AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 363
A company's network engineer needs to evaluate and monitor DNS traffic. The company uses Amazon Route 53 as the DNS service for its public hosted zone. All DNS queries must be captured for future analysis.
What should the network engineer do to meet these requirements?
Answer options
- A. Use AWS WAF to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.
- B. Use VPC Flow Logs to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.
- C. Use Route 53 query logging to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.
- D. Use AWS CloudTrail to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.
Correct answer: C
Explanation
Route 53 query logging is specifically designed to capture details about DNS queries received by Route 53, such as the domain name, query type, and client IP, and deliver them to Amazon CloudWatch Logs. AWS WAF does not integrate directly with Route 53 public hosted zones to log DNS queries, while VPC Flow Logs and AWS CloudTrail do not capture the actual application-layer DNS query details handled by Route 53's public authoritative servers.