ran the UpdateFirewallDomains
request. supported values are ADD
,
+ * REMOVE
, or REPLACE
a domain.
Base exception class for all service exceptions from Route53Resolver service.
*
diff --git a/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts b/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
index aa3ddce4015c..e28c6906c471 100644
--- a/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
+++ b/clients/client-route53resolver/src/commands/ListFirewallRulesCommand.ts
@@ -51,6 +51,7 @@ export interface ListFirewallRulesCommandOutput extends ListFirewallRulesRespons
 * // { // FirewallRule
 * // FirewallRuleGroupId: "STRING_VALUE",
 * // FirewallDomainListId: "STRING_VALUE",
+ * // FirewallThreatProtectionId: "STRING_VALUE",
 * // Name: "STRING_VALUE",
 * // Priority: Number("int"),
 * // Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -63,6 +64,8 @@ export interface ListFirewallRulesCommandOutput extends ListFirewallRulesRespons
 * // ModificationTime: "STRING_VALUE",
 * // FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * // Qtype: "STRING_VALUE",
+ * // DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * // ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * // },
 * // ],
 * // };
diff --git a/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts b/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
index 407a363a4536..6e249700c5cc 100644
--- a/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/UpdateFirewallRuleCommand.ts
@@ -37,7 +37,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
 * const client = new Route53ResolverClient(config);
 * const input = { // UpdateFirewallRuleRequest
 * FirewallRuleGroupId: "STRING_VALUE", // required
- * FirewallDomainListId: "STRING_VALUE", // required
+ * FirewallDomainListId: "STRING_VALUE",
+ * FirewallThreatProtectionId: "STRING_VALUE",
 * Priority: Number("int"),
 * Action: "ALLOW" || "BLOCK" || "ALERT",
 * BlockResponse: "NODATA" || "NXDOMAIN" || "OVERRIDE",
@@ -47,6 +48,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
 * Name: "STRING_VALUE",
 * FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * Qtype: "STRING_VALUE",
+ * DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * };
 * const command = new UpdateFirewallRuleCommand(input);
 * const response = await client.send(command);
@@ -54,6 +57,7 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
 * // FirewallRule: { // FirewallRule
 * // FirewallRuleGroupId: "STRING_VALUE",
 * // FirewallDomainListId: "STRING_VALUE",
+ * // FirewallThreatProtectionId: "STRING_VALUE",
 * // Name: "STRING_VALUE",
 * // Priority: Number("int"),
 * // Action: "ALLOW" || "BLOCK" || "ALERT",
@@ -66,6 +70,8 @@ export interface UpdateFirewallRuleCommandOutput extends UpdateFirewallRuleRespo
 * // ModificationTime: "STRING_VALUE",
 * // FirewallDomainRedirectionAction: "INSPECT_REDIRECTION_DOMAIN" || "TRUST_REDIRECTION_DOMAIN",
 * // Qtype: "STRING_VALUE",
+ * // DnsThreatProtection: "DGA" || "DNS_TUNNELING",
+ * // ConfidenceThreshold: "LOW" || "MEDIUM" || "HIGH",
 * // },
 * // };
 *
diff --git a/clients/client-route53resolver/src/models/models_0.ts b/clients/client-route53resolver/src/models/models_0.ts
index 4dcc955f4bdf..26a77aefb214 100644
--- a/clients/client-route53resolver/src/models/models_0.ts
+++ b/clients/client-route53resolver/src/models/models_0.ts
@@ -906,7 +906,7 @@ export interface ResolverQueryLogConfigAssociation {
 *
 *
- * CREATED
: The association between an Amazon VPC and a query logging configuration
+ * ACTIVE
: The association between an Amazon VPC and a query logging configuration
* was successfully created. Resolver is logging queries that originate in the specified VPC.
The ID of the domain list that you want to use in the rule.
+ *The ID of the domain list that you want to use in the rule. Can't be used together with DnsThreatProtecton
.
