AWS - Monitoring outgoing DNS queries on VPC

Question

I would like to monitor all outgoing DNS queries originating from resources within my VPC. For example, i would like to log all DNS queries originating from a specific EC2 instance. Is this possible? I have looked into Route53 (early beginner to AWS), and from what i understand - using this i can only monitor my private domains, for incoming queries. Is it possible to monitor outgoing queries?

Answer 1

As far as I know, AWS doesn't have this as a feature right now. One solution that I've worked with before is having dnsmasq (a lightweight DNS cache/proxy) installed on every instance, configuring the machine to forward requests to dnsmasq first, and then consolidating your machines' dnsmasq logs in one place.

Answer 2

Currently there isn't any way. .2 VPC DNS server queries don't log into VPC flow logs so you can't see there anything.

Answer 3

From AWS annoucement on 27th of August, 2020 https://aws.amazon.com/blogs/aws/log-your-vpc-dns-queries-with-route-53-resolver-query-logs/

"The Amazon Route 53 team has just launched a new feature called Route 53 Resolver Query Logs, which will let you log all DNS queries made by resources within your Amazon Virtual Private Cloud (VPC). Whether it's an Amazon Elastic Compute Cloud (Amazon EC2) instance, an AWS Lambda function, or a container, if it lives in your Virtual Private Cloud and makes a DNS query, then this feature will log it; you are then able to explore and better understand how your applications are operating."

Therefore, if you use AmazonProvidedDNS (Amazon Route 53 Resolver) for DNS, then now you can use above option. The log contains a "srcaddr" field to find the source (eg EC2) of DNS lookup.