Compliance · High severity

AWS Security Hub · Route53

Route53.2: DNS query logging is off

Written and reviewed by Emnode · Last reviewed

What does AWS Security Hub Route53.2 check?

Route53.2 checks whether a Route 53 public hosted zone logs DNS queries to CloudWatch Logs. It reports FAILED on any public hosted zone that has no active query logging configuration, so the queries Route 53 answers for that zone are served and forgotten.

Why does Route53.2 matter?

DNS is the canary for almost every category of intrusion — data exfiltration to attacker domains, command-and-control beaconing, and reconnaissance all show up in resolution patterns first. Query logs capture the domain queried, the record type, the edge POP (approximating requester geography), the response code, and a microsecond timestamp. You can't investigate logs you never wrote down, which is why it's rated High.
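As an added example (not part of the original lesson), the Python below parses lines in the documented Route 53 public zone query log format and flags resolvers whose queries are dominated by NXDOMAIN answers across many distinct names, the pattern subdomain reconnaissance leaves behind. The sample log lines and the thresholds are constructed for the demonstration; the hosted zone ID is the page's own sample value.

```python
# Added example: parse Route 53 public zone query logs and flag resolvers whose
# queries look like subdomain reconnaissance (mostly NXDOMAIN over many names).
from collections import defaultdict

# Field order of the documented Route 53 public DNS query log line (space separated).
FIELDS = ("version", "timestamp", "zone_id", "qname", "qtype", "rcode",
          "protocol", "edge_location", "resolver_ip", "edns_client_subnet")

# Constructed sample: 203.0.113.10 does normal lookups, 192.0.2.77 sweeps names.
SAMPLE_LOG = """\
1.0 2024-05-01T10:00:01Z Z0J1K4M2X8N9A1 www.example.com A NOERROR UDP IAD12 203.0.113.10 -
1.0 2024-05-01T10:00:02Z Z0J1K4M2X8N9A1 example.com MX NOERROR UDP JFK5 203.0.113.10 198.51.100.0/24
1.0 2024-05-01T10:00:03Z Z0J1K4M2X8N9A1 www.example.com AAAA NOERROR TCP FRA6 203.0.113.10 -
1.0 2024-05-01T10:00:10Z Z0J1K4M2X8N9A1 admin.example.com A NXDOMAIN UDP IAD12 192.0.2.77 -
1.0 2024-05-01T10:00:10Z Z0J1K4M2X8N9A1 dev.example.com A NXDOMAIN UDP IAD12 192.0.2.77 -
1.0 2024-05-01T10:00:10Z Z0J1K4M2X8N9A1 vpn.example.com A NXDOMAIN UDP IAD12 192.0.2.77 -
1.0 2024-05-01T10:00:11Z Z0J1K4M2X8N9A1 staging.example.com A NXDOMAIN UDP IAD12 192.0.2.77 -
1.0 2024-05-01T10:00:11Z Z0J1K4M2X8N9A1 git.example.com A NXDOMAIN UDP IAD12 192.0.2.77 -
1.0 2024-05-01T10:00:12Z Z0J1K4M2X8N9A1 www.example.com A NOERROR UDP IAD12 192.0.2.77 -
"""

def parse_line(line):
    """Split one query log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))

def resolver_stats(lines):
    """Per resolver IP: total queries, NXDOMAIN answers and distinct names asked."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "names": set()})
    for q in (parse_line(ln) for ln in lines if ln.strip()):
        s = stats[q["resolver_ip"]]
        s["total"] += 1
        s["nxdomain"] += q["rcode"] == "NXDOMAIN"  # bool counts as 1
        s["names"].add(q["qname"].lower().rstrip("."))
    return stats

def flag_enumeration(lines, min_queries=5, nx_ratio=0.8):
    """Resolvers with >= min_queries, mostly NXDOMAIN, across many distinct names.
    Large public recursive resolvers produce NXDOMAIN legitimately: baseline per zone."""
    flagged = {}
    for ip, s in resolver_stats(lines).items():
        ratio = s["nxdomain"] / s["total"]
        if s["total"] >= min_queries and ratio >= nx_ratio and len(s["names"]) >= min_queries:
            flagged[ip] = {"queries": s["total"], "nxdomain_ratio": round(ratio, 2),
                           "distinct_names": len(s["names"])}
    return flagged
```

Running `flag_enumeration(SAMPLE_LOG.splitlines())` on the constructed sample reports only 192.0.2.77; feed it the lines exported from the CloudWatch log group to run the same check on real traffic.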

How do I fix Route53.2?

  1. Inventory every public hosted zone.
  2. Create the CloudWatch log group in us-east-1 and attach a query logging configuration to each zone.
  3. Lifecycle high-volume zones' logs to S3 to control cost.
  4. Add a Config rule so new zones can't be created without query logging.

Remediation script · bash

# Load balancer: enable access logs to a dedicated, log-delivery-permissioned bucket.
aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn "$LB_ARN" \
  --attributes \
      Key=access_logs.s3.enabled,Value=true \
      Key=access_logs.s3.bucket,Value=acme-elb-logs-eu-west-1 \
      Key=access_logs.s3.prefix,Value=prod-api

# WAF web ACL: attach logging (Firehose/log-group name must start with aws-waf-logs-),
# redact credentials, and keep only blocked requests to cap volume.
# The whole argument is double-quoted so the shell passes the [ ] and { } through untouched.
aws wafv2 put-logging-configuration --logging-configuration \
  "ResourceArn=$WEBACL_ARN,LogDestinationConfigs=arn:aws:firehose:us-east-1:111122223333:deliverystream/aws-waf-logs-prod,RedactedFields=[{SingleHeader={Name=authorization}}],LoggingFilter={DefaultBehavior=DROP,Filters=[{Behavior=KEEP,Requirement=MEETS_ALL,Conditions=[{ActionCondition={Action=BLOCK}}]}]}"

# Network Firewall: enable ALERT logs to CloudWatch and FLOW logs to S3.
# The API accepts one destination change per call, so the FLOW destination (sample
# bucket name) is added in a second call that repeats the ALERT entry.
aws network-firewall update-logging-configuration --firewall-name prod-egress-fw \
  --logging-configuration 'LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=/netfw/prod-egress-fw/alert}}]'
aws network-firewall update-logging-configuration --firewall-name prod-egress-fw \
  --logging-configuration 'LogDestinationConfigs=[{LogType=ALERT,LogDestinationType=CloudWatchLogs,LogDestination={logGroup=/netfw/prod-egress-fw/alert}},{LogType=FLOW,LogDestinationType=S3,LogDestination={bucketName=acme-netfw-logs-eu-west-1,prefix=prod-egress-fw/flow}}]'

# Route 53: the log group MUST be in us-east-1, and Route 53 needs a CloudWatch Logs
# resource policy that lets it write there (the console adds this for you; the CLI does not).
aws logs create-log-group --log-group-name /aws/route53/customer-portal --region us-east-1
aws logs put-resource-policy --region us-east-1 \
  --policy-name Route53QueryLogging \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"route53.amazonaws.com"},"Action":["logs:CreateLogStream","logs:PutLogEvents"],"Resource":"arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/*"}]}'
# Then attach the query logging config to the hosted zone.
aws route53 create-query-logging-config --hosted-zone-id Z0J1K4M2X8N9A1 \
  --cloud-watch-logs-log-group-arn arn:aws:logs:us-east-1:123456789012:log-group:/aws/route53/customer-portal

Full walkthrough (console steps, edge cases and verification) in the lesson Enable network and edge logging (LB, WAF, firewall, DNS).

Is Route53.2 a false positive?

Query logging for Route 53 public zones must use a log group in us-east-1 — creating it in another Region means the configuration won't attach, so the zone stays FAILED despite the apparent setup.