AWS Certified Security – Specialty — Question 506

A company has deployed a custom DNS server in AWS. The Security Engineer wants to ensure that Amazon EC2 instances cannot use the Amazon-provided
DNS.
How can the Security Engineer block access to the Amazon-provided DNS in the VPC?

Answer options

Correct answer: D

Explanation

Disabling DNS resolution for the VPC (setting the enableDnsSupport VPC attribute to false) turns off the Amazon-provided DNS (the Route 53 Resolver) for that VPC, so EC2 instances can no longer use it. The resolver answers at the link-local address 169.254.169.253 and at the VPC's primary IPv4 CIDR base plus two (for example 10.0.0.2 in a 10.0.0.0/16 VPC). Security groups and network ACLs do not filter DNS traffic to or from the Route 53 Resolver, so they cannot block it. Route tables cannot help either: the VPC+2 address falls under the VPC's own local route, which cannot be overridden, and the 169.254.0.0/16 link-local range is not routed. Two practical caveats: instances still need to be told to use the custom server, which is done with a DHCP options set whose domain-name-servers value points at the custom DNS instead of AmazonProvidedDNS; and with enableDnsSupport off, the Route 53 Resolver features that depend on it (Route 53 private hosted zones, private DNS for interface VPC endpoints, and the enableDnsHostnames attribute) stop working in that VPC, so the custom server must cover any names the workload needs.
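An added example (not part of the original question page) that shows the two halves of this answer in code: computing the addresses at which the Amazon-provided DNS answers for a given VPC CIDR, auditing describe-vpc-attribute and describe-dhcp-options responses to see whether the resolver is still in use, and the boto3 calls that switch the VPC attribute off and point instances at a custom server. The sample API responses and the custom DNS address 10.0.0.53 are constructed for illustration; the VPC ID in the usage note is a placeholder.

```python
import ipaddress

# Link-local address at which the Route 53 Resolver answers in every VPC.
LINK_LOCAL_RESOLVER = "169.254.169.253"


def resolver_addresses(vpc_cidr: str) -> set:
    """IPv4 addresses of the Amazon-provided DNS inside a VPC: the link-local
    address plus the primary CIDR's base address + 2 (the 'VPC+2' address).
    Neither can be blocked by security groups, NACLs or route tables."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return {LINK_LOCAL_RESOLVER, str(net.network_address + 2)}


def dhcp_domain_name_servers(dhcp_options: dict) -> list:
    """Pull the domain-name-servers values out of a describe_dhcp_options
    entry (shape: DhcpConfigurations -> [{Key, Values: [{Value}]}])."""
    for cfg in dhcp_options.get("DhcpConfigurations", []):
        if cfg.get("Key") == "domain-name-servers":
            return [v["Value"] for v in cfg.get("Values", [])]
    return []


def audit_vpc_dns(dns_support_attr: dict, dhcp_options: dict) -> dict:
    """Combine describe_vpc_attribute(Attribute='enableDnsSupport') output
    with the VPC's DHCP options set into a single finding.

    Only the VPC attribute actually removes the Amazon-provided DNS; the DHCP
    options set merely changes which server instances are configured to ask."""
    enabled = bool(dns_support_attr["EnableDnsSupport"]["Value"])
    servers = dhcp_domain_name_servers(dhcp_options)
    return {
        "enable_dns_support": enabled,
        "domain_name_servers": servers,
        "amazon_dns_reachable": enabled,
        "instances_default_to_amazon_dns": enabled and "AmazonProvidedDNS" in servers,
    }


def disable_amazon_dns(vpc_id: str, custom_dns_ip: str) -> str:
    """Turn off the Amazon-provided DNS for a VPC and hand instances a DHCP
    options set pointing at the custom resolver. Requires AWS credentials and
    boto3; not executed by the offline checks. Returns the new DHCP options ID."""
    import boto3  # imported here so the rest of the module runs offline

    ec2 = boto3.client("ec2")
    # Order matters for a live fleet: publish the new DHCP options first so
    # instances renew their leases onto the custom server before the
    # Amazon-provided DNS disappears.
    dhcp = ec2.create_dhcp_options(
        DhcpConfigurations=[{"Key": "domain-name-servers", "Values": [custom_dns_ip]}]
    )
    dhcp_id = dhcp["DhcpOptions"]["DhcpOptionsId"]
    ec2.associate_dhcp_options(DhcpOptionsId=dhcp_id, VpcId=vpc_id)
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": False})
    return dhcp_id


# Constructed sample responses: a VPC that still has the default configuration.
SAMPLE_DNS_SUPPORT_ON = {"VpcId": "vpc-0abc", "EnableDnsSupport": {"Value": True}}
SAMPLE_DNS_SUPPORT_OFF = {"VpcId": "vpc-0abc", "EnableDnsSupport": {"Value": False}}
SAMPLE_DHCP_DEFAULT = {
    "DhcpOptionsId": "dopt-default",
    "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "AmazonProvidedDNS"}]}
    ],
}
SAMPLE_DHCP_CUSTOM = {
    "DhcpOptionsId": "dopt-custom",
    "DhcpConfigurations": [
        {"Key": "domain-name-servers", "Values": [{"Value": "10.0.0.53"}]}
    ],
}

if __name__ == "__main__":
    print(sorted(resolver_addresses("10.0.0.0/16")))
    print(audit_vpc_dns(SAMPLE_DNS_SUPPORT_ON, SAMPLE_DHCP_DEFAULT))
    print(audit_vpc_dns(SAMPLE_DNS_SUPPORT_OFF, SAMPLE_DHCP_CUSTOM))
```

To apply the change to a real VPC, call `disable_amazon_dns("vpc-0123456789abcdef0", "10.0.0.53")` with credentials that allow ec2:CreateDhcpOptions, ec2:AssociateDhcpOptions and ec2:ModifyVpcAttribute, then re-run the audit against live describe_vpc_attribute and describe_dhcp_options output; `amazon_dns_reachable` should read False and `domain_name_servers` should list only the custom server.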