Which solution will meet these requirements?
Install the Amazon CloudWatch agent on each EC2 instance in the VPC. Use the CloudWatch agent to stream the DNS query logs to an Amazon CloudWatch Logs log group. Use CloudWatch metric filters to automatically generate metrics that list the most common DNS queries.
Install a BIND DNS server in the VPC. Create a bash script that counts the most common DNS queries from the BIND logs.
Create VPC flow logs for all subnets in the VPC. Stream the flow logs to an Amazon CloudWatch Logs log group. Use CloudWatch Logs Insights to list the most common DNS queries for the log group in a custom dashboard.
Configure Amazon Route 53 Resolver query logging. Add an Amazon CloudWatch Logs log group as the destination. Use Amazon CloudWatch Contributor Insights to analyze the data and create time series that display the most common DNS queries.
Explanations:
While the CloudWatch agent can collect various logs from an instance, it does not capture the DNS queries that instance makes. The agent would only ship DNS logs if each instance were explicitly configured to produce and forward them, which is cumbersome and inefficient when the requirement is to log all DNS queries across the VPC.
Setting up a BIND DNS server would involve significant overhead and complexity. It requires maintenance and management of the DNS server, which may not be necessary since AWS provides built-in solutions for DNS query logging. Additionally, manually scripting to list common queries is not as efficient or scalable compared to a managed solution.
VPC flow logs provide information about IP traffic to and from network interfaces in the VPC but do not log DNS queries specifically. Flow logs capture metadata about the traffic but do not contain the actual DNS query data, making them unsuitable for meeting the requirement of logging DNS queries.
Configuring Amazon Route 53 Resolver query logging captures the DNS queries made within the VPC directly, with no per-instance setup. By sending the logs to an Amazon CloudWatch Logs log group, the security engineer can use Amazon CloudWatch Contributor Insights to analyze the logs and create time series of the most common DNS queries over time, addressing both requirements with managed services.
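The managed path in the last explanation (Resolver query logs in a CloudWatch Logs log group, ranked by Contributor Insights) can be checked locally. The Python below is an added example, not part of the original question and not AWS sample code: it holds a Contributor Insights rule body in the CloudWatchLogRule schema keyed on `$.query_name`, and reproduces the same top-N count and a per-minute time series over a handful of constructed Resolver query-log records so the ranking logic runs offline. The log group name is a placeholder, the records are constructed, and the field names follow the Resolver query-log JSON format (`query_timestamp`, `query_name`, `query_type`, `rcode`, `srcaddr`, `srcids.instance`).

```python
"""Rank the most common DNS query names from Route 53 Resolver query logs.

Added example: a Contributor Insights rule body plus the equivalent local
ranking over constructed sample records.
"""
import json
from collections import Counter

# Contributor Insights rule definition (CloudWatchLogRule schema).
# LOG_GROUP_NAME is a placeholder for the Resolver query-log log group.
# The filter keeps only answered queries, so NXDOMAIN noise is excluded.
CONTRIBUTOR_INSIGHTS_RULE = {
    "Schema": {"Name": "CloudWatchLogRule", "Version": 1},
    "LogGroupNames": ["/aws/route53resolver/LOG_GROUP_NAME"],
    "LogFormat": "JSON",
    "Contribution": {
        "Keys": ["$.query_name"],
        "Filters": [{"Match": "$.rcode", "In": ["NOERROR"]}],
    },
    "AggregateOn": "Count",
}

# Constructed sample records (subset of the Resolver query-log fields).
SAMPLE_RECORDS = [
    {"query_timestamp": "2024-01-15T10:00:01Z", "query_name": "example.com.",
     "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.10",
     "srcids": {"instance": "i-0000000000000001"}},
    {"query_timestamp": "2024-01-15T10:00:05Z", "query_name": "api.example.net.",
     "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.11",
     "srcids": {"instance": "i-0000000000000002"}},
    {"query_timestamp": "2024-01-15T10:00:45Z", "query_name": "updates.example.org.",
     "query_type": "A", "rcode": "NXDOMAIN", "srcaddr": "10.0.2.20",
     "srcids": {"instance": "i-0000000000000003"}},
    {"query_timestamp": "2024-01-15T10:01:02Z", "query_name": "example.com.",
     "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.2.20",
     "srcids": {"instance": "i-0000000000000003"}},
    {"query_timestamp": "2024-01-15T10:01:10Z", "query_name": "api.example.net.",
     "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.11",
     "srcids": {"instance": "i-0000000000000002"}},
    {"query_timestamp": "2024-01-15T10:01:20Z", "query_name": "example.com.",
     "query_type": "AAAA", "rcode": "NOERROR", "srcaddr": "10.0.1.10",
     "srcids": {"instance": "i-0000000000000001"}},
    {"query_timestamp": "2024-01-15T10:01:40Z", "query_name": "example.com.",
     "query_type": "A", "rcode": "NOERROR", "srcaddr": "10.0.1.12",
     "srcids": {"instance": "i-0000000000000004"}},
    {"query_timestamp": "2024-01-15T10:01:55Z", "query_name": "updates.example.org.",
     "query_type": "A", "rcode": "NXDOMAIN", "srcaddr": "10.0.2.20",
     "srcids": {"instance": "i-0000000000000003"}},
]


def _matches(record, filters):
    """Apply rule-style filters ("In" / "NotIn" on a top-level "$.field")."""
    for flt in filters or []:
        path = flt["Match"]
        field = path[2:] if path.startswith("$.") else path
        value = record.get(field)
        if "In" in flt and value not in flt["In"]:
            return False
        if "NotIn" in flt and value in flt["NotIn"]:
            return False
    return True


def rank_query_names(records, n=10, filters=None):
    """Top-n query names as [(name, count)], the Count aggregation locally."""
    counts = Counter(r["query_name"] for r in records if _matches(r, filters))
    return counts.most_common(n)


def query_counts_per_minute(records, filters=None):
    """Time series view: {minute: Counter(query_name)} from the timestamp."""
    series = {}
    for r in records:
        if not _matches(r, filters):
            continue
        minute = r["query_timestamp"][:16]  # "YYYY-MM-DDTHH:MM"
        series.setdefault(minute, Counter())[r["query_name"]] += 1
    return series


if __name__ == "__main__":
    print(json.dumps(CONTRIBUTOR_INSIGHTS_RULE, indent=2))
    rule_filters = CONTRIBUTOR_INSIGHTS_RULE["Contribution"]["Filters"]
    print("top answered queries:", rank_query_names(SAMPLE_RECORDS, 3, rule_filters))
    for minute, counts in sorted(query_counts_per_minute(SAMPLE_RECORDS).items()):
        print(minute, dict(counts))
```

In the account the same rule body would be registered with `aws cloudwatch put-insight-rule --rule-name <name> --rule-state ENABLED --rule-definition file://rule.json` after the query-log config has been created with `aws route53resolver create-resolver-query-log-config` and associated with the VPC; the local ranking above is only a way to confirm which field the rule should key on before doing that.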