From 278471b3a1b8889c52d00455aea5cd1ae913fe3a Mon Sep 17 00:00:00 2001
From: awstools
Date: Thu, 10 Oct 2024 18:17:38 +0000
Subject: [PATCH] feat(client-route53resolver): Route 53 Resolver Forwarding
Rules can now include a server name indication (SNI) in the target address
for rules that use the DNS-over-HTTPS (DoH) protocol. When a DoH-enabled
Outbound Resolver Endpoint forwards a request to a DoH server, it will
provide the SNI in the TLS handshake.
---
.../src/commands/CreateResolverRuleCommand.ts | 2 ++
.../src/commands/DeleteResolverRuleCommand.ts | 1 +
.../src/commands/GetResolverRuleCommand.ts | 1 +
.../src/commands/ListResolverRulesCommand.ts | 1 +
.../src/commands/UpdateResolverRuleCommand.ts | 2 ++
.../src/models/models_0.ts | 17 +++++++++++++++--
.../aws-models/route53resolver.json | 19 +++++++++++++++++--
7 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts b/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts
index 6bcb47838d6a..c8b7d097b172 100644
--- a/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/CreateResolverRuleCommand.ts
@@ -47,6 +47,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
* Port: Number("int"),
* Ipv6: "STRING_VALUE",
* Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * ServerNameIndication: "STRING_VALUE",
* },
* ],
* ResolverEndpointId: "STRING_VALUE",
@@ -75,6 +76,7 @@ export interface CreateResolverRuleCommandOutput extends CreateResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
diff --git a/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts b/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts
index 3adee0d443ff..01400e69df10 100644
--- a/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/DeleteResolverRuleCommand.ts
@@ -58,6 +58,7 @@ export interface DeleteResolverRuleCommandOutput extends DeleteResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
diff --git a/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts b/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts
index 26ccd4962873..0e3b0a69c2a9 100644
--- a/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/GetResolverRuleCommand.ts
@@ -57,6 +57,7 @@ export interface GetResolverRuleCommandOutput extends GetResolverRuleResponse, _
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
diff --git a/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts b/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts
index 89c3e6ba2f5e..53ad58b14fda 100644
--- a/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts
+++ b/clients/client-route53resolver/src/commands/ListResolverRulesCommand.ts
@@ -68,6 +68,7 @@ export interface ListResolverRulesCommandOutput extends ListResolverRulesRespons
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
diff --git a/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts b/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts
index 76df294bddd4..55785f651ca3 100644
--- a/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts
+++ b/clients/client-route53resolver/src/commands/UpdateResolverRuleCommand.ts
@@ -46,6 +46,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
* Port: Number("int"),
* Ipv6: "STRING_VALUE",
* Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * ServerNameIndication: "STRING_VALUE",
* },
* ],
* ResolverEndpointId: "STRING_VALUE",
@@ -69,6 +70,7 @@ export interface UpdateResolverRuleCommandOutput extends UpdateResolverRuleRespo
* // Port: Number("int"),
* // Ipv6: "STRING_VALUE",
* // Protocol: "DoH" || "Do53" || "DoH-FIPS",
+ * // ServerNameIndication: "STRING_VALUE",
* // },
* // ],
* // ResolverEndpointId: "STRING_VALUE",
diff --git a/clients/client-route53resolver/src/models/models_0.ts b/clients/client-route53resolver/src/models/models_0.ts
index d44e8eda09f2..3b76906aacc8 100644
--- a/clients/client-route53resolver/src/models/models_0.ts
+++ b/clients/client-route53resolver/src/models/models_0.ts
@@ -2149,11 +2149,11 @@ export interface CreateResolverQueryLogConfigRequest {
*
* S3 bucket:
*
- * arn:aws:s3:::examplebucket
+ * arn:aws:s3:::amzn-s3-demo-bucket
*
* You can optionally append a file prefix to the end of the ARN.
*
- * arn:aws:s3:::examplebucket/development/
+ * arn:aws:s3:::amzn-s3-demo-bucket/development/
*
*
*
@@ -2408,6 +2408,15 @@ export interface TargetAddress {
* @public
*/
Protocol?: Protocol;
+
+ /**
+ *
+ * The Server Name Indication of the DoH server that you want to forward queries to.
+ * This is only used if the Protocol of the TargetAddress
is DoH
.
+ *
+ * @public
+ */
+ ServerNameIndication?: string;
}
/**
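Review bot: The new `ServerNameIndication?: string` member is described as only used when the target's Protocol is DoH, but neither this comment nor the model's documentation trait says what SNI the endpoint sends when the field is omitted on a DoH target, or whether the DoH server's certificate is checked against this name, which is what a reader choosing DoH for confidentiality needs to know. The model in this same patch bounds the value to 0–255 characters, and that limit is missing from the generated comment as well. Since models_0.ts is generated, the wording belongs in the `smithy.api#documentation` trait of the `ServerNameIndication` member in route53resolver.json (the `@@ -8206,6 +8215,12 @@` hunk), for example `Must be 0-255 characters. If omitted for a DoH target, <behaviour to be confirmed with the service>.` The enclosing `TargetAddress` interface starts before this hunk.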
@@ -5711,6 +5720,10 @@ export interface UpdateFirewallRuleRequest {
* NUMBER can be 1-65334, for
* example, TYPE28. For more information, see
* List of DNS record types.
+ *
+ * If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA,
+ * this action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled.
+ *
*
*
* @public
diff --git a/codegen/sdk-codegen/aws-models/route53resolver.json b/codegen/sdk-codegen/aws-models/route53resolver.json
index 0ca166afdf9f..756403c2d6e2 100644
--- a/codegen/sdk-codegen/aws-models/route53resolver.json
+++ b/codegen/sdk-codegen/aws-models/route53resolver.json
@@ -1057,7 +1057,7 @@
"DestinationArn": {
"target": "com.amazonaws.route53resolver#DestinationArn",
"traits": {
- "smithy.api#documentation": "The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:
\n \n - \n
\n S3 bucket:
\n \n arn:aws:s3:::examplebucket
\n
\n You can optionally append a file prefix to the end of the ARN.
\n \n arn:aws:s3:::examplebucket/development/
\n
\n \n - \n
\n CloudWatch Logs log group:
\n \n arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*
\n
\n \n - \n
\n Kinesis Data Firehose delivery stream:
\n \n arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name
\n
\n \n
",
+ "smithy.api#documentation": "The ARN of the resource that you want Resolver to send query logs. You can send query logs to an S3 bucket, a CloudWatch Logs log group, \n\t\t\tor a Kinesis Data Firehose delivery stream. Examples of valid values include the following:
\n \n - \n
\n S3 bucket:
\n \n arn:aws:s3:::amzn-s3-demo-bucket
\n
\n You can optionally append a file prefix to the end of the ARN.
\n \n arn:aws:s3:::amzn-s3-demo-bucket/development/
\n
\n \n - \n
\n CloudWatch Logs log group:
\n \n arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*
\n
\n \n - \n
\n Kinesis Data Firehose delivery stream:
\n \n arn:aws:kinesis:us-east-2:0123456789:stream/my_stream_name
\n
\n \n
",
"smithy.api#required": {}
}
},
@@ -7961,6 +7961,15 @@
"target": "com.amazonaws.route53resolver#ResourceId"
}
},
+ "com.amazonaws.route53resolver#ServerNameIndication": {
+ "type": "string",
+ "traits": {
+ "smithy.api#length": {
+ "min": 0,
+ "max": 255
+ }
+ }
+ },
"com.amazonaws.route53resolver#ServicePrinciple": {
"type": "string",
"traits": {
@@ -8206,6 +8215,12 @@
"traits": {
"smithy.api#documentation": "\n\t\t\tThe protocols for the Resolver endpoints. DoH-FIPS is applicable for inbound endpoints only.\n\t\t\t\n\t\t
\n For an inbound endpoint you can apply the protocols as follows:
\n \n - \n
Do53 and DoH in combination.
\n \n - \n
Do53 and DoH-FIPS in combination.
\n \n - \n
Do53 alone.
\n \n - \n
DoH alone.
\n \n - \n
DoH-FIPS alone.
\n \n - \n
None, which is treated as Do53.
\n \n
\n For an outbound endpoint you can apply the protocols as follows:
\n "
}
+ },
+ "ServerNameIndication": {
+ "target": "com.amazonaws.route53resolver#ServerNameIndication",
+ "traits": {
+ "smithy.api#documentation": "\n\t\t\tThe Server Name Indication of the DoH server that you want to forward queries to. \n\t\t\tThis is only used if the Protocol of the TargetAddress
is DoH
.\n\t\t
"
+ }
}
},
"traits": {
@@ -8648,7 +8663,7 @@
"Qtype": {
"target": "com.amazonaws.route53resolver#Qtype",
"traits": {
- "smithy.api#documentation": "\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t
\n \n - \n
\n\t\t\t\tA: Returns an IPv4 address.
\n \n - \n
AAAA: Returns an Ipv6 address.
\n \n - \n
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
\n \n - \n
CNAME: Returns another domain name.
\n \n - \n
DS: Record that identifies the DNSSEC signing key of a delegated zone.
\n \n - \n
MX: Specifies mail servers.
\n \n - \n
NAPTR: Regular-expression-based rewriting of domain names.
\n \n - \n
NS: Authoritative name servers.
\n \n - \n
PTR: Maps an IP address to a domain name.
\n \n - \n
SOA: Start of authority record for the zone.
\n \n - \n
SPF: Lists the servers authorized to send emails from a domain.
\n \n - \n
SRV: Application specific values that identify servers.
\n \n - \n
TXT: Verifies email senders and application-specific values.
\n \n - \n
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\tList of DNS record types.
\n \n
"
+ "smithy.api#documentation": "\n\t\t\tThe DNS query type you want the rule to evaluate. Allowed values are;\n\t\t
\n \n - \n
\n\t\t\t\tA: Returns an IPv4 address.
\n \n - \n
AAAA: Returns an Ipv6 address.
\n \n - \n
CAA: Restricts CAs that can create SSL/TLS certifications for the domain.
\n \n - \n
CNAME: Returns another domain name.
\n \n - \n
DS: Record that identifies the DNSSEC signing key of a delegated zone.
\n \n - \n
MX: Specifies mail servers.
\n \n - \n
NAPTR: Regular-expression-based rewriting of domain names.
\n \n - \n
NS: Authoritative name servers.
\n \n - \n
PTR: Maps an IP address to a domain name.
\n \n - \n
SOA: Start of authority record for the zone.
\n \n - \n
SPF: Lists the servers authorized to send emails from a domain.
\n \n - \n
SRV: Application specific values that identify servers.
\n \n - \n
TXT: Verifies email senders and application-specific values.
\n \n - \n
A query type you define by using the DNS type ID, for example 28 for AAAA. The values must be\n\t\t\t\tdefined as TYPENUMBER, where the\n\t\t\t\tNUMBER can be 1-65334, for\n\t\t\t\texample, TYPE28. For more information, see \n\t\t\t\tList of DNS record types.
\n \n If you set up a firewall BLOCK rule with action NXDOMAIN on query type equals AAAA, \n\t\t\t\t\tthis action will not be applied to synthetic IPv6 addresses generated when DNS64 is enabled.
\n \n \n
"
}
}
},