AWS Security Find: Unmasking Phantom DNS Queries with Route 53 Resolver Query Logging

Ever wonder what your AWS Fargate tasks are really doing? I recently uncovered a hidden world of DNS requests by enabling Route 53 Resolver query logging. What I found wasn't a malicious attack, but an open-source APM agent probing Google Cloud's metadata service from my AWS environment! Learn how you can use Route 53 Resolver query logging to expose hidden network activity and bolster your AWS security.

Why Bother with Route 53 Resolver Query Logging?

Think of DNS query logging as a network security camera, capturing every domain your resources try to reach. Here's why it's a game-changer:

• Complete DNS Visibility: See every query name, source IP, response code, and timestamp. No more blind spots when troubleshooting network problems in AWS.
• Threat Hunting & Security Insights: Identify potential malware or phishing attempts early. Integrate logs with SIEMs for automated alerting and faster incident response.
• Audit & Compliance: Demonstrate continuous network monitoring, a must for regulated workloads like PCI and HIPAA.
• Faster Troubleshooting: Correlate DNS resolution errors with application failures to diagnose issues quickly. Use Route 53 logs to pinpoint the root cause.

Quick Start: AWS DNS Query Logging & Firewall with CloudFormation

Ready to get started? Use this CloudFormation template to enable DNS query logging and set up a basic DNS Firewall in minutes:

• Paste the template into your AWS CloudFormation console.
• Provide your VPC ID.
• Start capturing all DNS queries to CloudWatch Logs!

AWSTemplateFormatVersion: ' 2010-09-09' 
Description: > 
 Route 53 Resolver DNS Firewall with VPC‑level DNS **query logging**. 
 Logs **all** DNS queries for a supplied VPC to CloudWatch Logs. 
Parameters: 
 VpcId: 
 Type: AWS::EC2::VPC::Id 
 Description: VPC ID to protect and monitor. 
 AssociationPriority: 
 Type: Number 
 Default: 150 
 Description: ' Priority (100‑9900) for the VPC firewall association; must be unique within the VPC.' 
 MinValue: 100 
 MaxValue: 9900 
 LogRetentionDays: 
 Type: Number 
 Default: 30 
 Description: Retention (days) for the CloudWatch Logs group. 
Resources: 
 QueryLogGroup: 
 Type: AWS::Logs::LogGroup 
 Properties: 
 RetentionInDays: !Ref LogRetentionDays 
 BlockedDomains: 
 Type: AWS::Route53Resolver::FirewallDomainList 
 Properties: 
 Name: blocked-domains 
 Domains: 
 - badexample.com 
 - malware.example 
 - phishing.test 
 FirewallRuleGroup: 
 Type: AWS::Route53Resolver::FirewallRuleGroup 
 Properties: 
 Name: vpc-dns-firewall-rule-group 
 FirewallRules: 
 - FirewallDomainListId: !Ref BlockedDomains 
 Priority: 10 
 Action: BLOCK 
 BlockResponse: NODATA 
 FirewallAssociation: 
 Type: AWS::Route53Resolver::FirewallRuleGroupAssociation 
 Properties: 
 FirewallRuleGroupId: !Ref FirewallRuleGroup 
 VpcId: !Ref VpcId 
 Priority: !Ref AssociationPriority 
 Name: vpc-dns-firewall-association 
 DNSQueryLogConfig: 
 Type: AWS::Route53Resolver::ResolverQueryLoggingConfig 
 Properties: 
 Name: vpc-dns-query-logs 
 DestinationArn: !GetAtt QueryLogGroup.Arn 
 DNSQueryLogAssociation: 
 Type: AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation 
 Properties: 
 ResolverQueryLogConfigId: !Ref DNSQueryLogConfig 
 ResourceId: !Ref VpcId 
 DNSQueryLogsPolicy: 
 Type: AWS::Logs::ResourcePolicy 
 Properties: 
 PolicyName: route53resolver-query-logs 
 PolicyDocument: !Sub | 
 { 
 "Version": "2012-10-17", 
 "Statement": [ 
 { 
 "Sid": "Route53ResolverQueryLogsToCloudWatch", 
 "Effect": "Allow", 
 "Principal": { "Service": "route53resolver.amazonaws.com" }, 
 "Action": [ 
 "logs:CreateLogStream", 
 "logs:PutLogEvents" 
 ], 
 "Resource": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${QueryLogGroup}:*" 
 } 
 ] 
 } 
Outputs: 
 FirewallRuleGroupId: 
 Description: ID of the DNS Firewall Rule Group 
 Value: !Ref FirewallRuleGroup 
 QueryLogConfigId: 
 Description: ID of the Resolver Query Log Config 
 Value: !Ref DNSQueryLogConfig 
 QueryLogGroupName: 
 Description: CloudWatch Logs group for DNS query logs 
 Value: !Ref QueryLogGroup

