

# Managing Resolver query logging configurations

## Configuring VPC Resolver query logging

You can configure VPC Resolver query logging in two ways:
+ **Direct VPC association** - Associate VPCs directly to a query logging configuration.
+ **Profile association** - Associate a query logging configuration to a Route 53 Profile, which applies the logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).

To start logging DNS queries that originate in your VPCs, you perform the following tasks in the Amazon Route 53 console:<a name="resolver-query-logs-configuring-procedure"></a>

**To configure Resolver query logging**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars (![\[Menu icon\]](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/menu-icon.png)) icon.

1. Within the Resolver menu, choose **Query logging**.

1. In the Region selector, choose the AWS Region where you want to create the query logging configuration. This must be the same Region where you created the VPCs that you want to log DNS queries for. If you have VPCs in multiple Regions, you must create at least one query logging configuration for each Region.

1. Choose **Configure query logging**.

1. Specify the following values:  
**Query logging configuration name**  
Enter a name for your query logging configuration. The name appears in the console in the list of query logging configurations. Enter a name that will help you find this configuration later.  
**Query logs destination**  
Choose the type of AWS resource that you want VPC Resolver to send query logs to. For information about how to choose among the options (CloudWatch Logs log group, S3 bucket, and Firehose delivery stream), see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).  
After you choose the type of resource, you can either create another resource of that type or choose an existing resource that was created by the current AWS account.  
You can choose only resources that were created in the AWS Region that you chose in step 4, the Region where you're creating the query logging configuration. If you choose to create a new resource, that resource will be created in the same Region.  
**VPCs to log queries for**  
This query logging configuration will log DNS queries that originate in the VPCs that you choose. Check the check box for each VPC in the current Region that you want VPC Resolver to log queries for, then choose **Choose**.  
**Alternative**: Instead of associating VPCs directly, you can associate this query logging configuration to a Route 53 Profile, which will apply logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).  
VPC log delivery can be enabled only once for a specific destination type. The logs can't be delivered to multiple destinations of the same type; for example, VPC logs can't be delivered to two Amazon S3 destinations.

1. Choose **Configure query logging**.

**Note**  
You should start to see DNS queries made by resources in your VPC in the logs within a few minutes of successfully creating the query logging configuration.

# Values that appear in VPC Resolver query logs

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

**version**  
The version number of the query log format. The current version is `1.1`.  
The version value is a major and minor version in the form **major_version.minor_version**. For example, you can have a `version` value of `1.7`, where `1` is the major version, and `7` is the minor version.  
Route 53 increments the major version if a change is made to the log structure that is not backward-compatible. This includes removing a JSON field that already exists, or changing how the contents of a field are represented (for example, a date format).  
Route 53 increments the minor version if a change adds new fields to the log file. This can occur if new information is available for some or all existing DNS queries within a VPC.

**account_id**  
The ID of the AWS account that created the VPC.

**region**  
The AWS Region that you created the VPC in.

**vpc_id**  
The ID of the VPC that the query originated in.

**query_timestamp**  
The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC), for example, `2017-03-16T19:20:177Z`.   
For information about ISO 8601 format, see the Wikipedia article [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601). For information about UTC, see the Wikipedia article [Coordinated Universal Time](https://en.wikipedia.org/wiki/Coordinated_Universal_Time).

**query_name**  
The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.

**query_type**  
Either the DNS record type that was specified in the request, or `ANY`. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**query_class**  
The class of the query.

**rcode**  
The DNS response code that VPC Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is `NOERROR`, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see [DNS RCODEs](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) on the IANA website.

**answer_type**  
The DNS record type (such as A, MX, or CNAME) of the value that VPC Resolver is returning in response to the query. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**rdata**  
The value that VPC Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record. 

**answer_class**  
The class of the VPC Resolver response to the query.

**srcaddr**  
IP address of the host that originated the query. 

**srcport**  
The port on the instance that the query originated from.

**transport**  
The protocol used to submit the DNS query.

**srcids**  
IDs of the `instance`, `resolver_endpoint`, and the `resolver_network_interface` that the DNS query originated from or passed through.

**instance**  
The ID of the instance that the query originated from.  
If you see an instance ID in Route 53 VPC Resolver query logs that is not visible in your account, the DNS query might have originated from AWS CloudShell, AWS Lambda, Amazon EKS, or the Fargate console that you used.

**resolver_endpoint**  
The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.  
If you have CNAME records that chain across different forwarding rules using different resolver endpoints, query logs show only the ID of the last resolver endpoint used in the chain. To trace the complete resolution path through multiple endpoints, you can correlate logs across different query logging configurations.

**firewall_rule_group_id**  
The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.  
For more information about the firewall rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).

**firewall_rule_action**  
The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**firewall_domain_list_id**  
The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**additional_properties**  
Additional information about the log delivery events. **is_delayed**: Indicates whether there was a delay in delivering the logs.

# Route 53 VPC Resolver query log example

Here's a resolver query log example:

```json
{
    "srcaddr": "4.5.64.102",
    "vpc_id": "vpc-7example",
    "answers": [
        {
            "Rdata": "203.0.113.9",
            "Type": "PTR",
            "Class": "IN"
        }
    ],
    "firewall_rule_group_id": "rslvr-frg-01234567890abcdef",
    "firewall_rule_action": "BLOCK",
    "query_name": "15.3.4.32.in-addr.arpa.",
    "firewall_domain_list_id": "rslvr-fdl-01234567890abcdef",
    "query_class": "IN",
    "srcids": {
        "instance": "i-0d15cd0d3example"
    },
    "rcode": "NOERROR",
    "query_type": "PTR",
    "transport": "UDP",
    "version": "1.100000",
    "account_id": "111122223333",
    "srcport": "56067",
    "query_timestamp": "2021-02-04T17:51:55Z",
    "region": "us-east-1"
}
```
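As an added example (not code from the Route 53 documentation), the following Python parses query log records in the layout above as JSON lines, applies the major/minor version rule from the field descriptions (records from an unknown major version are skipped rather than misread), and tallies response codes and DNS Firewall actions per originating source. All record values, including the `2.0` record, are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample records (not real log data), in the layout of the example above.
_RECORDS = [
    {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
     "vpc_id": "vpc-7example", "query_timestamp": "2021-02-04T17:51:55Z", "query_name": "example.com.",
     "query_type": "A", "query_class": "IN", "rcode": "NOERROR", "transport": "UDP",
     "answers": [{"Rdata": "203.0.113.9", "Type": "A", "Class": "IN"}],
     "srcaddr": "10.0.1.20", "srcport": "40001", "srcids": {"instance": "i-0d15cd0d3example"}},
    {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
     "vpc_id": "vpc-7example", "query_timestamp": "2021-02-04T17:52:01Z", "query_name": "nosuchhost.example.com.",
     "query_type": "A", "query_class": "IN", "rcode": "NXDOMAIN", "transport": "UDP", "answers": [],
     "srcaddr": "10.0.1.20", "srcport": "40002", "srcids": {"instance": "i-0d15cd0d3example"}},
    {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
     "vpc_id": "vpc-7example", "query_timestamp": "2021-02-04T17:52:09Z", "query_name": "blocked.example.net.",
     "query_type": "A", "query_class": "IN", "rcode": "NOERROR", "transport": "UDP", "answers": [],
     "srcaddr": "10.0.1.20", "srcport": "40003", "srcids": {"instance": "i-0d15cd0d3example"},
     "firewall_rule_group_id": "rslvr-frg-01234567890abcdef", "firewall_rule_action": "BLOCK",
     "firewall_domain_list_id": "rslvr-fdl-01234567890abcdef"},
    # Hypothetical future record after a non-backward-compatible major version bump.
    {"version": "2.0", "account_id": "111122223333", "region": "us-east-1", "vpc_id": "vpc-7example",
     "query_timestamp": "2021-02-04T17:53:00Z", "query_name": "example.org.", "rcode": "NOERROR",
     "srcaddr": "10.0.1.21"},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _RECORDS]


def parse_version(version):
    """Split the 'major.minor' version string into integers."""
    major, minor = version.split(".", 1)
    return int(major), int(minor)


def summarize(lines, supported_major=1):
    """Parse JSON-lines query logs, skip records whose major version this parser does not
    understand, and tally rcodes and DNS Firewall actions per source (instance ID, else srcaddr)."""
    out = {"skipped": 0, "rcodes": Counter(), "firewall": Counter(), "blocked": []}
    for line in lines:
        rec = json.loads(line)
        if parse_version(rec["version"])[0] != supported_major:
            out["skipped"] += 1  # do not guess at the fields of an incompatible format
            continue
        src = rec.get("srcids", {}).get("instance") or rec["srcaddr"]
        out["rcodes"][(src, rec["rcode"])] += 1
        action = rec.get("firewall_rule_action")  # present only for alert/block matches
        if action:
            out["firewall"][(src, action)] += 1
            if action == "BLOCK":
                out["blocked"].append((src, rec["query_name"], rec["firewall_rule_group_id"]))
    return out
```

The same `summarize` function works unchanged on a file of real records read line by line, because each log entry is one JSON object.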

# Sharing Resolver query logging configurations with other AWS accounts

You can share the query logging configurations that you created using one AWS account with other AWS accounts. To share configurations, the Route 53 VPC Resolver console integrates with AWS Resource Access Manager. For more information about Resource Access Manager, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Note the following:

**Associating VPCs with shared query logging configurations**  
If another AWS account has shared one or more configurations with your account, you can associate VPCs with the configuration the same way that you associate VPCs with configurations that you created.

**Deleting or unsharing a configuration**  
If you share a configuration with other accounts and then either delete the configuration or stop sharing it, and if one or more VPCs were associated with the configuration, Route 53 VPC Resolver stops logging DNS queries that originate in those VPCs.

**Maximum number of query logging configurations and VPCs that can be associated with a config**  
When an account creates a configuration and shares it with one or more other accounts, the maximum number of VPCs that can be associated with the configuration is applied per account. For example, if you have 10,000 accounts in your organization, you can create the query logging configuration in the central account and share it with the organization accounts via AWS RAM. The organization accounts then associate the configuration with their VPCs, and those associations count against each account's per-Region limit of 100 query logging configuration VPC associations. However, if all the VPCs are in a single account, that account's service limits might need to be increased.  
For current VPC Resolver quotas, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver).

**Permissions**  
To share a query logging configuration with another AWS account, you must have permission to use the [PutResolverQueryLogConfigPolicy](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_PutResolverQueryLogConfigPolicy.html) action.

**Restrictions on the AWS account that a configuration is shared with**  
The account that a configuration is shared with can't change or delete the configuration.

**Tagging**  
Only the account that created a configuration can add, delete, or see tags on the configuration.

To view the current sharing status of a query logging configuration (including the account that shared the configuration or the account that a configuration is shared with), and to share configurations with another account, perform the following procedure.<a name="resolver-rules-managing-sharing-procedure"></a>

**To view sharing status and share query logging configurations with another AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Query Logging**.

1. On the navigation bar, choose the Region where you created the configuration.

   The **Sharing status** column shows the current sharing status of configurations that were created by the current account or that are shared with the current account:
   + **Not shared**: The current AWS account created the configuration, and the configuration is not shared with any other accounts.
   + **Shared by me**: The current account created the configuration and shared it with one or more accounts.
   + **Shared with me**: Another account created the configuration and shared it with the current account.

1. Choose the name of the configuration that you want to display sharing information for or that you want to share with another account.

   On the page for the configuration, the value under **Owner** displays the ID of the account that created the configuration. That's the current account unless the value of **Sharing status** is **Shared with me**. In that case, **Owner** is the account that created the configuration and shared it with the current account.

   The sharing status is also displayed.

1. Choose **Share configuration** to open the AWS RAM console.

1. To create a resource share, follow the steps in [Creating a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM user guide*.
**Note**  
You can't update sharing settings. If you want to change any of the sharing settings, you must reshare the configuration with the new settings and then remove the old sharing settings.