Thanks Jon. At which point, the basic DNS filtering solution you’ve described can be built using just AWS Route 53 DNS Firewall and the allow / deny listing it supports. No need to use AWS Network Firewall to do the same.
We’re grappling with how to implement a strict egress control solution that only allows outbound connections ‘if’ it has been resolved by the approved DNS resolution provider.
Looking at Adamnet.works as an option, but wondering how to cobble the logic using a combination of AWS Network Firewall and AWS Route 53 DNS Firewall :)