Amazon Route 53 Resolver Query Logs
Location
Route 53 Resolver query logging to CloudWatch Logs, S3, or Firehose
Description
Resolver query logs for DNS requests originating from AWS VPC resources or connected on-premises systems using Route 53 Resolver endpoints. Captures query names, types, response codes, VPC identifiers, and source-instance context.
Forensic Value
Resolver logs are high-value for exfiltration and C2 investigations because they capture DNS activity from workloads that may never touch an enterprise DNS server. They reveal domain-generation activity, long-subdomain tunneling patterns, beaconing to attacker infrastructure, and cloud workloads resolving external services immediately before suspicious data transfer.
Tools Required
Collection Commands
AWS CLI
aws route53resolver list-resolver-query-log-configs --output json > route53_query_log_configs.json
AWS CLI
aws logs filter-log-events --log-group-name <route53-log-group> --start-time 1709251200000 --end-time 1709856000000 > route53_resolver_queries.json
AWS CLI
aws s3 cp s3://<log-bucket>/AWSLogs/<account-id>/vpcdnsquerylogs/ ./route53-resolver/ --recursive
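Triage sketch for the patterns named under Forensic Value, added here as an example and not part of the original page: it groups collected Resolver records by source and parent zone and flags many unique, long subdomains under one zone. The thresholds, the two-label parent-zone approximation, and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

def _rec(name, rcode="NOERROR", inst="i-0aaa"):
    # Constructed record; field names follow the Resolver query log format.
    return json.dumps({"query_timestamp": "2024-03-01T00:00:00Z", "vpc_id": "vpc-0example",
                       "query_name": name, "query_type": "TXT", "rcode": rcode,
                       "srcaddr": "10.0.0.5", "srcids": {"instance": inst}})

# Constructed sample: one instance issuing many long, unique subdomains of one
# parent zone, plus ordinary lookups and a few NXDOMAINs from another instance.
SAMPLE = ([_rec(f"{i:02d}{'a1b2c3d4' * 6}.t.example.net.") for i in range(12)]
          + [_rec("sts.amazonaws.com.", inst="i-0bbb")] * 5
          + [_rec(f"x{i}.example.org.", "NXDOMAIN", "i-0bbb") for i in range(3)])

def summarize(lines, min_unique=10, min_label_len=40):
    """Group queries by (source, parent zone) and flag long-subdomain patterns.

    Thresholds are illustrative assumptions, to be tuned per environment.
    """
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "max_label": 0, "nxdomain": 0})
    for line in lines:
        try:
            rec = json.loads(line)
            name = rec["query_name"].rstrip(".").lower()
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip truncated lines and non-record JSON
        labels = name.split(".")
        # Assumption: the last two labels approximate the parent zone (no public-suffix list).
        parent = ".".join(labels[-2:])
        src = (rec.get("srcids") or {}).get("instance") or rec.get("srcaddr", "unknown")
        s = stats[(src, parent)]
        s["queries"] += 1
        s["names"].add(name)
        s["max_label"] = max([s["max_label"]] + [len(label) for label in labels[:-2]])
        if rec.get("rcode") == "NXDOMAIN":
            s["nxdomain"] += 1
    rows = [{"source": src, "parent": parent, "queries": s["queries"],
             "unique_names": len(s["names"]), "max_label": s["max_label"],
             "nxdomain": s["nxdomain"],
             "flagged": len(s["names"]) >= min_unique and s["max_label"] >= min_label_len}
            for (src, parent), s in stats.items()]
    # Flagged groups first, then by number of unique names queried.
    return sorted(rows, key=lambda r: (not r["flagged"], -r["unique_names"]))

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

For the CloudWatch export, pass each event's `message` string to `summarize`; for the S3 copy, pass the lines of each decompressed log file.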
Collection Constraints
- Resolver query evidence exists only when Route 53 query logging was configured for the VPCs involved.
- DNS logs show resolution activity, not the full network session or application-layer transaction that followed.
MITRE ATT&CK Techniques
References
Used in Procedures
Related Blockers
Cloud or Container Logging Coverage Missing
The investigation depends on cloud-control-plane or container telemetry that was never enabled, was retained too briefly, or was routed to an unavailable destination. This creates blind spots around identity misuse, cluster administration, and workload behavior.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.