AWS Certified Advanced Networking Specialty Practice Exam


Prepare for the AWS Certified Advanced Networking Specialty Exam with detailed flashcards and multiple-choice questions. Each question includes hints and explanations. Ace your exam with confidence!



What solution should be implemented to protect against DNS exfiltration while ensuring high availability for an Amazon EC2 application behind an Application Load Balancer?

  1. Implement a NAT gateway

  2. Use Amazon Route 53 Resolver DNS Firewall

  3. Enable security groups in the VPC

  4. Utilize AWS Shield

The correct answer is: Use Amazon Route 53 Resolver DNS Firewall

Amazon Route 53 Resolver DNS Firewall is the right choice because it is the only option that inspects DNS queries themselves. You create domain lists and attach them to rules in a rule group; each rule matches on the queried domain name (an entry such as example.com matches only that name, *.example.com matches its subdomains) and applies an ALLOW, BLOCK or ALERT action. BLOCK can answer NODATA, NXDOMAIN or an override record; ALERT lets the query through but records it in Resolver query logs, which is useful while tuning. Associating the rule group with the VPC puts the filter inline in the Route 53 Resolver that EC2 instances use by default, so queries carrying encoded data to an attacker-controlled domain are refused before they ever leave the VPC. Because a typical fleet behind an Application Load Balancer only needs to resolve AWS service endpoints and its own zones, a short allow list followed by a default deny is enough to stop exfiltration without touching the application.

Two caveats a practitioner should know. First, DNS Firewall only sees queries that pass through the Route 53 Resolver; an instance that sends DNS directly to an external server via a NAT gateway or internet gateway bypasses it, so pair the rule group with security group or network ACL egress rules that allow UDP and TCP 53 only to the VPC resolver. Second, the availability requirement is met by the per-VPC fail-open setting: by default Resolver fails closed and answers SERVFAIL if it cannot reach DNS Firewall, so weigh whether to enable fail open for a workload where resolution outages are worse than a brief gap in filtering.

The other options do not address the threat. A NAT gateway provides outbound connectivity for private subnets; it forwards DNS like any other traffic and inspects nothing. Security groups are always present on the instances and filter by IP address, protocol and port, not by domain name, so they cannot tell an exfiltration query from a legitimate one bound for the same resolver. AWS Shield protects against DDoS attacks on inbound traffic, which helps availability but has no role in filtering outbound DNS. Route 53 Resolver DNS Firewall is therefore the most appropriate solution here.
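The evaluation order described above (rule groups by association priority, rules by rule priority, first match wins, fail-open versus fail-closed when the firewall is unreachable) is easier to reason about in code. The following Python model is an added example, not AWS code or the exam's material; the policy, rule names, the .test domains and the query names are constructed for illustration, and treating a bare `*` entry as a match-everything catch-all is an assumption about DNS Firewall domain-list syntax that should be checked against the current documentation.

```python
"""Toy model of Route 53 Resolver DNS Firewall rule evaluation (added example)."""
from dataclasses import dataclass, field

ALLOW, BLOCK, ALERT = "ALLOW", "BLOCK", "ALERT"


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def domain_matches(entry: str, qname: str) -> bool:
    """Match one domain-list entry against a query name.

    Mirrors the DNS Firewall semantics: 'example.com' matches only the apex,
    '*.example.com' matches subdomains but not the apex. A bare '*' is modelled
    here as a catch-all for deny-by-default policies (assumption, see lead-in).
    """
    entry, qname = _norm(entry), _norm(qname)
    if entry == "*":
        return True
    if entry.startswith("*."):
        suffix = entry[1:]  # ".example.com"
        return qname.endswith(suffix) and len(qname) > len(suffix)
    return qname == entry


@dataclass(order=True)
class Rule:
    priority: int                      # lower number is evaluated first
    name: str = field(compare=False)
    action: str = field(compare=False)
    domains: tuple = field(compare=False)
    block_response: str = field(compare=False, default="NODATA")


@dataclass(order=True)
class RuleGroup:
    priority: int                      # association priority on the VPC
    name: str = field(compare=False)
    rules: tuple = field(compare=False)


def evaluate(rule_groups, qname, firewall_reachable=True, fail_open=False):
    """Return (action, matched_rule, response) for one query name.

    Rule groups are walked in ascending association priority and rules inside a
    group in ascending rule priority; the first matching rule wins. A query that
    matches nothing resolves normally (ALLOW). If Resolver cannot reach DNS
    Firewall, the per-VPC setting decides: fail closed (the default) answers
    SERVFAIL, fail open lets the query through unfiltered.
    """
    if not firewall_reachable:
        return (ALLOW, None, None) if fail_open else (BLOCK, "fail-closed", "SERVFAIL")
    for group in sorted(rule_groups):
        for rule in sorted(group.rules):
            if any(domain_matches(d, qname) for d in rule.domains):
                response = rule.block_response if rule.action == BLOCK else None
                return rule.action, f"{group.name}/{rule.name}", response
    return ALLOW, None, None


# Constructed policy for the exam scenario: the fleet behind the ALB only needs
# AWS service endpoints and the company's own zone; a known tunnelling domain is
# blocked with NXDOMAIN, a dynamic-DNS provider is logged, everything else is denied.
EXFIL_POLICY = (
    RuleGroup(100, "app-baseline", (
        Rule(10, "allow-aws-apis", ALLOW, ("*.amazonaws.com",)),
        Rule(20, "allow-corp", ALLOW, ("corp.example", "*.corp.example")),
        Rule(30, "block-known-tunnel", BLOCK, ("*.bad-tunnel.test",), "NXDOMAIN"),
        Rule(40, "alert-dyndns", ALERT, ("*.dyn.test",)),
        Rule(900, "deny-everything-else", BLOCK, ("*",), "NODATA"),
    )),
)

# Constructed query names: a legitimate AWS call, a query with base64-looking
# data stuffed into a subdomain (the classic exfiltration pattern), a dynamic-DNS
# beacon, and an unknown vendor that falls through to the default deny.
SAMPLE_QUERIES = (
    "sqs.us-east-1.amazonaws.com",
    "U0VDUkVUIGRhdGEgaGVyZQ.x9k.bad-tunnel.test",
    "beacon.dyn.test",
    "updates.unknown-vendor.test",
)


def decide_all(queries=SAMPLE_QUERIES, policy=EXFIL_POLICY):
    """Evaluate every sample query against the policy; returns {qname: decision}."""
    return {q: evaluate(policy, q) for q in queries}


if __name__ == "__main__":
    for q, (action, rule, response) in decide_all().items():
        print(f"{action:5} {q:45} rule={rule} response={response}")
```

The allow rules sit at the lowest priorities on purpose: once `*.amazonaws.com` matches, the catch-all deny at priority 900 is never consulted, which is exactly the walled-garden shape that stops exfiltration without breaking the application's own dependencies. Note that the apex `amazonaws.com` is not covered by the wildcard entry and would hit the default deny, which is the behaviour to expect from the real service as well.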