Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Values that appear in Resolver query logs

PDF
RSS
Focus mode
Values that appear in Resolver query logs - Amazon Route 53

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

version

The version number of the query log format. The current version is 1.1.

The version value is a major and minor version in the form major_version.minor_version. For example, you can have a version value of 1.7, where 1 is the major version, and 7 is the minor version.

Route 53 increments the major version if a change is made to the log structure that is not backward-compatible. This includes removing a JSON field that already exists, or changing how the contents of a field are represented (for example, a date format).

Route 53 increments the minor version if a change adds new fields to the log file. This can occur if new information is available for some or all existing DNS queries within a VPC.

account_id

The ID of the AWS account that created the VPC.

region

The AWS Region that you created the VPC in.

vpc_id

The ID of the VPC that the query originated in.

query_timestamp

The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC), for example, 2017-03-16T19:20:177Z.

For information about ISO 8601 format, see the Wikipedia article ISO 8601. For information about UTC, see the Wikipedia article Coordinated Universal Time.

query_name

The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.

query_type

Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports, see Supported DNS record types.

query_class

The class of the query.

rcode

The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website.

answer_type

The DNS record type (such as A, MX, or CNAME) of the value that Resolver is returning in response to the query. For information about the types that Route 53 supports, see Supported DNS record types.

rdata

The value that Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record.

answer_class

The class of the Resolver response to the query.

srcaddr

The IP address of the instance that the query originated from.

srcport

The port on the instance that the query originated from.

transport

The protocol used to submit the DNS query.

srcids

IDs of the instance, resolver_endpoint, and the resolver_network_interface that the DNS query originated from or passed through.

instance

The ID of the instance that the query originated from.

Note

If you see an instance ID in Amazon Route 53 Resolver query logs which is not visible in your account, it might be because the DNS query originated from either AWS CloudShell, AWS Lambda, Amazon EKS, or Fargate console, which was used by you.

resolver_endpoint

The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.

firewall_rule_group_id

The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

For more information about the firewall rule groups, see DNS Firewall rule groups and rules.

firewall_rule_action

The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

firewall_domain_list_id

The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

additional_properties

Additional information of the log delivery events. is_delayed: If there is a delay in delivering the logs.

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.