How do I view traffic that passes through a Route 53 resolver outbound endpoint?


I want to view the traffic that passes through an Amazon Route 53 resolver outbound endpoint.

Resolution

Configure network connectivity

Complete the following steps:

  1. Confirm that the outbound endpoint network interface subnet is configured to allow outgoing traffic to the Amazon Elastic Compute Cloud (Amazon EC2) instance on UDP port 4789. The subnet configuration includes the network access control list (network ACL), security groups, and route tables.
  2. Confirm that the target EC2 instance's security group and network ACL allow incoming traffic on UDP port 4789 from the outbound endpoint's elastic network interface (ENI).
  3. Confirm that the target instance has connectivity to the subnet of the outbound endpoint's network interface.

Set up Amazon VPC Traffic Mirroring

Complete the following steps:

  1. Use the target instance ENI to create a traffic mirror target.

  2. Create a mirror filter to identify the DNS traffic that passes from the outbound endpoint ENI to the mirror target.
    Note: The following is an example mirror filter for Route 53. VPC A is associated with a Route 53 Resolver rule that forwards DNS queries for the *.test.com domain to the on-premises network, which hosts the *.test.com domain.

    Value                    Inbound Rule        Outbound Rule
    Rule number              Rule priority       Rule priority
    Rule Action              Accept              Accept
    Protocol                 UDP and TCP         UDP and TCP
    Source port range        53                  1024-65535
    Destination port range   1024-65535          53
    Source CIDR block        On-premises CIDR    VPC A CIDR
    Destination CIDR block   VPC A CIDR          On-premises CIDR
  3. Create a mirror session for each outbound endpoint ENI to the mirror target instance. Use the following values:
    Mirror source: ENI of the outbound endpoint
    Mirror target: traffic mirror target that you created previously
    Session number: 1
    Filter: mirror filter that you created previously
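The same mirror target, filter and sessions can be created through the EC2 API instead of the console. The following is an added example and is not code from this AWS article: it turns the filter table above into `create_traffic_mirror_filter_rule` arguments (one rule per direction and protocol, because an API rule carries a single protocol number, so "UDP and TCP" becomes two rules), builds the session parameters for each outbound endpoint ENI, and applies them through a boto3 EC2 client. `DryRunClient` is a stand-in that only records the calls, so the plan can be reviewed before anything is created. The ENI IDs and CIDR blocks in the `__main__` section are placeholders.

```python
"""Build VPC Traffic Mirroring parameters for a Route 53 Resolver outbound endpoint.

Added example, not AWS's own code. The builders turn the filter table above into
create_traffic_mirror_filter_rule arguments, one rule per (direction, protocol)
because a mirror rule carries a single protocol number. apply_mirroring() issues
the calls through a boto3 EC2 client; DryRunClient records them instead so the
plan can be reviewed first. ENI IDs and CIDRs below are placeholders.
"""

PROTO_UDP, PROTO_TCP = 17, 6
DNS_PORT = {"FromPort": 53, "ToPort": 53}
EPHEMERAL = {"FromPort": 1024, "ToPort": 65535}


def mirror_filter_rules(vpc_cidr, onprem_cidr):
    """'ingress' is the table's inbound rule (DNS responses from on-premises
    arriving at the endpoint ENI); 'egress' is the outbound rule (queries
    leaving it). Rule numbers only have to be unique within a direction."""
    rules = []
    for number, proto in ((100, PROTO_UDP), (101, PROTO_TCP)):
        common = {"RuleNumber": number, "RuleAction": "accept", "Protocol": proto}
        rules.append({**common, "TrafficDirection": "ingress",
                      "SourcePortRange": DNS_PORT, "DestinationPortRange": EPHEMERAL,
                      "SourceCidrBlock": onprem_cidr, "DestinationCidrBlock": vpc_cidr,
                      "Description": f"DNS responses from on-premises, protocol {proto}"})
        rules.append({**common, "TrafficDirection": "egress",
                      "SourcePortRange": EPHEMERAL, "DestinationPortRange": DNS_PORT,
                      "SourceCidrBlock": vpc_cidr, "DestinationCidrBlock": onprem_cidr,
                      "Description": f"DNS queries to on-premises, protocol {proto}"})
    return rules


def mirror_session_params(source_eni, target_id, filter_id, session_number=1):
    """create_traffic_mirror_session arguments for one outbound endpoint ENI."""
    return {"NetworkInterfaceId": source_eni,
            "TrafficMirrorTargetId": target_id,
            "TrafficMirrorFilterId": filter_id,
            "SessionNumber": session_number,
            "Description": f"Route 53 outbound endpoint {source_eni}"}


def apply_mirroring(ec2, target_eni, source_enis, vpc_cidr, onprem_cidr):
    """Create the target, the filter and its rules, and one session per source ENI.

    ec2 is a boto3 EC2 client (or anything exposing the same four methods).
    Returns the IDs of the mirror sessions that were created.
    """
    target_id = ec2.create_traffic_mirror_target(
        NetworkInterfaceId=target_eni, Description="DNS capture instance"
    )["TrafficMirrorTarget"]["TrafficMirrorTargetId"]
    filter_id = ec2.create_traffic_mirror_filter(
        Description="Route 53 outbound endpoint DNS"
    )["TrafficMirrorFilter"]["TrafficMirrorFilterId"]
    for rule in mirror_filter_rules(vpc_cidr, onprem_cidr):
        ec2.create_traffic_mirror_filter_rule(TrafficMirrorFilterId=filter_id, **rule)
    return [ec2.create_traffic_mirror_session(**mirror_session_params(eni, target_id, filter_id))
            ["TrafficMirrorSession"]["TrafficMirrorSessionId"] for eni in source_enis]


class DryRunClient:
    """Records the API calls apply_mirroring() would make and returns fake IDs."""

    def __init__(self):
        self.calls = []

    def _record(self, name, key, fake_id, kwargs):
        self.calls.append((name, kwargs))
        return {key: {key + "Id": fake_id}}

    def create_traffic_mirror_target(self, **kw):
        return self._record("create_traffic_mirror_target", "TrafficMirrorTarget", "tmt-dryrun", kw)

    def create_traffic_mirror_filter(self, **kw):
        return self._record("create_traffic_mirror_filter", "TrafficMirrorFilter", "tmf-dryrun", kw)

    def create_traffic_mirror_filter_rule(self, **kw):
        return self._record("create_traffic_mirror_filter_rule", "TrafficMirrorFilterRule", "tmfr-dryrun", kw)

    def create_traffic_mirror_session(self, **kw):
        return self._record("create_traffic_mirror_session", "TrafficMirrorSession", "tms-dryrun", kw)


if __name__ == "__main__":
    # Review the plan first; swap DryRunClient() for boto3.client("ec2") to apply it.
    client = DryRunClient()
    apply_mirroring(client, target_eni="eni-TARGET-PLACEHOLDER",
                    source_enis=["eni-OUTBOUND-1-PLACEHOLDER", "eni-OUTBOUND-2-PLACEHOLDER"],
                    vpc_cidr="10.0.0.0/16", onprem_cidr="192.168.0.0/16")
    for name, kwargs in client.calls:
        print(name, kwargs)
```

Run it once with `DryRunClient` and read the printed calls against the table; each outbound endpoint ENI gets its own session with session number 1, as step 3 describes.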

View mirrored traffic

Linux

To view mirrored traffic with a Linux operating system, complete the following steps:

  1. To capture the mirrored traffic to a file, run the following command:

    sudo tcpdump -w file -i interface port 4789

    Note: Replace file with the path and name of the file where you want to store the captured packets. Replace interface with the name of the network interface on the target instance that maps to the mirror target ENI.

  2. To transfer the PCAP file from the instance to your home directory on your local computer, use the secure copy protocol (SCP). The following is an example command:

    scp -i identity_file ec2-user@<EC2 IP or domain name>:file ~/

    Note: Replace identity_file with the private key file of the key pair that you use to log in to the instance. Replace file with the path and name of the capture file on the instance.

  3. Open the PCAP file with Wireshark and view the DNS packets.

Windows

Complete the following steps:

  1. Open the Wireshark tool. For more information, see the Wireshark website.
  2. Use the IP address of the outbound endpoint to filter packets.
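Traffic Mirroring delivers each mirrored frame wrapped in VXLAN (UDP port 4789), so the tcpdump capture from the Linux steps shows the outer VPC headers first, and Wireshark, which decodes VXLAN on port 4789 by default, applies the endpoint IP filter from the Windows step to the inner headers. The following added example, which is not code from this AWS article, does the same decoding with the Python standard library: it reads a classic pcap written by `tcpdump -w`, strips the outer Ethernet/IP/UDP/VXLAN layers, reports the inner DNS question, and filters by the outbound endpoint's IP address. It handles UDP DNS only (TCP DNS would need stream reassembly), and the IP addresses, VNI and `build_sample_frame()` packet are constructed sample data, not a real capture.

```python
"""Decode VXLAN-encapsulated DNS packets from a Traffic Mirroring capture.

Added example, not code from the AWS article. A mirror session wraps every
mirrored frame in VXLAN (UDP port 4789), so the capture shows the outer VPC
headers first; this strips them, reports the inner DNS question, and filters
by an endpoint IP the way the Wireshark step does. Standard library only;
UDP DNS only. All IP addresses and the sample frame are constructed.
"""
import socket
import struct

VXLAN_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def _ipv4(buf, off):
    """Parse the IPv4 header at buf[off:]; return (src, dst, proto, payload_off)."""
    ihl = (buf[off] & 0x0F) * 4
    return (socket.inet_ntoa(buf[off + 12:off + 16]),
            socket.inet_ntoa(buf[off + 16:off + 20]), buf[off + 9], off + ihl)


def _eth_ipv4_udp(buf, off):
    """Ethernet + IPv4 + UDP at buf[off:]; return (src, dst, sport, dport, payload_off) or None."""
    if struct.unpack("!H", buf[off + 12:off + 14])[0] != ETHERTYPE_IPV4:
        return None
    src, dst, proto, off = _ipv4(buf, off + 14)
    if proto != PROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", buf[off:off + 4])
    return src, dst, sport, dport, off + 8


def _dns_qname(buf, off):
    """First question name of the DNS message at buf[off:] (question names are not compressed)."""
    off += 12                              # skip the fixed 12-byte DNS header
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def decode_mirrored_dns(frame):
    """Inner DNS details for one VXLAN-wrapped frame, or None if it is not VXLAN-wrapped UDP DNS."""
    try:
        outer = _eth_ipv4_udp(frame, 0)
        if outer is None or outer[3] != VXLAN_PORT:
            return None
        vx = outer[4]                      # VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1)
        vni = int.from_bytes(frame[vx + 4:vx + 7], "big")
        inner = _eth_ipv4_udp(frame, vx + 8)
        if inner is None or 53 not in inner[2:4]:
            return None
        src, dst, sport, dport, dns_off = inner
        flags = struct.unpack("!H", frame[dns_off + 2:dns_off + 4])[0]
        return {"vni": vni, "src": src, "dst": dst, "sport": sport, "dport": dport,
                "qname": _dns_qname(frame, dns_off), "response": bool(flags & 0x8000)}
    except (struct.error, IndexError):     # truncated frame
        return None


def filter_by_endpoint_ip(frames, endpoint_ip):
    """Decoded DNS packets whose inner source or destination is the outbound endpoint IP."""
    decoded = (decode_mirrored_dns(f) for f in frames)
    return [d for d in decoded if d and endpoint_ip in (d["src"], d["dst"])]


def read_pcap(path):
    """Yield frames from a classic libpcap file as written by tcpdump -w (pcapng is not handled)."""
    with open(path, "rb") as fh:
        magic = fh.read(24)[:4]
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while True:
            rec = fh.read(16)              # ts_sec, ts_frac, incl_len, orig_len
            if len(rec) < 16:
                return
            yield fh.read(struct.unpack(endian + "IIII", rec)[2])


def build_sample_frame(endpoint_ip="10.0.1.25", onprem_dns="192.168.1.10", qname="www.test.com"):
    """Constructed VXLAN-wrapped DNS query, shaped as a mirror session would deliver it."""
    def eth_ip_udp(s, d, sp, dp, payload):
        udp = struct.pack("!HHHH", sp, dp, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                         socket.inet_aton(s), socket.inet_aton(d))
        return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp   # zeroed MAC addresses
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)           # standard query, 1 question
    for label in qname.split("."):
        dns += bytes([len(label)]) + label.encode("ascii")
    dns += b"\x00" + struct.pack("!HH", 1, 1)                            # QTYPE A, QCLASS IN
    inner = eth_ip_udp(endpoint_ip, onprem_dns, 41000, 53, dns)
    vxlan = b"\x08\x00\x00\x00" + (1).to_bytes(3, "big") + b"\x00"       # VNI 1 (session's virtual network ID)
    return eth_ip_udp(endpoint_ip, "10.0.2.40", 51000, VXLAN_PORT, vxlan + inner)  # outer: to target ENI


if __name__ == "__main__":
    import sys
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else [build_sample_frame()]
    for packet in filter_by_endpoint_ip(frames, "10.0.1.25"):
        print(packet)
```

Run it as `python3 decode.py file.pcap` on the capture copied over with scp (replace the endpoint IP in the script with the address of your outbound endpoint ENI); with no argument it decodes the constructed sample frame. Frames that are not VXLAN-wrapped UDP DNS, or that were truncated by the capture, decode to None and are skipped rather than raising.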

Related information

Resolving DNS queries between VPCs and your network

AWS OFFICIAL
Updated 3 months ago