A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers. A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver.
Which solution will meet these requirements?
A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
C
How can DNS traffic that goes to the on-premises DNS servers be logged and queried so that both the source IP address and the requested DNS name are available?
Approach: rule out the options that are clearly wrong, then choose the most reasonable of those that remain.
A. Incorrect. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name. VPC Traffic Mirroring captures raw network-layer traffic; it is not a DNS-specific logging service. A mirror filter could be tuned to capture DNS packets, but the setup is complex and far less efficient than the purpose-built DNS query logging service.
B. Incorrect. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name. VPC flow logs record network-layer flow metadata and contain no DNS query details such as the requested DNS name, so they cannot meet the requirement.
C. Correct. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name. Route 53 Resolver query logging captures exactly the DNS query details required, including the source IP address and the requested DNS name. With the records stored in CloudWatch Logs, CloudWatch Insights can query them quickly, so this option fully meets the requirements.
D. Incorrect. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name. Route 53 Resolver forwarding rules have no logging capability of their own. DNS queries are captured by enabling Route 53 Resolver query logging, not by modifying the forwarding rules.
DNS traffic logging: use a service that supports DNS query logging, such as Route 53 Resolver Query Logging, to capture detailed DNS query information. The logs must include the source IP address and the requested DNS name to satisfy the security audit requirement.
Log storage and querying: store the logs in a scalable service that supports fast querying, such as Amazon CloudWatch Logs or Amazon S3, and analyze them with a tool that supports structured queries, such as CloudWatch Insights or Amazon Athena.
Traffic monitoring and capture: VPC Traffic Mirroring and VPC Flow Logs can capture network traffic, but they target network-layer traffic rather than DNS queries specifically. For DNS queries, a dedicated logging service such as Route 53 Resolver Query Logging is the better fit.
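As an added illustration that is not part of the original question or explanation, the Python below parses Route 53 Resolver query log records and reports, per source IP address and instance, which names under a domain forwarded to on-premises DNS were queried. The record field names (srcaddr, query_name, srcids.instance and so on) follow the Resolver query log JSON format; the record values, the domain corp.example and the instance IDs are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample records in the Route 53 Resolver query log JSON format
# (one JSON object per line, as delivered to a CloudWatch Logs log group).
# Account, VPC and instance IDs, addresses and names are made up for this example.
SAMPLE_LOG_LINES = """\
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d4e5f6a7b8","query_timestamp":"2024-01-15T10:00:01Z","query_name":"db1.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.0.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"53412","transport":"UDP","srcids":{"instance":"i-0aaa111bbb222ccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d4e5f6a7b8","query_timestamp":"2024-01-15T10:00:02Z","query_name":"www.example.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"203.0.113.10","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.25","srcport":"53413","transport":"UDP","srcids":{"instance":"i-0aaa111bbb222ccc3"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d4e5f6a7b8","query_timestamp":"2024-01-15T10:00:03Z","query_name":"ldap.corp.example.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.2.40","srcport":"49201","transport":"UDP","srcids":{"instance":"i-0ddd444eee555fff6"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0a1b2c3d4e5f6a7b8","query_timestamp":"2024-01-15T10:00:04Z","query_name":"db1.corp.example.","query_type":"AAAA","query_class":"IN","rcode":"NOERROR","answers":[],"srcaddr":"10.0.2.40","srcport":"49202","transport":"UDP","srcids":{"instance":"i-0ddd444eee555fff6"}}
"""


def parse_resolver_log(text):
    """Parse newline-delimited Resolver query log records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or non-JSON line must not abort the whole batch
    return records


def forwarded_queries(records, forwarded_domain):
    """Keep only queries for names under the domain forwarded to on-premises DNS.

    Returns {(srcaddr, instance_id): sorted list of queried names}, which is the
    source IP / DNS name pairing the mandate in the question asks for.
    """
    suffix = "." + forwarded_domain.strip(".").lower() + "."
    summary = defaultdict(set)
    for rec in records:
        name = rec.get("query_name", "").lower()
        if name.endswith(suffix) or name == suffix[1:]:
            src = rec.get("srcaddr", "?")
            instance = rec.get("srcids", {}).get("instance", "?")
            summary[(src, instance)].add(name)
    return {key: sorted(names) for key, names in summary.items()}


if __name__ == "__main__":
    recs = parse_resolver_log(SAMPLE_LOG_LINES)
    for (src, inst), names in forwarded_queries(recs, "corp.example").items():
        print(f"{src} ({inst}): {', '.join(names)}")
```

The same filter run directly in CloudWatch Logs Insights against the query log group would be `filter query_name like /\.corp\.example\.$/ | stats count(*) by srcaddr, query_name`.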