At AWS Community GameDay 2026, a DNS data exfiltration challenge exposed a blind spot in AWS network monitoring. Instinct points to VPC Flow Logs for any network investigation, but queries sent to the VPC resolver (the link-local address 169.254.169.253, or the VPC base address plus two) are answered by the Amazon-provided DNS service before they reach the ENI, so they never appear in Flow Logs at all. An exfiltration channel that encodes data in subdomain labels and sends it through the VPC resolver therefore leaves no trace in the log most responders check first.

Route 53 Resolver Query Logs are the tool for DNS visibility: every query the VPC resolver answers is logged, deterministically, including the ones an exfiltration channel depends on. Query logging is not on by default, so a logging configuration has to be created and associated with the VPC before an incident, not during one. GuardDuty can flag exfiltration patterns, but its detection is threshold-based: one test run of 25 queries produced no finding at all, while Resolver Query Logs captured all 25.
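The detection side of that comparison, as an added example that is not code from the GameDay writeup or from AWS: the script below builds a handful of constructed Resolver query log records in the documented JSON shape (query_name, srcaddr, srcids.instance, and so on), then groups queries per source instance and base domain and flags a domain when it has received many distinct, high-entropy subdomain labels. The domain names, instance ID, timestamps and the two thresholds are assumptions chosen for the example; the two-label "base domain" split is a heuristic, not a public-suffix lookup.

```python
"""Toy DNS-exfiltration detector over Route 53 Resolver query log records.

Added illustration only. The records are constructed to mimic the documented
Resolver query log JSON fields; domains, IDs and thresholds are assumptions.
"""
import hashlib
import json
import math
from collections import defaultdict

# Constructed sample: 25 TXT queries that tunnel hex chunks as subdomains of
# c2.example (assumed attacker domain), plus ordinary lookups from the same host.
CHUNKS = [hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32] for i in range(25)]
ORDINARY = ["s3.us-east-1.amazonaws.com.", "api.github.com.", "pypi.org."]


def make_record(name, instance="i-0123456789abcdef0", ts="2026-02-01T10:00:00Z"):
    # Field names follow the Resolver query log format; values are made up.
    return {
        "version": "1.100000", "account_id": "123456789012", "region": "us-east-1",
        "vpc_id": "vpc-0123456789abcdef0", "query_timestamp": ts,
        "query_name": name, "query_type": "TXT", "query_class": "IN",
        "rcode": "NOERROR", "answers": [], "srcaddr": "10.0.1.23",
        "srcport": "53914", "transport": "UDP", "srcids": {"instance": instance},
    }


SAMPLE_LOG = "\n".join(json.dumps(make_record(f"{c}.c2.example.")) for c in CHUNKS)
SAMPLE_LOG += "\n" + "\n".join(json.dumps(make_record(n)) for n in ORDINARY)


def shannon_entropy(s):
    """Bits per character of the string s (0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Heuristic split into (base_domain, subdomain); last two labels are the base."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def detect_exfil(log_text, min_unique=20, min_entropy=3.0):
    """Return one finding per (instance, base domain) that looks like a tunnel.

    min_unique: distinct subdomains needed before a domain is considered.
    min_entropy: mean entropy (bits/char) of the leftmost label across them.
    """
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        parts = split_name(rec["query_name"])
        if parts is None:
            continue
        base, sub = parts
        if not sub:  # bare apex lookup, nothing to encode in
            continue
        instance = rec.get("srcids", {}).get("instance") or rec.get("srcaddr")
        buckets[(instance, base)].add(sub)

    findings = []
    for (instance, base), subs in buckets.items():
        if len(subs) < min_unique:
            continue
        mean_ent = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if mean_ent < min_entropy:
            continue
        findings.append({
            "instance": instance, "domain": base,
            "unique_subdomains": len(subs), "mean_entropy": round(mean_ent, 2),
            "label_chars": sum(len(s.replace(".", "")) for s in subs),
        })
    return findings


if __name__ == "__main__":
    # With a low threshold the 25-query run is caught; with a GuardDuty-like
    # higher bar (assumed here as 100) the same run produces nothing.
    print(detect_exfil(SAMPLE_LOG))
    print(detect_exfil(SAMPLE_LOG, min_unique=100))
```

The second call in the usage block is the point of the passage: the same 25 records are either a finding or silence depending on nothing but the threshold, which is why the raw query log, not the detector's verdict, is what you want retained.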

Route 53 DNS Firewall blocks queries at the resolver itself, which is effective prevention, but it only sees queries that go through the resolver. An instance that talks to an external DNS server directly bypasses it entirely. That traffic does cross the ENI, so it shows up in Flow Logs as UDP port 53 to a destination other than the VPC resolver, which is itself a useful signal; a security group or network ACL that denies outbound port 53 to anything but the VPC resolver closes the bypass.
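The Flow Logs side of that bypass, as an added example and not code from the GameDay writeup or from AWS: the script below parses constructed Flow Log lines in the default format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) and reports every outbound port-53 flow whose destination is not the VPC resolver. The VPC CIDR 10.0.0.0/16, the interface ID and the addresses are assumptions.

```python
"""Flag DNS traffic that bypasses the VPC resolver, from VPC Flow Log lines.

Added illustration only. Lines are constructed in the default Flow Log format;
the VPC CIDR and all addresses are assumptions.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
# Queries to the VPC resolver (base + 2) or its link-local alias are never
# logged, so any port-53 flow that does appear went somewhere else.
RESOLVER_ADDRS = {str(VPC_CIDR.network_address + 2), "169.254.169.253"}

# Constructed sample: one direct query to a public resolver, one HTTPS flow,
# one query to another host inside the VPC, and the public resolver's reply.
FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.23 8.8.8.8 53914 53 17 25 3275 1738404000 1738404060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.23 52.94.1.10 41022 443 6 12 1800 1738404000 1738404060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.23 10.0.2.15 40000 53 17 2 160 1738404000 1738404060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 8.8.8.8 10.0.1.23 53 53914 17 25 4100 1738404000 1738404060 ACCEPT OK
"""


def find_direct_dns(flow_log, vpc_cidr=VPC_CIDR):
    """Return outbound UDP/TCP port-53 flows that did not go to the VPC resolver."""
    findings = []
    for line in flow_log.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":  # skip blanks and non-default formats
            continue
        src, dst, dstport, proto = f[3], f[4], f[6], f[7]
        if proto not in ("17", "6") or dstport != "53":  # 17 = UDP, 6 = TCP
            continue
        if ipaddress.ip_address(src) not in vpc_cidr:  # inbound replies, not queries
            continue
        if dst in RESOLVER_ADDRS:  # would never be logged, kept for completeness
            continue
        findings.append({
            "interface": f[2], "src": src, "dst": dst,
            "external": ipaddress.ip_address(dst) not in vpc_cidr,
            "packets": int(f[8]),
        })
    return findings


if __name__ == "__main__":
    for hit in find_direct_dns(FLOW_LOG):
        print(hit)
```

The internal hit (10.0.2.15) is deliberately kept: a self-hosted resolver inside the VPC also sidesteps DNS Firewall, and whether it is sanctioned is a question for the inventory, not the log.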

The key lesson is that VPC Flow Logs and Resolver Query Logs are complementary, not overlapping: Flow Logs see the packets that cross the ENI and nothing that goes to the VPC resolver, while Resolver Query Logs see the resolver's queries and nothing else. Both are needed for comprehensive visibility.
