AWS Route 53

How Route 53 Routes Traffic

AWS Route 53

  • Route 53 is a highly available and scalable Domain Name System (DNS) web service.
  • Route 53 provides three main functions:
    • Domain registration
      • allows domain names registration
      • supports registration and management of 34+ new top-level domains (TLDs) including .app, .dev, .art, .forum, .health, and .realty
    • Domain Name System (DNS) service
      • translates friendly domains names like www.example.com into IP addresses like 192.0.2.1
      • responds to DNS queries using a global network of authoritative DNS servers, which reduces latency
      • can route Internet traffic to CloudFront, Elastic Beanstalk, ELB, or S3. There’s no charge for DNS queries to these resources
    • Health Checking
      • can monitor the health of resources such as web and email servers.
      • sends automated requests over the Internet to the application to verify that it’s reachable, available, and functional
      • CloudWatch alarms can be configured for the health checks to send notifications when a resource becomes unavailable.
      • can be configured to route Internet traffic away from resources that are unavailable
    • Security
      • supports both DNSSEC for domain registration and DNSSEC signing
      • supports AWS PrivateLink for API requests, allowing workloads to manage DNS infrastructure without using the public internet (announced Nov 2025)

How Route 53 Routes Traffic

Supported DNS Resource Record Types

  • A (Address) Format
    • is an IPv4 address in dotted decimal notation for e.g. 192.0.2.1
  • AAAA Format
    • is an IPv6 address in colon-separated hexadecimal format
  • CNAME Format
    • is the same format as a domain name
    • DNS protocol does not allow creation of a CNAME record for the top node of a DNS namespace, also known as the zone apex for e.g. the DNS name example.com registration, the zone apex is example.com, a CNAME record for example.com cannot be created, but CNAME records can be created for www.example.com, newproduct.example.com etc.
    • If a CNAME record is created for a subdomain, any other resource record sets for that subdomain cannot be created for e.g. if a CNAME created for www.example.com, no other resource record sets for which the value of the Name field is www.example.com can be created
  • MX (Mail Xchange) Format
    • contains a decimal number that represents the priority of the MX record, and the domain name of an email server
  • NS (Name Server) Format
    • An NS record identifies the name servers for the hosted zone. The value for an NS record is the domain name of a name server.
  • PTR Format
    • A PTR record Value element is the same format as a domain name.
  • SOA (Start of Authority) Format
    • SOA record provides information about a domain and the corresponding Amazon Route 53 hosted zone
  • SPF (Sender Policy Framework) Format
    • SPF records were formerly used to verify the identity of the sender of email messages, however is not recommended
    • Instead of an SPF record, a TXT record that contains the applicable value is recommended
  • SRV Format
    • An SRV record Value element consists of four space-separated values. The first three values are decimal numbers representing priority, weight, and port. The fourth value is a domain name for e.g. 10 5 80 hostname.example.com
  • TXT (Text) Format
    • A TXT record contains a space-separated list of double-quoted strings. A single string include a maximum of 255 characters. In addition to the characters that are permitted unescaped in domain names, space is allowed in TXT strings
  • HTTPS Format (New – Oct 2024)
    • HTTPS records are specific for use with the HTTP protocol and allow application owners to bind endpoint-specific information into the DNS reply.
    • Enables clients to discover the optimal HTTP protocol version (HTTP/2, HTTP/3) during the initial DNS resolution phase rather than in a subsequent connection step, reducing latency.
    • Supports two modes: AliasMode (aliases a DNS name to another DNS name) and ServiceMode (passes parameters like ALPN, port, ECH, and IP hints).
    • Supported for both public and private hosted zones.
  • SVCB (Service Binding) Format (New – Oct 2024)
    • SVCB records allow application owners to bind endpoint-specific information for any service, irrespective of protocol.
    • Similar to HTTPS records but the record name includes the port and protocol.
    • Supports AliasMode and ServiceMode with parameters like TLS ALPN, port number, ECH configuration, and IP hints.
    • Supported for both public and private hosted zones.
  • TLSA Format (New – Oct 2024)
    • TLSA records allow administrators to specify a public key fingerprint of the TLS certificate in DNS (DNS-based Authentication of Named Entities – DANE).
    • Enables a TLS client to verify using DNS that the certificate presented by a server is expected.
    • Helps prevent man-in-the-middle attacks and downgrade attacks, particularly useful for SMTP over TLS.
    • Requires DNSSEC to be enabled on the hosted zone.
    • Supported only for public hosted zones.
  • SSHFP (Secure Shell Fingerprint) Format (New – Oct 2024)
    • SSHFP records allow DNS servers to answer SSH client requests for SSH fingerprints with DNSSEC-signed records.
    • SSH client validates the fingerprint a server presents with those provided by the DNS server, mitigating man-in-the-middle attacks.
    • Requires DNSSEC to be enabled on the hosted zone and DNSSEC validation on the client.
    • Supported only for public hosted zones.

