How do I log a query for Amazon Route 53?


I want to know what logging options are supported in Amazon Route 53 and how I can log different DNS queries.

Short description

If Route 53 is the DNS service for your domain (that is, the domain's public hosted zone is in Route 53), then you can log the public DNS queries that Route 53 receives for that hosted zone.

By default, Amazon Virtual Private Cloud (Amazon VPC) uses Route 53 Resolver to resolve DNS queries that originate from your VPC resources. To log those queries, turn on Resolver query logging and associate the logging configuration with each VPC whose queries you want to capture.

Resolution

Public DNS query logging

You must turn on public query logging separately for each public hosted zone. Route 53 publishes the logs to Amazon CloudWatch Logs; CloudWatch Logs is the only supported destination for public query logs, and the log group must be in the US East (N. Virginia) Region. Route 53 sees only the queries that recursive resolvers forward to its name servers, so a query that a resolver answers from its own cache does not appear in the log. Public query logging records the following information for each query:

  • Log format version
  • Query timestamp
  • Hosted Zone ID
  • Query name
  • Query type
  • DNS response code
  • Layer 4 protocol
  • Route 53 edge location
  • Resolver IP address
  • EDNS client subnet
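Public query logs are written one query per line with the fields above separated by spaces, and a `-` where a field such as the EDNS client subnet is absent. The following Python is an added example, not part of this article, that parses lines in that layout and then runs a simple detection over them: it looks for a recursive resolver that produces a burst of NXDOMAIN answers for your zone, which is what subdomain enumeration or a domain-generation algorithm probing your zone looks like from the Route 53 side. The log lines, hosted zone ID, names and addresses are constructed placeholders, and the threshold and window are assumptions you would tune for your own traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines following the documented public query log layout:
# version, timestamp, hosted zone ID, query name, query type, response code,
# Layer 4 protocol, edge location, resolver IP, EDNS client subnet.
# The zone ID, names and addresses are placeholders, not real resources.
SAMPLE_PUBLIC_LOG = """\
1.0 2024-05-01T10:00:01.120Z Z0EXAMPLEZONE www.example.com A NOERROR UDP IAD12 198.51.100.5 192.0.2.0/24
1.0 2024-05-01T10:00:02.031Z Z0EXAMPLEZONE mail.example.com MX NOERROR TCP FRA6 198.51.100.6 -
1.0 2024-05-01T10:00:03.410Z Z0EXAMPLEZONE a1b2c3.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-05-01T10:00:03.512Z Z0EXAMPLEZONE x9y8z7.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-05-01T10:00:03.620Z Z0EXAMPLEZONE q2w3e4.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-05-01T10:00:03.733Z Z0EXAMPLEZONE r5t6y7.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-05-01T10:00:03.841Z Z0EXAMPLEZONE u8i9o0.example.com A NXDOMAIN UDP IAD12 203.0.113.7 -
1.0 2024-05-01T10:00:05.002Z Z0EXAMPLEZONE www.example.com AAAA NOERROR UDP FRA6 198.51.100.6 198.51.100.0/24
"""

FIELDS = ("version", "timestamp", "hosted_zone_id", "query_name", "query_type",
          "rcode", "protocol", "edge_location", "resolver_ip", "edns_client_subnet")


def parse_public_query_log(line):
    """Split one public query log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    # Timestamps are ISO 8601 with a trailing Z; make them timezone-aware datetimes.
    rec["timestamp"] = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    # DNS names are case-insensitive; normalise so grouping by name works.
    rec["query_name"] = rec["query_name"].rstrip(".").lower()
    # A lone "-" means the resolver sent no EDNS client subnet.
    if rec["edns_client_subnet"] == "-":
        rec["edns_client_subnet"] = None
    return rec


def parse_public_query_logs(text):
    """Parse a whole log export, skipping blank lines."""
    return [parse_public_query_log(line) for line in text.splitlines() if line.strip()]


def nxdomain_bursts(records, threshold=5, window_seconds=60):
    """Return {resolver_ip: count} for resolvers whose NXDOMAIN answers reach
    `threshold` or more within any sliding window of `window_seconds`."""
    by_resolver = defaultdict(list)
    for rec in records:
        if rec["rcode"] == "NXDOMAIN":
            by_resolver[rec["resolver_ip"]].append(rec["timestamp"])
    hits = {}
    for ip, times in by_resolver.items():
        times.sort()
        start = 0
        best = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    recs = parse_public_query_logs(SAMPLE_PUBLIC_LOG)
    for ip, count in nxdomain_bursts(recs).items():
        print(f"resolver {ip}: {count} NXDOMAIN answers within 60s")
```

Keep in mind that the resolver IP in a public query log is the recursive resolver (often a large public or ISP resolver), not the end client; the EDNS client subnet, when present, is the only hint about where the query originated.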

Turn on public DNS query logging

Turn on public DNS query logging from the AWS account that owns the hosted zone. Route 53 needs permission to write to the log group, so CloudWatch Logs must have a resource policy that allows the route53.amazonaws.com service principal to create log streams and put log events; the console creates this policy for you, but with the API or AWS CLI you create it yourself. For more information, see Configuring logging for DNS queries.

Resolver query logging

Route 53 Resolver query logging records the DNS queries that Resolver handles for the VPCs you associate with a logging configuration. A resource that sends queries directly to an external DNS server, bypassing Resolver, is not logged. These query logs are useful for troubleshooting and investigating the following:

  • DNS queries that originate from resources in your VPCs
  • DNS queries that inbound and outbound Resolver endpoints handle
  • Route 53 Resolver DNS Firewall actions (allow, block, alert) taken on those queries

You can use CloudWatch Logs, an Amazon Simple Storage Service (Amazon S3) bucket, or Amazon Kinesis Data Firehose as your log destination.

Resolver query logs collect the following details for all DNS queries:

  • Query log version
  • Account ID
  • Region
  • VPC ID
  • Query timestamp
  • Query name
  • Query type
  • Query class
  • Response code
  • Answer type
  • RDATA
  • Answer class
  • Source address
  • Transport layer protocol
  • Source IDs
  • Instance ID
  • Resolver endpoint
  • Firewall rule group ID
  • Firewall rule action
  • Firewall domain list ID
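Resolver query logs are delivered as one JSON object per query, with the fields above as keys (for example `query_name`, `rcode`, `srcaddr`, `srcids` with an `instance` or `resolver_endpoint` member, and the three `firewall_*` fields only when DNS Firewall acted on the query). The following Python is an added example, not part of this article, that parses such records and pulls out the two things a responder usually wants first: which source triggered a DNS Firewall block or alert, and which source is sending long, high-entropy labels of the kind DNS tunnelling and exfiltration tools produce. The records, account and resource IDs, names and addresses are constructed placeholders, and the label length and entropy thresholds are assumptions to tune for your environment.

```python
import json
import math
from collections import Counter

# Constructed Resolver query log records in the documented JSON-per-line shape.
# Account, VPC, instance, rule group and domain list IDs are placeholders.
SAMPLE_RESOLVER_LOG = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:01Z","query_name":"www.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.9","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"51234","transport":"UDP","srcids":{"instance":"i-0aaaaexample"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:02Z","query_name":"malware-c2.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.1.25","srcport":"51235","transport":"UDP","srcids":{"instance":"i-0aaaaexample"},"firewall_rule_group_id":"rslvr-frg-example","firewall_rule_action":"BLOCK","firewall_domain_list_id":"rslvr-fdl-example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:03Z","query_name":"aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.exfil.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ok","Type":"TXT","Class":"IN"}],"srcaddr":"10.0.2.40","srcport":"40001","transport":"UDP","srcids":{"instance":"i-0bbbbexample"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:04Z","query_name":"dGhpcyBpcyBtb3JlIGRhdGE.exfil.example.org.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"ok","Type":"TXT","Class":"IN"}],"srcaddr":"10.0.2.40","srcport":"40002","transport":"UDP","srcids":{"instance":"i-0bbbbexample"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:05Z","query_name":"internal.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.0.3.50","Type":"A","Class":"IN"}],"srcaddr":"192.168.5.9","srcport":"53022","transport":"UDP","srcids":{"resolver_endpoint":"rslvr-in-example"}}
"""


def parse_resolver_query_logs(text):
    """Parse one JSON record per line; strip the trailing dot from query names.
    Case is kept because the entropy check below depends on it."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["query_name"] = rec["query_name"].rstrip(".")
        records.append(rec)
    return records


def source_of(rec):
    """Best identifier for the querying source: the EC2 instance if known,
    otherwise the Resolver endpoint that received it, otherwise the source IP."""
    ids = rec.get("srcids", {})
    return ids.get("instance") or ids.get("resolver_endpoint") or rec["srcaddr"]


def firewall_actions(records, actions=("BLOCK", "ALERT")):
    """Queries on which DNS Firewall took one of `actions`, as (source, action, name).
    The firewall_* keys are present only when a rule matched."""
    return [(source_of(r), r["firewall_rule_action"], r["query_name"])
            for r in records if r.get("firewall_rule_action") in actions]


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_labels(records, min_len=20, min_entropy=3.5):
    """Flag names containing a label that is both long and high-entropy,
    a cheap heuristic for encoded data carried in DNS. Returns (source, name)."""
    hits = []
    for r in records:
        for label in r["query_name"].split("."):
            if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
                hits.append((source_of(r), r["query_name"]))
                break
    return hits


if __name__ == "__main__":
    recs = parse_resolver_query_logs(SAMPLE_RESOLVER_LOG)
    for src, action, name in firewall_actions(recs):
        print(f"{src}: DNS Firewall {action} on {name}")
    for src, name in suspicious_labels(recs):
        print(f"{src}: high-entropy label in {name}")
```

The entropy heuristic is deliberately crude: CDN hostnames and some content-hash based names will trip it, so in practice you would allowlist known zones and alert on per-source volume rather than on single queries. The `srcids` lookup matters because for queries that arrive through an inbound endpoint there is no instance ID, only the endpoint and the on-premises source address.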

Turn on Resolver query logging

For information on turning on Resolver query logging, see Managing Resolver query logging configurations.

Related information

Monitoring Amazon Route 53

AWS OFFICIAL
Updated a year ago