How do I view traffic passing through an Amazon Route 53 resolver outbound endpoint?


I want to view traffic passing through an Amazon Route 53 Resolver outbound endpoint. How can I do this?

Short description

To view traffic passing through Route 53 Resolver endpoints, configure Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring. Traffic Mirroring copies packets from the endpoint's network interface to a target EC2 instance, encapsulated in VXLAN on UDP port 4789, which is why the steps below open that port and capture on it.

Resolution

Configure network connectivity

  1. Confirm that the target EC2 instance's security group and network access control list (network ACL) allow incoming traffic on UDP port 4789 from the outbound endpoint's elastic network interface.
  2. Confirm that the target EC2 instance has connectivity to the subnet of the outbound endpoint's network interface.
  3. Confirm that the subnet of the outbound endpoint's network interface allows outgoing traffic to the EC2 instance on UDP port 4789. The subnet configuration includes network ACLs, security groups, and route tables.

Set up Amazon VPC Traffic Mirroring

1.    Create a traffic mirror target using the network interface of the EC2 instance that you're using as the target.

2.    Create a mirror filter that identifies the DNS traffic between the outbound endpoint's network interface and the on-premises DNS servers, so that only this traffic is mirrored to the EC2 target.

Example mirror filter for Route 53

Note: The example values in this table assume the following:

  • VPC A is associated with a Route 53 Resolver rule that forwards DNS queries for the *.test.com domain to the on-premises network.
  • The on-premises network hosts the domain *.test.com.

Value                    Inbound rule        Outbound rule
Rule number              Rule priority       Rule priority
Rule action              Accept              Accept
Protocol                 UDP and TCP         UDP and TCP
Source port range        53                  1024-65535
Destination port range   1024-65535          53
Source CIDR block        On-premises CIDR    VPC A CIDR
Destination CIDR block   VPC A CIDR          On-premises CIDR

The outbound rule matches queries leaving the endpoint's network interface for the on-premises DNS servers; the inbound rule matches the responses coming back. Because the protocol column lists both UDP and TCP, each direction needs one rule per protocol.

3.    Create a mirror session for each outbound endpoint network interface to the mirror EC2 instance. Use the following values:

      Mirror source: outbound endpoint network interface
      Mirror target: traffic mirror target that you created previously
      Session number: 1
      Filter: mirror filter that you created previously
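The table and the three steps above, translated into the corresponding API calls, as an added example (not from the AWS article): it uses the boto3 EC2 client method names and request shapes for Traffic Mirroring. The network interface IDs, CIDR blocks, descriptions and rule numbers are placeholders I chose, and `DryRunClient` is a stand-in that records the calls instead of making them, so the script runs offline until you pass `--apply`.

```python
"""Translate the Route 53 mirror filter table into VPC Traffic Mirroring API calls."""
from typing import Any, Dict, List

UDP, TCP = 17, 6          # IP protocol numbers expected by the Protocol parameter
EPHEMERAL = {"FromPort": 1024, "ToPort": 65535}
DNS = {"FromPort": 53, "ToPort": 53}


def build_filter_rules(vpc_cidr: str, onprem_cidr: str) -> List[Dict[str, Any]]:
    """Expand the table into four rules: inbound and outbound, each for UDP and TCP.

    Direction is relative to the mirror source, the outbound endpoint network interface:
    'egress' is the query leaving the VPC toward the on-premises resolver, 'ingress' the
    response coming back. Rule numbers (the table's 'rule priority') are my own choice
    and only need to be unique within a direction.
    """
    rules = []
    for proto, base in ((UDP, 100), (TCP, 200)):
        rules.append({  # Outbound rule column
            "TrafficDirection": "egress", "RuleNumber": base, "RuleAction": "accept",
            "Protocol": proto, "SourcePortRange": EPHEMERAL, "DestinationPortRange": DNS,
            "SourceCidrBlock": vpc_cidr, "DestinationCidrBlock": onprem_cidr,
        })
        rules.append({  # Inbound rule column
            "TrafficDirection": "ingress", "RuleNumber": base, "RuleAction": "accept",
            "Protocol": proto, "SourcePortRange": DNS, "DestinationPortRange": EPHEMERAL,
            "SourceCidrBlock": onprem_cidr, "DestinationCidrBlock": vpc_cidr,
        })
    return rules


def configure_mirroring(ec2, target_eni: str, source_enis: List[str],
                        vpc_cidr: str, onprem_cidr: str) -> Dict[str, Any]:
    """Create the target, the filter with its rules, and one session per endpoint interface.

    `ec2` is a boto3 EC2 client, or any object exposing the same four create_* methods.
    """
    target = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="Route 53 outbound endpoint capture")
    target_id = target["TrafficMirrorTarget"]["TrafficMirrorTargetId"]

    filt = ec2.create_traffic_mirror_filter(Description="DNS between VPC and on-premises")
    filter_id = filt["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for rule in build_filter_rules(vpc_cidr, onprem_cidr):
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)

    sessions = []
    for eni in source_enis:  # step 3: one session per outbound endpoint network interface
        resp = ec2.create_traffic_mirror_session(
            NetworkInterfaceId=eni, TrafficMirrorTargetId=target_id,
            TrafficMirrorFilterId=filter_id, SessionNumber=1)
        sessions.append(resp["TrafficMirrorSession"]["TrafficMirrorSessionId"])
    return {"target": target_id, "filter": filter_id, "sessions": sessions}


class DryRunClient:
    """Stand-in for the boto3 client: records every call and returns placeholder IDs."""
    _responses = {
        "create_traffic_mirror_target": {"TrafficMirrorTarget": {"TrafficMirrorTargetId": "tmt-PLACEHOLDER"}},
        "create_traffic_mirror_filter": {"TrafficMirrorFilter": {"TrafficMirrorFilterId": "tmf-PLACEHOLDER"}},
        "create_traffic_mirror_filter_rule": {"TrafficMirrorFilterRule": {"TrafficMirrorFilterRuleId": "tmfr-PLACEHOLDER"}},
        "create_traffic_mirror_session": {"TrafficMirrorSession": {"TrafficMirrorSessionId": "tms-PLACEHOLDER"}},
    }

    def __init__(self):
        self.calls: List[tuple] = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self._responses[name]
        return call


if __name__ == "__main__":
    import sys
    if "--apply" in sys.argv:
        import boto3  # real API calls; needs credentials and ec2:CreateTrafficMirror* permissions
        client = boto3.client("ec2")
    else:
        client = DryRunClient()
    # Placeholder IDs and CIDRs (constructed, not from the article): substitute your own.
    result = configure_mirroring(client, "eni-TARGET", ["eni-ENDPOINT-1", "eni-ENDPOINT-2"],
                                 "10.0.0.0/16", "192.168.0.0/16")
    print(result)
    if isinstance(client, DryRunClient):
        for name, kwargs in client.calls:
            print(name, kwargs)
```

Run it without arguments to see the eight calls the procedure produces (one target, one filter, four rules, two sessions for a two-interface endpoint); the session number is 1 for every session, as in step 3, because each session has its own source interface.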

View mirrored traffic

For Linux operating systems

1.    View the captured traffic logs by running the following command:

sudo tcpdump -w <filename>.pcap -i <eth> port 4789

For filename, use the name of the file where you want to store the captured traffic. For eth, use the network interface on the EC2 instance that receives the mirrored traffic.

2.    Transfer the file from the EC2 instance to your local computer by running the following command:

scp -i <keypair>.pem ec2-user@<ec2 instance's public/private DNS name or IP address>:<file path>/<filename>.pcap ~/Desktop/

For keypair, use the key pair that you used to log in to the instance. For file path and filename, use the location and name of the capture file that you wrote in step 1.

3.    Open the capture file to view the DNS packets.
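Mirrored packets arrive at the target instance wrapped in VXLAN, which is why the capture filters on UDP port 4789, so anything that reads the .pcap has to strip the outer Ethernet, IP, UDP and VXLAN headers before it reaches the DNS message (Wireshark does this automatically). The following is an added example, not part of the article: a decoder for classic pcap files as written by `tcpdump -w`, with a constructed two-packet capture (a query for host.test.com and its response; all addresses and MACs are invented) so it runs offline.

```python
"""Decode the VXLAN-encapsulated DNS packets in a Traffic Mirroring capture."""
import struct
import sys
from collections import namedtuple
from typing import List, Optional

VXLAN_PORT = 4789  # UDP port Traffic Mirroring uses for the VXLAN wrapper
DNS_PORT = 53
ETH_HDR = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"  # constructed MACs, IPv4
# Fields: inner IPv4 source/destination, "UDP" or "TCP", question name, QR bit of the DNS header
DnsRecord = namedtuple("DnsRecord", "src dst transport qname is_response")


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) of a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[ihl:total_len]


def parse_qname(dns: bytes, offset: int = 12) -> str:
    """Read the uncompressed name in the question section (offset 12 = after the header)."""
    labels = []
    while dns[offset] != 0:
        length = dns[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(dns[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels)


def decode_mirrored_frame(frame: bytes) -> Optional[DnsRecord]:
    """Outer Ethernet/IPv4/UDP:4789/VXLAN, then inner Ethernet/IPv4/(UDP|TCP)/DNS."""
    if frame[12:14] != b"\x08\x00":          # outer frame is not IPv4
        return None
    _, _, proto, udp = parse_ipv4(frame[14:])
    if proto != 17 or struct.unpack("!H", udp[2:4])[0] != VXLAN_PORT:
        return None
    inner = udp[8:][8:]                      # strip outer UDP header (8) and VXLAN header (8)
    if inner[12:14] != b"\x08\x00":
        return None
    src, dst, proto, l4 = parse_ipv4(inner[14:])
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:
        dns, transport = l4[8:], "UDP"
    elif proto == 6:
        data_off = (l4[12] >> 4) * 4
        dns, transport = l4[data_off + 2:], "TCP"   # DNS over TCP has a 2-byte length prefix
    else:
        return None
    if DNS_PORT not in (sport, dport) or len(dns) < 12:  # not DNS, or a bare TCP ACK
        return None
    flags = struct.unpack("!H", dns[2:4])[0]
    return DnsRecord(src, dst, transport, parse_qname(dns), bool(flags & 0x8000))


def decode_pcap(data: bytes) -> List[DnsRecord]:
    """Walk a classic (libpcap) capture as written by `tcpdump -w`."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    records, offset = [], 24                 # 24-byte global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        try:
            rec = decode_mirrored_frame(frame)
        except (IndexError, struct.error, ValueError):
            rec = None                       # truncated (snaplen) or non-conforming frame
        if rec:
            records.append(rec)
    return records


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none


def build_sample_pcap() -> bytes:
    """Constructed capture: an A query for host.test.com and its response, each VXLAN-wrapped."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in "host.test.com".split(".")) + b"\x00\x00\x01\x00\x01"
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
    answer = struct.pack("!HHHIH4s", 0xC00C, 1, 1, 60, 4, bytes([192, 168, 10, 80]))
    reply = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + q + answer
    inner = [_ipv4("10.0.1.25", "192.168.10.53", 17, _udp(40123, 53, query)),   # egress: query
             _ipv4("192.168.10.53", "10.0.1.25", 17, _udp(53, 40123, reply))]   # ingress: response
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)            # LE header, linktype 1
    for i, pkt in enumerate(inner):
        vxlan = struct.pack("!II", 0x08000000, 42 << 8) + ETH_HDR + pkt          # VXLAN I flag, VNI 42
        frame = ETH_HDR + _ipv4("10.0.1.25", "10.0.2.10", 17, _udp(49152, VXLAN_PORT, vxlan))
        pcap += struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(*decode_pcap(data), sep="\n")
```

Run it with the path of the .pcap you copied from the instance to list one line per DNS message; without arguments it decodes the constructed sample. Because the decoder keys on the inner addresses, a query from the endpoint's interface and the matching response from the on-premises server show up as a pair, which is a quick way to confirm that both the inbound and the outbound mirror filter rules are working.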

For Windows operating systems

1.    Open the Wireshark tool.

2.    Filter traffic using the IP address of the outbound resolver endpoint.

3.    Open the capture file to view the DNS packets.


Related information

Resolving Domain Name System (DNS) queries between VPCs and your network

AWS OFFICIAL
Updated 2 years ago