[Last Week in AWS Extras]: Everything You Need to Know about Route 53 Resolver Query Logging

This email isn't, contrary to popular opinion, reaching you late today. Rather, it was embargoed until AWS announced a new feature themselves. It's generally a poor idea to steal their thunder!

Last week I talked about using Route 53 as a database. That was in preparation for this email, in which I talk about how you can now get far better query logs from your misconceived database.

As always, should you wish to link someone else to this post, you can forward it, or else view it on the web.


Trend Micro Cloud One. It’s a security services platform for organizations building in the cloud. It’s also an automated, flexible, all-in-one solution to protect workflows and containers with cloud-native security. But to you... it’s more time to focus on what you do best— building great applications. Learn more Sponsored


Everything You Need to Know about Route 53 Resolver Query Logging

I’ve long been a fan of Amazon’s premier database, Route 53, but its analytics have had something of a flaw. You’ve been able to see query logs for hosted zones for a while, but what about when you access other DNS “databases”? Today, Amazon has released a new query logging functionality that helps you understand your access patterns much better. More prosaically, they let you meet a raft of compliance requirements should you lack imagination and use the service as a mere DNS service instead of a database. Simply put, when enabled for a VPC, you’ll be able to see which resources inside of that VPC have made DNS queries, as well as what the results were. If you’re enabling this for compliance purposes, you’re going to want to block outbound access to the greater internet for both TCP and UDP port 53 from the VPCs or subnets you wish to log queries for. Otherwise, there’s a gaping hole for non-logged queries to pass through.Let’s dive into the mechanics of how this new feature works.

Getting started

It starts with a new option hanging out in the left-hand menu bar, labeled “Query logging.”


[[Enable images to see this image]]


Note that if you haven’t set up Route 53 Resolver, it’ll instead display a first-time wizard that implies you’ll need a pair of endpoints to enable said resolver. This is incorrect; those things cost money, and query logging can be enabled for no additional fees on top of whatever logging service you use. [[Enable images to see this query logging configuration image]]

Configure query logging

From there, you’re prompted to configure query logging, as you’ve presumably been running your database blind until this point. When you click the Glowing Orange AWS Button of Doom, you’re first prompted to give it a “friendly name.” Today, we learn that “friendly names” have no whitespace, special characters, nor may they exceed a particular length—which means that different people interpret friendship very differently.[[Enable images to see this image of query logging configuration - entering a friendly name]]

Where will your logs live?

Next, you’re given three choices as to where you want those logs to reside, with a variety of tradeoffs that aren’t really presented. Let’s address each of these options one by one. [[Enable images to see this image of cloudWatch Logs log group for Query logs destination]]For CloudWatch Logs, you’ll be charged the princely sum of 50¢ per GB ingested, then a much more reasonable 3¢ per GB/month that the data is stored. Note that there’s no great way using this option to record the logs in a different account; this alone may mean this option isn’t on the table for some organizations.[[Enable images to see this image of S3 bucket for Query logs destination]]Our second option is an S3 bucket, AWS’s combination secure data storage/static website/ perpetual data breach root cause service. Easily configured cross-account, this queues any logging until either five minutes have elapsed or 75 MB of data have been gathered—whichever comes first. Then, it writes that data to your target bucket. This pause may or may not work for your various use cases, so you should be aware that it exists. [[Enable images to see this image of Amazon Kinesis Data Firehose for Query logs destination]]The third and most flexible option is via Amazon Kinesis Data Firehose. If you’re looking to have a cross-account story or else integrate into a pre-existing log analysis system, this is your answer. The pricing here is highly variable and murky. In the usual U.S. regions, the pricing is 2.9¢ per GB ingested, an additional 1.8¢ per GB converted via Kinesis’s basic ETL capabilities (Parquet or ORC format output, specifically), then another 1¢ if you’re delivering it cross-AZ or cross-VPC. And then, of course, whatever the destination system (ELK? Splunk? Some monstrosity you’ve decided to EC2-it-yourself?) charges you for its own ingest / storage. [[Enable images to see this image of adding a VPC to log queries]]

Assign the query logging configuration to a VPC

Next, you get to assign the query logging configuration to one or more VPCs. This should be fairly straightforward and require not much in the way of context. If you don’t see the VPC you’re expecting to see, great--you’re either in the wrong account or the wrong region; go back and start over at the very beginning. [[Enable images to see this image]]Once you apply the configuration, you’ll start to see logging show up—both for what was queried as well as what results were returned. I want to highlight a few things here.First, the source account ID, region, and VPC are handy for localizing logs. But what’s really useful, from my perspective, is the source address as well as the source ID. Combined with other logging analytics facilities, this can help isolate query logs to specific instances—even ephemeral instances that may no longer exist. Secondly, this is not bound merely to EC2 instances. Fargate containers and Lambda functions inside of this VPC would also be logged, as would RDS instances that for some godforsaken reason were configured to resolve and then establish outbound connections. (Note: This is actually possible but almost universally condemned.)

So what?

This concludes the how of configuring Route 53 query logging. But why would someone care? I have two use cases that are relevant.The first and less exciting is troubleshooting strange behaviors. If you’re seeing strange operational issues (particularly with ephemeral resources—and heaven help you if the issues are intermittent!), then being able to see what’s being asked and answered at a DNS level is very helpful. The second, which is far more interesting to most folks, is of course security: better known as “that thing you attest is your number one priority right after it’s been very publicly demonstrated to be an afterthought.” I’ve mentioned above how I abuse DNS as a database. But other folks misuse it as a means of data exfiltration. Without seeing what queries your systems are making and responses they’re receiving, it’s very hard to detect this method of abuse. Fortunately, compared to normal traffic on a constrained application, this type of DNS query traffic tends to stick out rather significantly. In some shops, the lack of query logs has been a blocker to adopting Route 53 resolver. Without a viable and robust query logging capability, the strength of that compliance attestation rests on companies disabling Route 53’s resolution capability and instead running their own—a situation nobody wants.Lastly, it’s great to be able to see exactly what my database queries look like. Now all I need is far more granular timestamp data so I can start doing database query latency analysis in my spare time.


