Uncover Hidden Network Activity: AWS Route 53 Resolver Query Logging and DNS Firewall Guide

Have you ever wondered what your AWS workloads are really doing on the network? Enabling Route 53 Resolver query logging provides unprecedented visibility into DNS activity, allowing you to identify misconfigurations, detect threats, and improve overall security. This guide dives into how to set up query logging, interpret the logs, and use DNS Firewall to protect your environment.

Spotting the Unexpected: Finding Google Cloud DNS Queries in AWS

While debugging network issues in an AWS Fargate task, I enabled Route 53 Resolver query logging. I was surprised to discover repeated lookups for metadata.google.internal—an endpoint specific to Google Cloud VMs. It seemed like a potential security breach. After some digging, it turned out to be an open-source APM agent trying to auto-detect the cloud provider. Without DNS query logging, these "phantom calls" would have remained hidden.

Why Deep Dive into AWS DNS Query Logs?

Route 53 Resolver query logging provides essential insights into your network traffic offering a multitude of benefits:

• Complete DNS Visibility: Capture query names, source IPs, response codes, and timestamps, eliminating blind spots and quickly identifying the source of network issues.
• Security Insights & Threat Hunting: Detect malware and phishing attempts by monitoring domain lookups. Integrate logs with SIEMs for automated alerting and threat response. Employ DNS Firewall to enforce security policies.
• Audit & Compliance: Demonstrate continuous network monitoring for regulated workloads (PCI, HIPAA, etc.) by logging all DNS queries.
• Faster Troubleshooting: Correlate DNS resolution errors with service issues to quickly diagnose application failures.

Get Started Quickly: CloudFormation for Query Logging and DNS Firewall

Deploy query logging and a basic DNS Firewall with this CloudFormation template. In just minutes, you can start capturing all DNS queries to CloudWatch Logs.

To get started, simply copy and paste the following code into your CloudFormation stack, and provide your VPC ID to start capturing all DNS queries:

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Route 53 Resolver DNS Firewall with VPC-level DNS **query logging**.
  Logs **all** DNS queries for a supplied VPC to CloudWatch Logs.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID to protect and monitor.
  AssociationPriority:
    Type: Number
    Default: 150
    Description: 'Priority (100-9900) for the VPC firewall association; must be unique within the VPC.'
    MinValue: 100
    MaxValue: 9900
  LogRetentionDays:
    Type: Number
    Default: 30
    Description: Retention (days) for the CloudWatch Logs group.
Resources:
  QueryLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref LogRetentionDays
  BlockedDomains:
    Type: AWS::Route53Resolver::FirewallDomainList
    Properties:
      Name: blocked-domains
      Domains:
        - badexample.com
        - malware.example
        - phishing.test
  FirewallRuleGroup:
    Type: AWS::Route53Resolver::FirewallRuleGroup
    Properties:
      Name: vpc-dns-firewall-rule-group
      FirewallRules:
        - FirewallDomainListId: !Ref BlockedDomains
          Priority: 10
          Action: BLOCK
          BlockResponse: NODATA
  FirewallAssociation:
    Type: AWS::Route53Resolver::FirewallRuleGroupAssociation
    Properties:
      FirewallRuleGroupId: !Ref FirewallRuleGroup
      VpcId: !Ref VpcId
      Priority: !Ref AssociationPriority
      Name: vpc-dns-firewall-association
  DNSQueryLogConfig:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfig
    Properties:
      Name: vpc-dns-query-logs
      DestinationArn: !GetAtt QueryLogGroup.Arn
  DNSQueryLogAssociation:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation
    Properties:
      ResolverQueryLogConfigId: !Ref DNSQueryLogConfig
      ResourceId: !Ref VpcId
  DNSQueryLogsPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: route53resolver-query-logs
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Route53ResolverQueryLogsToCloudWatch",
              "Effect": "Allow",
              "Principal": { "Service": "route53resolver.amazonaws.com" },
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${QueryLogGroup}:*"
            }
          ]
        }
Outputs:
  FirewallRuleGroupId:
    Description: ID of the DNS Firewall Rule Group
    Value: !Ref FirewallRuleGroup
  QueryLogConfigId:
    Description: ID of the Resolver Query Log Config
    Value: !Ref DNSQueryLogConfig
  QueryLogGroupName:
    Description: CloudWatch Logs group for DNS query logs
    Value: !Ref QueryLogGroup

Alternatively, download the template from GitHub.

Once deployed, examine DNS queries in CloudWatch Logs.

Reading the Logs: What a Blocked DNS Query Looks Like

When using DNS Firewall, blocked lookups appear with an "action" field. Here's an example of a blocked domain in CloudWatch Logs/S3:

{
  "version": "1.100000",
  "account_id": "452954105288",
  "region": "us-east-1",
  "vpc_id": "vpc-0b20bb8a5eb28cb99",
  "query_timestamp": "2025-04-27T04:45:23Z",
  "query_name": "badexample.com.",
  "query_type": "A",
  "query_class": "IN",
  "rcode": "NOERROR",
  "answers": [],
  "srcaddr": "10.0.101.123",
  "srcport": "46275",
  "transport": "UDP",
  "srcids": {
    "instance": "i-0cf6fbb4f8960f245"
  },
  "firewall_rule_action": "BLOCK",
  "firewall_rule_group_id": "rslvr-frg-69632fc987684fbd",
  "firewall_domain_list_id": "rslvr-fdl-de20dd498c14dce"
}

Strengthen Your Defenses: Layering on Route 53 DNS Firewall

The CloudFormation template sets up a basic firewall. Enhance it further with:

• Managed Threat Lists: Block known malicious domains, automatically updated.
• Custom Allow/Deny Rules: Enforce your organization's approved domains and block unauthorized ones.
• Real-Time Enforcement: Choose between BLOCK, ALERT, or TRUNCATE responses to tailor your security posture.

Firewall policies are applied at the VPC level, eliminating the need for per-instance agents and simplifying management.

Peeking Behind the Curtain: Why the Google Metadata Query?

The unexpected metadata.google.internal DNS query stemmed from a Python Flask app with Elastic APM installed on AWS Fargate. The APM agent attempts to auto-detect the cloud provider which first checks AWS metadata. When that fails (as it does on Fargate), it tries Google Cloud's metadata endpoint. The AWS and Azure metadata checks use IP addresses, so do not show up in the DNS query logs.

More Unexpected Network Checks: Ubuntu Cloud-Init

Another common finding is Ubuntu's cloud-init using does-not-exist.example.com to detect DNS interception. These benign checks can clutter logs, highlighting the importance of filtering and analysis.

AWS Route 53 DNS Query Logging: Best Practices

To effectively leverage Route 53 Resolver with query logging, consider these best practices:

• Automate with Infrastructure as Code (IaC): Use CloudFormation or Terraform to ensure consistent setup across all environments.
• Centralize Logs: Stream logs to CloudWatch Logs or S3. Integrate with security platforms or use automated analysis with Generative AI tools.
• Tune Policies: Regularly review and whitelist legitimate domains to minimize false positives. Manage domain lists using version control.
• Periodic Review: Regularly analyze logs to refine firewall rules and identify new threat patterns for proactive security.

Conclusion: Gain Visibility and Control of your AWS Network

Enabling Route 53 Resolver query logging transforms DNS into a valuable security and diagnostic tool. Paired with DNS Firewall, you gain both visibility and control, prevent unwanted traffic, uncover hidden queries, and strengthen your AWS network security. Start exploring today.