The setting that determines the processing order of the rule in the rule group. DNS Firewall
@@ -1309,11 +1338,11 @@ export interface CreateFirewallRuleRequest {
 Priority: number | undefined;
 /**
- *
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
+ *The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
*
- * ALLOW
- Permit the request to go through.
ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
*
@@ -1382,10 +1411,10 @@ export interface CreateFirewallRuleRequest {
 * How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
 *
*
- * Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+ * INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
* added to the domain list.
- * Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+ * TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
* the domain list.
+ * Use to create a DNS Firewall Advanced rule.
+ *
+ * @public
+ */
+ DnsThreatProtection?: DnsThreatProtection | undefined;
+
+ /**
+ *+ * The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence
+ * level values mean:
+ *
+ *
+ * LOW
: Provides the highest detection rate for threats, but also increases false positives.
+ * MEDIUM
: Provides a balance between detecting threats and false positives.
+ * HIGH
: Detects only the most well corroborated threats with a low rate of false positives.
The unique identifier of the firewall rule group of the rule.
+ *The unique identifier of the Firewall rule group of the rule.
* @public
*/
 FirewallRuleGroupId?: string | undefined;
@@ -1466,6 +1526,14 @@ export interface FirewallRule {
 */
 FirewallDomainListId?: string | undefined;
+ /**
+ *+ * ID of the DNS Firewall Advanced rule.
+ *
+ * @public
+ */
+ FirewallThreatProtectionId?: string | undefined;
+
 /**
 *The name of the rule.
* @public
@@ -1479,11 +1547,11 @@ export interface FirewallRule {
 Priority?: number | undefined;
 /**
- *
+ *The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
*
- * ALLOW
- Permit the request to go through.
ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
*
@@ -1560,10 +1628,10 @@ export interface FirewallRule {
 * How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
 *
*
- * Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+ * INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
* added to the domain list.
- * Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+ * TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
* the domain list.
+ * The type of the DNS Firewall Advanced rule. Valid values are: + *
+ *
+ * DGA
: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains
+ * to to launch malware attacks.
+ * DNS_TUNNELING
: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without
+ * making a network connection to the client.
+ * The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence + * level values mean: + *
+ *
+ * LOW
: Provides the highest detection rate for threats, but also increases false positives.
+ * MEDIUM
: Provides a balance between detecting threats and false positives.
+ * HIGH
: Detects only the most well corroborated threats with a low rate of false positives.
- * The protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only. - * - *
- *For an inbound endpoint you can apply the protocols as follows:
- *Do53 and DoH in combination.
- *Do53 and DoH-FIPS in combination.
- *Do53 alone.
- *DoH alone.
- *DoH-FIPS alone.
- *None, which is treated as Do53.
- *For an outbound endpoint you can apply the protocols as follows:
- *Do53 and DoH in combination.
- *Do53 alone.
- *DoH alone.
- *None, which is treated as Do53.
- *The ID of the domain list that's used in the rule.
* @public
*/
- FirewallDomainListId: string | undefined;
+ FirewallDomainListId?: string | undefined;
+
+ /**
+ *+ * The ID that is created for a DNS Firewall Advanced rule.
+ *
+ * @public
+ */
+ FirewallThreatProtectionId?: string | undefined;
 /**
 *
@@ -4374,11 +4455,11 @@ export interface ListFirewallRulesRequest {
 /**
 *
Optional additional filter for the rules to retrieve.
- *The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
+ *The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
*
- * ALLOW
- Permit the request to go through.
ALLOW
- Permit the request to go through. Not availabe for DNS Firewall Advanced rules.
*
@@ -5579,7 +5660,15 @@ export interface UpdateFirewallRuleRequest {
 *
The ID of the domain list to use in the rule.
* @public
*/
- FirewallDomainListId: string | undefined;
+ FirewallDomainListId?: string | undefined;
+
+ /**
+ *+ * The DNS Firewall Advanced rule ID.
