Public DNS query logging - Amazon Route 53

Public DNS query logging

You can configure Amazon Route 53 to log information about the public DNS queries that Route 53 receives, such as the following:

  • Domain or subdomain that was requested

  • Date and time of the request

  • DNS record type (such as A or AAAA)

  • Route 53 edge location that responded to the DNS query

  • DNS response code, such as NoError or ServFail

Once you configure query logging, Route 53 will send logs to CloudWatch Logs. You use CloudWatch Logs tools to access the query logs.

Query logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached the response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return the cached response without forwarding the query to Route 53 until the TTL for the corresponding record expires.

Depending on how many DNS queries are submitted for a domain name (example.com) or subdomain name (www.example.com), which resolvers your users are using, and the TTL for the record, query logs might contain information about only one query out of every several thousand queries that are submitted to DNS resolvers. For more information about how DNS works, see How internet traffic is routed to your website or web application.

If you don't need detailed logging information, you can use Amazon CloudWatch metrics to see the total number of DNS queries that Route 53 responds to for a hosted zone. For more information, see Viewing DNS query metrics for a public hosted zone.

Configuring logging for DNS queries

To start logging DNS queries for a specified hosted zone, you perform the following tasks in the Amazon Route 53 console:

  • Choose the CloudWatch Logs log group that you want Route 53 to publish logs to, or create a new log group.

    Note

    The log group must be in the US East (N. Virginia) Region.

  • Choose Create to finish.

Note

If users are submitting DNS queries for your domain, you should start to see queries in the logs within several minutes after you create the query logging configuration.

To configure logging for DNS queries
  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones.

  3. Choose the hosted zone that you want to configure query logging for.

  4. In the Hosted zone details pane, choose Configure query logging.

  5. Choose an existing log group or create a new log group.

  6. If you receive an alert about permissions (this happens if you haven't configured query logging with the new console before), do one of the following:

    • If you have 10 resource policies already, you can't create any more. Select any of your resource policies, and select Edit . Editing will give Route 53 permissions to write logs to your log groups. Choose Save. The alert goes away and you can continue to the next step.

    • If you have never configured query logging before (or if you haven't created 10 resource policies already), you need to grant permissions to Route 53 to write logs to your CloudWatch Logs groups. Choose Grant permissions. The alert goes away and you can continue to the next step.

  7. Choose Permissions - optional to see a table that shows whether the resource policy matches the CloudWatch log group, and whether the Route 53 has the permission to publish logs to CloudWatch.

  8. Choose Create.

Using Amazon CloudWatch to access DNS query logs

Amazon Route 53 sends query logs directly to CloudWatch Logs; the logs are never accessible through Route 53. Instead, you use CloudWatch Logs to view logs in near real-time, search and filter data, and export logs to Amazon S3.

Route 53 creates one CloudWatch Logs log stream for each Route 53 edge location that responds to DNS queries for the specified hosted zone and sends query logs to the applicable log stream. The format for the name of each log stream is hosted-zone-id/edge-location-ID, for example, Z1D633PJN98FT9/DFW3.

Each edge location is identified by a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.) For a list of edge locations, see "The Route 53 Global Network" on the Route 53 Product Details page.

For more information, see the applicable documentation:

Changing the retention period for logs and exporting logs to Amazon S3

By default, CloudWatch Logs stores query logs indefinitely. You can optionally specify a retention period so that CloudWatch Logs deletes logs that are older than the retention period. For more information, see Change log data retention in CloudWatch Logs in the Amazon CloudWatch User Guide.

If you want to retain log data but you don't need CloudWatch Logs tools to view and analyze the data, you can export logs to Amazon S3, which can reduce your storage costs. For more information, see Exporting log data to Amazon S3.

For information about pricing, see the applicable pricing page:

Note

When you configure Route 53 to log DNS queries, you don't incur any Route 53 charges.

Stopping query logging

If you want Amazon Route 53 to stop sending query logs to CloudWatch Logs, perform the following procedure to delete the query logging configuration.

To delete a query logging configuration
  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones.

  3. Choose the name for the hosted zone that you want to delete the query logging configuration for.

  4. In the Hosted zone details pane, choose Delete query logging configuration.

  5. Choose Delete to confirm.

Values that appear in DNS query logs

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

Log format version

The version number of this query log. If we add fields to the log or change the format of existing fields, we'll increment this value.

Query timestamp

The date and time that Route 53 responded to the request, in ISO 8601 format and Coordinated Universal Time (UTC), for example, 2017-03-16T19:20:25.177Z.

For information about ISO 8601 format, see the Wikipedia article ISO 8601. For information about UTC, see the Wikipedia article Coordinated Universal Time.

Hosted zone ID

The ID of the hosted zone that is associated with all the DNS queries in this log.

Query name

The domain or subdomain that was specified in the request.

Query type

Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports, see Supported DNS record types.

Response code

The DNS response code that Route 53 returned in response to the DNS query.

Layer 4 protocol

The protocol that was used to submit the query, either TCP or UDP.

Route 53 edge location

The Route 53 edge location that responded to the query. Each edge location is identified by a three-letter code and an arbitrary number, for example, DFW3. The three-letter code typically corresponds with the International Air Transport Association airport code for an airport near the edge location. (These abbreviations might change in the future.)

For a list of edge locations, see "The Route 53 Global Network" on the Route 53 Product Detail page.

Resolver IP address

The IP address of the DNS resolver that submitted the request to Route 53.

EDNS client subnet

A partial IP address for the client that the request originated from, if available from the DNS resolver.

For more information, see the IETF draft Client Subnet in DNS Requests.

Query log example

Here's an example query log (Region is a placeholder):

1.0 2017-12-13T08:16:02.130Z Z123412341234 example.com A NOERROR UDP Region 192.168.1.1 - 1.0 2017-12-13T08:15:50.235Z Z123412341234 example.com AAAA NOERROR TCP Region 192.168.3.1 192.168.222.0/24 1.0 2017-12-13T08:16:03.983Z Z123412341234 example.com ANY NOERROR UDP Region 2001:db8::1234 2001:db8:abcd::/48 1.0 2017-12-13T08:15:50.342Z Z123412341234 bad.example.com A NXDOMAIN UDP Region 192.168.3.1 192.168.111.0/24 1.0 2017-12-13T08:16:05.744Z Z123412341234 txt.example.com TXT NOERROR UDP Region 192.168.1.2 -