

feat(client-route53resolver): Route 53 Resolver Forwarding Rules can …
…now include a server name indication (SNI) in the target address for rules that use the DNS-over-HTTPS (DoH) protocol. When a DoH-enabled Outbound Resolver Endpoint forwards a request to a DoH server, it will provide the SNI in the TLS handshake.
awstools committed Oct 10, 2024
1 parent 1ec3fb8 commit 278471b
Showing 7 changed files with 39 additions and 4 deletions.
Expand Up @@ -47,6 +47,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
* Port: Number("int"),
* Ipv6: "STRING_VALUE",
* Protocol: "DoH" || "Do53" || "DoH-FIPS",
* ServerNameIndication: "STRING_VALUE",
* },
* ],
* ResolverEndpointId: "STRING_VALUE",
Expand Down Expand Up @@ -75,6 +76,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
* // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
Expand Up @@ -58,6 +58,7 @@ export interface DeleteResolverRuleCommandOutput extends DeleteResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
* // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
Expand Up @@ -57,6 +57,7 @@ export interface GetResolverRuleCommandOutput extends GetResolverRuleResponse, _
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
* // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
Expand Up @@ -68,6 +68,7 @@ export interface ListResolverRulesCommandOutput extends ListResolverRulesRespons
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
* // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
Expand Up @@ -46,6 +46,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
* Port: Number("int"),
* Ipv6: "STRING_VALUE",
* Protocol: "DoH" || "Do53" || "DoH-FIPS",
* ServerNameIndication: "STRING_VALUE",
* },
* ],
* ResolverEndpointId: "STRING_VALUE",
Expand All @@ -69,6 +70,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
* // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
17 changes: 15 additions & 2 deletions clients/client-route53resolver/src/models/models_0.ts
Expand Up @@ -2149,11 +2149,11 @@ export interface CreateResolverQueryLogConfigRequest {
* <p>
* <b>S3 bucket</b>: </p>
* <p>
* <code>arn:aws:s3:::examplebucket</code>
* <code>arn:aws:s3:::amzn-s3-demo-bucket</code>
* </p>
* <p>You can optionally append a file prefix to the end of the ARN.</p>
* <p>
* <code>arn:aws:s3:::examplebucket/development/</code>
* <code>arn:aws:s3:::amzn-s3-demo-bucket/development/</code>
* </p>
* </li>
* <li>
Expand Down Expand Up @@ -2408,6 +2408,15 @@ export interface TargetAddress {
* @public
*/
Protocol?: Protocol;

/**
* <p>
* The Server Name Indication of the DoH server that you want to forward queries to.
* This is only used if the Protocol of the <code>TargetAddress</code> is <code>DoH</code>.
* </p>
* @public
*/
ServerNameIndication?: string;
}

/**
Expand Down Expand Up @@ -5711,6 +5720,10 @@ export interface UpdateFirewallRuleRequest {
* NUMBER can be 1-65334, for
* example, TYPE28. For more information, see
* <a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types">List of DNS record types</a>.</p>
* <note>
* <p>If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA,
* this action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. </p>
* </note>
* </li>
* </ul>
* @public
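Review bot: The new `ServerNameIndication` doc comment on `TargetAddress` (the `-2408,6 +2408,15` hunk) says the value is used only when `Protocol` is `DoH`, but it does not say what the outbound endpoint does with the name beyond presenting it, and in particular whether the DoH server's certificate is validated against this name or only against the target `Ip`/`Ipv6`. That is the question a reader configuring a forwarding rule needs answered, because it decides whether the DoH channel is authenticated to the intended server; the commit description only states that the SNI is provided in the TLS handshake. I would add to the comment: `* The name is presented in the TLS handshake of the outbound endpoint; it does not change which target address queries are sent to.` and, once confirmed with the service behaviour, a sentence stating whether the server certificate must match it. The `TargetAddress` interface begins before the hunk, and this comment is generated from the `smithy.api#documentation` trait in `codegen/sdk-codegen/aws-models/route53resolver.json` in this same commit, so the wording belongs in that model rather than in `models_0.ts`.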
19 changes: 17 additions & 2 deletions codegen/sdk-codegen/aws-models/route53resolver.json
Expand Up @@ -1057,7 +1057,7 @@
"DestinationArn": {
"target": "com.amazonaws.route53resolver#DestinationArn",
"traits": {
"smithy.api#documentation": "<p>The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:</p>\n <ul>\n <li>\n <p>\n <b>S3 bucket</b>: </p>\n <p>\n <code>arn:aws:s3:::examplebucket</code>\n </p>\n <p>You can optionally append a file prefix to the end of the ARN.</p>\n <p>\n <code>arn:aws:s3:::examplebucket/development/</code>\n </p>\n </li>\n <li>\n <p>\n <b>CloudWatch Logs log group</b>: </p>\n <p>\n <code>arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*</code>\n </p>\n </li>\n <li>\n <p>\n <b>Kinesis Data Firehose delivery stream</b>:</p>\n <p>\n <code>arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name</code>\n </p>\n </li>\n </ul>",
"smithy.api#documentation": "<p>The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:</p>\n <ul>\n <li>\n <p>\n <b>S3 bucket</b>: </p>\n <p>\n <code>arn:aws:s3:::amzn-s3-demo-bucket</code>\n </p>\n <p>You can optionally append a file prefix to the end of the ARN.</p>\n <p>\n <code>arn:aws:s3:::amzn-s3-demo-bucket/development/</code>\n </p>\n </li>\n <li>\n <p>\n <b>CloudWatch Logs log group</b>: </p>\n <p>\n <code>arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*</code>\n </p>\n </li>\n <li>\n <p>\n <b>Kinesis Data Firehose delivery stream</b>:</p>\n <p>\n <code>arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name</code>\n </p>\n </li>\n </ul>",
"smithy.api#required": {}
}
},
Expand Down Expand Up @@ -7961,6 +7961,15 @@
"target": "com.amazonaws.route53resolver#ResourceId"
}
},
"com.amazonaws.route53resolver#ServerNameIndication": {
"type": "string",
"traits": {
"smithy.api#length": {
"min": 0,
"max": 255
}
}
},
"com.amazonaws.route53resolver#ServicePrinciple": {
"type": "string",
"traits": {
Expand Down Expand Up @@ -8206,6 +8215,12 @@
"traits": {
"smithy.api#documentation": "<p>\n\t\t\tThe protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.\n\t\t\t\n\t\t</p>\n <p>For an inbound endpoint you can apply the protocols as follows:</p>\n <ul>\n <li>\n <p> Do53 and DoH in combination.</p>\n </li>\n <li>\n <p>Do53 and DoH-FIPS in combination.</p>\n </li>\n <li>\n <p>Do53 alone.</p>\n </li>\n <li>\n <p>DoH alone.</p>\n </li>\n <li>\n <p>DoH-FIPS alone.</p>\n </li>\n <li>\n <p>None, which is treated as Do53.</p>\n </li>\n </ul>\n <p>For an outbound endpoint you can apply the protocols as follows:</p>\n <ul>\n <li>\n <p> Do53 and DoH in combination.</p>\n </li>\n <li>\n <p>Do53 alone.</p>\n </li>\n <li>\n <p>DoH alone.</p>\n </li>\n <li>\n <p>None, which is treated as Do53.</p>\n </li>\n </ul>"
}
},
"ServerNameIndication": {
"target": "com.amazonaws.route53resolver#ServerNameIndication",
"traits": {
"smithy.api#documentation": "<p>\n\t\t\tThe Server Name Indication of the DoH server that you want to forward queries to. \n\t\t\tThis is only used if the Protocol of the <code>TargetAddress</code> is <code>DoH</code>.\n\t\t</p>"
}
}
},
"traits": {
Expand Down Expand Up @@ -8648,7 +8663,7 @@
"Qtype": {
"target": "com.amazonaws.route53resolver#Qtype",
"traits": {
"smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n <ul>\n <li>\n <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n </li>\n <li>\n <p>AAAA: Returns an Ipv6 address.</p>\n </li>\n <li>\n <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n </li>\n <li>\n <p>CNAME: Returns another domain name.</p>\n </li>\n <li>\n <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n </li>\n <li>\n <p>MX: Specifies mail servers.</p>\n </li>\n <li>\n <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n </li>\n <li>\n <p>NS: Authoritative name servers.</p>\n </li>\n <li>\n <p>PTR: Maps an IP address to a domain name.</p>\n </li>\n <li>\n <p>SOA: Start of authority record for the zone.</p>\n </li>\n <li>\n <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n </li>\n <li>\n <p>SRV: Application specific values that identify servers.</p>\n </li>\n <li>\n <p>TXT: Verifies email senders and application-specific values.</p>\n </li>\n <li>\n <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n </li>\n </ul>"
"smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n <ul>\n <li>\n <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n </li>\n <li>\n <p>AAAA: Returns an Ipv6 address.</p>\n </li>\n <li>\n <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n </li>\n <li>\n <p>CNAME: Returns another domain name.</p>\n </li>\n <li>\n <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n </li>\n <li>\n <p>MX: Specifies mail servers.</p>\n </li>\n <li>\n <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n </li>\n <li>\n <p>NS: Authoritative name servers.</p>\n </li>\n <li>\n <p>PTR: Maps an IP address to a domain name.</p>\n </li>\n <li>\n <p>SOA: Start of authority record for the zone.</p>\n </li>\n <li>\n <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n </li>\n <li>\n <p>SRV: Application specific values that identify servers.</p>\n </li>\n <li>\n <p>TXT: Verifies email senders and application-specific values.</p>\n </li>\n <li>\n <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n <note>\n <p>If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, \n\t\t\t\t\tthis action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. </p>\n </note>\n </li>\n </ul>"
}
}
},
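Review bot: The new `com.amazonaws.route53resolver#ServerNameIndication` shape (the `-7961,6 +7961,15` hunk) carries only a `smithy.api#length` trait of 0–255, so the generated client-side validator accepts an empty string and any character sequence, including values that are not valid SNI host names. Whether the service rejects such values server-side is not visible in this change; if it does, a `smithy.api#pattern` trait on the shape, or a sentence in the member's documentation trait, would let callers fail early and make the accepted format explicit. Suggested addition to the `ServerNameIndication` documentation trait, to be confirmed against the service's actual validation before it is added: `Must be a DNS host name; an empty value or an IP address literal is not a valid server name.`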