+ *
+ * @public
+ */
+ FirewallThreatProtectionId?: string | undefined;
 /**
 *The setting that determines the processing order of the rule in the rule group. DNS Firewall
@@ -5592,11 +5681,11 @@ export interface UpdateFirewallRuleRequest {
 Priority?: number | undefined;
 /**
- *
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
+ *The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
*
- * ALLOW
- Permit the request to go through.
ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
*
@@ -5660,10 +5749,10 @@ export interface UpdateFirewallRuleRequest {
 * How you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME.
 *
*
- * Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
+ * INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be
* added to the domain list.
- * Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
+ * TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to
* the domain list.
+ * The type of the DNS Firewall Advanced rule. Valid values are: + *
+ *
+ * DGA
: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains
+ * to to launch malware attacks.
+ * DNS_TUNNELING
: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without
+ * making a network connection to the client.
+ * The confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence + * level values mean: + *
+ *
+ * LOW
: Provides the highest detection rate for threats, but also increases false positives.
+ * MEDIUM
: Provides a balance between detecting threats and false positives.
+ * HIGH
: Detects only the most well corroborated threats with a low rate of false positives.
The ID of the domain list that you want to use in the rule.
",
- "smithy.api#required": {}
+ "smithy.api#documentation": "The ID of the domain list that you want to use in the rule. Can't be used together with DnsThreatProtecton
.
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
\n\n ALLOW
- Permit the request to go through.
\n ALERT
- Permit the request and send metrics and logs to Cloud Watch.
\n BLOCK
- Disallow the request. This option requires additional details in the rule's BlockResponse
.
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
\n\n ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
\n ALERT
- Permit the request and send metrics and logs to Cloud Watch.
\n BLOCK
- Disallow the request. This option requires additional details in the rule's BlockResponse
.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t
\n\n\t\t\t\tA: Returns an IPv4 address.
\nAAAA: Returns an Ipv6 address.
\nCAA: Restricts CAs that can create SSL/TLS certifications for the domain.
\nCNAME: Returns another domain name.
\nDS: Record that identifies the DNSSEC signing key of a delegated zone.
\nMX: Specifies mail servers.
\nNAPTR: Regular-expression-based rewriting of domain names.
\nNS: Authoritative name servers.
\nPTR: Maps an IP address to a domain name.
\nSOA: Start of authority record for the zone.
\nSPF: Lists the servers authorized to send emails from a domain.
\nSRV: Application specific values that identify servers.
\nTXT: Verifies email senders and application-specific values.
\nA query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\tList of DNS record types.
\n\n\t\t\tUse to create a DNS Firewall Advanced rule.\n\t\t
"
+ }
+ },
+ "ConfidenceThreshold": {
+ "target": "com.amazonaws.route53resolver#ConfidenceThreshold",
+ "traits": {
+ "smithy.api#documentation": "\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t
\n\n LOW
: Provides the highest detection rate for threats, but also increases false positives.
\n MEDIUM
: Provides a balance between detecting threats and false positives.
\n HIGH
: Detects only the most well corroborated threats with a low rate of false positives.
The ID of the domain list that's used in the rule.
",
- "smithy.api#required": {}
+ "smithy.api#documentation": "The ID of the domain list that's used in the rule.
"
+ }
+ },
+ "FirewallThreatProtectionId": {
+ "target": "com.amazonaws.route53resolver#ResourceId",
+ "traits": {
+ "smithy.api#documentation": "\n\t\t\tThe ID that is created for a DNS Firewall Advanced rule.\n\t\t
"
 }
 },
 "Qtype": {
@@ -1903,6 +1945,23 @@
 "smithy.api#output": {}
 }
 },
+ "com.amazonaws.route53resolver#DnsThreatProtection": {
+ "type": "enum",
+ "members": {
+ "DGA": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "DGA"
+ }
+ },
+ "DNS_TUNNELING": {
+ "target": "smithy.api#Unit",
+ "traits": {
+ "smithy.api#enumValue": "DNS_TUNNELING"
+ }
+ }
+ }
+ },
 "com.amazonaws.route53resolver#DomainListFileUrl": {
 "type": "string",
 "traits": {
@@ -2254,7 +2313,7 @@
 "FirewallRuleGroupId": {
 "target": "com.amazonaws.route53resolver#ResourceId",
 "traits": {
- "smithy.api#documentation": "The unique identifier of the firewall rule group of the rule.