Alternatively, download the template as a prepared YAML file from GitHub.

Once deployed, navigate to CloudWatch Logs to examine the DNS queries originating from your VPC.

Understanding Blocked DNS Queries with DNS Firewall

When you implement a DNS Firewall, blocked lookups become clearly visible in your logs. The action field will indicate that a domain was blocked. Below is an example of how a blocked domain appears in CloudWatch Logs or an S3 log file upon enabling Route 53 DNS Firewall:

{ 
 "version": "1.100000", 
 "account_id": "452954105288", 
 "region": "us-east-1", 
 "vpc_id": "vpc-0b20bb8a5eb28cb99", 
 "query_timestamp": "2025-04-27T04:45:23Z", 
 "query_name": "badexample.com.", 
 "query_type": "A", 
 "query_class": "IN", 
 "rcode": "NOERROR", 
 "answers": [], 
 "srcaddr": "10.0.101.123", 
 "srcport": "46275", 
 "transport": "UDP", 
 "srcids": { 
 "instance": "i-0cf6fbb4f8960f245" 
 }, 
 "firewall_rule_action": "BLOCK", 
 "firewall_rule_group_id": "rslvr-frg-69632fc987684fbd", 
 "firewall_domain_list_id": "rslvr-fdl-de20dd498c14dce" 
}

Level Up: Route 53 DNS Firewall Enhancements

The CloudFormation template gives you a basic DNS Firewall. Enhance it with these features:

• Managed Threat Lists: Automatically block known malicious domains, reducing manual upkeep.
• Custom Allow/Deny Rules: Enforce your organization's approved domain list.
• Real-Time Enforcement: Choose between BLOCK, ALERT, or TRUNCATE responses to specific DNS queries.

Apply these firewall policies at the VPC level for centralized control—no need for per-instance agents!

The Case of the Phantom "metadata.google.internal" DNS Query

My investigation started with debugging flaky outbound calls from an AWS Fargate task. Enabling Route 53 Resolver query logging revealed repeated lookups for metadata.google.internal, a Google Cloud-specific endpoint. This was triggered by an APM agent's auto-detection logic. Because I hadn't explicitly configured the cloud provider in my Elastic APM setup, the agent was attempting to determine the cloud provider by trying the AWS metadata endpoint (which doesn't work on Fargate) and then the Google Cloud endpoint.

Real-World Example: Ubuntu Cloud-Init Probes

Another interesting finding: Ubuntu cloud-init instances querying does-not-exist.example.com to detect DNS interception. While benign, these checks can clutter your logs. This highlights the importance of DNS query logging for understanding and filtering legitimate, but noisy, network behavior.

Best Practices for Route 53 Resolver Query Logging

Here are some tips to maximize the value of your Route 53 setup:

• Automate with IaC: Use CloudFormation or Terraform for consistent, repeatable deployments.
• Centralize Logs: Stream logs to CloudWatch Logs or S3. Integrate with security platforms for automated analysis. Leverage Generative AI to provide automated analysis on aggregated data.
• Tune Policies: Regularly review and whitelist legitimate domains to minimize false positives. Use Git to version control the domain lists.
• Periodic Review: Analyze logs regularly to refine firewall rules and identify new patterns.

Conclusion: Unlock Enhanced AWS Security with DNS Visibility

Route 53 Resolver query logging is a powerful tool for both diagnostics and security. Paired with a DNS Firewall, it gives you the visibility and control needed to prevent unwanted traffic, uncover hidden DNS requests, and strengthen your overall AWS security posture. Turn on logging, explore your logs, and stay secure!