

# Resolver query logging
<a name="resolver-query-logs"></a>

You can log the following DNS queries: 
+ Queries that originate in Amazon Virtual Private Cloud VPCs that you specify, as well as the responses to those DNS queries.
+ Queries from on-premises resources that use an inbound Resolver endpoint.
+ Queries that use an outbound Resolver endpoint for recursive DNS resolution.
+ Queries that use Resolver DNS Firewall rules to block, allow, or monitor domain lists.

VPC Resolver query logs include values such as the following:
+ The AWS Region where the VPC was created
+ The ID of the VPC that the query originated from
+ The IP address of the instance that the query originated from
+ The instance ID of the resource that the query originated from
+ The date and time that the query was first made
+ The DNS name requested (such as prod.example.com)
+ The DNS record type (such as A or AAAA)
+ The DNS response code, such as `NoError` or `ServFail`
+ The DNS response data, such as the IP address that is returned in response to the DNS query
+ A response to a DNS Firewall rule action

For a detailed list of all of the values logged and an example, see [Values that appear in VPC Resolver query logs](resolver-query-logs-format.md).

**Note**  
As is standard for DNS resolvers, resolvers cache DNS queries for a length of time determined by the time-to-live (TTL) for the resolver. The Route 53 VPC Resolver caches queries that originate in your VPCs, and responds from the cache whenever possible to speed up responses. VPC Resolver query logging logs only unique queries, not queries that VPC Resolver is able to respond to from the cache.  
For example, suppose that an EC2 instance in one of the VPCs that a query logging configuration is logging queries for, submits a request for accounting.example.com. VPC Resolver caches the response to that query, and logs the query. If the same instance’s elastic network interface makes a query for accounting.example.com within the TTL of the VPC Resolver’s cache, VPC Resolver responds to the query from the cache. The second query is not logged.

You can send the logs to one of the following AWS resources: 
+ Amazon CloudWatch Logs (CloudWatch Logs) log group
+ Amazon S3 (S3) bucket
+ Firehose delivery stream

For more information, see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).

**Topics**
+ [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md)
+ [Managing Resolver query logging configurations](resolver-query-logging-configurations-managing.md)

# AWS resources that you can send VPC Resolver query logs to
<a name="resolver-query-logs-choosing-target-resource"></a>

**Note**  
If you expect to log queries for workloads with high queries per second (QPS), you should use Amazon S3 to ensure your query logs are not throttled when written to your destination. If you use Amazon CloudWatch, you can increase your requests per second limit for the `PutLogEvents` operation. To learn more about increasing your CloudWatch limits, see [CloudWatch Logs quotas](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/cloudwatch_limits_cwl.html) in the *Amazon CloudWatch User Guide*.

You can send VPC Resolver query logs to the following AWS resources:

**Amazon CloudWatch Logs (CloudWatch Logs) log group**  
You can analyze logs with Logs Insights and create metrics and alarms.  
For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).

**Amazon S3 (S3) bucket**  
An S3 bucket is economical for long-term log archiving. Latency is typically higher.  
All S3 server-side encryption options are supported. For more information, see [Protecting data with server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) in the *Amazon S3 User Guide*.  
If you choose Server-Side Encryption with AWS KMS Keys (SSE-KMS), you must update the key policy for your customer managed key so that the log delivery account can write to your Amazon S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-S3.html#AWS-logs-SSE-KMS-S3-V2) in the *Amazon CloudWatch User Guide*.  
If the S3 bucket is in an account that you own, the required permissions are automatically added to your bucket policy. If you want to send logs to an S3 bucket in an account that you don't own, the owner of the S3 bucket must add permissions for your account in their bucket policy. For example:  

```
{
    "Version": "2012-10-17",
    "Id": "CrossAccountAccess",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your_bucket_name/AWSLogs/your_caller_account/*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::your_bucket_name"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "iam_user_arn_or_account_number_for_root"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::your_bucket_name"
        }
    ]
}
```
If you want to store logs in a central S3 bucket for your organization, we recommend that you set up your query logging configuration from a centralized account (with the necessary permissions to write to the central bucket) and use [AWS RAM](query-logging-configurations-managing-sharing.md) to share the configuration across accounts.
For more information, see the [Amazon Simple Storage Service User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/).
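The cross-account bucket policy above is easy to get wrong in either direction: a missing statement silently stops delivery, while a `s3:PutObject` grant wider than `AWSLogs/<account>/` lets the delivery service write anywhere in the bucket. The following checker is an added example, not code from this guide; the bucket name, account ID and policies it uses are constructed, and the principal and statement shapes are taken from the policy shown on this page.

```python
"""Validate an S3 bucket policy for cross-account Resolver query log delivery.
Added example, not code from the Route 53 guide: it checks for the two
delivery-service grants the page lists and flags anything broader."""
import json

# Service principal that writes Resolver query logs to S3 (from the page's policy).
LOG_DELIVERY = "delivery.logs.amazonaws.com"


def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _allows(stmt, service, action, resource):
    """True if an Allow statement grants action on resource to the service principal."""
    prin = stmt.get("Principal")
    services = _as_list(prin.get("Service", [])) if isinstance(prin, dict) else []
    return (stmt.get("Effect") == "Allow" and service in services
            and action in _as_list(stmt.get("Action", []))
            and resource in _as_list(stmt.get("Resource", [])))


def check_delivery_policy(policy_json, bucket, caller_account):
    """Return a list of problems; empty means the policy has exactly the grants
    the guide requires, scoped to AWSLogs/<caller_account>/ in the bucket."""
    stmts = json.loads(policy_json).get("Statement", [])
    bucket_arn = f"arn:aws:s3:::{bucket}"
    put_resource = f"{bucket_arn}/AWSLogs/{caller_account}/*"
    problems = []
    if not any(_allows(s, LOG_DELIVERY, "s3:PutObject", put_resource) for s in stmts):
        problems.append(f"missing s3:PutObject for {LOG_DELIVERY} on {put_resource}")
    if not any(_allows(s, LOG_DELIVERY, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        problems.append(f"missing s3:GetBucketAcl for {LOG_DELIVERY} on {bucket_arn}")
    for s in stmts:
        if s.get("Effect") != "Allow" or "s3:PutObject" not in _as_list(s.get("Action", [])):
            continue
        prin = s.get("Principal")
        if prin == "*" or (isinstance(prin, dict) and "*" in _as_list(prin.get("AWS", []))):
            problems.append("s3:PutObject granted to a wildcard principal")
        for res in _as_list(s.get("Resource", [])):
            # A PutObject grant outside AWSLogs/<account>/ lets the delivery service
            # write anywhere in the bucket, on behalf of any account.
            if res.startswith(bucket_arn + "/") and not res.startswith(bucket_arn + "/AWSLogs/"):
                problems.append(f"over-broad s3:PutObject resource: {res}")
    return problems


# Constructed sample: the policy shape shown on this page with the placeholders filled in.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::central-dns-logs/AWSLogs/111122223333/*"},
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY}, "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::central-dns-logs"},
    ],
})
# Constructed sample with the PutObject grant widened to the whole bucket.
BROAD_POLICY = GOOD_POLICY.replace("/AWSLogs/111122223333/*", "/*")

if __name__ == "__main__":
    print(check_delivery_policy(GOOD_POLICY, "central-dns-logs", "111122223333"))   # []
    print(check_delivery_policy(BROAD_POLICY, "central-dns-logs", "111122223333"))
```

The third statement in the page's policy (`s3:ListBucket` for your own principal) is not checked here because it is for your administrators, not for the delivery service.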

**Firehose delivery stream**  
You can stream logs in real time to Amazon OpenSearch Service, Amazon Redshift, or other applications.  
For more information, see the [Amazon Data Firehose Developer Guide](https://docs.aws.amazon.com/firehose/latest/dev/).

For information about the pricing for Resolver query logging, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/).

CloudWatch Vended Logs charges apply when using VPC Resolver logs, even when logs are published directly to Amazon S3. For more information, see [*Logs pricing* at Amazon CloudWatch pricing](https://aws.amazon.com//cloudwatch/pricing/#Vended_Logs).

# Managing Resolver query logging configurations
<a name="resolver-query-logging-configurations-managing"></a>

## Configuring (VPC Resolver query logging)
<a name="resolver-query-logs-configuring"></a>

You can configure VPC Resolver query logging in two ways:
+ **Direct VPC association** - Associate VPCs directly to a query logging configuration.
+ **Profile association** - Associate a query logging configuration to a Route 53 Profile, which applies the logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).

To start logging DNS queries that originate in your VPCs, you perform the following tasks in the Amazon Route 53 console:<a name="resolver-query-logs-configuring-procedure"></a>

**To configure Resolver query logging**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. Expand the Route 53 console menu. In the upper left corner of the console, choose the three horizontal bars (![\[Menu icon\]](http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/images/menu-icon.png)) icon.

1. Within the Resolver menu, choose **Query logging**.

1. In the Region selector, choose the AWS Region where you want to create the query logging configuration. This must be the same Region where you created the VPCs that you want to log DNS queries for. If you have VPCs in multiple Regions, you must create at least one query logging configuration for each Region.

1. Choose **Configure query logging**.

1. Specify the following values:  
**Query logging configuration name**  
Enter a name for your query logging configuration. The name appears in the console in the list of query logging configurations. Enter a name that will help you find this configuration later.  
**Query logs destination**  
Choose the type of AWS resource that you want VPC Resolver to send query logs to. For information about how to choose among the options (CloudWatch Logs log group, S3 bucket, and Firehose delivery stream), see [AWS resources that you can send VPC Resolver query logs to](resolver-query-logs-choosing-target-resource.md).  
After you choose the type of resource, you can either create another resource of that type or choose an existing resource that was created by the current AWS account.  
You can choose only resources that were created in the AWS Region that you chose in step 4, the Region where you're creating the query logging configuration. If you choose to create a new resource, that resource will be created in the same Region.  
**VPCs to log queries for**  
This query logging configuration will log DNS queries that originate in the VPCs that you choose. Check the check box for each VPC in the current Region that you want VPC Resolver to log queries for, then choose **Choose**.  
**Alternative**: Instead of associating VPCs directly, you can associate this query logging configuration to a Route 53 Profile, which will apply logging to all VPCs associated with that Profile. For more information, see [Associate VPC Resolver query logging configurations to a Route 53 Profile](profile-associate-query-logging.md).  
VPC log delivery can be enabled only once for a specific destination type. The logs can't be delivered to multiple destinations of the same type, for example, VPC logs can't be delivered to 2 Amazon S3 destinations.

1. Choose **Configure query logging**.

**Note**  
You should start to see DNS queries made by resources in your VPC in the logs within a few minutes of successfully creating the query logging configuration.

# Values that appear in VPC Resolver query logs
<a name="resolver-query-logs-format"></a>

Each log file contains one log entry for each DNS query that Amazon Route 53 received from DNS resolvers in the corresponding edge location. Each log entry includes the following values:

**version**  
The version number of the query log format. The current version is `1.1`.  
The version value is a major and minor version in the form **major_version.minor_version**. For example, you can have a `version` value of `1.7`, where `1` is the major version, and `7` is the minor version.  
Route 53 increments the major version if a change is made to the log structure that is not backward-compatible. This includes removing a JSON field that already exists, or changing how the contents of a field are represented (for example, a date format).  
Route 53 increments the minor version if a change adds new fields to the log file. This can occur if new information is available for some or all existing DNS queries within a VPC.

**account_id**  
The ID of the AWS account that created the VPC.

**region**  
The AWS Region that you created the VPC in.

**vpc_id**  
The ID of the VPC that the query originated in.

**query_timestamp**  
The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC), for example, `2017-03-16T19:20:177Z`.   
For information about ISO 8601 format, see the Wikipedia article [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601). For information about UTC, see the Wikipedia article [Coordinated Universal Time](https://en.wikipedia.org/wiki/Coordinated_Universal_Time).

**query_name**  
The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.

**query_type**  
Either the DNS record type that was specified in the request, or `ANY`. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**query_class**  
The class of the query.

**rcode**  
The DNS response code that VPC Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is `NOERROR`, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see [DNS RCODEs](https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6) on the IANA website.

**answer_type**  
The DNS record type (such as A, MX, or CNAME) of the value that VPC Resolver is returning in response to the query. For information about the types that Route 53 supports, see [Supported DNS record types](ResourceRecordTypes.md).

**rdata**  
The value that VPC Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record. 

**answer_class**  
The class of the VPC Resolver response to the query.

**srcaddr**  
IP address of the host that originated the query. 

**srcport**  
The port on the instance that the query originated from.

**transport**  
The protocol used to submit the DNS query.

**srcids**  
IDs of the `instance`, `resolver_endpoint`, and the `resolver_network_interface` that the DNS query originated from or passed through.

**instance**  
The ID of the instance that the query originated from.  
If you see an instance ID in Route 53 VPC Resolver query logs that is not visible in your account, the DNS query might have originated from AWS CloudShell, AWS Lambda, Amazon EKS, or the Fargate console that you used.

**resolver_endpoint**  
The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.  
If you have CNAME records that chain across different forwarding rules using different resolver endpoints, query logs show only the ID of the last resolver endpoint used in the chain. To trace the complete resolution path through multiple endpoints, you can correlate logs across different query logging configurations.

**firewall_rule_group_id**  
The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.  
For more information about the firewall rule groups, see [DNS Firewall rule groups and rules](resolver-dns-firewall-rule-groups.md).

**firewall_rule_action**  
The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**firewall_domain_list_id**  
The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.

**additional_properties**  
Additional information about the log delivery event. **is_delayed**: whether there was a delay in delivering the log.

# Route 53 VPC Resolver query log example
<a name="resolver-query-logs-example-json"></a>

Here's a resolver query log example:

```
{
    "srcaddr": "4.5.64.102",
    "vpc_id": "vpc-7example",
    "answers": [
        {
            "Rdata": "203.0.113.9",
            "Type": "PTR",
            "Class": "IN"
        }
    ],
    "firewall_rule_group_id": "rslvr-frg-01234567890abcdef",
    "firewall_rule_action": "BLOCK",
    "query_name": "15.3.4.32.in-addr.arpa.",
    "firewall_domain_list_id": "rslvr-fdl-01234567890abcdef",
    "query_class": "IN",
    "srcids": {
        "instance": "i-0d15cd0d3example"
    },
    "rcode": "NOERROR",
    "query_type": "PTR",
    "transport": "UDP",
    "version": "1.100000",
    "account_id": "111122223333",
    "srcport": "56067",
    "query_timestamp": "2021-02-04T17:51:55Z",
    "region": "us-east-1"
}
```
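Once the logs are delivered, the fields listed above are what a defender actually works with: `srcids`, `rcode`, and the `firewall_*` fields. The summariser below is an added example, not AWS code; it reads records in the JSON shape of the example above, one object per line. The sample log it runs over is constructed, and the assumption that `additional_properties.is_delayed` is a JSON boolean is mine, not stated by the page.

```python
"""Summarise Route 53 Resolver query log records delivered as one JSON object per line.
Added example, not AWS code. Field names follow this page's format section; the
additional_properties.is_delayed field being a boolean is an assumption."""
import json
from collections import Counter


def parse_records(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise(records):
    """Counters a defender reviews: volume and NXDOMAIN per source, DNS Firewall
    hits per (action, domain list), endpoint traffic and delayed deliveries."""
    out = {"queries_by_source": Counter(), "nxdomain_by_source": Counter(),
           "firewall_hits": Counter(), "blocked_names": set(),
           "via_endpoint": Counter(), "delayed": 0}
    for r in records:
        srcids = r.get("srcids", {})
        # Queries through an inbound endpoint carry no instance ID; fall back to srcaddr.
        src = srcids.get("instance") or r.get("srcaddr")
        out["queries_by_source"][src] += 1
        if r.get("rcode") == "NXDOMAIN":
            out["nxdomain_by_source"][src] += 1
        action = r.get("firewall_rule_action")
        if action:
            out["firewall_hits"][(action, r.get("firewall_domain_list_id"))] += 1
            if action == "BLOCK":
                out["blocked_names"].add(r.get("query_name"))
        if srcids.get("resolver_endpoint"):
            out["via_endpoint"][srcids["resolver_endpoint"]] += 1
        if r.get("additional_properties", {}).get("is_delayed"):
            out["delayed"] += 1
    return out


def noisy_sources(summary, min_nxdomain):
    """Sources whose NXDOMAIN count reaches the threshold, highest first; a burst of
    NXDOMAIN from one instance is worth a look (misconfiguration or name guessing)."""
    hits = summary["nxdomain_by_source"]
    return sorted((s for s, n in hits.items() if n >= min_nxdomain), key=lambda s: -hits[s])


def _rec(**fields):
    base = {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
            "vpc_id": "vpc-7example", "query_type": "A", "query_class": "IN",
            "transport": "UDP", "rcode": "NOERROR", "srcport": "56067"}
    return json.dumps({**base, **fields})


# Constructed sample log: six records, not captured from a real account.
SAMPLE_LOG = "\n".join([
    _rec(srcids={"instance": "i-0aaaaexample"}, srcaddr="10.0.0.8", query_name="prod.example.com."),
    _rec(srcids={"instance": "i-0aaaaexample"}, srcaddr="10.0.0.8", query_name="bad.example.net.",
         firewall_rule_group_id="rslvr-frg-01234567890abcdef", firewall_rule_action="BLOCK",
         firewall_domain_list_id="rslvr-fdl-01234567890abcdef"),
    _rec(srcids={"instance": "i-0bbbbexample"}, srcaddr="10.0.0.9", query_name="a1.example.com.", rcode="NXDOMAIN"),
    _rec(srcids={"instance": "i-0bbbbexample"}, srcaddr="10.0.0.9", query_name="a2.example.com.", rcode="NXDOMAIN"),
    _rec(srcids={"instance": "i-0bbbbexample"}, srcaddr="10.0.0.9", query_name="a3.example.com.", rcode="NXDOMAIN"),
    _rec(srcids={"resolver_endpoint": "rslvr-in-example"}, srcaddr="192.0.2.10",
         query_name="prod.example.com.", additional_properties={"is_delayed": True}),
])
```

Run `summarise(parse_records(SAMPLE_LOG))` and then `noisy_sources(summary, 3)` to get the per-source counters and the one instance whose NXDOMAIN count crosses the threshold.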

# Sharing Resolver query logging configurations with other AWS accounts
<a name="query-logging-configurations-managing-sharing"></a>

You can share the query logging configurations that you created using one AWS account with other AWS accounts. To share configurations, the Route 53 VPC Resolver console integrates with AWS Resource Access Manager. For more information about Resource Access Manager, see the [Resource Access Manager User Guide](https://docs.aws.amazon.com/ram/latest/userguide/what-is.html).

Note the following:

**Associating VPCs with shared query logging configurations**  
If another AWS account has shared one or more configurations with your account, you can associate VPCs with the configuration the same way that you associate VPCs with configurations that you created.

**Deleting or unsharing a configuration**  
If you share a configuration with other accounts and then either delete the configuration or stop sharing it, and if one or more VPCs were associated with the configuration, Route 53 VPC Resolver stops logging DNS queries that originate in those VPCs.

**Maximum number of query logging configurations and VPCs that can be associated with a config**  
When an account creates a configuration and shares it with one or more other accounts, the maximum number of VPCs that can be associated with the configuration is applied per account. For example, if you have 10,000 accounts in your organization, you can create the query logging configuration in the central account and share it with the organization accounts through AWS RAM. The organization accounts then associate the configuration with their VPCs, and those associations count against each account's per-Region limit of 100 query logging configuration VPC associations. However, if all the VPCs are in a single account, that account's service limits might need to be increased.  
For current VPC Resolver quotas, see [Quotas on Route 53 VPC Resolver](DNSLimitations.md#limits-api-entities-resolver).

**Permissions**  
To share a query logging configuration with another AWS account, you must have permission to use the [PutResolverQueryLogConfigPolicy](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_PutResolverQueryLogConfigPolicy.html) action.

**Restrictions on the AWS account that a configuration is shared with**  
The account that a configuration is shared with can't change or delete the configuration.

**Tagging**  
Only the account that created a configuration can add, delete, or see tags on the configuration.

To view the current sharing status of a query logging configuration (including the account that shared the configuration or the account that it is shared with), and to share configurations with another account, perform the following procedure.<a name="resolver-rules-managing-sharing-procedure"></a>

**To view sharing status and share query logging configurations with another AWS account**

1. Sign in to the AWS Management Console and open the Route 53 console at [https://console.aws.amazon.com/route53/](https://console.aws.amazon.com/route53/).

1. In the navigation pane, choose **Query Logging**.

1. On the navigation bar, choose the Region where you created the query logging configuration.

   The **Sharing status** column shows the current sharing status of configurations that were created by the current account or that are shared with the current account:
   + **Not shared**: The current AWS account created the configuration, and the configuration is not shared with any other accounts.
   + **Shared by me**: The current account created the configuration and shared it with one or more accounts.
   + **Shared with me**: Another account created the configuration and shared it with the current account.

1. Choose the name of the configuration that you want to display sharing information for or that you want to share with another account.

   On the **Rule: *rule name*** page, the value under **Owner** displays the ID of the account that created the configuration. That's the current account unless the value of **Sharing status** is **Shared with me**. In that case, **Owner** is the account that created the configuration and shared it with the current account.

   The sharing status is also displayed.

1. Choose **Share configuration** to open the AWS RAM console.

1. To create a resource share, follow the steps in [Creating a resource share in AWS RAM](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-create.html) in the *AWS RAM User Guide*.
**Note**  
You can't update sharing settings. If you want to change any of the sharing settings, you must reshare the configuration with the new settings and then remove the old sharing settings.