"
+ "smithy.api#documentation": "The unique identifier of the Firewall rule group of the rule.
"
 }
 },
 "FirewallDomainListId": {
@@ -2263,6 +2322,12 @@
 "smithy.api#documentation": "The ID of the domain list that's used in the rule.
"
 }
 },
+ "FirewallThreatProtectionId": {
+ "target": "com.amazonaws.route53resolver#ResourceId",
+ "traits": {
+ "smithy.api#documentation": "\n\t\t\tID of the DNS Firewall Advanced rule.\n\t\t
"
+ }
+ },
 "Name": {
 "target": "com.amazonaws.route53resolver#Name",
 "traits": {
@@ -2278,7 +2343,7 @@
 "Action": {
 "target": "com.amazonaws.route53resolver#Action",
 "traits": {
- "smithy.api#documentation": "The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
\n\n ALLOW
- Permit the request to go through.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse
setting.
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
\n\n ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse
setting.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t
\n\n\t\t\t\tA: Returns an IPv4 address.
\nAAAA: Returns an Ipv6 address.
\nCAA: Restricts CAs that can create SSL/TLS certifications for the domain.
\nCNAME: Returns another domain name.
\nDS: Record that identifies the DNSSEC signing key of a delegated zone.
\nMX: Specifies mail servers.
\nNAPTR: Regular-expression-based rewriting of domain names.
\nNS: Authoritative name servers.
\nPTR: Maps an IP address to a domain name.
\nSOA: Start of authority record for the zone.
\nSPF: Lists the servers authorized to send emails from a domain.
\nSRV: Application specific values that identify servers.
\nTXT: Verifies email senders and application-specific values.
\nA query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\tList of DNS record types.
\n\n\t\t\tThe type of the DNS Firewall Advanced rule. Valid values are:\n\t\t
\n\n DGA
: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains \n\t\t\t\tto to launch malware attacks.
\n DNS_TUNNELING
: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without \n\t\t\t\tmaking a network connection to the client.
\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t
\n\n LOW
: Provides the highest detection rate for threats, but also increases false positives.
\n MEDIUM
: Provides a balance between detecting threats and false positives.
\n HIGH
: Detects only the most well corroborated threats with a low rate of false positives.
Optional additional filter for the rules to retrieve.
\nThe action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
\n\n ALLOW
- Permit the request to go through.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse
setting.
Optional additional filter for the rules to retrieve.
\nThe action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
\n\n ALLOW
- Permit the request to go through. Not availabe for DNS Firewall Advanced rules.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. If this is specified, additional handling details are provided in the rule's BlockResponse
setting.
The status of the specified query logging association. Valid values include the following:
\n\n CREATING
: Resolver is creating an association between an Amazon VPC and a query logging configuration.
\n CREATED
: The association between an Amazon VPC and a query logging configuration \n\t\t\t\twas successfully created. Resolver is logging queries that originate in the specified VPC.
\n DELETING
: Resolver is deleting this query logging association.
\n FAILED
: Resolver either couldn't create or couldn't delete the query logging association.
The status of the specified query logging association. Valid values include the following:
\n\n CREATING
: Resolver is creating an association between an Amazon VPC and a query logging configuration.
\n ACTIVE
: The association between an Amazon VPC and a query logging configuration \n\t\t\t\twas successfully created. Resolver is logging queries that originate in the specified VPC.
\n DELETING
: Resolver is deleting this query logging association.
\n FAILED
: Resolver either couldn't create or couldn't delete the query logging association.
\n\t\t\tThe protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.\n\t\t\t\n\t\t
\nFor an inbound endpoint you can apply the protocols as follows:
\nDo53 and DoH in combination.
\nDo53 and DoH-FIPS in combination.
\nDo53 alone.
