Advanced Configuration on AWS

The configuration keys listed below must be set from the AWS Console at Systems Manager -> Parameter Store, or through a RESTful API call to the AmazonSSM.PutParameter endpoint. The parameter name must be specified as /<deployment name>/<configuration key name> . For example, for a deployment named jenkins and the configuration key disable-dns-check , the parameter name will be /jenkins/disable-dns-check .

Configuration Key Default Value Usage Notes
disable-dns-check no

When set to no , destination IP Addresses in TLS connections from clients are checked against a list independently generated by the firewall for the hostname in question to detect spoofing attempts.

When set to yes , IP Address to hostname corroboration is not attempted.

You may encounter some CDN hostnames that change the IP Address presented in a DNS lookup quite aggressively and over a very wide range of addresses. In such cases, setting this configuration key to a truthy value will disable this specific check for all hostnames in the whitelist. A telltale sign of this occurring with a hostname is the log line "DNS lookup IPs did not match" in the firewall's flow log.