Managing Resolver query logging configurations

Configuring (Resolver query logging)

You can configure Resolver query logging in two ways:

Direct VPC association - Associate VPCs directly to a query logging configuration.
Profile association - Associate a query logging configuration to a Route 53 Profile, which applies the logging to all VPCs associated with that Profile. For more information, see Associate Resolver query logging configurations to a Route 53 Profile.

To start logging DNS queries that originate in your VPCs, you perform the following tasks in the Amazon Route 53 console:

To configure Resolver query logging

Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.
Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars ( ) icon.
Within the Resolver menu, choose Query logging.
In the Region selector, choose the AWS Region where you want to create the query logging configuration. This must be the same Region where you created the VPCs that you want to log DNS queries for. If you have VPCs in multiple Regions, you must create at least one query logging configuration for each Region.
Choose Configure query logging.
Specify the following values:

Query logging configuration name

Enter a name for your query logging configuration. The name appears in the console in the list of query logging configurations. Enter a name that will help you find this configuration later.

Query logs destination

Choose the type of AWS resource that you want Resolver to send query logs to. For information about how to choose among the options (CloudWatch Logs log group, S3 bucket, and Firehose delivery stream), see AWS resources that you can send Resolver query logs to.

After you choose the type of resource, you can either create another resource of that type or choose an existing resource that was created by the current AWS account.

Note
You can choose only resources that were created in the AWS Region that you chose in step 4, the Region where you're creating the query logging configuration. If you choose to create a new resource, that resource will be created in the same Region.

VPCs to log queries for

This query logging configuration will log DNS queries that originate in the VPCs that you choose. Check the check box for each VPC in the current Region that you want Resolver to log queries for, then choose Choose.

Alternative: Instead of associating VPCs directly, you can associate this query logging configuration to a Route 53 Profile, which will apply logging to all VPCs associated with that Profile. For more information, see Associate Resolver query logging configurations to a Route 53 Profile.

Note
VPC log delivery can be enabled only once for a specific destination type. The logs can't be delivered to multiple destinations of the same type, for example, VPC logs can't be delivered to 2 Amazon S3 destinations.
Choose Configure query logging.

Note

You should start to see DNS queries made by resources in your VPC in the logs within a few minutes of successfully creating the query logging configuration.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Resources that you can send Resolver query logs to

Values that appear in Resolver query logs