Description:

Amazon Route 53 is a highly available and scalable cloud Domain Name Service(DNS) web service. It is a cost-effective and reliable way to route end users to Internet applications by translating names like http://www.example.com  into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. You can use Route 53 to perform domain registration and health checking too.


Rationale:

You can configure Amazon Route 53 to log information about the public DNS queries that Route 53 receives, such as Domain or subdomain that was requested, Date and time of the request, DNS record type (such as A or AAAA), Route 53 edge locations that responded to the DNS query and DNS response codes.


Impact:

Since the logs are not accessible through Route 53, you use CloudWatch Logs to view logs in near real-time, search and filter data, etc to spot security threats, and also troubleshoot application issues related to DNS all while being compliant with the regulations.


Default Value:

Route53 queries are not logged automatically anywhere. To enable logging, a user must go in, create and configure either a CloudTrail or CloudWatch log.


Audit:

  • via Management Console

  1. Sign in to the management console https://console.aws.amazon.com/route53/

  2. Navigate to Hosted Zones in the Route53 dashboard.

  3. Choose on the Hosted zone for which you need to verify if logging is enabled.

  4. Expand the Hosted zone details

  5. Look for the Query log attribute.

  6. If it is empty, that specific hosted zone is not configured to log queries to CloudWatch logs.


via CLI

aws route53 list-query-logging-configs
  --hosted-zone-id <value>
  [--cli-input-json <value>]
  [--starting-token <value>]
  [--page-size <value>]
  [--max-items <value>]
  [--generate-cli-skeleton <value>]

This lists the configurations for DNS query logging that are associated with the current Amazon Web Services account or the configuration that is associated with a specified hosted zone.


Remediation:

Pre-Requisite:

  • Ensure that Route53 service is used for hosting the website or application.

  • If you have never configured query logging before (or if you haven't created 10 resource policies already), you need to grant permissions to Route 53 to write logs to your CloudWatch Logs groups. 

  • If you have 10 resource policies already, you can't create any more. Select any of your resource policies, and select Edit . Editing will give Route 53 permissions to write logs to your log groups. Choose Save


 Implementation steps:

  • via Management Console

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones.

  3. Choose the hosted zone that you want to configure query logging for.

  4. In the Hosted zone details pane, choose Configure query logging.

  5. Choose an existing log group or create a new log group.

  6. Choose Permissions - optional to see a table that shows whether the resource policy matches the CloudWatch log group, and whether the Route 53 has the permission to publish logs to CloudWatch.

  7. Choose Create.
     NoteIf users are submitting DNS queries for your domain, you should start to see queries in the logs within a few minutes after you create the query logging configuration.

       


via CLI

aws route53 create-query-logging-config
  --hosted-zone-id <value>
  --cloud-watch-logs-log-group-arn <value>
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]


Backout Plan:

  • via Management Console

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted zones.

  3. Choose the name for the hosted zone that you want to delete the query logging configuration for.

  4. In the Hosted zone details pane, choose Delete query logging configuration.

  5. Choose Delete to confirm.


via CLI:

aws route53 delete-query-logging-config
  --id <value>
  [--cli-input-json <value>]
  [--generate-cli-skeleton <value>]

Here --id is the ID of the configuration that you want to delete.


Note:

  • By default, log data is stored in CloudWatch Logs indefinitely.

  • Route 53 doesn't delete any logs that are already in CloudWatch Logs.

  • Route 53 Resolver Query Logs can be used to log all DNS queries made by resources within your Amazon Virtual Private Cloud(VPC). Whether it’s an Amazon Elastic Compute Cloud(EC2) instance,  an AWS Lambda function, or a container, if it lives in your VPC and makes a DNS query, then this feature will log it; you are then able to explore and better understand how your applications are operating.


Reference:

Public DNS query logging - Amazon Route 53 

CreateQueryLoggingConfig - Amazon Route 53 

list-query-logging-configs — AWS CLI 1.20.56 Command Reference