
Enable Logging of DNS Queries Using Route 53 Resolver

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that DNS query logging with Amazon Route 53 Resolver is enabled in the AWS regions designated to host sensitive data, where regulated workloads must meet the most stringent security and compliance requirements.

Security

When working with security-sensitive cloud applications, you may need the ability to monitor, debug, search, and archive DNS lookups originating from inside your Virtual Private Clouds (VPCs). Amazon Route 53 Resolver now supports the logging of DNS queries and responses for DNS queries originating from within your VPCs, whether these queries are answered locally by Route 53 Resolver, resolved over the public Internet, or are forwarded to on-premises DNS servers via Route 53 Resolver endpoints. DNS queries forwarded by on-premises DNS servers to your VPCs via inbound endpoints are also logged. Even the DNS queries made by your Amazon Lambda functions, Amazon EKS clusters, and Amazon WorkSpaces instances can be logged using this feature. With DNS query logging enabled, you no longer need to manage your own cloud infrastructure in order to log the DNS activity within your VPC network.
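The monitoring use case above is easiest to see on actual records. The following script is an added example, not part of the Conformity article or of Route 53 Resolver itself: it assumes the newline-delimited JSON layout Route 53 Resolver delivers to CloudWatch Logs, S3 or Firehose (fields such as query_name, rcode, srcaddr and srcids), and the records it analyses are constructed, not captured from a real VPC. It summarises queries per source address and flags sources with sustained NXDOMAIN churn or with oversized or high-entropy labels, two of the patterns defenders typically look for in resolver logs.

```python
"""Triage Route 53 Resolver query log records for suspicious DNS activity.

Added example (not part of the Conformity article). It assumes the
newline-delimited JSON layout Route 53 Resolver delivers to CloudWatch Logs,
S3 or Firehose (query_name, query_type, rcode, srcaddr, srcids, ...). The
records below are constructed, not captured from a real VPC.
"""
import hashlib
import json
import math
from collections import Counter, defaultdict


def _record(srcaddr, query_name, rcode, instance):
    """Build one constructed log record using the field names Resolver writes."""
    return {
        "version": "1.100000",
        "account_id": "123456789012",
        "region": "us-east-1",
        "vpc_id": "vpc-01234abcd1234abcd",
        "query_timestamp": "2023-12-12T10:10:10Z",
        "query_name": query_name,
        "query_type": "A",
        "query_class": "IN",
        "rcode": rcode,
        "answers": [],
        "srcaddr": srcaddr,
        "srcport": "53211",
        "transport": "UDP",
        "srcids": {"instance": instance},
    }


_SAMPLE = [
    # ordinary workload: resolvable names plus one typo
    _record("10.0.1.23", "api.example.com.", "NOERROR", "i-0aaaaaaaaaaaaaaa1"),
    _record("10.0.1.23", "sts.amazonaws.com.", "NOERROR", "i-0aaaaaaaaaaaaaaa1"),
    _record("10.0.1.23", "missing.example.com.", "NXDOMAIN", "i-0aaaaaaaaaaaaaaa1"),
]
# noisy host: long encoded labels under one domain, almost all unresolvable
for i in range(6):
    label = hashlib.sha256(str(i).encode()).hexdigest()[:48]
    _SAMPLE.append(_record("10.0.2.77", f"{label}.data.example.net.",
                           "NXDOMAIN" if i < 5 else "NOERROR", "i-0bbbbbbbbbbbbbbb2"))
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in _SAMPLE)


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def analyze(ndjson_text, max_label_len=40, min_entropy=3.5):
    """Summarise query volume, NXDOMAIN count and odd-looking names per source address."""
    per_src = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                   "suspicious_names": [], "instances": set()})
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src = per_src[rec["srcaddr"]]
        src["queries"] += 1
        if rec.get("rcode") == "NXDOMAIN":
            src["nxdomain"] += 1
        instance = rec.get("srcids", {}).get("instance")
        if instance:
            src["instances"].add(instance)
        name = rec["query_name"].rstrip(".")
        # any single label that is very long or looks encoded marks the whole name
        if any(len(label) > max_label_len or shannon_entropy(label) > min_entropy
               for label in name.split(".")):
            src["suspicious_names"].append(name)
    return dict(per_src)


def flagged_sources(findings, nx_ratio=0.5, min_queries=5):
    """Sources worth a closer look: sustained NXDOMAIN churn or encoded-looking labels."""
    flagged = {}
    for src, f in findings.items():
        reasons = []
        if f["queries"] >= min_queries and f["nxdomain"] / f["queries"] >= nx_ratio:
            reasons.append(f"NXDOMAIN in {f['nxdomain']} of {f['queries']} queries")
        if f["suspicious_names"]:
            reasons.append(f"{len(f['suspicious_names'])} names with oversized or high-entropy labels")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    findings = analyze(SAMPLE_NDJSON)
    for src, reasons in flagged_sources(findings).items():
        instances = ", ".join(sorted(findings[src]["instances"])) or "unknown"
        print(f"{src} ({instances}): " + "; ".join(reasons))
```

The srcids.instance field is what turns a flagged address into an actionable finding, since it names the EC2 instance rather than a private IP that may be reused. The thresholds are starting points; tune min_queries and nx_ratio against a baseline period of your own logs before wiring this into an alert.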


Audit

To determine if logging of DNS queries using Amazon Route 53 Resolver is enabled within your AWS account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Resolver, choose Query logging to access the Route 53 Resolver query logging configurations.

04 On the Query logging page, search for any query logging configurations available within the current AWS region. If there are no configuration entries listed in the Query logging configurations section, and the following message is displayed: "You don't have any configurations", the logging of DNS queries using Amazon Route 53 Resolver is not enabled in the current AWS region.

05 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-resolver-query-log-configs command (OSX/Linux/UNIX) to list the query logging configuration objects created for DNS query logging within the selected AWS cloud region. Each configuration object defines where you want Route 53 Resolver to save DNS query logs and specifies the VPCs that you want to log queries for:

aws route53resolver list-resolver-query-log-configs \
  --region us-east-1 \
  --query 'ResolverQueryLogConfigs'

02 The command output should return the requested configuration information:

[]

If the list-resolver-query-log-configs command output returns an empty array (i.e. []), as shown in the example above, the logging of DNS queries using Amazon Route 53 Resolver is not enabled in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 and 2 to perform the Audit process for other regions.
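The CLI audit above treats an empty array as the failing case. The following script is an added example, not Conformity's own check: it evaluates the JSON list that list-resolver-query-log-configs returns for one region and also catches the case a bare emptiness check misses, a configuration that exists but is not in the CREATED state or has an AssociationCount of 0 (no VPC attached, so nothing is logged). The Status, AssociationCount, Id and DestinationArn field names are those shown in the create-resolver-query-log-config output later on this page; the per-region sample data is constructed.

```python
"""Decide per region whether Route 53 Resolver DNS query logging is in effect.

Added example (not Conformity's own check). It consumes the JSON list that
`aws route53resolver list-resolver-query-log-configs --query 'ResolverQueryLogConfigs'`
prints for one region and uses the Status and AssociationCount fields shown in
the article's create-resolver-query-log-config output. Region data below is
constructed.
"""
import json
import sys

# Constructed CLI output for three regions (account 123456789012 as in the article)
SAMPLE_REGIONS = {
    # no configuration at all: the empty-array case from audit step 02
    "us-east-1": [],
    # configuration exists but was never associated with a VPC, so nothing is logged
    "us-west-2": [{
        "Id": "rqlc-EXAMPLE000000001",
        "Name": "cc-query-logging-config",
        "Status": "CREATED",
        "AssociationCount": 0,
        "DestinationArn": "arn:aws:logs:us-west-2:123456789012:log-group:/aws/route53/domain.com:*",
    }],
    # compliant: created and associated with two VPCs
    "eu-west-1": [{
        "Id": "rqlc-EXAMPLE000000002",
        "Name": "cc-query-logging-config",
        "Status": "CREATED",
        "AssociationCount": 2,
        "DestinationArn": "arn:aws:s3:::cloud-conformity-query-logs",
    }],
}


def evaluate_region(configs):
    """Return (status, detail) for the configurations listed in one region."""
    if not configs:
        return "NOT_ENABLED", "no query logging configuration in this region"
    # Status values: CREATING, CREATED, DELETING, FAILED; only CREATED delivers logs
    created = [c for c in configs if c.get("Status") == "CREATED"]
    if not created:
        return "NOT_ENABLED", f"{len(configs)} configuration(s) but none in CREATED state"
    associated = [c for c in created if c.get("AssociationCount", 0) > 0]
    if not associated:
        return "NO_VPC_ASSOCIATIONS", "configuration exists but is not associated with any VPC"
    return "ENABLED", "; ".join(f"{c['Id']} -> {c['DestinationArn']}" for c in associated)


def evaluate_all(regions):
    """Map each region name to its (status, detail) tuple."""
    return {region: evaluate_region(configs) for region, configs in regions.items()}


def noncompliant_regions(regions):
    """Regions that still need the Remediation steps, sorted for stable reports."""
    return sorted(r for r, (status, _) in evaluate_all(regions).items() if status != "ENABLED")


if __name__ == "__main__":
    # Usage with live data, one region at a time:
    #   aws route53resolver list-resolver-query-log-configs --region us-east-1 \
    #     --query 'ResolverQueryLogConfigs' | python3 audit_dns_query_logging.py us-east-1
    if not sys.stdin.isatty():
        region = sys.argv[1] if len(sys.argv) > 1 else "<region>"
        data = {region: json.load(sys.stdin)}
    else:
        data = SAMPLE_REGIONS
    for region, (status, detail) in evaluate_all(data).items():
        print(f"{region:<12} {status:<20} {detail}")
```

Run it once per region by piping the CLI output in, or loop over the regions you host sensitive data in; a NO_VPC_ASSOCIATIONS result means the configuration from the Remediation section exists but the association step was skipped.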

Remediation / Resolution

To enable and configure DNS query logging using Amazon Route 53 Resolver for your AWS cloud account, perform the following actions:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"CloudWatchLogGroup": {
			"Type": "AWS::Logs::LogGroup",
			"Properties": {
				"LogGroupName": "/aws/route53/domain.com",
				"RetentionInDays": 14
			}
		},
		"CloudWatchLogGroupPolicy": {
			"Type": "AWS::Logs::ResourcePolicy",
			"Properties": {
				"PolicyName": "route53-query-logging-policy",
				"PolicyDocument": {
					"Fn::Sub": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"route53.amazonaws.com\"},\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"${CloudWatchLogGroup.Arn}\"}]}"
				}
			}
		},
		"ResolverQueryLoggingConfig": {
			"Type": "AWS::Route53Resolver::ResolverQueryLoggingConfig",
			"DependsOn": "CloudWatchLogGroupPolicy",
			"Properties": {
				"Name": "cc-query-logging-config",
				"DestinationArn": {
					"Fn::GetAtt": [
						"CloudWatchLogGroup",
						"Arn"
					]
				}
			}
		},
		"ResolverQueryLogConfigAssociation": {
			"Type": "AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation",
			"Properties": {
				"ResourceId": "vpc-01234abcd1234abcd",
				"ResolverQueryLogConfigId": {
					"Ref": "ResolverQueryLoggingConfig"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudWatchLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/route53/domain.com
      RetentionInDays: 14
  CloudWatchLogGroupPolicy:
    Type: AWS::Logs::ResourcePolicy
    Properties:
      PolicyName: route53-query-logging-policy
      # AWS::Logs::ResourcePolicy takes the policy document as a JSON string
      PolicyDocument: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "route53.amazonaws.com" },
              "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ],
              "Resource": "${CloudWatchLogGroup.Arn}"
            }
          ]
        }
  ResolverQueryLoggingConfig:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfig
    DependsOn: CloudWatchLogGroupPolicy
    Properties:
      Name: cc-query-logging-config
      DestinationArn: !GetAtt CloudWatchLogGroup.Arn
  ResolverQueryLogConfigAssociation:
    Type: AWS::Route53Resolver::ResolverQueryLoggingConfigAssociation
    Properties:
      ResourceId: vpc-01234abcd1234abcd
      ResolverQueryLogConfigId: !Ref ResolverQueryLoggingConfig

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

# Used to build the log group ARN without hard-coding the account ID
data "aws_caller_identity" "current" {}

# Destination for the DNS query logs
resource "aws_cloudwatch_log_group" "cloudwatch-log-group" {
	name              = "/aws/route53/domain.com"
	retention_in_days = 14
}

# Resource policy that lets Route 53 Resolver write into this log group only
data "aws_iam_policy_document" "iam-policy-document" {
	statement {
		actions = [
			"logs:CreateLogStream",
			"logs:PutLogEvents"
		]
		resources = ["arn:aws:logs:us-east-1:${data.aws_caller_identity.current.account_id}:log-group:/aws/route53/domain.com:*"]
		principals {
			identifiers = ["route53.amazonaws.com"]
			type        = "Service"
		}
	}
}

resource "aws_cloudwatch_log_resource_policy" "cloudwatch-log-group-policy" {
	policy_name     = "route53-query-logging-policy"
	policy_document = data.aws_iam_policy_document.iam-policy-document.json
}

# Query logging configuration: where Route 53 Resolver saves the DNS query logs
resource "aws_route53_resolver_query_log_config" "resolver-query-log-config" {
	# friendly name for the configuration (matches the CloudFormation template above)
	name            = "cc-query-logging-config"
	destination_arn = aws_cloudwatch_log_group.cloudwatch-log-group.arn

	# the resource policy must be in place before Resolver starts writing logs
	depends_on = [aws_cloudwatch_log_resource_policy.cloudwatch-log-group-policy]
}

# Associate the configuration with the VPC whose DNS queries should be logged
resource "aws_route53_resolver_query_log_config_association" "resolver-query-log-config-assoc" {
	resource_id                  = "vpc-01234abcd1234abcd"
	resolver_query_log_config_id = aws_route53_resolver_query_log_config.resolver-query-log-config.id
}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the main navigation panel, under Resolver, select Query logging.

04 Choose Configure query logging to initiate the setup process.

05 On the Configure query logging page, perform the following operations:

  1. For Name, provide a friendly name for your new query logging configuration.
  2. For Destination for query logs, choose one of the following options:
    • Select CloudWatch Logs log group if you want Amazon Route 53 Resolver to publish DNS query logs to a log group. With CloudWatch Logs, you can analyze query logs with Logs Insights and create metrics and alarms. Click inside the CloudWatch Logs log groups configuration box and choose an existing log group from the dropdown list. If you want to create a new log group for your query logging configuration, choose Create log group and provide a name for the new CloudWatch Logs log group in the New log group name box. AWS recommends naming your log group as a path such as /aws/route53/<domain-name>, where <domain-name> is the name of your Route 53 domain.
    • Select S3 bucket if you want Amazon Route 53 Resolver to send DNS query logs to an S3 bucket. Choose Browse S3 under Amazon S3 bucket, select an existing S3 bucket, then select Choose for confirmation. If you want to create a new bucket for your query logging configuration, choose Create new S3 destination and follow the steps provided by the Amazon S3 console to create and configure a new S3 bucket.
    • Select Kinesis Data Firehose delivery stream if you want Amazon Route 53 Resolver to publish DNS query logs to a Firehose delivery stream. With Kinesis Data Firehose, you can stream query logs in real time to Elasticsearch, Redshift, or other applications. Choose Browse streams under Kinesis Data Firehose delivery stream, select an existing delivery stream, then select Choose stream for confirmation. If you want to create a new delivery stream for your query logging configuration, choose Create new Kinesis delivery stream and follow the steps provided by the Amazon Kinesis console to create and configure a new Kinesis Data Firehose delivery stream.
  3. (Optional) For VPCs to log queries for – optional, choose Add VPC and select the Virtual Private Cloud (VPC) that you need to log queries for. Use the Add VPC button to add as many VPCs as needed. Any resource that sits inside the selected VPCs will have its DNS queries logged; a configuration with no associated VPC logs nothing.
  4. (Optional) For Tags – optional, choose Add tag to add tag sets to your query logging configuration.
  5. Choose Configure query logging to create your new Amazon Route 53 Resolver query logging configuration. To view the published query logs, go to the query logs destination configured earlier in the setup process.

06 Change the AWS cloud region from the navigation bar and repeat steps no. 4 and 5 to create Amazon Route 53 Resolver query logging configurations for other cloud regions.

Using AWS CLI

01 To create and configure a destination for your DNS query logs, choose one of the following options:

  1. If you want Amazon Route 53 Resolver to publish DNS query logs to a CloudWatch Logs log group, perform the following:
    • Run create-log-group command (OSX/Linux/UNIX) to create the CloudWatch Logs log group where Route 53 Resolver will publish your DNS query logs. AWS recommends naming your log group as a path such as /aws/route53/<domain-name>, where <domain-name> is the name of your Amazon Route 53 domain (the command does not produce an output):
      aws logs create-log-group \
        --region us-east-1 \
        --log-group-name /aws/route53/cloudconformity.com
      
    • Run describe-log-groups command (OSX/Linux/UNIX) using the name of the newly created CloudWatch Logs log group as the name prefix, together with a custom query filter, to return the log group resource ARN:
      aws logs describe-log-groups \
        --region us-east-1 \
        --log-group-name-prefix /aws/route53/cloudconformity.com \
        --query 'logGroups[*].arn'
      
    • The command output should return the requested Amazon Resource Name (ARN):
      [
      	"arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/cloudconformity.com:*"
      ]
      
  2. If you want Amazon Route 53 Resolver to send DNS query logs to an S3 bucket, perform the following commands:
    • Run create-bucket command (OSX/Linux/UNIX) to create a new Amazon S3 bucket for your query logging configuration:
      aws s3api create-bucket \
        --region us-east-1 \
        --bucket cloud-conformity-query-logs \
        --acl private
      
    • The command output should return the name of the newly created S3 bucket:
      {
      	"Location": "/cloud-conformity-query-logs"
      }
      
    • Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):
      aws s3api put-public-access-block \
        --region us-east-1 \
        --bucket cloud-conformity-query-logs \
        --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
      
  3. If you want Amazon Route 53 Resolver to publish DNS query logs to a Firehose delivery stream, perform the following:
    • Run create-delivery-stream command (OSX/Linux/UNIX) to create an Amazon Kinesis Data Firehose delivery stream for your query logging configuration:
      aws firehose create-delivery-stream \
        --region us-east-1 \
        --delivery-stream-name cloud-conformity-query-logs-stream \
        --delivery-stream-type DirectPut \
        --extended-s3-destination-configuration '{"RoleARN": "arn:aws:iam::123456789012:role/service-role/KinesisFirehoseServiceRole-query-logs--us-east-1-1612184128082", "BucketARN": "arn:aws:s3:::dns-query-logs-bucket"}'
      
    • The command output should return the ARN of the newly created delivery stream:
      {
      	"DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/cloud-conformity-query-logs-stream"
      }
      

02 Run create-resolver-query-log-config command (OSX/Linux/UNIX) to create a new query logging configuration, which defines where Amazon Route 53 Resolver saves the DNS query logs that originate in your VPCs. Use the ARN of the new log group, S3 bucket, or Firehose delivery stream as the value of the --destination-arn parameter (replace <destination-resource-arn> with that ARN). Amazon Route 53 Resolver can log DNS queries only for VPCs in the same AWS region as the query logging configuration:

aws route53resolver create-resolver-query-log-config \
  --region us-east-1 \
  --name cc-query-logging-config \
  --destination-arn <destination-resource-arn>

03 The command output should return the metadata for the new query logging configuration:

{
	"ResolverQueryLogConfig": {
		"Status": "CREATING",
		"AssociationCount": 0,
		"Name": "cc-query-logging-config",
		"CreationTime": "2021-10-09T10:10:10.000Z",
		"DestinationArn": "<destination-resource-arn>",
		"ShareStatus": "NOT_SHARED",
		"OwnerId": "123456789012",
		"Id": "rqlc-abcdabcdabcdabcd",
		"Arn": "arn:aws:route53resolver:us-east-1:123456789012:resolver-query-log-config/rqlc-abcdabcdabcdabcd"
	}
}

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to create Amazon Route 53 Resolver query logging configurations for other cloud regions.

Publication date Dec 12, 2023