AWS Route 53 Resolver – Hybrid DNS
- Route 53 Resolver (also known as VPC Resolver) provides automatic DNS resolution within the VPC. It can help resolve DNS queries between VPCs and on-premises networks.
- By default, Resolver answers DNS queries for VPC domain names such as domain names for EC2 instances or ELB load balancers.
- Route 53 Resolver performs recursive lookups against public name servers for all other domain names.
- However, without Resolver endpoints, on-premises resolvers cannot resolve VPC names or records in Route 53 private hosted zones, and the VPC Resolver cannot resolve names served by on-premises DNS.
- DNS resolution between VPC and on-premises network can be configured over a Direct Connect or VPN connection.
- Route 53 Resolver is regional.
- To use inbound or outbound forwarding, create a Resolver endpoint in the VPC.
- As part of the definition of an endpoint, specify the IP addresses to forward inbound DNS queries to or the IP addresses that outbound queries originate from. For each IP address specified, Resolver automatically creates a VPC elastic network interface.
- Resolver endpoints support conventional DNS over port 53 (Do53, UDP and TCP) and DNS-over-HTTPS (DoH); only DoH encrypts the queries exchanged with on-premises resolvers, Do53 traffic is plaintext.
- For DoH targets in a Resolver rule, a Server Name Indication (SNI) value can be set so that the outbound endpoint presents that name in the TLS handshake and the on-premises server’s certificate can be validated against it.
- Resolver rules and DNS Firewall rule groups can be shared across accounts using AWS Resource Access Manager (RAM).
Inbound Endpoint – Forward DNS queries from resolvers on your network to AWS

- DNS resolvers on the on-premises networks can forward DNS queries to Resolver in a specified VPC.
- This enables DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
- Inbound endpoints support Do53 and DoH protocols.
- Inbound endpoints can be used for DNS delegation, allowing subdomain authority to be delegated between on-premises and cloud infrastructure.
Outbound Endpoint – Conditionally forward queries from a VPC to resolvers on your network

- Route 53 Resolver can be configured to forward queries that it receives from EC2 instances in the VPCs to DNS resolvers on the on-premises networks.
- To forward selected queries, create Resolver rules that specify the domain names of the queries to forward (such as example.com) and the IP addresses of the on-premises DNS resolvers that should receive them.
- If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.
- Outbound endpoints support Do53 and DoH targets; use DoH targets when the forwarded traffic must be encrypted on its way to the on-premises resolvers.
Resolver Rules
- Resolver rules control which DNS queries are forwarded to on-premises resolvers and which are resolved locally.
- Forward rules – Forward DNS queries for a specified domain name to the IP addresses of on-premises DNS resolvers.
- System rules – Selectively override the behavior defined in a forward rule. A system rule causes Resolver to resolve the query locally (within the VPC).
- Auto-defined system rules – Automatically created rules for AWS-specific domain names and reverse DNS queries.
- If a “.” (dot) or “com” forward rule is created, also create a system rule for amazonaws.com so that queries for AWS service endpoints stay with the VPC Resolver instead of taking a round trip through the on-premises resolvers.
- Resolver rules can be shared across AWS accounts using AWS RAM, enabling centralized DNS forwarding management.
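The rule-selection logic described above (most specific domain wins, system rules hand the query back to the VPC Resolver, a “.” forward rule catches everything else) as an added, runnable example; this is not AWS code, the rule set and IP addresses are invented, and rule domains are assumed to be unique within one VPC association:

```python
"""Added example (not AWS code): how Route 53 Resolver picks a rule for a query.

Model: a FORWARD rule sends the query to on-premises resolvers, a SYSTEM rule
makes Resolver answer it itself (VPC names, private hosted zones, recursion).
Assumption: each domain appears in at most one rule of the VPC's rule set."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ResolverRule:
    domain: str             # "example.com", "acme.example.com" or "." (everything)
    rule_type: str          # "FORWARD" or "SYSTEM"
    targets: tuple = ()     # on-premises resolver IPs, FORWARD rules only


@dataclass(frozen=True)
class Decision:
    action: str             # "FORWARD" or "RESOLVE_LOCALLY"
    rule_domain: Optional[str]
    targets: tuple = ()


def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]


def rule_matches(rule_domain, qname):
    """A rule for example.com matches example.com and every name under it,
    but not notexample.com (label-wise suffix, not string suffix)."""
    if rule_domain == ".":
        return True
    rl, ql = _labels(rule_domain), _labels(qname)
    return len(ql) >= len(rl) and ql[-len(rl):] == rl


def select_rule(rules, qname):
    """Most specific match wins: acme.example.com beats example.com beats '.'."""
    hits = [r for r in rules if rule_matches(r.domain, qname)]
    if not hits:
        return None
    return max(hits, key=lambda r: len(_labels(r.domain)))


def resolve_decision(rules, qname):
    rule = select_rule(rules, qname)
    if rule is None or rule.rule_type == "SYSTEM":
        # No forward rule applies, or a system rule overrides one: the VPC
        # Resolver answers the query itself.
        return Decision("RESOLVE_LOCALLY", rule.domain if rule else None)
    return Decision("FORWARD", rule.domain, rule.targets)


# Constructed rule set: forward everything to on-premises except amazonaws.com
# and one subdomain that lives in a Route 53 private hosted zone.
RULES = (
    ResolverRule(".", "FORWARD", ("10.0.0.53",)),
    ResolverRule("example.com", "FORWARD", ("10.1.0.53", "10.1.0.54")),
    ResolverRule("acme.example.com", "FORWARD", ("10.2.0.53",)),
    ResolverRule("cloud.example.com", "SYSTEM"),
    ResolverRule("amazonaws.com", "SYSTEM"),
)

if __name__ == "__main__":
    for q in ("www.example.org", "db.acme.example.com", "app.cloud.example.com",
              "ec2.us-east-1.amazonaws.com", "example.com"):
        print(f"{q:30} -> {resolve_decision(RULES, q)}")
```

Run it to see why the amazonaws.com system rule matters: without it, the “.” forward rule would send `ec2.us-east-1.amazonaws.com` to 10.0.0.53.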
Resolver Query Logging
- Resolver query logging allows logging of all DNS queries made by resources within VPCs.
- Logs can be sent to Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose.
- Each log record includes the queried name and record type, the source IP, port and instance ID, the transport (UDP/TCP), the response code and answers, and, where applicable, the Resolver endpoint that forwarded the query or the DNS Firewall rule group, domain list and action that handled it.
- Query logging configurations can be shared across AWS accounts.
- Because the VPC Resolver itself writes these logs, they cover the queries that VPC resources actually sent to it; this differs from public DNS query logging for Route 53 hosted zones, which only records queries that reach the Route 53 authoritative name servers and therefore misses anything answered from an intermediate resolver’s cache.
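A small parser over Resolver query log records, added here as an example (not AWS tooling): the field names follow the documented JSON log format, but every value in the sample records is constructed, and the summaries are what an analyst typically pulls out first.

```python
"""Added example (not AWS code): parse Route 53 Resolver query log records as
delivered to CloudWatch Logs / S3 (one JSON object per line) and summarise the
response-code mix, which instances are talking, what DNS Firewall blocked, and
what was forwarded through an outbound endpoint. Field names follow the
documented log format; all values are constructed sample data."""
import json
from collections import Counter

SAMPLE_LOG = r'''
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2025-01-10T12:00:01Z","query_name":"db.corp.example.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"10.20.1.5","Type":"A","Class":"IN"}],"srcaddr":"10.10.1.23","srcport":"51234","transport":"UDP","srcids":{"instance":"i-0aaaexample"},"resolver_endpoint_id":"rslvr-out-0example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2025-01-10T12:00:02Z","query_name":"malware.example.net.","query_type":"A","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.10.1.23","srcport":"51235","transport":"UDP","srcids":{"instance":"i-0aaaexample"},"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-0example","firewall_domain_list_id":"rslvr-fdl-0example"}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2025-01-10T12:00:03Z","query_name":"x7f9q.evil.example.","query_type":"TXT","query_class":"IN","rcode":"NXDOMAIN","answers":[],"srcaddr":"10.10.2.7","srcport":"40001","transport":"UDP","srcids":{"instance":"i-0bbbexample"}}
{"version":"1.100000","account_id":"111122223333","region":"us-east-1","vpc_id":"vpc-0example","query_timestamp":"2025-01-10T12:00:04Z","query_name":"ec2.us-east-1.amazonaws.com.","query_type":"A","query_class":"IN","rcode":"NOERROR","answers":[{"Rdata":"198.51.100.7","Type":"A","Class":"IN"}],"srcaddr":"10.10.1.23","srcport":"51236","transport":"TCP","srcids":{"instance":"i-0aaaexample"}}
'''


def parse_query_log(text):
    """One JSON record per line. Malformed lines are counted rather than
    silently dropped, so a gap in the evidence is visible to the analyst."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return records, bad


def summarize(records):
    return {
        "rcodes": dict(Counter(r["rcode"] for r in records)),
        "by_instance": dict(Counter(r.get("srcids", {}).get("instance", "?") for r in records)),
        # Only queries matched by a forward rule carry a resolver_endpoint_id.
        "forwarded_via_endpoint": dict(Counter(
            r["resolver_endpoint_id"] for r in records if "resolver_endpoint_id" in r)),
        # DNS Firewall stamps the rule group that produced the block.
        "blocked": [(r["query_timestamp"], r["srcaddr"], r["query_name"], r["firewall_rule_group_id"])
                    for r in records if r.get("firewall_rule_action") == "BLOCK"],
        "nxdomain_by_source": dict(Counter(
            r["srcaddr"] for r in records if r["rcode"] == "NXDOMAIN")),
    }


def nxdomain_ratio(records, srcaddr):
    """Share of a host's queries that got NXDOMAIN; a sudden jump is a cheap
    first indicator of DGA-style probing worth a closer look."""
    mine = [r for r in records if r["srcaddr"] == srcaddr]
    return sum(r["rcode"] == "NXDOMAIN" for r in mine) / len(mine) if mine else 0.0


if __name__ == "__main__":
    recs, bad = parse_query_log(SAMPLE_LOG)
    print(json.dumps(summarize(recs), indent=2), "malformed:", bad)
    print("NXDOMAIN ratio 10.10.2.7:", nxdomain_ratio(recs, "10.10.2.7"))
```

The same functions work unchanged on records pulled from an S3 delivery bucket or a CloudWatch Logs Insights export, since both deliver one JSON object per line.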
DNSSEC Validation
- Route 53 Resolver supports DNSSEC validation, which verifies that DNS responses have not been tampered with in transit.
- When DNSSEC validation is enabled, Resolver validates the authenticity and integrity of DNS responses from public nameservers for DNSSEC-signed domains.
- DNSSEC validation provides protection against DNS spoofing and cache poisoning attacks.
- DNSSEC validation is enabled per VPC; it applies to the recursive lookups Resolver performs against public name servers, and a response that fails validation is returned to the client as SERVFAIL rather than being passed through.
Resolver Endpoint Metrics
- Route 53 Resolver provides detailed CloudWatch metrics for monitoring endpoint health and performance.
- Capacity Utilization metric – Helps monitor whether the endpoint is approaching query capacity limits. (Launched June 2025)
- Detailed metrics – Include P90 response latency, SERVFAIL/NXDOMAIN/REFUSED/FORMERR response tracking, and target name server availability for outbound endpoints. (Launched December 2025)
- Metrics are available at the Resolver Network Interface and Target Name Server levels.
Route 53 Resolver DNS Firewall
- Route 53 Resolver DNS Firewall lets you control access to sites and block DNS-level threats for DNS queries going out from your VPC through the Route 53 VPC Resolver.
- DNS Firewall allows you to define domain name filtering rules in rule groups that you associate with your VPCs.
- You can specify lists of domain names to allow, alert on, or block, and customize the response for blocked queries (NXDOMAIN, NODATA, or an OVERRIDE response that returns a record you specify, such as a CNAME to a sinkhole).
- DNS Firewall filters on the queried domain name only; it does not resolve the name and block by IP address. A wildcard entry such as *.example.com matches subdomains but not example.com itself, which must be listed separately if it should also match.
- DNS Firewall filters DNS traffic only; it does not filter other application layer protocols (HTTPS, SSH, TLS, FTP, etc.).
- DNS Firewall is a feature of Route 53 VPC Resolver and doesn’t require any additional Resolver setup.
- DNS Firewall rule groups can be shared across accounts using AWS RAM, managed centrally with AWS Firewall Manager, and applied via Route 53 Profiles.
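An offline model of how DNS Firewall evaluates a query against the rule groups associated with a VPC, added as an example (not AWS code): groups are evaluated in association-priority order, rules within a group in rule-priority order, the first matching rule decides, and wildcard entries match subdomains but not the apex. The group names, domains and override target are invented.

```python
"""Added example (not AWS code): first-match evaluation of DNS Firewall rule
groups with ALLOW / ALERT / BLOCK actions and the three block responses.
Group and rule names, domains and priorities are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FirewallRule:
    priority: int
    action: str                       # "ALLOW", "ALERT" or "BLOCK"
    domains: tuple                    # domain list entries: "example.com" or "*.example.com"
    block_response: str = "NODATA"    # BLOCK only: "NODATA", "NXDOMAIN" or "OVERRIDE"
    override_domain: Optional[str] = None
    override_ttl: int = 0


@dataclass(frozen=True)
class RuleGroup:
    name: str
    vpc_priority: int                 # priority of the group's VPC association
    rules: tuple


def domain_matches(entry, qname):
    """Exact match for plain entries; '*.example.com' matches any subdomain
    but NOT example.com itself (that needs its own entry)."""
    q, e = qname.lower().rstrip("."), entry.lower().rstrip(".")
    if e.startswith("*."):
        return q.endswith(e[1:]) and q != e[2:]
    return q == e


def evaluate(groups, qname):
    """Lowest association priority first, then lowest rule priority; the first
    matching rule wins. No match: the query proceeds to Resolver unchanged."""
    for group in sorted(groups, key=lambda g: g.vpc_priority):
        for rule in sorted(group.rules, key=lambda r: r.priority):
            if any(domain_matches(d, qname) for d in rule.domains):
                verdict = {"action": rule.action, "group": group.name, "priority": rule.priority}
                if rule.action == "BLOCK":
                    verdict["response"] = rule.block_response
                    if rule.block_response == "OVERRIDE":
                        verdict["override"] = (rule.override_domain, rule.override_ttl)
                return verdict
    return {"action": "ALLOW", "group": None, "priority": None}


# Constructed VPC association: a security baseline first, a team's group second.
GROUPS = (
    RuleGroup("security-baseline", 100, (
        FirewallRule(100, "ALLOW", ("login.example.com",)),           # explicit exception first
        FirewallRule(200, "BLOCK", ("badsite.example", "*.badsite.example"),
                     block_response="OVERRIDE",
                     override_domain="sinkhole.corp.example", override_ttl=60),
        FirewallRule(300, "ALERT", ("*.social.example",)),             # log it, let it through
    )),
    RuleGroup("team-extra", 200, (
        FirewallRule(100, "BLOCK", ("login.example.com",), block_response="NXDOMAIN"),
    )),
)

if __name__ == "__main__":
    for q in ("login.example.com", "cdn.badsite.example.", "badsite.example",
              "notbadsite.example", "feed.social.example", "www.example.org"):
        print(f"{q:24} -> {evaluate(GROUPS, q)}")
```

Note the two traps the sample exercises: the team group’s block of login.example.com never fires because the baseline ALLOW matched first, and notbadsite.example is not blocked because a wildcard is a label boundary, not a string suffix.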
AWS Managed Domain Lists
- AWS provides managed domain lists for known threats, including malware, botnet command and control, and newly registered domains.
- Threat categories – malware, phishing, spam, botnets, spyware, command and control.
- Content categories – adult/mature content, gambling, social media, gaming, and other web content types. (Added May 2026)
DNS Firewall Advanced
- DNS Firewall Advanced provides intelligent, real-time protection against sophisticated DNS-based threats beyond static domain lists. (Launched November 2024)
- DNS Tunneling Detection – Identifies and blocks attempts to use DNS as a covert channel for data exfiltration or command-and-control communication.
- Domain Generation Algorithm (DGA) Detection – Identifies and blocks queries to domains created by DGAs commonly used by malware.
- Dictionary-based DGA Detection – Detects sophisticated DGA variants that use dictionary words to create more legitimate-looking domains. (Added November 2025)
- DNS Firewall Advanced works by inspecting DNS payload characteristics including timestamps, request frequency, query strings, and query length/type/size.
- Palo Alto Networks Advanced DNS Security integration (Preview) – Enables enforcement of third-party threat intelligence categories including fast-flux protection, DNS tunneling, DNS rebinding, and DGA detection directly within DNS Firewall rules. (June 2026)
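To make the payload features listed above concrete (query length, request frequency, randomness of the query string), here is a small offline detector for tunnelling-style and DGA-style query patterns, added as an example. It is not how DNS Firewall Advanced is implemented and not AWS code; the thresholds, the naive “parent = last two labels” split and all of the traffic are assumptions and constructed data.

```python
"""Added example (not AWS code, not DNS Firewall Advanced's algorithm): score
DNS queries per source with three payload features: subdomain length,
query rate, and Shannon entropy of the labels. Thresholds and traffic are
constructed; a real detector would also use a public-suffix list."""
import base64
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character: 0 for 'aaaa', 2.0 for 'abcd', ~4.7 for base32 noise."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def split_name(qname):
    """(subdomain, parent) with parent = last two labels (assumption: no
    public-suffix list, so 'x.co.uk' would be mis-split by this toy)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(events, tunnel_min_subs=5, tunnel_min_len=30, tunnel_min_entropy=3.5,
            dga_min_parents=4, dga_min_len=12, dga_min_entropy=3.0):
    """events: iterable of (ts_seconds, srcaddr, qname, qtype).
    Returns {srcaddr: [finding, ...]}; sources with nothing suspicious are absent."""
    per_pair = defaultdict(list)        # (src, parent) -> [(ts, subdomain, qtype)]
    for ts, src, qname, qtype in events:
        sub, parent = split_name(qname)
        per_pair[(src, parent)].append((ts, sub, qtype))

    findings, random_parents = defaultdict(list), defaultdict(set)
    for (src, parent), rows in per_pair.items():
        # Tunnelling: many distinct, long, high-entropy subdomains under ONE parent
        subs = {s for _, s, _ in rows if s}
        if len(subs) >= tunnel_min_subs:
            avg_len = sum(map(len, subs)) / len(subs)
            avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
            stamps = [t for t, _, _ in rows]
            qps = len(rows) / max(max(stamps) - min(stamps), 1.0)
            if avg_len >= tunnel_min_len and avg_ent >= tunnel_min_entropy:
                findings[src].append(
                    f"tunneling:{parent} subs={len(subs)} avg_len={avg_len:.0f} qps={qps:.1f}")
        # DGA: the registrable label itself looks random, across MANY parents
        sld = parent.split(".")[0]
        if len(sld) >= dga_min_len and shannon_entropy(sld) >= dga_min_entropy:
            random_parents[src].add(parent)
    for src, parents in random_parents.items():
        if len(parents) >= dga_min_parents:
            findings[src].append(f"dga:{len(parents)} random parents")
    return dict(findings)


def _noise(seed, n):
    """Deterministic base32 'payload' so the sample runs offline (constructed)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:n]


# Constructed traffic: one tunnelling host, one DGA host, one ordinary host.
EVENTS = (
    [(i * 0.5, "10.0.0.5", f"{_noise(f'chunk{i}', 52)}.tun.example.", "TXT") for i in range(8)]
    + [(10 + i, "10.0.0.9", f"{_noise(f'dga{i}', 20)}.example.", "A") for i in range(5)]
    + [(0, "10.0.0.7", "www.example.org.", "A"), (15, "10.0.0.7", "api.example.org.", "A"),
       (30, "10.0.0.7", "cdn.example.org.", "A"), (45, "10.0.0.7", "mail.example.net.", "MX")]
)

if __name__ == "__main__":
    for src, hits in analyse(EVENTS).items():
        print(src, hits)
```

The two patterns are deliberately separated: tunnelling varies the subdomain under a fixed parent the attacker controls, while a DGA varies the registrable domain itself, so a detector keyed only on one of them misses the other.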
Route 53 Profiles
- Route 53 Profiles allow you to define a standard DNS configuration and apply it to multiple VPCs in the same AWS Region. (Launched April 2024)
- A Profile can include Route 53 private hosted zone (PHZ) associations, Resolver forwarding rules, and DNS Firewall rule groups.
- When you update a Profile, its settings are propagated to all associated VPCs automatically.
- Profiles can be shared across AWS accounts using AWS RAM for centralized DNS management.
- Profiles simplify multi-account DNS management by eliminating the need to manage individual resource associations per VPC.
- Route 53 Profiles is a regional service.
Route 53 Global Resolver
- Route 53 Global Resolver is a managed anycast DNS resolver accessible from anywhere over the internet. (Preview November 2025, GA March 2026)
- Provides DNS resolution for both public internet domains and Route 53 private hosted zones from on-premises, branch offices, and remote clients.
- Uses globally distributed anycast IP addresses that route queries to the nearest available AWS Region.
- Supports multiple DNS protocols: DNS over UDP (Do53), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT).
- Requires client authentication via token-based authentication (DoH/DoT) or ACL-based IP/CIDR allowlisting (Do53/DoT/DoH).
- Includes built-in DNS traffic filtering using the same DNS Firewall rule capabilities (managed domain lists, custom lists, and advanced protections).
- Provides centralized query logging to CloudWatch, S3, or Data Firehose.
- Supports DNSSEC validation for public domains.
- Must be deployed in a minimum of two AWS Regions for high availability with automatic failover.
- Allows adding and removing AWS Regions dynamically for flexible geographic coverage. (May 2026)
- Available across 30 AWS Regions with IPv4 and IPv6 support.
- Protected against DDoS threats using AWS Shield.
Global Resolver vs VPC Resolver
- Global Resolver – Internet-reachable via anycast IPs, designed for on-premises/remote clients, supports Do53/DoH/DoT, requires client authentication.
- VPC Resolver – Default VPC recursive resolver, accessible by VPC-hosted clients or via VPN/Direct Connect through Resolver endpoints, DNS encryption available only for hybrid queries over endpoints.
AWS Certification Exam Practice Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day, and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
- Open to further feedback, discussion and correction.
- A company wants to install a new private intranet service using Amazon EC2 instances inside a Virtual Private Cloud (VPC). The VPC is connected to the company’s on-premises network using an AWS Site-to-Site VPN. The new service must communicate with the on-premises services already in place. On-premises services are accessed using company-owned hostnames in a DNS zone, company.example. This DNS zone is entirely on-premises and accessible only via the company’s private network. To connect the new service with current services, a solutions architect must guarantee that the new service can resolve hostnames on the company.example domain. Which solution satisfies these criteria?
- Create an empty private zone in Route 53 for company.example. Add an additional NS record to the company’s on-premises company.example zone that points to the authoritative name servers for the new private zone in Route 53.
- Turn on DNS hostnames for the VPC. Configure a new outbound endpoint with Route 53 Resolver. Create a Resolver rule to forward requests for company.example to the on-premises name servers.
- Turn on DNS hostnames for the VPC. Configure a new inbound resolver endpoint with Route 53 Resolver. Configure the on-premises DNS server to forward requests for company.example to the new resolver.
- Use AWS Systems Manager to configure a run document that will install a hosts file that contains any required hostnames. Use an Amazon EventBridge rule to run the document when an instance is entering the running state.
- A company operates in a hybrid environment with multiple VPCs and on-premises data centers. The security team requires all DNS traffic from VPCs to be inspected for data exfiltration attempts and queries to known malicious domains must be blocked. Which solution provides the most comprehensive protection?
- Create Network ACLs to block DNS traffic to known malicious IP addresses.
- Configure security groups to restrict DNS traffic to specific DNS resolvers only.
- Configure Route 53 Resolver DNS Firewall with AWS managed domain lists for known threats and DNS Firewall Advanced rules for DNS tunneling and DGA detection, then associate the rule groups with all VPCs.
- Deploy third-party DNS security appliances in each VPC and route all DNS traffic through them.
- A multinational organization needs to provide secure DNS resolution for remote employees and branch offices accessing both public internet domains and internal applications hosted in AWS. The solution must encrypt DNS traffic and support centralized security policies. Which approach is most appropriate?
- Deploy Route 53 Resolver inbound endpoints in every AWS Region and configure on-premises DNS forwarders to send queries over VPN tunnels.
- Configure Route 53 Global Resolver with token-based authentication for remote clients and DNS Firewall rules to filter queries, using DoH or DoT for encryption.
- Set up a fleet of EC2 instances running BIND DNS servers with custom filtering and forward all client traffic through a VPN.
- Use Route 53 VPC Resolver with outbound endpoints and share Resolver rules across accounts using RAM.
- A company has 50 AWS accounts within an AWS Organization. They want to apply consistent DNS configurations—including private hosted zone associations, Resolver forwarding rules, and DNS Firewall rule groups—to all VPCs across accounts in the same Region. What is the most operationally efficient solution?
- Manually associate each private hosted zone, Resolver rule, and DNS Firewall rule group to each VPC individually.
- Use AWS RAM to share all DNS resources to each account and write automation scripts to associate them.
- Create a Route 53 Profile containing the DNS configuration, share it across accounts using AWS RAM, and associate it with all VPCs.
- Deploy CloudFormation StackSets to create identical DNS configurations in each account.
- A solutions architect wants to monitor the health and performance of Route 53 Resolver outbound endpoints that forward DNS queries to on-premises servers. They need to detect when target name servers become unavailable and when response latency increases. Which approach provides the required visibility?
- Enable VPC Flow Logs and filter for DNS traffic on port 53.
- Configure Resolver query logging and parse logs for timeout patterns.
- Enable detailed CloudWatch metrics for the Resolver endpoints to monitor P90 response latency, error responses (SERVFAIL, REFUSED), and target name server availability.
- Create a Lambda function that periodically sends test DNS queries and measures response times.