I want to view the traffic that passes through an Amazon Route 53 resolver outbound endpoint.
Resolution
Configure network connectivity
Complete the following steps:
- Confirm that the outbound endpoint network interface subnet is configured for outgoing traffic to the Amazon Elastic Compute Cloud (Amazon EC2) instance on UDP port 4789. The subnet configuration includes the network access control list (network ACL), security groups, and route tables.
- Confirm that the target EC2 instance's security group and network ACL allow incoming traffic on UDP port 4789 from the outbound endpoint elastic network interface (ENI).
- Confirm that the target instance has connectivity to the outbound endpoint's network interface subnet.
Set up Amazon VPC Traffic Mirroring
Complete the following steps:
- Use the target instance ENI to create a traffic mirror target.
- Create a mirror filter to identify the DNS traffic that passes from the outbound endpoint ENI to the mirror target.
Note: The following is an example mirror filter for Route 53. VPC A is associated with a Route 53 Resolver rule that forwards DNS queries for the *.test.com domain to an on-premises network. The on-premises network hosts the *.test.com domain.
| Value | Inbound Rule | Outbound Rule |
|---|---|---|
| Rule number | Rule priority | Rule priority |
| Rule action | Accept | Accept |
| Protocol | UDP and TCP | UDP and TCP |
| Source port range | 53 | 1024-65535 |
| Destination port range | 1024-65535 | 53 |
| Source CIDR block | On-premises CIDR | VPC A CIDR |
| Destination CIDR block | VPC A CIDR | On-premises CIDR |
- Create a mirror session for each outbound endpoint ENI to the mirror target instance. Use the following values:
  Mirror source: ENI of the outbound endpoint
  Mirror target: traffic mirror target that you created previously
  Session number: 1
  Filter: mirror filter that you created previously
View mirrored traffic
Linux
To view mirrored traffic with a Linux operating system, complete the following steps:
- To view the captured traffic logs, run the following command:
  sudo tcpdump -w file -i interface port 4789
  Note: Replace file with the file path and name where you want to store the captured packets. Replace interface with the network interface on the instance that maps to the ENI of the mirror target.
- To transfer the PCAP files from the instance to your home directory on your local computer, use secure copy protocol (SCP). The following is an example command:
  scp -i identity_file ec2-user@<EC2 IP or domain name>:file ~/
  Note: Replace identity_file with the key pair that you use to log in to the instance. Replace file with the file path and name of the captured packets on the instance.
- Open the PCAP file with Wireshark and view the DNS packets.
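The capture above selects port 4789 because Traffic Mirroring delivers every mirrored packet wrapped in VXLAN, so the DNS query sits inside an outer Ethernet/IPv4/UDP/VXLAN envelope. The following Python example is added here and is not part of the AWS article; it decodes one such frame down to the DNS question name and then classifies the inner packet against the example mirror filter from the table above. The CIDRs (10.0.0.0/16 for VPC A, 192.168.0.0/16 for on-premises), the IP addresses, the ports and the query names are all constructed sample values, not values from the page.

```python
# Added example (not from the AWS article): decode a Traffic Mirroring frame
# (VXLAN over UDP/4789) down to the DNS question, then classify the inner packet
# against the example mirror filter. All addresses are constructed sample values.
import ipaddress
import struct

VXLAN_PORT = 4789
# Assumed stand-ins for the page's "VPC A CIDR" and "On-premises CIDR".
VPC_A_CIDR = ipaddress.ip_network("10.0.0.0/16")
ONPREM_CIDR = ipaddress.ip_network("192.168.0.0/16")

def build_dns_message(name, response=False, qid=0x1234):
    """Minimal DNS message with one A question for `name` (constructed payload)."""
    header = struct.pack(">HHHHHH", qid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def ipv4_udp(src, dst, sport, dport, payload):
    """IPv4 + UDP headers around `payload` (checksums left zero; fine for offline decoding)."""
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp

def ethernet(payload):
    """Ethernet II header (IPv4) with locally administered MACs; the values do not matter here."""
    return b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01" + struct.pack(">H", 0x0800) + payload

def build_mirrored_frame(inner_src, inner_dst, sport, dport, dns, vni=1):
    """Wrap DNS/UDP/IPv4/Ethernet in VXLAN the way Traffic Mirroring delivers it:
    outer UDP destination port 4789, 8-byte VXLAN header carrying the session's VNI."""
    inner = ethernet(ipv4_udp(inner_src, inner_dst, sport, dport, dns))
    vxlan = struct.pack(">II", 0x08000000, vni << 8)  # I flag set; VNI in the upper 24 bits
    # Outer addresses: mirror source ENI -> mirror target ENI (constructed).
    return ethernet(ipv4_udp("10.0.1.10", "10.0.2.20", 49152, VXLAN_PORT, vxlan + inner))

def _ipv4_fields(packet):
    """Return (src, dst, proto, sport, dport, l4_payload) for an IPv4 packet carrying UDP or TCP."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    l4 = packet[ihl:]
    sport, dport = struct.unpack(">HH", l4[:4])
    # UDP: 8-byte header. TCP: data offset in 32-bit words, then DNS's 2-byte length prefix.
    payload = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4 + 2:]
    return src, dst, proto, sport, dport, payload

def dns_question_name(msg):
    """Read the first question name from a DNS message (question names are not compressed)."""
    pos, labels = 12, []
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    return ".".join(labels)

def parse_mirrored_frame(frame):
    """Strip outer Ethernet/IPv4/UDP/VXLAN; return the inner DNS packet's 5-tuple and query name."""
    if struct.unpack(">H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    _, _, proto, _, dport, outer_payload = _ipv4_fields(frame[14:])
    if proto != 17 or dport != VXLAN_PORT:  # the same condition `tcpdump ... port 4789` selects on
        raise ValueError("not a VXLAN mirror frame")
    if not outer_payload[0] & 0x08:
        raise ValueError("VXLAN I flag not set")
    vni = struct.unpack(">I", outer_payload[4:8])[0] >> 8
    inner = outer_payload[8:]
    if struct.unpack(">H", inner[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    src, dst, proto, sport, dport, dns = _ipv4_fields(inner[14:])
    return {"vni": vni, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "qname": dns_question_name(dns)}

def mirror_filter_direction(pkt):
    """Classify against the example filter: outbound = VPC A -> on-premises with source port
    1024-65535 and destination port 53; inbound = the reverse. None = the filter would not mirror it."""
    if pkt["proto"] not in (6, 17):
        return None
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if src in VPC_A_CIDR and dst in ONPREM_CIDR and 1024 <= pkt["sport"] <= 65535 and pkt["dport"] == 53:
        return "outbound"
    if src in ONPREM_CIDR and dst in VPC_A_CIDR and pkt["sport"] == 53 and 1024 <= pkt["dport"] <= 65535:
        return "inbound"
    return None

def demo():
    """A forwarded query, its reply, and a query to a host outside the on-premises CIDR."""
    frames = [
        build_mirrored_frame("10.0.1.10", "192.168.1.53", 40000, 53, build_dns_message("host.test.com")),
        build_mirrored_frame("192.168.1.53", "10.0.1.10", 53, 40000, build_dns_message("host.test.com", True)),
        build_mirrored_frame("10.0.1.10", "203.0.113.5", 40001, 53, build_dns_message("example.net")),
    ]
    return [(p["qname"], p["src"], p["dport"], mirror_filter_direction(p))
            for p in map(parse_mirrored_frame, frames)]
```

Running `demo()` yields one row per frame: the query to the on-premises resolver matches the outbound rule, the reply matches the inbound rule, and the query to 203.0.113.5 matches neither, which is why such traffic would be absent from the capture even though the Resolver endpoint sent it. The same decode is what Wireshark performs automatically when it recognises UDP/4789 as VXLAN and shows the inner DNS layer.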
Windows
Complete the following steps:
- Open the Wireshark tool. For more information, see the Wireshark website.
- Use the IP address of the outbound endpoint to filter the packets.
Related information
Resolving DNS queries between VPCs and your network