
Commit 278471b

author
awstools
committed
feat(client-route53resolver): Route 53 Resolver Forwarding Rules can now include a server name indication (SNI) in the target address for rules that use the DNS-over-HTTPS (DoH) protocol. When a DoH-enabled Outbound Resolver Endpoint forwards a request to a DoH server, it will provide the SNI in the TLS handshake.
1 parent 1ec3fb8 commit 278471b


7 files changed

+39
-4
lines changed


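--- a/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts
@@ -47,6 +47,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
 * Port: Number("int"),
 * Ipv6: "STRING_VALUE",
 * Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* ServerNameIndication: "STRING_VALUE",
 * },
 * ],
 * ResolverEndpointId: "STRING_VALUE",
@@ -75,6 +76,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
 * // Port: Number("int"),
 * // Ipv6: "STRING_VALUE",
 * // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* // ServerNameIndication: "STRING_VALUE",
 * // },
 * // ],
 * // ResolverEndpointId: "STRING_VALUE",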

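--- a/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts
@@ -58,6 +58,7 @@ export interface DeleteResolverRuleCommandOutput extends DeleteResolverRuleRespo
 * // Port: Number("int"),
 * // Ipv6: "STRING_VALUE",
 * // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* // ServerNameIndication: "STRING_VALUE",
 * // },
 * // ],
 * // ResolverEndpointId: "STRING_VALUE",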

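--- a/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts
@@ -57,6 +57,7 @@ export interface GetResolverRuleCommandOutput extends GetResolverRuleResponse, _
 * // Port: Number("int"),
 * // Ipv6: "STRING_VALUE",
 * // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* // ServerNameIndication: "STRING_VALUE",
 * // },
 * // ],
 * // ResolverEndpointId: "STRING_VALUE",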

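--- a/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts
+++ b/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts
@@ -68,6 +68,7 @@ export interface ListResolverRulesCommandOutput extends ListResolverRulesRespons
 * // Port: Number("int"),
 * // Ipv6: "STRING_VALUE",
 * // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* // ServerNameIndication: "STRING_VALUE",
 * // },
 * // ],
 * // ResolverEndpointId: "STRING_VALUE",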

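--- a/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts
@@ -46,6 +46,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
 * Port: Number("int"),
 * Ipv6: "STRING_VALUE",
 * Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* ServerNameIndication: "STRING_VALUE",
 * },
 * ],
 * ResolverEndpointId: "STRING_VALUE",
@@ -69,6 +70,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
 * // Port: Number("int"),
 * // Ipv6: "STRING_VALUE",
 * // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+* // ServerNameIndication: "STRING_VALUE",
 * // },
 * // ],
 * // ResolverEndpointId: "STRING_VALUE",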

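--- a/clients/client-route53resolver/src/models/models_0.ts
+++ b/clients/client-route53resolver/src/models/models_0.ts
@@ -2149,11 +2149,11 @@ export interface CreateResolverQueryLogConfigRequest {
 * <p>
 * <b>S3 bucket</b>: </p>
 * <p>
-* <code>arn:aws:s3:::examplebucket</code>
+* <code>arn:aws:s3:::amzn-s3-demo-bucket</code>
 * </p>
 * <p>You can optionally append a file prefix to the end of the ARN.</p>
 * <p>
-* <code>arn:aws:s3:::examplebucket/development/</code>
+* <code>arn:aws:s3:::amzn-s3-demo-bucket/development/</code>
 * </p>
 * </li>
 * <li>
@@ -2408,6 +2408,15 @@ export interface TargetAddress {
 * @public
 */
 Protocol?: Protocol;
+
+/**
+* <p>
+* The Server Name Indication of the DoH server that you want to forward queries to.
+* This is only used if the Protocol of the <code>TargetAddress</code> is <code>DoH</code>.
+* </p>
+* @public
+*/
+ServerNameIndication?: string;
 }
 
 /**
@@ -5711,6 +5720,10 @@ export interface UpdateFirewallRuleRequest {
 * NUMBER can be 1-65334, for
 * example, TYPE28. For more information, see
 * <a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types">List of DNS record types</a>.</p>
+* <note>
+* <p>If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA,
+* this action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. </p>
+* </note>
 * </li>
 * </ul>
 * @public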
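Review bot: The new `ServerNameIndication?: string` member of `TargetAddress` (hunk at 2408; the interface itself starts outside the hunk) documents when the field applies but not its constraints or what it controls on the wire. The Smithy model in this same commit bounds the value to 0–255 characters and the commit description says it is presented as the TLS SNI, which a caller should know is sent in the ClientHello before encryption is established and therefore names the DoH server to anyone observing the connection. I would extend the doc comment with `* <p>Must be 0–255 characters. The value is sent as the TLS Server Name Indication when a DoH-enabled outbound endpoint connects to the target, and is ignored for Do53 targets.</p>`. Whether an empty string (allowed by the model's `min: 0`) means "send no SNI" is not stated anywhere here and is worth confirming with the service team before documenting it.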

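--- a/codegen/sdk-codegen/aws-models/route53resolver.json
+++ b/codegen/sdk-codegen/aws-models/route53resolver.json
@@ -1057,7 +1057,7 @@
 "DestinationArn": {
 "target": "com.amazonaws.route53resolver#DestinationArn",
 "traits": {
-"smithy.api#documentation": "<p>The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:</p>\n <ul>\n <li>\n <p>\n <b>S3 bucket</b>: </p>\n <p>\n <code>arn:aws:s3:::examplebucket</code>\n </p>\n <p>You can optionally append a file prefix to the end of the ARN.</p>\n <p>\n <code>arn:aws:s3:::examplebucket/development/</code>\n </p>\n </li>\n <li>\n <p>\n <b>CloudWatch Logs log group</b>: </p>\n <p>\n <code>arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*</code>\n </p>\n </li>\n <li>\n <p>\n <b>Kinesis Data Firehose delivery stream</b>:</p>\n <p>\n <code>arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name</code>\n </p>\n </li>\n </ul>",
+"smithy.api#documentation": "<p>The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:</p>\n <ul>\n <li>\n <p>\n <b>S3 bucket</b>: </p>\n <p>\n <code>arn:aws:s3:::amzn-s3-demo-bucket</code>\n </p>\n <p>You can optionally append a file prefix to the end of the ARN.</p>\n <p>\n <code>arn:aws:s3:::amzn-s3-demo-bucket/development/</code>\n </p>\n </li>\n <li>\n <p>\n <b>CloudWatch Logs log group</b>: </p>\n <p>\n <code>arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*</code>\n </p>\n </li>\n <li>\n <p>\n <b>Kinesis Data Firehose delivery stream</b>:</p>\n <p>\n <code>arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name</code>\n </p>\n </li>\n </ul>",
 "smithy.api#required": {}
 }
 },
@@ -7961,6 +7961,15 @@
 "target": "com.amazonaws.route53resolver#ResourceId"
 }
 },
+"com.amazonaws.route53resolver#ServerNameIndication": {
+"type": "string",
+"traits": {
+"smithy.api#length": {
+"min": 0,
+"max": 255
+}
+}
+},
 "com.amazonaws.route53resolver#ServicePrinciple": {
 "type": "string",
 "traits": {
@@ -8206,6 +8215,12 @@
 "traits": {
 "smithy.api#documentation": "<p>\n\t\t\tThe protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.\n\t\t\t\n\t\t</p>\n <p>For an inbound endpoint you can apply the protocols as follows:</p>\n <ul>\n <li>\n <p> Do53 and DoH in combination.</p>\n </li>\n <li>\n <p>Do53 and DoH-FIPS in combination.</p>\n </li>\n <li>\n <p>Do53 alone.</p>\n </li>\n <li>\n <p>DoH alone.</p>\n </li>\n <li>\n <p>DoH-FIPS alone.</p>\n </li>\n <li>\n <p>None, which is treated as Do53.</p>\n </li>\n </ul>\n <p>For an outbound endpoint you can apply the protocols as follows:</p>\n <ul>\n <li>\n <p> Do53 and DoH in combination.</p>\n </li>\n <li>\n <p>Do53 alone.</p>\n </li>\n <li>\n <p>DoH alone.</p>\n </li>\n <li>\n <p>None, which is treated as Do53.</p>\n </li>\n </ul>"
 }
+},
+"ServerNameIndication": {
+"target": "com.amazonaws.route53resolver#ServerNameIndication",
+"traits": {
+"smithy.api#documentation": "<p>\n\t\t\tThe Server Name Indication of the DoH server that you want to forward queries to. \n\t\t\tThis is only used if the Protocol of the <code>TargetAddress</code> is <code>DoH</code>.\n\t\t</p>"
+}
 }
 },
 "traits": {
@@ -8648,7 +8663,7 @@
 "Qtype": {
 "target": "com.amazonaws.route53resolver#Qtype",
 "traits": {
-"smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n <ul>\n <li>\n <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n </li>\n <li>\n <p>AAAA: Returns an Ipv6 address.</p>\n </li>\n <li>\n <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n </li>\n <li>\n <p>CNAME: Returns another domain name.</p>\n </li>\n <li>\n <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n </li>\n <li>\n <p>MX: Specifies mail servers.</p>\n </li>\n <li>\n <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n </li>\n <li>\n <p>NS: Authoritative name servers.</p>\n </li>\n <li>\n <p>PTR: Maps an IP address to a domain name.</p>\n </li>\n <li>\n <p>SOA: Start of authority record for the zone.</p>\n </li>\n <li>\n <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n </li>\n <li>\n <p>SRV: Application specific values that identify servers.</p>\n </li>\n <li>\n <p>TXT: Verifies email senders and application-specific values.</p>\n </li>\n <li>\n <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n </li>\n </ul>"
+"smithy.api#documentation": "<p>\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t</p>\n <ul>\n <li>\n <p>\n\t\t\t\tA: Returns an IPv4 address.</p>\n </li>\n <li>\n <p>AAAA: Returns an Ipv6 address.</p>\n </li>\n <li>\n <p>CAA: Restricts CAs that can create SSL/TLS certifications for the domain.</p>\n </li>\n <li>\n <p>CNAME: Returns another domain name.</p>\n </li>\n <li>\n <p>DS: Record that identifies the DNSSEC signing key of a delegated zone.</p>\n </li>\n <li>\n <p>MX: Specifies mail servers.</p>\n </li>\n <li>\n <p>NAPTR: Regular-expression-based rewriting of domain names.</p>\n </li>\n <li>\n <p>NS: Authoritative name servers.</p>\n </li>\n <li>\n <p>PTR: Maps an IP address to a domain name.</p>\n </li>\n <li>\n <p>SOA: Start of authority record for the zone.</p>\n </li>\n <li>\n <p>SPF: Lists the servers authorized to send emails from a domain.</p>\n </li>\n <li>\n <p>SRV: Application specific values that identify servers.</p>\n </li>\n <li>\n <p>TXT: Verifies email senders and application-specific values.</p>\n </li>\n <li>\n <p>A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\t<a href=\"https://en.wikipedia.org/wiki/List_of_DNS_record_types\">List of DNS record types</a>.</p>\n <note>\n <p>If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, \n\t\t\t\t\tthis action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled. </p>\n </note>\n </li>\n </ul>"
 }
 }
 },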
