Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Logs Insights Example Query - Route 53 Resolver Query Logs #14

Open
capita07 opened this issue Feb 8, 2023 · 0 comments
Open

Logs Insights Example Query - Route 53 Resolver Query Logs #14

capita07 opened this issue Feb 8, 2023 · 0 comments
Assignees
@lewinkedrs

Comments

@capita07
Copy link

capita07 commented Feb 8, 2023

NOTE: this is for [R53 Resolver Query Logs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html), not for [Public DNS Query Logging](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html)

Top 10 DNS names queried

stats count(*) as numRequests by query_name
| sort numRequests desc
| limit 10

What is the purpose of this query?

Pulls the amount of DNS queries per domain on Resolver Query Logging configuration and lists the top 10 in descendant order

How do I use this query?

Use this query to know what are the most resolved domains on the selected Route 53 Resolver Query Logging Log Group. Each Query Logging configuration could cover a single or multiple VPCs in a region.

Top 10 talkers

stats count(*) as numRequests by srcaddr
| sort numRequests desc
| limit 10

What is the purpose of this query?

Pulls the top generators of DNS queries on Route 53 Resolver and lists the top 10 in descendant order.

How do I use this query?

Use this query to know what are the top talkers (the clients doing the most queries) on Route 53 Resolver. Each Query Logging configuration could cover a single or multiple VPCs in a region.

Top queried DNS names per source IP

stats count(*) as numRequests by query_name, srcaddr
| sort numRequests desc
| limit 10

What is the purpose of this query?

Pulls the top queried DNS names and groups them by source IP, listing the top 10 in descendant order.

How do I use this query?

Use this query to know what are the top talkers (the clients doing the most queries) for the top queried domains on Route 53 Resolver. Can be useful to get an idea of which hosts are generating the most queries for the top-queried domains. Each Query Logging configuration could cover a single or multiple VPCs in a region.

Top queried DNS names per source IP

stats count(*) as numRequests by query_name, srcaddr
| sort numRequests desc
| filter firewall_rule_action = "ALERT"
| limit 10

What is the purpose of this query?

Pulls the top queried DNS names and groups them by source IP, but only for those domains being flagged as ALERT by the Route 53 DNS Firewall, listing the top 10 in descendant order.

How do I use this query?

Use this query to know what are the top talkers (the clients doing the most queries) for the top queried ALERT-flagged domains on Route 53 Resolver. Can be useful to get an idea of which hosts are generating the most queries for those domains being flagged as ALERT by the DNS Firewall. Each Query Logging configuration could cover a single or multiple VPCs in a region.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lewinkedrs lewinkedrs

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lewinkedrs @capita07