Alias Resource Record Sets

  • Route 53 supports alias resource record sets, which enables routing of queries to a CloudFront distribution, Elastic Beanstalk, ELB, an S3 bucket configured as a static website, or another Route 53 resource record set
  • Alias records are not standard for DNS RFC and are a Route 53 extension to DNS functionality
  • Alias record is similar to a CNAME record and is always of type A or AAAA
  • Alias record can be created both for the root domain or apex zone, such as example.com, and for subdomains, such as www.example.com. CNAME records can be used only for subdomains.
  • Route 53 automatically recognizes changes in the resource record sets that the alias resource record set refers to for e.g. for a site pointing to a load balancer, if the IP of the load balancer changes, it will reflect those changes automatically in the DNS answers without any changes to the hosted zone that contains resource record sets
  • Alias resource record set does not support TTL or Time to Live if it points to a CloudFront distribution, an ELB, or an S3 bucket. Underlying CloudFront, load balancer, or S3 TTLs are used.
  • Alias records are free to query and do not incur any charges.
  • Alias record supported targets
  • Alias records are not supported for
    • EC2 DNS
    • RDS endpoints.

Route 53 Alias vs CNAME

Refer to blog post @ Route 53 Alias vs CNAME

Route 53 CNAME vs Alias Records

Route 53 Hosted Zone

  • Hosted Zone is a container for records, which include information about how to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com).
  • A hosted zone has the same name as the corresponding domain.
  • Routing Traffic to the Resources
    • Create a hosted zone with either a public hosted zone or a private hosted zone:
      • Public Hosted Zone – for routing internet traffic to the resources for a specific domain and its subdomains
      • Private hosted zone – for routing traffic within a VPC
    • Create records in the hosted zone
      • Records define where to route traffic for each domain name or subdomain name.
      • Name of each record in a hosted zone must end with the name of the hosted zone.
  • For public/private and private Hosted Zones that have overlapping namespaces, Route 53 Resolvers routes traffic to the most specific match.
  • IAM permissions apply only at the Hosted Zone level
  • Accelerated Recovery (New – Nov 2025)
    • Accelerated recovery for public hosted zones targets a 60-minute Recovery Time Objective (RTO) for DNS record changes during service disruptions in the US East (N. Virginia) Region.
    • Provides built-in failover of the Route 53 control plane to the Oregon Region (us-west-2).
    • When enabled, allows making changes to DNS records in public hosted zones even when the us-east-1 Region is unavailable.
    • Enhances business continuity for mission-critical applications that rely on DNS changes for failover.

