DNS Logging and Monitoring – Domain Name Services – ANS-C01 Study Guide

DNS Logging and Monitoring

Amazon Web Services has integrated Route 53 into its management applications for ease of use and insight into its operations. Since all interactions with Route 53 are an API call behind the scenes, these records can be natively sent to CloudTrail for a record of activities and analysis. The CloudWatch monitoring service can be used to collect and graphically view metrics and trigger actions based on rules you configure.

With the growth of artificial intelligence, these DNS records can be scanned and their trends tracked to distinguish normal from abnormal usage. For example, the Redshift service can be used to analyze Route 53 records stored in S3 using standard SQL queries.

CloudTrail

Route 53 has native integration with CloudTrail for recording API calls made to Route 53 from the console, CLI, SDKs, and applications, and exporting those records to CloudTrail. API calls made to Route 53 by AWS users, roles, and services are captured and recorded in CloudTrail. If you create a trail in CloudTrail, all Route 53 API records can be stored in an S3 bucket for analysis, troubleshooting, and historical archives. Each record captures who made the request, what the requested domain name was, the source IP address, the date and time, and more. Since CloudTrail is enabled when you create your AWS account, Route 53 records DNS logs in event history by default. API access information can be collected globally from all AWS regions and stored in a single consolidated CloudTrail S3 bucket.
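The following is an added example, not code from the study guide or from AWS, showing how a defender might parse a CloudTrail log file delivered to S3 and pull out the Route 53 write calls (record-set changes, zone deletion, DNSSEC deactivation) together with the who, source IP, and time fields the text describes. The two records are constructed for the example; the field names inside `requestParameters` (`changeBatch`, `changes`, `resourceRecordSet`, `tTL`) are assumed to match CloudTrail's Route 53 entries and should be checked against a real trail before use.

```python
import json
from typing import Dict, List

# Constructed CloudTrail file (not real log data) shaped like the Route 53
# records CloudTrail delivers to S3: one hosted-zone change made by a role
# session, and one read-only lookup that should not be flagged.
SAMPLE_TRAIL = json.dumps({"Records": [
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/DnsAdmin/alice"},
        "eventTime": "2024-05-01T10:15:00Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ChangeResourceRecordSets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {            # assumed CloudTrail field layout
            "hostedZoneId": "Z0000000EXAMPLE",
            "changeBatch": {"changes": [
                {"action": "UPSERT",
                 "resourceRecordSet": {"name": "www.example.com.", "type": "A",
                                       "tTL": 60,
                                       "resourceRecords": [{"value": "203.0.113.9"}]}}]}},
    },
    {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "eventTime": "2024-05-01T10:16:30Z",
        "eventSource": "route53.amazonaws.com",
        "eventName": "ListResourceRecordSets",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.8",
        "requestParameters": {"hostedZoneId": "Z0000000EXAMPLE"},
    },
]})

# Route 53 API actions that change a hosted zone or its DNSSEC state.
# Read-only calls (List*, Get*) are deliberately left out.
WRITE_EVENTS = {
    "ChangeResourceRecordSets", "CreateHostedZone", "DeleteHostedZone",
    "DisableHostedZoneDNSSEC", "DeactivateKeySigningKey", "DeleteKeySigningKey",
}


def route53_write_events(trail_json: str) -> List[Dict]:
    """Return one summary dict per Route 53 write call found in a CloudTrail file."""
    findings = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "route53.amazonaws.com":
            continue
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        changes = []
        # ChangeResourceRecordSets carries a change batch; other write calls do not.
        for ch in (params.get("changeBatch") or {}).get("changes", []):
            rrset = ch.get("resourceRecordSet", {})
            values = [r.get("value") for r in rrset.get("resourceRecords", [])]
            changes.append((ch.get("action"), rrset.get("name"), rrset.get("type"), values))
        findings.append({
            "time": rec.get("eventTime"),
            "who": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": rec["eventName"],
            "zone": params.get("hostedZoneId"),
            "changes": changes,
        })
    return findings


if __name__ == "__main__":
    for f in route53_write_events(SAMPLE_TRAIL):
        print(f"{f['time']} {f['event']} zone={f['zone']} by {f['who']} from {f['source_ip']}")
        for action, name, rtype, values in f["changes"]:
            print(f"    {action} {name} {rtype} -> {values}")
```

Run against the gzip-decompressed objects a trail writes to its bucket, the same function gives a per-zone change history that can be compared with the change tickets you expect, which is the usual starting point for spotting an unexpected record rewrite or DNSSEC deactivation.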

FIGURE 2.5 DNSSEC key creation

FIGURE 2.6 DNSSEC KSK generation

CloudWatch

CloudWatch is an AWS event monitoring service that can collect Route 53 data in near real time for monitoring and producing insights into your DNS operations. By default, data is sent from Route 53 into CloudWatch in 1-minute intervals and stored for 14 days. CloudWatch can be configured to store the data in S3 for longer periods of time if historical analysis and data retention are desired.

CloudWatch can monitor the health checking of endpoints by Route 53. Hosted zone metrics include the DNS queries for all records in each hosted zone: the number of queries that Route 53 responds to in the time intervals that you specify, delivered as either a total or a sample count. Note that Route 53 is a global service and not part of any AWS region; therefore, to collect hosted zone metrics, the U.S. East (Northern Virginia) region is specified as the central repository region.

DNSSEC internal failures are reported as either a 1 for a failure or a 0 if there is no failure. DNSSECKeySigningKeysNeedingAction reports whether action is needed because of KMS failures. DNSSECKeySigningKeyMaxNeedingActionAge and DNSSECKeySigningKeyAge are also reported to CloudWatch from Route 53. If a resolver is configured to forward DNS queries to and from your network, its metrics can be reported to CloudWatch in 5-minute intervals. There are a large number of metrics that can be collected and analyzed; refer to the Route 53 documentation for the latest information on what is available.

CloudWatch can monitor Route 53 Resolver DNS firewall rule groups at 5-minute intervals. When a Route 53 Resolver firewall rule group is set up in a VPC, it will filter DNS queries. The DNS firewall will then send the metric to CloudWatch.
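As an added example (not from the study guide or from AWS), the block below shows what an alarm on these metrics actually evaluates. It reproduces CloudWatch's "M out of N" alarm logic over constructed 1-minute datapoints for the DNSSEC internal-failure and key-signing-key metrics named above, and adds a simple standard-deviation baseline for the hosted-zone query count to illustrate the normal-versus-abnormal usage tracking mentioned earlier in the section. The datapoint values are made up for the example; the metric names are the Route 53 ones the text refers to, and the alarm parameters (threshold, evaluation periods, datapoints to alarm) are assumptions chosen to mirror the CloudWatch console fields.

```python
from statistics import mean, pstdev
from typing import Dict, Sequence

# Constructed 1-minute datapoints (not pulled from CloudWatch), oldest first.
# Route 53 reports 1 for a failure and 0 otherwise, as the text describes.
DNSSEC_INTERNAL_FAILURE = [0, 0, 0, 1, 0]
KSK_NEEDING_ACTION = [0, 0, 0, 0, 0]
# A quiet week of per-interval DNS query counts for one hosted zone, then a spike.
DNS_QUERIES_HISTORY = [1200, 1180, 1250, 1210, 1190, 1230, 1205, 1220]
DNS_QUERIES_LATEST = 6400


def alarm_state(datapoints: Sequence[float], threshold: float,
                evaluation_periods: int, datapoints_to_alarm: int) -> str:
    """Mimic a CloudWatch GreaterThanOrEqualToThreshold alarm: look at the
    last `evaluation_periods` datapoints and report ALARM when at least
    `datapoints_to_alarm` of them are >= threshold."""
    window = list(datapoints)[-evaluation_periods:]
    if len(window) < evaluation_periods:
        return "INSUFFICIENT_DATA"
    breaching = sum(1 for v in window if v >= threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def query_volume_anomaly(history: Sequence[float], latest: float, k: float = 3.0) -> bool:
    """Flag a query-count datapoint more than k standard deviations above the
    mean of the historical window. A static baseline like this is crude but is
    enough to catch a sudden flood of queries against one zone."""
    mu, sigma = mean(history), pstdev(history)
    # Floor sigma at 1 so a perfectly flat history does not alarm on noise.
    return latest > mu + k * max(sigma, 1.0)


def evaluate_route53_alarms() -> Dict[str, object]:
    """Evaluate the constructed series the way three separate alarms would."""
    return {
        # Any single failure in the last 5 minutes is worth paging on.
        "DNSSECInternalFailure": alarm_state(DNSSEC_INTERNAL_FAILURE, 1, 5, 1),
        # A KSK needing action is a standing condition, so require 5 of 5.
        "DNSSECKeySigningKeysNeedingAction": alarm_state(KSK_NEEDING_ACTION, 1, 5, 5),
        "DNSQueriesAnomaly": query_volume_anomaly(DNS_QUERIES_HISTORY, DNS_QUERIES_LATEST),
    }


if __name__ == "__main__":
    for metric, state in evaluate_route53_alarms().items():
        print(f"{metric}: {state}")
```

Because Route 53 publishes hosted-zone metrics only in the U.S. East (Northern Virginia) region, a real alarm built on these metrics must be created in that region, regardless of where the workloads behind the zone run.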