Which solution will meet these requirements?
Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
Explanations:
VPC Traffic Mirroring captures raw packets at the elastic network interface level; it does not parse or log DNS queries and offers no DNS-specific logging, so CloudWatch Insights could not properly analyze the mirrored traffic for source IP addresses and DNS names.
VPC Flow Logs capture network traffic metadata, such as IP addresses and ports, but they do not capture DNS query details or content, like the DNS name being requested.
Route 53 Resolver query logging directly captures DNS queries, including the source IP address and DNS name, and allows querying via CloudWatch Insights, meeting the security mandate.
Although Route 53 Resolver forwarding rules can be combined with logging, modifying the forwarding rules alone does not log DNS query content or record which DNS names were requested, so the described solution does not meet the requirement.
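To show what the Route 53 Resolver query logging option actually yields, here is an added example (not part of the original question or of any AWS code) that parses a few constructed log records in the shape of Resolver query logs and answers the "which source asked for which name" questions the mandate describes; the field names follow the documented log format, while the IP addresses, names and instance IDs are made-up sample values.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape of Route 53 Resolver query logs
# (one JSON object per line). Values are invented for this example.
SAMPLE_LOG = r'''
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:00Z","query_name":"app.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.0.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.10","srcport":"53211","transport":"UDP","srcids":{"instance":"i-0aaa"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:00:05Z","query_name":"app.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.0.5","Type":"A","Class":"IN"}],"srcaddr":"10.0.1.10","srcport":"53212","transport":"UDP","srcids":{"instance":"i-0aaa"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:01:00Z","query_name":"db.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.0.9","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.20","srcport":"40001","transport":"UDP","srcids":{"instance":"i-0bbb"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:01:30Z","query_name":"pypi.org.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"151.101.0.223","Type":"A","Class":"IN"}],"srcaddr":"10.0.2.20","srcport":"40002","transport":"UDP","srcids":{"instance":"i-0bbb"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2024-05-01T10:02:00Z","query_name":"missing.corp.example.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.0.3.30","srcport":"40003","transport":"UDP","srcids":{"instance":"i-0ccc"}}
'''

# Equivalent CloudWatch Logs Insights query for the same question, once the
# Resolver query logs are delivered to a log group (Insights syntax; the
# domain suffix is an assumed example).
LOGS_INSIGHTS_QUERY = """fields query_timestamp, srcaddr, query_name, rcode
| filter query_name like /corp\\.example\\.$/
| stats count(*) as hits by srcaddr, query_name
| sort hits desc"""


def normalize(name: str) -> str:
    """Resolver logs write FQDNs with a trailing dot; strip it and lowercase."""
    return name.rstrip(".").lower()


def parse_records(text: str) -> list[dict]:
    """One JSON object per non-empty line, as the log format delivers them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def queries_by_source(records: list[dict]) -> dict[str, Counter]:
    """Map each source IP to a Counter of the DNS names it queried."""
    out: dict[str, Counter] = defaultdict(Counter)
    for r in records:
        out[r["srcaddr"]][normalize(r["query_name"])] += 1
    return dict(out)


def sources_for_suffix(records: list[dict], suffix: str) -> list[str]:
    """Sorted source IPs that queried any name under the given domain suffix."""
    suffix = normalize(suffix)
    hits = {r["srcaddr"] for r in records
            if normalize(r["query_name"]).endswith(suffix)}
    return sorted(hits)


def nxdomain_by_source(records: list[dict]) -> Counter:
    """NXDOMAIN counts per source IP, a common first triage cut on DNS logs."""
    return Counter(r["srcaddr"] for r in records if r["rcode"] == "NXDOMAIN")
```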