Amazon Route 53 Resolver Now Supports VPC DNS Query Logging

Posted on: Aug 27, 2020

Today, we are announcing the availability of Route 53 Resolver Query Logging, which lets you log the DNS queries that originate in your Amazon Virtual Private Clouds (VPCs). With query logging enabled, you can see which domain names have been queried, the AWS resources from which the queries originated—including source IP and instance ID—and the responses that were received.

Route 53 Resolver is the Amazon DNS server (also sometimes referred to as “AmazonProvidedDNS” or the “.2 resolver”) that is available by default in all Amazon VPCs. Route 53 Resolver responds to DNS queries from AWS resources within a VPC for public DNS records, Amazon VPC-specific DNS names, and Amazon Route 53 private hosted zones. Customers concerned about security, or those under compliance mandates, may need the ability to monitor, debug, search, and archive a record of the DNS lookups originating from inside of their Amazon VPCs. With today’s release, Route 53 Resolver logs the DNS queries originating from within customer VPCs, together with their responses, whether those queries are answered locally by Route 53 Resolver, resolved over the public internet, or forwarded to on-premises DNS servers via Resolver Endpoints. DNS queries forwarded by on-premises DNS servers to VPCs via inbound endpoints are also logged, as are the DNS queries made by your AWS Lambda functions, Amazon EKS clusters, and Amazon WorkSpaces instances. You no longer need to manage your own infrastructure in order to log the DNS activity within your VPC.

You can enable and configure query logging for specific VPCs by using the Route 53 Resolver API or the Route 53 Resolver Console. If you need to log queries across multiple accounts, you can share your query logging configurations by using AWS Resource Access Manager (RAM). You can choose to send your query logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose. If you send logs to CloudWatch, you can have CloudWatch process them automatically to distill the raw records into more actionable information. For example, with CloudWatch Contributor Insights you can create rules that analyze high-cardinality log data to surface the instances making the most DNS queries over time (“top talkers”) or the most frequently queried domain names.
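The same “top talkers” and “most queried names” views, plus two security-oriented checks, can be computed directly over the delivered log records. The script below is an added example for this post, not code from AWS or from the Route 53 service. It assumes the logs arrive as one JSON object per line with the fields query_name, rcode, srcaddr and srcids.instance (the field names are an assumption here; confirm them against the Route 53 Resolver query-log documentation for your log version), and the records it parses are constructed sample lines, not captured traffic.

```python
"""Triage Route 53 Resolver query logs: top talkers, top domains,
NXDOMAIN bursts and DNS-tunnelling patterns.

Added example, not AWS code. Field names (query_name, rcode, srcaddr,
srcids.instance) are assumed to match the Route 53 Resolver JSON log
layout; verify against the documentation for your log version.
"""
import json
from collections import Counter, defaultdict

# Constructed sample records (not real traffic), one JSON object per line as
# delivered to CloudWatch Logs, S3 or Kinesis Data Firehose. Includes a blank
# line and a non-JSON line to show that malformed input is skipped.
SAMPLE_LOG = "\n".join([
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"example.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"93.184.216.34","Type":"A"}],"srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaa"}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"s3.amazonaws.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"52.216.0.1","Type":"A"}],"srcaddr":"10.0.1.10","srcids":{"instance":"i-0aaa"}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"example.com.","query_type":"A","rcode":"NOERROR","answers":[{"Rdata":"93.184.216.34","Type":"A"}],"srcaddr":"10.0.2.20","srcids":{"instance":"i-0bbb"}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"qx7z.bad.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcids":{"instance":"i-0bbb"}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"m3kk.bad.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcids":{"instance":"i-0bbb"}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"p0ff.bad.example.","query_type":"A","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.20","srcids":{"instance":"i-0bbb"}}',
    '',
    'this line is not JSON and is skipped',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"4d5e6f.exfil.example.","query_type":"TXT","rcode":"NOERROR","answers":[{"Rdata":"\\"ok\\"","Type":"TXT"}],"srcaddr":"10.0.3.30","srcids":{}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"7a8b9c.exfil.example.","query_type":"TXT","rcode":"NOERROR","answers":[{"Rdata":"\\"ok\\"","Type":"TXT"}],"srcaddr":"10.0.3.30","srcids":{}}',
    '{"vpc_id":"vpc-0a1b2c3d","query_name":"a1b2c3.exfil.example.","query_type":"TXT","rcode":"NOERROR","answers":[{"Rdata":"\\"ok\\"","Type":"TXT"}],"srcaddr":"10.0.3.30","srcids":{}}',
])


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines so a
    truncated delivery chunk does not abort the whole run."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "query_name" in rec:
            records.append(rec)
    return records


def source_id(rec):
    """Key by instance ID when present; fall back to the source IP for
    sources without one (e.g. Lambda functions, EKS pods)."""
    return rec.get("srcids", {}).get("instance") or rec.get("srcaddr", "unknown")


def normalize_name(name):
    return name.rstrip(".").lower()


def base_domain(name):
    """Crude registrable-domain guess (last two labels). Use a public-suffix
    list in production so co.uk-style names are grouped correctly."""
    labels = normalize_name(name).split(".")
    return ".".join(labels[-2:])


def top_talkers(records, n=5):
    return Counter(source_id(r) for r in records).most_common(n)


def top_domains(records, n=5):
    return Counter(normalize_name(r["query_name"]) for r in records).most_common(n)


def nxdomain_suspects(records, threshold=3):
    """Sources with at least `threshold` NXDOMAIN answers: typical of a
    domain-generation algorithm, but also of a broken search path."""
    counts = Counter(source_id(r) for r in records if r.get("rcode") == "NXDOMAIN")
    return {src: c for src, c in counts.items() if c >= threshold}


def tunnel_suspects(records, min_unique=3):
    """(source, base domain) pairs that queried many distinct names under one
    base: the shape of DNS tunnelling or exfiltration. CDN and telemetry
    domains look the same, so pair this with an allow-list in practice."""
    names = defaultdict(set)
    for r in records:
        qname = normalize_name(r["query_name"])
        names[(source_id(r), base_domain(qname))].add(qname)
    return {key: len(v) for key, v in names.items() if len(v) >= min_unique}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs))
    print("top domains:", top_domains(recs))
    print("NXDOMAIN bursts:", nxdomain_suspects(recs))
    print("tunnel-shaped:", tunnel_suspects(recs))
```

The source key deliberately falls back to the source IP because not every logged query carries an instance ID; an analysis keyed on instance ID alone would silently drop Lambda and container traffic. The NXDOMAIN and unique-subdomain heuristics are starting points for a detection rule, not verdicts: both need an allow-list of known-noisy domains before they are worth alerting on.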

Route 53 Resolver Query Logging is now available in all commercial AWS regions. There is no additional charge to use query logging, although you may incur usage charges from Amazon S3, Amazon CloudWatch, or Amazon Kinesis Data Firehose. To learn more about query logging or to get started, visit the Route 53 product page or the Route 53 documentation. To learn more about pricing for the different storage options, visit the Amazon CloudWatch Pricing page.