AWS Route53 - DNS Whitelisting using Geolocation Routing
Assumptions: Basic knowledge of AWS Route53
DNS can be a powerful tool, more so if you are using AWS Route53 as your provider.
In this post I will focus on how to use Route53’s Geolocation routing as a whitelist / blacklist of users originating from around the world.
So, let’s assume you only want users from the United Kingdom to access your website. This could be because your whole customer base and operations are UK based, or because your application was DDoSed from various countries around the world and you want DNS queries originating from those places to resolve to a null route. One caveat before we start: this technique only controls what your domain name resolves to. It does not stop packets from reaching your server’s IP address, so an attacker who already knows that address (or who simply queries through a UK-based resolver) is unaffected. Treat it as a way to cut down unwanted traffic, not as an access control, and pair it with security groups or WAF geo-match rules if you need real blocking.
First, let’s go to Route53 and create our first record set :
Please note this will be our default route: a geolocation record with its location set to Default (the "*" country code), which resolves to the IP address 0.0.0.0. Route53 answers with the default record whenever the client’s location matches none of your other geolocation records, and also when it cannot determine the location at all; if you have no default record, such clients get an empty "no answer" response instead. So, whenever a user outside your allowed locations attempts to reach your website domain (i.e. mywebsite.somedomain.co.uk), Route53 resolves the query to 0.0.0.0 and the client’s connection attempt goes nowhere useful. Be aware that 0.0.0.0 is the "unspecified" address rather than a guaranteed-unreachable one: some operating systems treat a connection to 0.0.0.0 as a connection to the local machine, so if you want a clean, predictable failure, an address nothing listens on (for example one from an RFC 5737 documentation block, which is not routed on the public Internet) is a safer sinkhole.
Now let’s set up the record for users originating from the UK. In the geolocation drop-down the United Kingdom is listed under its ISO 3166 code, GB, not UK. Assume our webserver will be hosted on a server with IP
That should be it. The A records just created, along with the domain’s NS records, should now be listed in your website’s Hosted Zone like this:
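Here is the same setup done from code rather than the console, as an added example that is not part of the original post. It builds the ChangeBatch that boto3’s change_resource_record_sets expects for the two records above (a Default record answering 0.0.0.0 and a GB record answering the web server), and it includes a small model of Route53’s geolocation selection rule (most specific match wins: subdivision, then country, then continent, then Default) so you can see what a UK, US or French client would get before touching a live zone. The hosted zone ID, the 203.0.113.10 web server address (an RFC 5737 documentation address) and the TTL are assumptions; the hostname is the one used in the post.

```python
"""Route53 geolocation allowlist as code.  Added example, not from the
original post.  ZONE_ID, WEB_IP and TTL are assumed placeholder values."""
import json

ZONE_ID = "Z0000000000EXAMPLE"        # assumption: your hosted zone ID
NAME = "mywebsite.somedomain.co.uk."  # the post's hostname, as an FQDN
WEB_IP = "203.0.113.10"               # assumption: the UK web server
SINKHOLE = "0.0.0.0"                  # what everyone else resolves to
TTL = 60                              # assumption: short TTL while testing


def geo_record(set_id, location, value):
    """One geolocation A record.  `location` is {"CountryCode": "GB"},
    {"ContinentCode": "EU"}, or {"CountryCode": "*"} for the Default record."""
    return {
        "Name": NAME,
        "Type": "A",
        "SetIdentifier": set_id,
        "GeoLocation": location,
        "TTL": TTL,
        "ResourceRecords": [{"Value": value}],
    }


def change_batch():
    """ChangeBatch for change_resource_record_sets: the Default record
    plus the United Kingdom record (ISO code GB, not UK)."""
    return {
        "Comment": "Geolocation allowlist: UK clients only",
        "Changes": [
            {"Action": "UPSERT",
             "ResourceRecordSet": geo_record("default", {"CountryCode": "*"}, SINKHOLE)},
            {"Action": "UPSERT",
             "ResourceRecordSet": geo_record("uk", {"CountryCode": "GB"}, WEB_IP)},
        ],
    }


def apply_batch(batch):
    """Push the batch to Route53 (needs boto3 and AWS credentials; not
    called by the offline parts of this example)."""
    import boto3
    return boto3.client("route53").change_resource_record_sets(
        HostedZoneId=ZONE_ID, ChangeBatch=batch)


# Model of Route53's selection rule: the most specific matching record
# wins (subdivision, then country, then continent), else the Default.
SPECIFICITY = ("SubdivisionCode", "CountryCode", "ContinentCode")


def _rank(geo, client):
    """Rank of a record for this client (0 = most specific), None if no match."""
    if geo.get("CountryCode") == "*":
        return len(SPECIFICITY)            # Default matches any location
    for rank, key in enumerate(SPECIFICITY):
        if key in geo:
            ok = geo[key] == client[key]
            if key == "SubdivisionCode":   # subdivisions are scoped to a country
                ok = ok and geo.get("CountryCode") == client["CountryCode"]
            return rank if ok else None
    return None


def select_answer(records, continent, country, subdivision=None):
    """Return the A value Route53 would hand to a client in this location,
    or None for the empty 'no answer' response when nothing matches and
    there is no Default record."""
    client = {"ContinentCode": continent, "CountryCode": country,
              "SubdivisionCode": subdivision}
    best = None
    for rec in records:
        rank = _rank(rec["GeoLocation"], client)
        if rank is not None and (best is None or rank < best[0]):
            best = (rank, rec["ResourceRecords"][0]["Value"])
    return None if best is None else best[1]


if __name__ == "__main__":
    batch = change_batch()
    print(json.dumps(batch, indent=2))
    recs = [c["ResourceRecordSet"] for c in batch["Changes"]]
    for where in (("EU", "GB"), ("NA", "US"), ("EU", "FR")):
        print(where, "->", select_answer(recs, *where))
```

UPSERT is used instead of CREATE so the script can be re-run safely; drop the Default record from the batch and the model returns None for every non-UK client, which is the "no answer" behaviour you get from a live zone without one.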
But how do we test that this is working correctly? It is easy with dig from your terminal. Just grab one of the nameservers for your domain, listed above, and run the following command:
./bin/dig/dig @your-nameserver mywebsite.somedomain.co.uk +client=184.108.40.206/24
Caveat: the +client option only exists in a patched version of dig. The option tells the nameserver the user’s IP address (or subnet), which Route53 then uses to estimate the client’s geolocation and return the matching record from your record sets. This works thanks to the EDNS Client Subnet extension (ECS, RFC 7871), which carries the client’s subnet inside the DNS query; when a resolver does not send ECS, Route53 falls back to the location of the resolver’s own IP address. Since BIND 9.10 the standard dig supports this natively as +subnet=ADDRESS/PREFIX, so with a current dig you can replace +client with +subnet and skip the patch.
I used the IP address 220.127.116.11, which belongs to an American DNS server I found at https://public-dns.info/. Look up a current address yourself, since these listings change.
Now, for the UK:
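Rather than running dig by hand for each subnet, here is a small harness that checks several claimed client subnets in one go and fails loudly when an answer is missing or wrong. It is an added example, not part of the original post, and it assumes a dig from BIND 9.10 or later (which has +subnet built in, so no patch is required). The nameserver name, the UK test prefix and the expected answers are placeholders, and the sample dig output embedded for the parser is constructed, not captured from a live query.

```python
"""Check Route53 geolocation answers for several client subnets.
Added example, not from the original post.  Assumes a dig that supports
+subnet (BIND 9.10+); NS, CASES and SAMPLE_OUTPUT are placeholders."""
import subprocess

NS = "ns-123.awsdns-15.co.uk"            # assumption: one of your zone's NS
NAME = "mywebsite.somedomain.co.uk"      # the post's hostname
WEB_IP = "203.0.113.10"                  # assumption: the UK web server
SINKHOLE = "0.0.0.0"                     # the Default record's answer

# (label, EDNS client subnet to claim, A record we expect back).
# The UK prefix is a placeholder; substitute a real UK ISP prefix.
CASES = [
    ("US client", "220.127.116.11/24", SINKHOLE),
    ("UK client", "192.0.2.0/24", WEB_IP),
]


def parse_answers(dig_output):
    """Extract the A record values from 'dig +noall +answer' output.
    Each answer line is: name  ttl  IN  A  address."""
    values = []
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            values.append(fields[4])
    return values


def query(subnet, ns=NS, name=NAME):
    """Ask the authoritative server directly, claiming the given client
    subnet via EDNS Client Subnet, and return the A values it answers."""
    out = subprocess.run(
        ["dig", f"@{ns}", name, "A", f"+subnet={subnet}", "+noall", "+answer"],
        capture_output=True, text=True, check=True).stdout
    return parse_answers(out)


def judge(label, answers, expected):
    """Compare what came back with what we expect.  An empty answer means
    no record matched and there is no Default record in the zone."""
    if not answers:
        return False, f"{label}: no answer (missing Default record?)"
    if answers == [expected]:
        return True, f"{label}: got {expected} as expected"
    return False, f"{label}: expected {expected}, got {answers}"


def run_cases(cases=CASES, fetch=query):
    """Run every case.  `fetch` is injectable so the logic can be
    exercised without a network or a live zone."""
    results = [judge(label, fetch(subnet), expected)
               for label, subnet, expected in cases]
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed sample of what dig prints for the US case (not real output).
SAMPLE_OUTPUT = "mywebsite.somedomain.co.uk.\t60\tIN\tA\t0.0.0.0\n"

if __name__ == "__main__":
    ok, messages = run_cases()
    print("\n".join(messages))
    raise SystemExit(0 if ok else 1)
```

Run it against each of the zone’s four nameservers in turn, since a change that has not finished propagating can answer differently per server; adding a case that omits +subnet is also worthwhile, because that shows what a resolver that does not send ECS will get (the answer for the resolver’s own location, not the user’s).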
That’s about it really. I hope you found it interesting and can put it to some real use.