Uncover Hidden Threats & Boost AWS Security: Route 53 Resolver Query Logging

Ever wondered what your AWS workloads are really doing? You might be surprised! This article dives into Route 53 Resolver query logging, showing you how to gain complete DNS visibility, identify potential threats, and strengthen your AWS security posture. Plus, we'll explore a real-world scenario involving a "phantom" DNS query!

Without proper logging, you're missing crucial insights into your network activity. Here's why enabling DNS query logging in AWS is essential:

Complete DNS Visibility: Capture every DNS query, source IP, response code, and timestamp. Know exactly which workloads are making which requests.
Security Insights & Threat Hunting: Detect malware or phishing attempts early. Integrate logs with SIEM systems for automated alerts.
Audit & Compliance: Demonstrate continuous network monitoring for regulated industries (PCI, HIPAA, etc.) using detailed AWS DNS logs.
Faster Troubleshooting: Diagnose application failures by correlating DNS resolution errors with service issues. No more guesswork.

The Case of the Phantom DNS Query: Debugging AWS Fargate

I was troubleshooting some flaky outbound calls from an AWS Fargate task. To get better insight, I turned on Route 53 Resolver query logging for my VPC. Soon after, I spotted something strange: repeated lookups for metadata.google.internal. Why was my AWS workload querying a Google Cloud endpoint?

It turned out an open-source APM agent was trying to auto-detect the cloud provider by testing GCP metadata after failing to find AWS metadata (which isn't exposed in Fargate). Without logging, this "phantom" query would have remained hidden, potentially masking other issues. This highlights the importance of having AWS DNS logs enabled.

Quick Start: CloudFormation for Query Logging & DNS Firewall

Ready to get started? This simple CloudFormation template quickly enables Route 53 Resolver query logging and sets up a basic DNS Firewall.

Paste the following code into your AWS CloudFormation console.
Provide your VPC ID and desired settings.
Start capturing all DNS queries to CloudWatch Logs within minutes!

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Route 53 Resolver DNS Firewall with VPC-level DNS **query logging**.
  Logs **all** DNS queries for a supplied VPC to CloudWatch Logs.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC ID to protect and monitor.
  AssociationPriority:
    Type: Number
    Default: 150
    Description: ' Priority (100-9900) for the VPC firewall association; must be unique within the VPC.'
    MinValue: 100
    MaxValue: 9900
  LogRetentionDays:
    Type: Number
    Default: 30
    Description: Retention (days) for the CloudWatch Logs group.
Resources:
  QueryLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: !Ref LogRetentionDays
  BlockedDomains:
    Type: AWS::Route53Resolver::FirewallDomainList
    Properties:
      Name: blocked-domains
      Domains:
        - badexample.com
        - malware.example
        - phishing.test
  FirewallRuleGroup:
    Type: AWS::Route53Resolver::FirewallRuleGroup
    Properties:
      Name: vpc-dns-firewall-rule-group
      FirewallRules:
        - FirewallDomainListId: !Ref BlockedDomains
          Priority: 10
          Action: BLOCK
          BlockResponse: NODATA
  FirewallAssociation:
    Type: AWS::Route53Resolver::FirewallRuleGroupAssociation
    Properties:
      FirewallRuleGroupId: !Ref FirewallRuleGroup
      VpcId: !Ref VpcId
      Priority: !Ref AssociationPriority
      Name: vpc-dns-firewall-association
  DNSQueryLogConfig:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfig
    Properties:
      Name: vpc-dns-query-logs
      DestinationArn: !GetAtt QueryLogGroup.Arn
  DNSQueryLogAssociation:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation
    Properties:
      ResolverQueryLogConfigId: !Ref DNSQueryLogConfig
      ResourceId: !Ref VpcId
  DNSQueryLogsPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: route53resolver-query-logs
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "Route53ResolverQueryLogsToCloudWatch",
              "Effect": "Allow",
              "Principal": { "Service": "route53resolver.amazonaws.com" },
              "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${QueryLogGroup}:*"
            }
          ]
        }
Outputs:
  FirewallRuleGroupId:
    Description: ID of the DNS Firewall Rule Group
    Value: !Ref FirewallRuleGroup
  QueryLogConfigId:
    Description: ID of the Resolver Query Log Config
    Value: !Ref DNSQueryLogConfig
  QueryLogGroupName:
    Description: CloudWatch Logs group for DNS query logs
    Value: !Ref QueryLogGroup

You can also download it from GitHub: https://github.com/gabrielkoo/aws-route53-dns-firewall-logging-cfn. After deployment, check CloudWatch Logs to inspect DNS queries.

Understanding Blocked DNS Queries with DNS Firewall

When you implement a DNS Firewall, blocked lookups have a visible "action" field. Here's an example of how a blocked domain appears in CloudWatch Logs:

{
  "version": "1.100000",
  "account_id": "452954105288",
  "region": "us-east-1",
  "vpc_id": "vpc-0b20bb8a5eb28cb99",
  "query_timestamp": "2025-04-27T04:45:23Z",
  "query_name": "badexample.com.",
  "query_type": "A",
  "query_class": "IN",
  "rcode": "NOERROR",
  "answers": [],
  "srcaddr": "10.0.101.123",
  "srcport": "46275",
  "transport": "UDP",
  "srcids": {
    "instance": "i-0cf6fbb4f8960f245"
  },
  "firewall_rule_action": "BLOCK",
  "firewall_rule_group_id": "rslvr-frg-69632fc987684fbd",
  "firewall_domain_list_id": "rslvr-fdl-de20dd498c14dce"
}

Enhance Your Security with Route 53 DNS Firewall

The CloudFormation template provides a basic DNS Firewall. You can improve it with:

Managed Threat Lists: Automatically block known malicious domains, reducing manual effort.
Custom Allow/Deny Rules: Enforce approved domain lists for tighter control.
Real-Time Enforcement: Choose between BLOCK, ALERT, or TRUNCATE responses to DNS queries.

Apply firewall policies at the VPC level, simplifying management without per-instance agents.

Another Real-World Example: Ubuntu Cloud-Init & False Positives

On Ubuntu cloud servers, cloud-init may query does-not-exist.example.com to detect DNS interception. These benign checks can clutter your logs, emphasizing the need to filter and tune your monitoring. This shows how essential it is to keep DNS query logging on AWS.

Route 53 Resolver Query Logging Best Practices

Here's how to get the most out of Route 53 Resolver query logging:

Automate with IaC: Use CloudFormation or Terraform to ensure consistent setup across all environments.
Centralize Logs: Stream logs to CloudWatch Logs or S3 and integrate with security platforms for analysis.
Tune Policies: Review and whitelist legitimate domains to minimize false positives. Use Git to version control your domain lists.
Periodic Review: Regularly analyze logs to refine firewall rules and detect emerging threats.

Conclusion: Gain Control & Protect Your AWS Environment

Enabling Route 53 Resolver query logging on AWS transforms DNS data into a vital diagnostic and security resource. Combined with DNS Firewall, you gain visibility and control, preventing unwanted traffic and strengthening your overall AWS network security posture. Don't wait – start logging today!