Amazon Route 53 Resolver Query Logs
Cloud & SaaS · DNS Analysis · AWS · Route 53 DNS · Cloud Control Plane · SIEM / Log Aggregator
Location
Route 53 Resolver query logging to CloudWatch Logs, S3, or Firehose
Description
Resolver query logs for DNS requests originating from AWS VPC resources or connected on-premises systems using Route 53 Resolver endpoints. Captures query names, types, response codes, VPC identifiers, and source-instance context.
Forensic Value
Resolver logs are high-value for exfiltration and C2 investigations because they capture DNS activity from workloads that may never touch an enterprise DNS server. They reveal domain-generation activity, long-subdomain tunneling patterns, beaconing to attacker infrastructure, and cloud workloads resolving external services immediately before suspicious data transfer.
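As an added example (not part of this artifact card), the triage pass below reads Route 53 Resolver query-log records and flags the long-subdomain tunneling and high-entropy NXDOMAIN patterns described above. The field names follow the Resolver query-log JSON format; the records, instance IDs, domains and thresholds are constructed for illustration.

```python
import json
import math
from collections import Counter

# Constructed sample records in Route 53 Resolver query-log JSON shape.
# Field names follow the documented format; every value here is invented.
SAMPLE_LOG = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d","query_timestamp":"2024-03-01T12:00:01Z","query_name":"api.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","srcaddr":"10.0.1.25","srcport":"53211","transport":"UDP","srcids":{"instance":"i-0abc123"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d","query_timestamp":"2024-03-01T12:00:02Z","query_name":"3f9a1b7c2e8d4f6a0b9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e.t.example-tunnel.net.","query_type":"TXT","query_class":"IN","rcode":"NOERROR","srcaddr":"10.0.1.25","srcport":"53212","transport":"UDP","srcids":{"instance":"i-0abc123"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d","query_timestamp":"2024-03-01T12:00:03Z","query_name":"xk7q2mzp9vb4wr.example-dga.org.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","srcaddr":"10.0.2.40","srcport":"41000","transport":"UDP","srcids":{"instance":"i-0def456"}}
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def triage_record(rec, max_label=40, max_name=100, entropy_threshold=3.5):
    """Return the reasons this query deserves a closer look (empty list = nothing flagged)."""
    name = rec["query_name"].rstrip(".")
    labels = name.split(".")
    reasons = []
    # Tunneling encodes data in the query name: very long names or labels.
    if len(name) > max_name or any(len(label) > max_label for label in labels):
        reasons.append("long_subdomain")
    # TXT lookups against deep subdomains are a common tunnel transport.
    if rec["query_type"] == "TXT" and len(labels) > 3:
        reasons.append("txt_subdomain")
    # DGA candidates: failed resolution of a random-looking leftmost label.
    if rec["rcode"] == "NXDOMAIN" and shannon_entropy(labels[0]) > entropy_threshold:
        reasons.append("nxdomain_high_entropy")
    return reasons

def triage_log(text):
    """Parse newline-delimited JSON log lines and collect flagged queries with source context."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = triage_record(rec)
        if reasons:
            findings.append({"instance": rec["srcids"].get("instance"), "vpc": rec["vpc_id"],
                             "srcaddr": rec["srcaddr"], "query_name": rec["query_name"],
                             "reasons": reasons})
    return findings
```

The same functions work on the CloudWatch or S3 exports collected below once each event's message is extracted; the thresholds are starting points to tune against the VPC's baseline, not fixed detection rules.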
Tools Required
AWS Console, AWS CLI, Athena, CloudWatch Logs Insights, SIEM
Collection Commands
AWS CLI
aws route53resolver list-resolver-query-log-configs --output json > route53_query_log_configs.json
AWS CLI
aws logs filter-log-events --log-group-name <route53-log-group> --start-time 1709251200000 --end-time 1709856000000 > route53_resolver_queries.json
AWS CLI
aws s3 cp s3://<log-bucket>/AWSLogs/<account-id>/route53resolver/ ./route53-resolver/ --recursive
Collection Constraints
- Resolver query evidence exists only when Route 53 query logging was configured for the VPCs involved.
- DNS logs show resolution activity, not the full network session or application-layer transaction that followed.
MITRE ATT&CK Techniques
T1071.004, T1048.003, T1568