Route 53 Health Checks

  • Route 53 health checks monitor the health and performance of the underlying resources.
  • Health check types
    • Health checks that monitor an endpoint, such as a web server.
      • Health checkers are located in locations around the world.
      • The health checker location and interval can be specified.
      • Health checker evaluates the health of the endpoint based
        • Response time
        • Specified failure threshold – Whether the endpoint responds to a number of consecutive health checks
      • The endpoint is considered healthy if more than 18% of health checkers report that an endpoint is healthy.
      • Health check is considered healthy if
        • HTTP and HTTPS health checks
          • TCP connection can be established within four seconds.
          • Returns 2xx or 3xx within two seconds after connecting.
        • TCP health checks
          • TCP connection can be established within ten seconds.
        • HTTP and HTTPS health checks with string matching
          • TCP connection can be established within four seconds.
          • Returns 2xx or 3xx within two seconds after connecting.
          • Route 53 searches the response body for the specified string which must appear entirely in the first 5,120 bytes of the response body or the endpoint fails the health check.
    • Calculated health checks – Health checks that monitor the status of other health checks.
      • Health check that does the monitoring is the parent health check, and the health checks that are monitored are child health checks.
      • One parent health check can monitor the health of up to 255 child health checks
    • Health checks that monitor the status of a CloudWatch alarm.
      • Route 53 monitors the data stream for the corresponding alarm instead of monitoring the alarm state.
  • Route 53 checks the health of an endpoint by sending an HTTP, HTTPS, or TCP request to the specified IP address and port.
  • For a health check to succeed, the router and firewall rules must allow inbound traffic from the IP addresses that the health checkers use.

Route 53 Routing Policies

Refer Blog post @ Route 53 Routing Policies

Route 53 Resolver

Refer Blog post @ Route 53 Resolver

Route 53 Global Resolver (New – GA March 2026)

  • Route 53 Global Resolver is an internet-reachable anycast DNS resolver that delivers easy, secure, and reliable DNS resolution for authorized clients from anywhere.
  • Provides DNS resolution for authenticated clients in on-premises data centers, branch offices, and remote locations through globally distributed anycast IP addresses.
  • Resolves both public internet domains and Route 53 private hosted zones, eliminating the need for separate split-DNS forwarding infrastructure.
  • Supports multiple DNS protocols including DNS over UDP (Do53), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT).
  • Includes built-in security controls:
    • DNS traffic filtering to block potentially malicious domains
    • Support for encrypted DNS queries
    • Centralized logging for auditing and compliance
    • Integration with Route 53 Resolver DNS Firewall rules (threat categories, content categories, and advanced DNS threat protection)
  • Anycast architecture automatically routes each query to the closest healthy AWS Region, providing built-in failover without client-side changes.
  • Deployed across multiple AWS Regions simultaneously (minimum two).
  • Supports adding and removing AWS Regions for flexible control over where DNS queries are resolved.
  • Available across 30+ AWS Regions with support for both IPv4 and IPv6 DNS query traffic.

Route 53 Profiles (New – April 2024)

  • Route 53 Profiles allows defining a standard DNS configuration and applying it to multiple VPCs in the same AWS Region.
  • A Profile can include:
    • Route 53 private hosted zone (PHZ) associations
    • Route 53 Resolver forwarding rules
    • Route 53 Resolver DNS Firewall rule groups
    • VPC endpoint associations
  • Profiles can be shared across AWS accounts using AWS Resource Access Manager (RAM).
  • Eliminates the need for per-VPC PHZ associations by allowing DNS configurations to be managed centrally.
  • Simplifies DNS management in multi-account environments by reducing operational complexity.
  • Supports consistent DNS Query Logging configuration at the Profile level with automatic propagation to all associated VPCs.
  • Supports granular IAM permissions for resource and VPC associations.
  • Supports AWS PrivateLink for private access to manage Profiles without going through the public internet.

Route 53 Split-view (Split-horizon) DNS

  • Route 53 Split-view (Split-horizon) DNS helps access an internal version of the website using the same domain name that is used publicly.
  • Both a private and public hosted zone can be maintained with the same domain name for split-view DNS.
  • Ensure that DNS resolution and DNS hostnames are enabled on the source VPC.
  • DNS queries will respond with answers based on the source of the request.
  • From within the VPC, answers will come from the private hosted zone, while public queries will return answers from the public hosted zone.

Route 53 DNSSEC

  • DNSSEC – Domain Name System Security Extensions, a protocol for securing DNS traffic, helps protect a domain from DNS spoofing man-in-the-middle attacks.
  • DNSSEC works only for public hosted zones.
  • Route 53 supports DNSSEC signing as well as DNSSEC for domain registration.
  • With DNSSEC enabled for a domain, the DNS resolver establishes a chain of trust for responses from intermediate resolvers.
  • The chain of trust begins with the TLD registry for the domain (your domain’s parent zone) and ends with the authoritative name servers at your DNS service provider.
  • With DNSSEC enabled, Route 53 creates a key-signing key (KSK) using customer managed key in AWS KMS that supports DNSSEC. The customer-managed key must meet the following requirements:
    • must be in the US East (N. Virginia) Region
    • must be an asymmetric customer managed key with an ECC_NIST_P256 key spec.

