At AWS Community GameDay 2026, a DNS data exfiltration challenge revealed a critical blind spot: VPC Flow Logs cannot capture DNS traffic because queries to the VPC resolver at 169.254.169.253 are intercepted by the AWS hypervisor before reaching the network interface. Route 53 Resolver Query Logs are the only AWS-native tool that captures this traffic and should be enabled by default across all VPCs.

Testing showed that GuardDuty, while useful, has detection thresholds that allowed one complete exfiltration run to go undetected entirely. Resolver Query Logs captured every query across all runs without exception. Route 53 DNS Firewall successfully blocked exfiltration at the resolver level, though it can be bypassed if an instance sends DNS queries directly to an external IP, which would then appear in VPC Flow Logs as anomalous UDP port 53 traffic.

The key lesson is that these tools are complementary, not interchangeable, and building deterministic alerts directly on Resolver Query Logs provides more reliable coverage than depending solely on GuardDuty.
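As an added example (not from the GameDay write-up or from any AWS tooling), the following Python shows what "deterministic alerts directly on Resolver Query Logs" can look like, and pairs them with the VPC Flow Log check the previous paragraph mentions for the direct-to-external-resolver bypass. Every record it processes is constructed: the source address 10.0.1.12, the instance id, the c2.example.org names, the 10.0.0.2 resolver address (assumes a 10.0.0.0/16 VPC) and the three thresholds are all assumptions; only the field names match the real Resolver Query Log and default VPC Flow Log formats.

```python
"""Deterministic DNS exfiltration checks over Route 53 Resolver Query Logs and
VPC Flow Logs. Added example; every sample record below is constructed."""
import json
import math
from collections import Counter, defaultdict

LABEL_LEN_THRESHOLD = 40      # assumed: a single DNS label this long is unusual for normal traffic
ENTROPY_THRESHOLD = 3.5       # assumed: bits per character; encoded payloads score high, words score low
UNIQUE_SUB_THRESHOLD = 5      # assumed: distinct subdomains per (source, base domain) before alerting

# Resolver addresses that legitimate queries go to. 169.254.169.253 is the link-local
# resolver; 10.0.0.2 assumes a hypothetical 10.0.0.0/16 VPC (CIDR base + 2).
VPC_RESOLVER_IPS = {"169.254.169.253", "10.0.0.2"}


def _rec(qname, src="10.0.1.12"):
    """Build one constructed Resolver Query Log record using the real field names."""
    return json.dumps({
        "version": "1.100000", "vpc_id": "vpc-0example",
        "query_timestamp": "2026-01-15T10:00:00Z", "query_name": qname,
        "query_type": "TXT", "query_class": "IN", "rcode": "NOERROR",
        "srcaddr": src, "srcport": "41022", "transport": "UDP",
        "srcids": {"instance": "i-0example"},
    })


# Constructed sample: two benign lookups, then six queries under a made-up
# c2.example.org zone whose leftmost labels imitate encoded data chunks.
RESOLVER_LOG_LINES = [
    _rec("www.example.com."),
    _rec("mail.example.com."),
    _rec("0123456789abcdef0123456789abcdef.c2.example.org."),                  # 32 chars, entropy 4.0
    _rec("0123456789abcdefghijklmnopqrstuvwxyz0123456789ab.c2.example.org."),  # 48 chars, high entropy
    _rec("a" * 44 + ".c2.example.org."),                                       # long label, zero entropy
    _rec("seq0001.c2.example.org."),
    _rec("seq0002.c2.example.org."),
    _rec("seq0003.c2.example.org."),
]

# Constructed VPC Flow Log lines (default 14-field format). Queries to the VPC resolver
# would not normally appear here at all; the 10.0.0.2 line only exercises the allowlist.
FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 198.51.100.7 41023 53 17 12 960 1704067200 1704067260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 203.0.113.10 41024 443 6 30 4100 1704067200 1704067260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 10.0.0.2 41025 53 17 1 76 1704067200 1704067260 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1704067200 1704067260 - NODATA",
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyse_resolver_logs(lines):
    """Return one alert per (record, rule) hit, plus one per noisy (source, base domain) pair."""
    alerts = []
    subs_seen = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        labels = rec["query_name"].rstrip(".").split(".")
        base = ".".join(labels[-2:])      # naive split; ignores multi-label suffixes such as co.uk
        sub_labels = labels[:-2]
        if not sub_labels:
            continue
        subs_seen[(rec["srcaddr"], base)].add(".".join(sub_labels))
        longest = max(sub_labels, key=len)
        if len(longest) >= LABEL_LEN_THRESHOLD:
            alerts.append({"rule": "long_label", "srcaddr": rec["srcaddr"], "query_name": rec["query_name"]})
        if shannon_entropy(longest) >= ENTROPY_THRESHOLD:
            alerts.append({"rule": "high_entropy", "srcaddr": rec["srcaddr"], "query_name": rec["query_name"]})
    for (src, base), subs in subs_seen.items():
        if len(subs) >= UNIQUE_SUB_THRESHOLD:
            alerts.append({"rule": "many_unique_subdomains", "srcaddr": src, "query_name": base, "count": len(subs)})
    return alerts


def direct_external_dns(flow_lines):
    """Flag port-53 flows whose destination is not a VPC resolver (the DNS Firewall bypass path)."""
    hits = []
    for line in flow_lines:
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        srcaddr, dstaddr, dstport, proto, action = f[3], f[4], f[6], f[7], f[12]
        if dstport == "53" and proto in ("6", "17") and dstaddr not in VPC_RESOLVER_IPS:
            hits.append({"srcaddr": srcaddr, "dstaddr": dstaddr,
                         "protocol": "TCP" if proto == "6" else "UDP", "action": action})
    return hits


if __name__ == "__main__":
    for a in analyse_resolver_logs(RESOLVER_LOG_LINES):
        print("resolver-log alert:", a)
    for h in direct_external_dns(FLOW_LOG_LINES):
        print("flow-log alert:", h)
```

The three resolver-log rules are deliberately independent: the 44-character label trips only the length rule, the 32-character hex label trips only the entropy rule, and short sequential labels trip neither on their own but are caught by the per-source unique-subdomain count. In practice the thresholds need tuning against a baseline of the VPC's real query volume, and the base-domain split should use a public-suffix list rather than the last two labels.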
