DNS Resolver

Domain Name System (DNS) serves as the cornerstone for managing and operating domain names on the Internet, storing and retrieving information about IP addresses and their associated domain names.

When an instance is created within a Virtual Private Cloud (VPC), the DNS Resolver automatically assigns it a unique DNS host name and stores the IP address information associated with that host name. If an instance is also assigned a public IP, it can communicate with external internet resources.

DNS Resolver fundamentals

DNS Resolver is a built-in DNS service automatically included in each Availability Zone (AZ) of a region. This service is accessible via the endpoint 169.254.169.253, providing private DNS hostnames for instances created in VPC Subnets.

For instance, a host possessing the IP address 10.0.16.53 would be assigned a hostname following this format:

  • host-10-0-16-53

DNS Resolver endpoint
  • The DNS Resolver endpoint was changed to 169.254.169.253 as of February 21, 2024. VPCs created before that date keep the previous DNS Resolver endpoint, which uses the VPC network IPv4 CIDR + 2 address, and will be migrated in stages.
  • The default security group settings permit DNS queries to and from the KakaoCloud DNS Resolver. If you use only custom security groups instead of the default one, make sure their outbound rules allow DNS queries to the DNS Resolver.

DNS resolver query logging

KakaoCloud allows logging of DNS resolver queries generated within a VPC. These logs can be used to monitor DNS traffic in the VPC, troubleshoot DNS-related issues, or enhance network security.

Query logging availability
  • DNS resolver query logging is provided for VPCs that use the 169.254.169.253 DNS Resolver endpoint.
  • VPCs created before the DNS resolver query logging feature release, specifically before June 12, 2025, will be migrated in stages to support this feature. For inquiries, contact the Helpdesk.

Query log file

When DNS resolver query logging is enabled, query log files are saved to a specified Object Storage bucket at 30-minute intervals. Log files follow the naming format below:

{bucket-name}/KCLogs/{region-name}/{year=yyyy/month=mm/day=dd}/{az-name}_{project-id}_{vpc-id}_{logger-id}_{start-time}_{end-time}.log.gz
Item                           Description
{bucket-name}                  Name of the bucket to store query logs
KCLogs                         Default prefix
{region-name}                  Name of the region where the VPC is located
{year=yyyy/month=mm/day=dd}    Date when the query logs are delivered
{az-name}                      Availability zone where query logs are collected
{project-id}                   ID of the project associated with the VPC
{vpc-id}                       ID of the VPC where logs are collected
{logger-id}                    ID of the service object collecting the logs
{start-time}                   Start date and time of the logging interval
{end-time}                     End date and time of the logging interval

Log file storage
  • Log files can be stored in the bucket for as long as needed. You can also use the bucket’s lifecycle policy to set retention periods. For more details, see the Object Storage > Configure lifecycle document.
  • There is no additional cost for enabling query logging, but standard storage charges apply while logs are stored in the bucket.

Process query log files

Query log files are stored in compressed format. To view their contents, download and decompress the files.

Query log fields

The following fields are collected in DNS resolver query logs, in the order listed. All fields are separated by a comma (`,`).

Field                Description
version              Version of the query log
project_id           Project ID associated with the VPC
region               Region name of the VPC
vpc_id               VPC ID where logs are collected
timestamp            Time when the response to the query occurred
query_name           Domain, subdomain, or destination address queried
record_type          DNS record type
query_class          Class of the DNS query
response_code        DNS response code
response_time        Time taken to respond to the query
response_count       Number of responses to the query
response_size        Size of the response message
response_protocol    Transport layer protocol used for the response

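
As an added example (not KakaoCloud's own code), the following Python parses the documented object-key layout and the comma-separated field order above, then tallies names that repeatedly returned NXDOMAIN, a simple check a defender would run over a downloaded log file. The timestamp and response_code value formats, the "no underscores in identifiers" rule used by the path pattern, and the sample lines are assumptions, since the page does not specify them.

```python
import csv
import gzip
import io
import re
from collections import Counter

# Field order exactly as documented for KakaoCloud DNS resolver query logs.
QUERY_LOG_FIELDS = [
    "version", "project_id", "region", "vpc_id", "timestamp", "query_name",
    "record_type", "query_class", "response_code", "response_time",
    "response_count", "response_size", "response_protocol",
]

# Object key layout from the documented naming format; assumes the AZ/project/VPC/logger ids contain no underscores.
LOG_PATH_RE = re.compile(
    r"^(?P<bucket>[^/]+)/KCLogs/(?P<region>[^/]+)/year=(?P<year>\d{4})/"
    r"month=(?P<month>\d{2})/day=(?P<day>\d{2})/(?P<az>[^_/]+)_(?P<project_id>[^_/]+)_"
    r"(?P<vpc_id>[^_/]+)_(?P<logger_id>[^_/]+)_(?P<start>[^_/]+)_(?P<end>[^_/.]+)\.log\.gz$"
)

def parse_log_path(path):
    """Split a query log object key into its documented parts; None if the key does not match."""
    m = LOG_PATH_RE.match(path)
    return m.groupdict() if m else None

def parse_query_log(gz_bytes):
    """Decompress one .log.gz object and map each comma-separated line onto the field names."""
    text = gzip.decompress(gz_bytes).decode("utf-8")
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(QUERY_LOG_FIELDS):
            continue  # skip blank or malformed lines instead of mis-assigning fields
        records.append(dict(zip(QUERY_LOG_FIELDS, row)))
    return records

def nxdomain_hotspots(records, min_count=3):
    """Names that repeatedly got NXDOMAIN, a first signal of misconfiguration or DGA-style lookups.
    Assumption: response_code holds the textual RCODE (e.g. NXDOMAIN); the page does not say."""
    counts = Counter(r["query_name"] for r in records if r["response_code"] == "NXDOMAIN")
    return {name: n for name, n in counts.items() if n >= min_count}

# Constructed sample log (not real output); timestamp and numeric value formats are assumed.
SAMPLE_LINES = [
    "1,proj-demo,kr-central-2,vpc-demo,2025-06-12T00:00:01Z,host-10-0-16-53,A,IN,NOERROR,1,1,60,UDP",
    "1,proj-demo,kr-central-2,vpc-demo,2025-06-12T00:00:02Z,updates.example.com,A,IN,NOERROR,12,2,88,UDP",
] + [
    f"1,proj-demo,kr-central-2,vpc-demo,2025-06-12T00:00:0{i}Z,xk3q9z.example.invalid,A,IN,NXDOMAIN,9,0,45,UDP"
    for i in range(3, 7)
]
SAMPLE_GZ = gzip.compress("\n".join(SAMPLE_LINES).encode("utf-8"))
```

Calling nxdomain_hotspots(parse_query_log(SAMPLE_GZ)) on the constructed sample flags the single name that received four NXDOMAIN answers.
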
Bucket requirements

Logs collected via DNS resolver query logging must be stored in a designated Object Storage bucket. You must specify a bucket in Object Storage and ensure it meets the following requirements:

Requirements

  • The bucket must be in the same region as the VPC.

Info
  • If the Object Storage bucket designated for storage is deleted, query logs will not be stored correctly. In that case, reconfigure the setting to use a different bucket.
  • If account permissions change while DNS resolver query logging is enabled, logs may not be stored correctly. Ensure the account that enabled logging retains the necessary permissions.

Bucket encryption settings

When enabling DNS resolver query logging, you can choose whether to encrypt log files before storing them in the bucket. It is recommended to set encryption to Enabled for enhanced security.

S3 access key requirements

An S3 access key is required to enable DNS resolver query logging. Make sure to create the key beforehand. You can generate the key under Account settings > Credentials > S3 access key tab.