\nDoH alone.
\nDoH-FIPS alone.
\nNone, which is treated as Do53.
\nFor an outbound endpoint you can apply the protocols as follows:
\nDo53 and DoH in combination.
\nDo53 alone.
\nDoH alone.
\nNone, which is treated as Do53.
\n\n\t\t\tThe protocols for the target address. The protocol you choose needs to be supported by the outbound endpoint of the Resolver rule.
"
 }
 },
 "ServerNameIndication": {
@@ -8608,8 +8685,13 @@
 "FirewallDomainListId": {
 "target": "com.amazonaws.route53resolver#ResourceId",
 "traits": {
- "smithy.api#documentation": "The ID of the domain list to use in the rule.
",
- "smithy.api#required": {}
+ "smithy.api#documentation": "The ID of the domain list to use in the rule.
"
+ }
+ },
+ "FirewallThreatProtectionId": {
+ "target": "com.amazonaws.route53resolver#ResourceId",
+ "traits": {
+ "smithy.api#documentation": "\n\t\t\tThe DNS Firewall Advanced rule ID.\n\t\t
"
 }
 },
 "Priority": {
@@ -8621,7 +8703,7 @@
 "Action": {
 "target": "com.amazonaws.route53resolver#Action",
 "traits": {
- "smithy.api#documentation": "The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
\n\n ALLOW
- Permit the request to go through.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. This option requires additional details in the rule's BlockResponse
.
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list, or a threat in a DNS Firewall Advanced rule:
\n\n ALLOW
- Permit the request to go through. Not available for DNS Firewall Advanced rules.
\n ALERT
- Permit the request to go through but send an alert to the logs.
\n BLOCK
- Disallow the request. This option requires additional details in the rule's BlockResponse
.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n Inspect_Redirection_Domain
(Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n Trust_Redirection_Domain
inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tHow you want the the rule to evaluate DNS redirection in the DNS redirection chain, such as CNAME or DNAME. \n\t\t
\n\n INSPECT_REDIRECTION_DOMAIN
: (Default) inspects all domains in the redirection chain. The individual domains in the redirection chain must be \n\t\t\tadded to the domain list.
\n TRUST_REDIRECTION_DOMAIN
: Inspects only the first domain in the redirection chain. You don't need to add the subsequent domains in the domain in the redirection list to \n\t\t\tthe domain list.
\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t
\n\n\t\t\t\tA: Returns an IPv4 address.
\nAAAA: Returns an Ipv6 address.
\nCAA: Restricts CAs that can create SSL/TLS certifications for the domain.
\nCNAME: Returns another domain name.
\nDS: Record that identifies the DNSSEC signing key of a delegated zone.
\nMX: Specifies mail servers.
\nNAPTR: Regular-expression-based rewriting of domain names.
\nNS: Authoritative name servers.
\nPTR: Maps an IP address to a domain name.
\nSOA: Start of authority record for the zone.
\nSPF: Lists the servers authorized to send emails from a domain.
\nSRV: Application specific values that identify servers.
\nTXT: Verifies email senders and application-specific values.
\nA query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\tList of DNS record types.
\nIf you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, \n\t\t\t\t\tthis action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled.
\n\n\t\t\tThe type of the DNS Firewall Advanced rule. Valid values are:\n\t\t
\n\n DGA
: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains \n\t\t\t\tto to launch malware attacks.
\n DNS_TUNNELING
: DNS tunneling detection. DNS tunneling is used by attackers to exfiltrate data from the client by using the DNS tunnel without\n\t\t\t\tmaking a network connection to the client.
\n\t\t\tThe confidence threshold for DNS Firewall Advanced. You must provide this value when you create a DNS Firewall Advanced rule. The confidence\n\t\t\tlevel values mean:\n\t\t
\n\n LOW
: Provides the highest detection rate for threats, but also increases false positives.
\n MEDIUM
: Provides a balance between detecting threats and false positives.
\n HIGH
: Detects only the most well corroborated threats with a low rate of false positives.