

# Resolver DNS Firewall domain lists
<a name="resolver-dns-firewall-domain-lists"></a>

A *domain list* is a reusable set of domain specifications that you use in a DNS Firewall rule, inside a rule group. When you associate a rule group with a VPC, DNS Firewall compares your DNS queries against the domain lists that are used in the rules. If it finds a match, it handles the DNS query according to the matching rule's action. For more information about rule groups and rules, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md). 

Domain lists allow you to separate your explicit domain specifications from the actions that you want to take on them. You can use a single domain list in multiple rules, and any update that you make to the domain list automatically affects all rules that use it. 

Domain lists fall into two main categories: 
+ Managed domain lists, which AWS creates and maintains for you.
+ Your own domain lists, which you create and maintain.

This section describes the types of managed domain lists that are available to you and provides guidance for creating and managing your own domain lists, if you choose to do so. 

# Managed Domain Lists
<a name="resolver-dns-firewall-managed-domain-lists"></a>

Managed Domain Lists contain domain names that are associated with malicious activity or other potential threats. AWS maintains these lists to enable Route 53 VPC Resolver customers to check outbound DNS queries against them for free when using DNS Firewall. 

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Managed Domain Lists can save you time when you implement and use DNS Firewall. AWS automatically updates the lists when new vulnerabilities and threats emerge. AWS is often notified of new vulnerabilities before public disclosure, so DNS Firewall can frequently deploy mitigations for you before a new threat becomes widely known. 

Managed domain lists are designed to help protect you from common web threats, and they add another layer of security for your applications. The AWS Managed Domain Lists source their data from internal AWS sources and from [Recorded Future](https://partners.amazonaws.com/partners/001E000001V9CaHIAV/Recorded%20Future), and are continually updated. However, AWS Managed Domain Lists aren't intended as a replacement for other security controls, such as Amazon GuardDuty, which are determined by the AWS resources that you select.

As a best practice, before using a Managed Domain List in production, test it in a non-production environment, with the rule action set to `Alert`. Evaluate the rule using Amazon CloudWatch metrics combined with Resolver DNS Firewall sampled requests or DNS Firewall logs. When you're satisfied that the rule does what you want, change the action setting as needed. 

**Available AWS Managed Domain Lists**  
This section describes the Managed Domain Lists that are currently available. When you're in a Region where these lists are supported, you see them on the console when you manage domain lists and when you specify the domain list for a rule. In the logs, the domain list is recorded in the `firewall_domain_list_id` field.

AWS provides the following Managed Domain Lists, in the Regions they are available, for all users of Resolver DNS Firewall. 
+ `AWSManagedDomainsMalwareDomainList` – Domains associated with sending, hosting, or distributing malware.
+ `AWSManagedDomainsBotnetCommandandControl` – Domains associated with controlling networks of computers that are infected with spamming malware. 
+ `AWSManagedDomainsAggregateThreatList` – Domains associated with multiple DNS threat categories including malware, ransomware, botnet, spyware, and DNS tunneling to help block multiple types of threats. `AWSManagedDomainsAggregateThreatList` includes all the domains in the other AWS Managed Domain Lists listed here.
+ `AWSManagedDomainsAmazonGuardDutyThreatList` – Domains associated with Amazon GuardDuty DNS security findings. The domains are sourced from GuardDuty's threat intelligence systems only, and do not include domains from external third-party sources. Currently, this list blocks only the internally generated domains that are used for the following GuardDuty detections: Impact:EC2/AbusedDomainRequest.Reputation, Impact:EC2/BitcoinDomainRequest.Reputation, Impact:EC2/MaliciousDomainRequest.Reputation, Impact:Runtime/AbusedDomainRequest.Reputation, Impact:Runtime/BitcoinDomainRequest.Reputation, and Impact:Runtime/MaliciousDomainRequest.Reputation.

  For more information see [Finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.

AWS Managed Domain Lists cannot be downloaded or browsed. To protect intellectual property, you can't view or edit the individual domain specifications within an AWS Managed Domain List. This restriction also helps to prevent malicious users from designing threats that specifically circumvent published lists. 

**To test the Managed Domain lists**  
We provide the following set of domains for testing the Managed Domain Lists:

**AWSManagedDomainsBotnetCommandandControl**  
+  controldomain1.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com

**AWSManagedDomainsMalwareDomainList**  
+  controldomain1.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com

**AWSManagedDomainsAggregateThreatList and AWSManagedDomainsAmazonGuardDutyThreatList**  
+  controldomain1.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain2.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com
+  controldomain3.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com

These domains resolve to 1.2.3.4 if they aren't blocked. If you're using the Managed Domain Lists in a VPC, querying these domains returns the response that the rule's block action is configured for (for example, NODATA). 
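A small checker for the test domains above, added here as an example and not code from the AWS documentation: it queries one test domain per Managed Domain List through the system resolver and reports whether the answer is the unblocked sentinel `1.2.3.4` or a blocked response. The `resolve` parameter is an assumption of this example so the logic can be exercised without network access; to verify a VPC's rule group associations, run it from an instance in that VPC.

```python
import socket
from typing import Callable, Dict

# Test domains published in this section, one per Managed Domain List.
TEST_DOMAINS = {
    "AWSManagedDomainsBotnetCommandandControl":
        "controldomain1.botnetlist.firewall.route53resolver.us-east-1.amazonaws.com",
    "AWSManagedDomainsMalwareDomainList":
        "controldomain1.malwarelist.firewall.route53resolver.us-east-1.amazonaws.com",
    "AWSManagedDomainsAggregateThreatList":
        "controldomain1.aggregatelist.firewall.route53resolver.us-east-1.amazonaws.com",
}

# The sentinel address the test domains resolve to when nothing blocks them.
UNBLOCKED_ADDRESS = "1.2.3.4"


def classify(domain: str, resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Classify how the resolver handled a query for one test domain.

    `resolve` is the lookup function (assumption of this example). The default
    uses the system resolver, which inside a VPC is the Route 53 Resolver.
    """
    try:
        address = resolve(domain)
    except OSError:
        # socket.gaierror is an OSError: a NODATA/NXDOMAIN style block
        # response surfaces as a resolution failure.
        return "blocked"
    if address == UNBLOCKED_ADDRESS:
        return "not-blocked"
    # Another address means the block action is returning a custom override
    # record, or the query was answered by a resolver outside the VPC.
    return f"unexpected:{address}"


def check_all(resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Classify every test domain; returns {managed list name: verdict}."""
    return {name: classify(domain, resolve) for name, domain in TEST_DOMAINS.items()}


if __name__ == "__main__":
    for list_name, verdict in check_all().items():
        print(f"{list_name}: {verdict}")
```

Run with the rule action set to `Alert` first: the domains then still resolve to `1.2.3.4` while the alert shows up in the logs, which confirms the list is being evaluated before you switch the action to a block.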

For more information about Managed Domain Lists, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/). 

The following table lists the Region availability for AWS Managed Domain Lists.


**Managed Domain List Region availability**  

| Region | Managed Domain Lists available? | 
| --- | --- | 
|  Africa (Cape Town)   |  Yes  | 
|  Asia Pacific (Hong Kong)  | Yes | 
|  Asia Pacific (Hyderabad)  | Yes | 
|  Asia Pacific (Jakarta)   |  Yes  | 
|  Asia Pacific (Malaysia)  |  Yes  | 
|  Asia Pacific (Melbourne)  | Yes | 
|  Asia Pacific (Mumbai)  |  Yes  | 
|  Asia Pacific (Osaka) Region  |  Yes  | 
|  Asia Pacific (Seoul)  |  Yes  | 
|  Asia Pacific (Singapore)  |  Yes  | 
|  Asia Pacific (Sydney)  |  Yes  | 
|  Asia Pacific (Thailand)  |  Yes  | 
|  Asia Pacific (Tokyo)  |  Yes  | 
|  Canada (Central) Region  |  Yes  | 
|  Canada West (Calgary)  |  Yes  | 
|  Europe (Frankfurt) Region  |  Yes  | 
|  Europe (Ireland) Region  |  Yes  | 
|  Europe (London) Region  |  Yes  | 
|  Europe (Milan)   |  Yes  | 
|  Europe (Paris) Region  |  Yes  | 
|  Europe (Spain)  | Yes | 
|  Europe (Stockholm)  |  Yes  | 
|  Europe (Zurich)  | Yes | 
|  Israel (Tel Aviv)  | Yes | 
|  Middle East (Bahrain)  | Yes | 
|  Middle East (UAE)  | Yes | 
|  South America (São Paulo)  |  Yes  | 
|  US East (N. Virginia)  |  Yes  | 
|  US East (Ohio)  |  Yes  | 
|  US West (N. California)  |  Yes  | 
|  US West (Oregon)  |  Yes  | 
|  China (Beijing)   |  Yes  | 
|  China (Ningxia)   |  Yes  | 
|  AWS GovCloud (US)  |  Yes  | 

**Additional security considerations**  
AWS Managed Domain Lists are designed to help protect you from common web threats. When used in accordance with the documentation, these lists add another layer of security for your applications. However, the Managed Domain Lists aren't intended as a replacement for other security controls, which are determined by the AWS resources that you select. To ensure that your resources in AWS are properly protected, see the guidance at [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/). 

**Mitigating false positive scenarios**  
If you are encountering false-positive scenarios in rules that use Managed Domain Lists to block queries, perform the following steps: 

1. In the VPC Resolver logs, identify the rule group and managed domain list that are causing the false positive. You do this by finding the log for the query that DNS Firewall is blocking, but that you want to allow through. The log record lists the rule group, rule action, and the managed list. For information about the logs, see [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md).

1. Create a new rule in the rule group that explicitly allows the blocked query through. When you create the rule, you can define your own domain list with just the domain specification that you want to allow. Follow the guidance for rule group and rule management at [Creating a rule group and rules](resolver-dns-firewall-rule-group-adding.md).

1. Prioritize the new rule inside the rule group so that it runs before the rule that's using the managed list. To do this, give the new rule a lower numeric priority setting.

When you have updated your rule group, the new rule will explicitly allow the domain name that you want to allow before the blocking rule runs. 
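As an added example, not from the AWS documentation, the following script performs step 1 over Resolver query logs: it groups `BLOCK` records by rule group and domain list and turns each logged query name into the exact entry to put in the allow-list domain list of step 2. The sample records and IDs are constructed placeholders; `firewall_rule_action` and `firewall_rule_group_id` are field names assumed from the query log format, since only `firewall_domain_list_id` is quoted in this section.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Constructed sample records shaped like Resolver query logs (one JSON object
# per line). The IDs are placeholders, not real resource identifiers.
SAMPLE_LOG = """\
{"query_name":"updates.example-vendor.com.","query_type":"A","rcode":"NOERROR","firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER1","firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER-managed","vpc_id":"vpc-PLACEHOLDER"}
{"query_name":"www.example.org.","query_type":"A","rcode":"NOERROR","vpc_id":"vpc-PLACEHOLDER"}
{"query_name":"updates.example-vendor.com.","query_type":"AAAA","rcode":"NOERROR","firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER1","firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER-managed","vpc_id":"vpc-PLACEHOLDER"}
{"query_name":"cdn.example.net.","query_type":"A","rcode":"NOERROR","firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER2","firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER-own","vpc_id":"vpc-PLACEHOLDER"}
"""


def to_domain_spec(query_name: str) -> str:
    """Turn a logged query name (absolute, with trailing dot) into the exact
    domain specification to place in the allow-list domain list."""
    return query_name.rstrip(".").lower()


def blocked_queries(lines: Iterable[str]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group blocked queries by (rule group ID, domain list ID).

    Returns {(group, domain_list): {"count": n, "names": [domain specs]}}.
    Records without firewall_* fields were not matched by any rule and are
    skipped, as are ALERT records (those were allowed through).
    """
    summary: Dict[Tuple[str, str], Dict[str, object]] = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        record = json.loads(raw)
        if record.get("firewall_rule_action") != "BLOCK":
            continue
        key = (record["firewall_rule_group_id"], record["firewall_domain_list_id"])
        entry = summary.setdefault(key, {"count": 0, "names": []})
        entry["count"] += 1
        name = to_domain_spec(record["query_name"])
        if name not in entry["names"]:
            entry["names"].append(name)
    return summary


if __name__ == "__main__":
    for (group, domain_list), info in blocked_queries(SAMPLE_LOG.splitlines()).items():
        print(f"rule group {group} / domain list {domain_list}: "
              f"{info['count']} blocked queries for {info['names']}")
```

Each name in `names` is a candidate for the allow rule in step 2; keep that rule's domain list to exactly the names you have confirmed are legitimate, and give the rule a numerically lower priority than the managed-list rule as described in step 3.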

# Managing your own domain lists
<a name="resolver-dns-firewall-user-managed-domain-lists"></a>

You can create your own domain lists to specify domain categories that you either don't find in the managed domain list offerings or that you prefer to handle on your own. 

In addition to the procedures described in this section, in the console, you can create a domain list in the context of Resolver DNS Firewall rule management, when you create or update a rule. 

Each domain specification in your domain list must satisfy the following requirements: 
+ It can optionally start with `*` (asterisk).
+ Apart from the optional leading asterisk and the period (`.`) that delimits labels, it can contain only the following characters: `A-Z`, `a-z`, `0-9`, and `-` (hyphen).
+ It must be from 1 to 255 characters in length. 
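The following validator is added as an example and is not part of the AWS documentation. It checks a bulk-upload file (one domain per line) against the three requirements above and also reports duplicate entries, which the bulk import rejects. The treatment of the period after a leading asterisk, the skipping of blank lines, and the case-insensitive duplicate comparison are assumptions of this example.

```python
import re
from typing import List, Tuple

# A label between periods may contain only A-Z, a-z, 0-9 and hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")
MAX_LENGTH = 255


def validate_domain_spec(spec: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a single domain list entry."""
    if not 1 <= len(spec) <= MAX_LENGTH:
        return False, f"length {len(spec)} is not in 1-{MAX_LENGTH}"
    body = spec
    if spec.startswith("*"):
        body = spec[1:]
        # Assumption: a wildcard entry is written `*.example.com`, so the
        # period following the asterisk is accepted as the label delimiter.
        if body.startswith("."):
            body = body[1:]
    if not body:
        return False, "no labels after the asterisk"
    for label in body.split("."):
        if not label:
            return False, "empty label (leading, trailing, or doubled period)"
        if not LABEL_RE.match(label):
            return False, f"label {label!r} contains characters outside A-Z a-z 0-9 -"
    return True, "ok"


def validate_domain_list(text: str) -> List[Tuple[int, str, str]]:
    """Validate a bulk-upload file body; returns (line, entry, problem) tuples.

    Duplicates are reported because the bulk import fails on them. Assumption:
    duplicates are compared case-insensitively, since DNS names are, and blank
    lines are ignored rather than reported.
    """
    problems: List[Tuple[int, str, str]] = []
    seen: dict = {}
    for number, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        ok, reason = validate_domain_spec(entry)
        if not ok:
            problems.append((number, entry, reason))
            continue
        key = entry.lower()
        if key in seen:
            problems.append((number, entry, f"duplicate of line {seen[key]}"))
        else:
            seen[key] = number
    return problems


# Constructed sample bulk-upload file (not from the documentation).
SAMPLE = """\
example.com
*.example.net
bad_domain.example
Example.COM
a..b.example
"""

if __name__ == "__main__":
    for line, entry, problem in validate_domain_list(SAMPLE):
        print(f"line {line}: {entry!r}: {problem}")
```

Running this before uploading to Amazon S3 catches the failures the console would otherwise report only after the import is attempted.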

When you make changes to DNS Firewall entities, like rules and domain lists, DNS Firewall propagates the changes everywhere that the entities are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you add a domain to a domain list that's referenced by a blocking rule, the new domain might briefly be blocked in one area of your VPC while still allowed in another. This temporary inconsistency can occur when you first configure your rule group and VPC associations and when you change existing settings. Generally, any inconsistencies of this type last only a few seconds.

**Test your domain list before using it in production**  
As a best practice, before using a domain list in production, test it in a non-production environment, with the rule action set to `Alert`. Evaluate the rule using Amazon CloudWatch metrics and the VPC Resolver logs. The logs provide the domain list name for all alerts and blocking actions. When you're satisfied that the domain list is matching your DNS queries the way you want it to, change the rule action setting as needed. For information about CloudWatch metrics and the query logs, see [Monitoring Resolver DNS Firewall rule groups with Amazon CloudWatch](monitoring-resolver-dns-firewall-with-cloudwatch.md), [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md), and [Managing Resolver query logging configurations](resolver-query-logging-configurations-managing.md). 

**To add a domain list**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

   Choose **DNS Firewall** in the navigation pane to open the DNS Firewall **Rule groups** page on the Amazon VPC console. Continue to step 2.

   - OR - 

   Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/). 

1. In the navigation pane, under **DNS Firewall**, choose **Domain lists**. In the **Domain lists** page, you can select and edit existing domain lists and you can add your own.

1. To add a domain list, choose **Add domain list**. 

1. Provide a name for your domain list, and then enter your domain specifications in the text box, one per line. 

   If you slide **Switch to bulk upload** to **on**, enter the URI of the Amazon S3 bucket where you created a domain list. This domain list should have one domain name per line.

   **Note**  
   Duplicate domain names will cause the bulk import to fail.

1. Choose **Add domain list**. The **Domain lists** page lists your new domain list. 

After you create the domain list, you can reference it by name from your DNS Firewall rules. 

**Deleting DNS Firewall entities**  
When you delete an entity that you can use in DNS Firewall, like a domain list that might be in use in a rule group, or a rule group that might be associated with a VPC, DNS Firewall checks to see if the entity is currently being used. If it finds that it is in use, DNS Firewall warns you. DNS Firewall is almost always able to determine if an entity is in use. However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your DNS Firewall configurations before deleting it. If the entity is a referenced domain list, check that no rule groups are using it. If the entity is a rule group, check that it is not associated with any VPCs.

**To delete a domain list**

1. In the navigation pane, choose **Domain lists**.

1. On the navigation bar, choose the Region for the domain list. 

1. Select the domain list that you want to delete, then choose **Delete**, and confirm the deletion.