How do you separate observability hype from the functionality your team really needs? Check out our buyer’s guide and learn how to evaluate an observability tool, understand why observability goes beyond the traditional tools you use today, and how Honeycomb is leading the charge.Or sign up today and try Honeycomb for free. Guess less and know more. Sponsored

 
Corey

I’m Corey Quinn

I help companies address their horrifying AWS bills by both reducing the dollars spent and helping them understanding what they’re paying for.

 
 
The Cloud

Screaming in the Cloud & AWS Morning Brief

In addition to this newsletter, I host two podcasts: Screaming in the Cloud, about the business of cloud computing, featuring me talking to folks who are good at things; and AWS Morning Brief, a show about exclusively AWS with my snark at full-tilt.

 
 
The Cloud

Sponsor an Issue

Reach over 19,000 discerning engineers, managers, and enthusiasts who actually care about the state of Amazon's cloud ecosystems.

 



Want to skip these Last Week in AWS Extras? Click here and you won't receive these Wednesday dispatches anymore.

To make sure you keep getting these emails, please add corey@lastweekinaws.com to your address book or otherwise mark me as a permitted sender.

Want out of the loop completely? Click here to tell me to leave you alone.

 

Duckbill Group

1728 Ocean Ave #307, San Francisco, CA 94112

 
                                                           

Older messages

[Last Week in AWS] Issue #176: Comfortably Spit a Rat

Monday, August 24, 2020

Good Morning! Welcome to issue 176 of Last Week in AWS. A relatively uneventful week in AWS releases; they're apparently saving them all up for re:Invent (AWS's own version of Cloud Next) in

[Last Week in AWS Extras]: Cloud Repatriation Isn't a Thing

Wednesday, August 19, 2020

I've seen a few articles lately about "Cloud Repatriation" as if this were a real thing that serious companies actually considered. A cursory search revealed that nobody was talking about

[Last Week in AWS] Issue #175: AWS Observerless Now GA

Monday, August 17, 2020

Good Morning! So, a few things to highlight this week. First, we've heard that re:Invent (AWS's own version of Cloud Next) is going to be an 18-day online monstrosity this year--but what we

[Last Week in AWS Extras]: Multi-Cloud is the Worst Practice

Wednesday, August 12, 2020

One interesting aspect of our work in fixing the horrifying AWS bill is that we inadvertently stumble into the midst of various organizations' disaster recovery plans. "Turn off the DR site

[Last Week in AWS] Issue #174: Don't Hate the Player; Hate the Name

Monday, August 10, 2020

Good Morning! Welcome to issue 174 of Last Week in AWS. Last week featured me on Twitter answering questions about public speaking and sharing ancient sysadmin wisdom from the ancient sysadmin times.

You Might Also Like

Daily Coding Problem: Problem #1647 [Medium]

Tuesday, December 24, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Square. In front of you is a row of N coins, with values v 1 , v 1 , ..., v n . You are

Sentiment Analysis, Topological Sort, Web Security, and More

Tuesday, December 24, 2024

Exploring Modern Sentiment Analysis Approaches in Python #661 – DECEMBER 24, 2024 VIEW IN BROWSER The PyCoder's Weekly Logo Exploring Modern Sentiment Analysis Approaches in Python What are the

🤫 Do Not Disturb Mode Is My Secret to Sanity — 8 Gadgets I Want To See Nintendo Make

Tuesday, December 24, 2024

Also: The Best Christmas Movies to Watch on Netflix, and More! How-To Geek Logo December 24, 2024 Did You Know Their association with the Christmas season might make you think poinsettias hail from a

😱 AzureEdge.net DNS Retiring Jan. 2025, 🚀 Microsoft Phi-4 AI Outperforms, 🔒 Microsoft Secure Future Initiative

Tuesday, December 24, 2024

Blog | Advertise | View Online Your trusted source for Cloud, AI and DevOps guidance with industry expert Chris Pietschmann! Phi-4: Microsoft's New Small Language Model Outperforms Giants in AI

Mapped | The Top Health Insurance Companies by State 🏥

Tuesday, December 24, 2024

In 13 US states, a single company dominates the health insurance market, holding at least half of the total market share. View Online | Subscribe | Download Our App Presented by: Global X ETFs Power

The Stanford Grad Who Forgot How To Think

Tuesday, December 24, 2024

Top Tech Content sent at Noon! Boost Your Article on HackerNoon for $159.99! Read this email in your browser How are you, @newsletterest1? 🪐 What's happening in tech today, December 24, 2024? The

The next big HDMI leap is coming

Tuesday, December 24, 2024

Sora side hustles; Casio's tiny watch comes to the US -- ZDNET ZDNET Tech Today - US December 24, 2024 Ecovacs Deebot T30S Combo robot vacuum and mop The next big HDMI leap is coming next month -

⚙️ Robo-suits

Tuesday, December 24, 2024

Plus: The data center energy surge ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

Tuesday, December 24, 2024

THN Daily Updates Newsletter cover The Data Science Handbook, 2nd Edition ($60.00 Value) FREE for a Limited Time Practical, accessible guide to becoming a data scientist, updated to include the latest

Edge 459: Quantization Plus Distillation

Tuesday, December 24, 2024

Some insights into quantized distillation ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏ ͏