How do I view traffic passing through an Amazon Route 53 resolver outbound endpoint?

Last updated: 2021-12-08

I want to view traffic passing through an Amazon Route 53 resolver outbound endpoint. How can I do this?

Short description

To view traffic passing through Route 53 resolver endpoints, configure Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring.

Resolution

Configure network connectivity

  1. Confirm that the target EC2 instance's security group and network access control list (network ACL) allow incoming traffic on UDP port 4789 from the outbound endpoint's elastic network interface.
  2. Confirm that the target EC2 instance has connectivity to the subnet of the outbound endpoint's network interface.
  3. Confirm that the subnet of the outbound endpoint's network interface allows outgoing traffic to the EC2 instance on UDP port 4789. The subnet configuration includes the network ACL, security groups, and route tables.

Set up Amazon VPC Traffic Mirroring

1.    Create a traffic mirror target using the network interface of the EC2 instance you're using as the target.

2.    Create a mirror filter to identify the DNS traffic from the outbound endpoint network interface to the EC2 mirror target.

Example mirror filter for Route 53

Note: The example values in this table represent the following:

  • VPC A is associated with a Route 53 resolver rule that forwards DNS queries for the *.test.com domain to the on-premises network
  • The on-premises network hosts the *.test.com domain
Value                    Inbound rule        Outbound rule
Rule number              Rule priority       Rule priority
Rule action              Accept              Accept
Protocol                 UDP and TCP         UDP and TCP
Source port range        53                  1024-65535
Destination port range   1024-65535          53
Source CIDR block        On-premises CIDR    VPC A CIDR
Destination CIDR block   VPC A CIDR          On-premises CIDR

3.    Create a mirror session for each outbound endpoint network interface, with the mirror EC2 instance as the target. Use the following values:

        Mirror source: outbound endpoint network interface
        Mirror target: the traffic mirror target that you created previously
        Session number: 1
        Filter: the mirror filter that you created previously

View mirrored traffic

For Linux operating systems

1.    View the captured traffic logs by running the following command:

sudo tcpdump -w <filename>.pcap -i <eth> port 4789

For filename, use the name of the file where you want to store the captured traffic. For eth, use the network interface on your EC2 instance that receives the mirrored traffic.

2.    Transfer the file from the EC2 instance to your local computer by running the following command:

scp -i <keypair>.pem ec2-user@<ec2 instance's public/private DNS name or IP address>:<file path>/<filename>.pcap ~/Desktop/

For keypair, use the key pair that you used to log in to the instance. For filename, use the name of the capture file that you created in step 1.

3.    Open the capture file to view the DNS packets.

For Windows operating systems

1.    Open the Wireshark tool.

2.    Filter traffic using the IP address of the outbound resolver endpoint.

3.    Open the capture file to view the DNS packets.
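The frames that the tcpdump capture collects on UDP port 4789 are VXLAN-encapsulated copies of the endpoint's DNS packets. The following example is added here and is not part of this article: it takes the UDP payload of one port-4789 packet (the VXLAN header plus the mirrored Ethernet frame), strips the encapsulation, summarises the inner IPv4/UDP/DNS packet, and checks whether the queried name falls under the *.test.com forwarding rule. The VNI, IP addresses and MAC addresses in the sample frame are constructed values.

```python
import struct
import ipaddress

def parse_qname(dns, offset=12):
    # Decode the first question name; question-section names are not label-compressed.
    labels = []
    while dns[offset]:
        n = dns[offset]
        labels.append(dns[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)

def parse_mirrored_dns(vxlan_payload):
    # Strip the 8-byte VXLAN header (flags, reserved, 24-bit VNI, reserved),
    # then walk the inner Ethernet/IPv4/UDP headers down to the DNS message.
    flags, vni_raw = struct.unpack("!B3xI", vxlan_payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN header without the valid-VNI flag")
    frame = vxlan_payload[8:]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("only IPv4 inner frames are handled here")
    ip = frame[14:]
    if ip[9] != 17:
        raise ValueError("only UDP inner packets are handled here")
    udp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if 53 not in (sport, dport):
        raise ValueError("inner packet is not DNS on port 53")
    dns = udp[8:]
    _txid, dns_flags, qdcount = struct.unpack("!HHH", dns[:6])
    return {"vni": vni_raw >> 8, "sport": sport, "dport": dport,
            "src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "is_response": bool(dns_flags & 0x8000),
            "qname": parse_qname(dns) if qdcount else ""}

def matches_forwarding_rule(qname, rule_domain="test.com"):
    # True when the name falls under the resolver rule domain (*.test.com in this article).
    q = qname.lower().rstrip(".")
    return q == rule_domain or q.endswith("." + rule_domain)

def build_sample_query():
    # Constructed sample: VXLAN frame (VNI 12345, constructed) carrying an A query for
    # host.test.com from VPC A (10.0.1.10) to an on-premises resolver (192.168.50.5).
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    dns += b"\x04host\x04test\x03com\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 1, 10]), bytes([192, 168, 50, 5])) + udp
    eth = bytes.fromhex("020000000002" "020000000001" "0800") + ip  # constructed MACs
    return struct.pack("!B3xI", 0x08, 12345 << 8) + eth
```

To apply this to a real capture, feed it the UDP payload of each port-4789 packet from the pcap; only IPv4/UDP inner packets are decoded, so TCP-carried DNS from the mirror filter's TCP rule needs a separate reassembly step.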
