Update: was kind enough to get back to me with these comments on Twitter if you are looking for AWS DNS CIDRs:
Will look at better JSON description. In the meantime, all of Route 53 is in 205.251.192.0/19. DNS needs TCP/53 open too for large answers. We'll add more IPs to Route 53 over time too. But unlikely to ever remove.
----
Taking a look at the IP addresses my EC2 instance attempts to connect to for DNS.
Unfortunately Amazon does not publish which IP ranges are specifically for DNS on this IP ranges list which makes it hard to set specific rules for DNS in NACLs or security groups.
https://ip-ranges.amazonaws.com/ip-ranges.json
Looks like my EC2 instance attempted to connect to the following IPs. Since this is a WatchGuard Firebox Cloud some of these IPs could be related to WatchGuard however the names are not resolving to WatchGuard DNS entries. So is this AWS DNS traffic or WatchGuard DNS traffic...can explore this further but is making it a bit complicated to create network rules that only allow my instance to go to the desired DNS server.
205.251.194.62 |
53 |
|
ns-574.awsdns-07.net. |
205.251.195.90 |
53 |
|
ns-858.awsdns-43.net. |
85.115.52.190 |
53 |
|
cluster-a.mailcontrol.com. |
205.251.194.153 |
53 |
|
ns-665.awsdns-19.net. |
205.251.194.153 |
53 |
|
ns-665.awsdns-19.net. |
205.251.197.166 |
53 |
|
ns-1446.awsdns-52.org. |
216.69.185.47 |
53 |
|
ns73.domaincontrol.com. |
64.95.61.5 |
53 |
|
dns3-1.acs.pnap.net. |
103.243.111.211 |
53 |
|
Comtouch?? India?? |
What's the problem? If an instance goes to the incorrect DNS server this could pose a serious security problem. If an instance resolves a DNS name to the wrong IP address it could potentially be connecting to a rogue host due to the incorrectly resolved name. Perhaps non-AWS traffic is related to a WatchGuard service. More inspection is needed.
So what to do...it looks like the addresses with awsdns-xx in the name are in this AWS global IP range:
{
"ip_prefix": "205.251.192.0/19",
"region": "GLOBAL",
"service": "AMAZON"
},
It looks like the service is using UDP (protocol 17).
So for now will allow egress traffic (initiated from my instance to the Internet) on port 53 to the global AWS range above on protocol 17 and ephemeral ports inbound. We'll see what happens...