Posted On: Jul 14, 2021

Today, we are announcing the availability of Amazon Route 53 Resolver Query Logging, which lets you log the DNS queries that originate in your Amazon Virtual Private Clouds (VPCs). With query logging enabled, you can see which domain names have been queried, the Amazon Web Services resources from which the queries originated—including source IP and instance ID—and the responses that were received.

Amazon Route 53 Resolver is the Amazon DNS server (also sometimes referred to as “AmazonProvidedDNS” or the “.2 resolver”) that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from Amazon Web Services resources within a VPC for public DNS records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones. Customers concerned about security, or those under compliance mandates, may need the ability to monitor, debug, search, and archive a record of the DNS lookups originating from inside their Amazon VPCs. With today’s release, Route 53 Resolver now supports logging of the queries and responses for DNS queries originating from within customer VPCs, whether those queries are answered locally by Route 53 Resolver, resolved over the public internet, or forwarded to on-premises DNS servers via Resolver Endpoints. DNS queries forwarded by on-premises DNS servers to VPCs via inbound endpoints are also logged. Even the DNS queries made by your Amazon Lambda functions, Amazon EKS clusters, and Amazon WorkSpaces instances can be logged. With today’s release, you no longer need to manage your own infrastructure in order to log the DNS activity within your VPC.

You can enable and configure query logging for specific VPCs by using the Route 53 Resolver API or the Route 53 Resolver Console. If you need to log queries across multiple accounts, you can share your query logging configurations by using Amazon Resource Access Manager (RAM). You can choose to send your query logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose.
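As an added illustration of what these logs enable once they are delivered to CloudWatch Logs or S3 (example code written for this page, not code provided by AWS), the script below parses a few constructed query-log records and summarizes them per querying resource, flagging sources whose lookups are mostly NXDOMAIN or use high-entropy leftmost labels, two patterns worth a closer look during DNS-log review. The field names used (query_name, rcode, srcaddr, srcids.instance, answers) are assumed to follow the Route 53 Resolver query-log JSON format; the record values, instance IDs, and thresholds are constructed for the example, so check them against the documented format and tune the thresholds to your own traffic.

```python
"""Triage Route 53 Resolver query-log records (added example, not AWS code).

Field names are assumed to match the documented query-log JSON format;
all record values below are constructed for illustration.
"""
import json
import math
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, as delivered to CloudWatch Logs / S3.
# Instance 001 does ordinary lookups, instance 002 produces a burst of NXDOMAIN
# answers for random-looking names, and the last record arrived through an
# inbound Resolver endpoint from an on-premises resolver (no instance ID).
SAMPLE_LOG = """
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:00Z","query_name":"example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"93.184.216.34","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.10","srcport":"45678","transport":"UDP","srcids":{"instance":"i-0abc0000000000001"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:01Z","query_name":"ip-10-0-1-20.ec2.internal.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.0.1.20","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.10","srcport":"45679","transport":"UDP","srcids":{"instance":"i-0abc0000000000001"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:02Z","query_name":"db.internal.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.0.3.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.10","srcport":"45680","transport":"UDP","srcids":{"instance":"i-0abc0000000000001"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:03Z","query_name":"xk7q2pz9v4.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcport":"50001","transport":"UDP","srcids":{"instance":"i-0abc0000000000002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:03Z","query_name":"b3n8wq1ltz.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcport":"50002","transport":"UDP","srcids":{"instance":"i-0abc0000000000002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:04Z","query_name":"r9m2hx5ckd.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcport":"50003","transport":"UDP","srcids":{"instance":"i-0abc0000000000002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:04Z","query_name":"zp4t7yq0aw.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcport":"50004","transport":"UDP","srcids":{"instance":"i-0abc0000000000002"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0123456789abcdef0","query_timestamp":"2021-07-14T12:00:05Z","query_name":"app.internal.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.0.3.6","Type":"A","Class":"IN"}],"srcaddr":"192.168.10.5","srcport":"53","transport":"UDP","srcids":{"resolver_endpoint":"rslvr-in-0123456789abcdef0"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON query-log records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def first_label(query_name):
    """Leftmost DNS label of a query name, without the trailing root dot."""
    return query_name.rstrip(".").split(".")[0].lower()


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def source_key(record):
    """Identify the querying resource: the instance ID when present, otherwise
    the source IP (queries arriving via an inbound endpoint carry a
    resolver_endpoint ID rather than an instance ID)."""
    srcids = record.get("srcids") or {}
    return srcids.get("instance") or record.get("srcaddr", "unknown")


def summarize_by_source(records, entropy_threshold=3.0):
    """Per-source counts of queries, NXDOMAIN responses and high-entropy labels."""
    summary = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "high_entropy": 0, "names": []})
    for rec in records:
        s = summary[source_key(rec)]
        name = rec.get("query_name", "")
        s["queries"] += 1
        s["names"].append(name)
        if rec.get("rcode") == "NXDOMAIN":
            s["nxdomain"] += 1
        if label_entropy(first_label(name)) >= entropy_threshold:
            s["high_entropy"] += 1
    return dict(summary)


def flag_sources(summary, min_queries=3, ratio=0.5):
    """Return {source: [reasons]} for sources whose NXDOMAIN or high-entropy
    share reaches `ratio`; sources with fewer than `min_queries` are ignored
    so a single typo does not raise an alert."""
    flagged = {}
    for key, s in summary.items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        if s["nxdomain"] / s["queries"] >= ratio:
            reasons.append("nxdomain-burst")
        if s["high_entropy"] / s["queries"] >= ratio:
            reasons.append("high-entropy-labels")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_by_source(parse_records(SAMPLE_LOG))
    for source, reasons in flag_sources(summary).items():
        print(source, reasons, sorted(set(summary[source]["names"])))
```

On the constructed input only the second instance is flagged, with both reasons; the on-premises source seen through the inbound endpoint is keyed by its IP address and stays below the minimum query count. In practice you would run the same summarization over a time window (for example per five-minute bucket) and pair the instance ID with the answers field to see what a flagged resource actually resolved.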

There is no additional charge to use query logging, although you may incur usage charges from Amazon S3, Amazon CloudWatch, or Amazon Kinesis Data Firehose. To learn more about query logging or to get started, visit the Route 53 product page or the Route 53 documentation. To learn more about pricing for the different storage options, visit the Amazon S3 pricing page and the Amazon CloudWatch pricing page. For Kinesis Data Firehose, see the Amazon Kinesis Data Firehose pricing page.