Route 53 Resolver DNS Firewall

  • Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from the VPCs and can monitor and control the domains that the applications can query.
  • DNS Firewall can filter and regulate outbound DNS traffic for the VPC.
  • Reusable collections of filtering rules can be created in DNS Firewall rule groups and be associated with the VPC, with the activity monitored in DNS Firewall logs and metrics.
  • A primary use of DNS Firewall protections is to help prevent DNS exfiltration of the data. DNS exfiltration can happen when a bad actor compromises an application instance in the VPC and then uses DNS lookup to send data out of the VPC to a domain that they control.
  • DNS Firewall can be configured to
    • deny access to the domains that you know to be bad and allow all other queries to pass through OR
    • deny access to all domains except for the ones that you explicitly trust.
  • DNS Firewall is a feature of Route 53 Resolver and doesn’t require any additional Resolver setup to use.
  • Firewall Manager can be used to centrally configure and manage the DNS Firewall rule group associations for the VPCs across the accounts in an Organization. Firewall Manager automatically adds associations for VPCs that come into the scope of the Firewall Manager DNS Firewall policy.
  • DNS Firewall Advanced (New – Nov 2024)
    • DNS Firewall Advanced provides intelligent, real-time protection against advanced DNS threats.
    • Detects DNS tunneling attacks by inspecting DNS payload characteristics including request timestamps, frequency, query string length, and response sizes.
    • Identifies Domain Generation Algorithm (DGA) based threats, including dictionary-based DGAs used by attackers to evade detection in malware command-and-control communications.
    • Supports threat domain categories (e.g., Malware, Spam, Phishing) for DNS query blocking based on DNS threat types.
    • Supports content domain categories (e.g., Adult Content, Gambling, Not-safe-for-work domains) for granular content filtering.
    • Works alongside existing DNS Firewall domain list rules for comprehensive defense-in-depth.

Route 53 Application Recovery Controller (ARC)

  • Route 53 Application Recovery Controller helps manage and coordinate recovery for applications across AWS Regions and Availability Zones.
  • Zonal Shift
    • Zonal shift allows shifting traffic for a supported resource away from an impaired Availability Zone to healthy AZs in the same Region.
    • All zonal shifts are temporary and must be set initially to expire within three days (72 hours), but can be updated to set a new expiration.
  • Zonal Autoshift
    • Zonal autoshift allows AWS to automatically shift traffic away from an AZ when AWS detects a potential failure there.
    • Operates on the principle of static stability, where the application is pre-scaled across multiple AZs to handle the complete loss of capacity in any single zone.
    • Practice runs are initiated to ensure that shifting traffic during an autoshift is safe for the application.
  • Routing Control
    • Routing controls are simple on/off switches that allow failover of traffic from one replica to another.
    • Enables highly available data plane operations for multi-Region failover.

Route 53 Logging

  • DNS Query Logging
    • DNS Query logs contain information like
      • Domain or subdomain that was requested
      • Date and time of the request
      • DNS record type (such as A or AAAA)
      • Route 53 edge location that responded to the DNS query
      • DNS response code, such as NoError or ServFail
    • Route 53 will send DNS Query logs to CloudWatch Logs.
    • DNS Query Logging is only available for public hosted zones. Use Resolver Query logging for private hosted zones.
    • Query logs contain only the queries that DNS resolvers forward to Route 53 and do not include the entries cached by DNS resolvers.
  • Resolver Query Logging
    • Resolver Query logging logs the following queries
      • Queries that originate in specified VPCs, as well as the responses to those DNS queries.
      • Queries from on-premises resources that use an inbound Resolver endpoint.
      • Queries that use an outbound Resolver endpoint for recursive DNS resolution.
      • Queries that use Route 53 Resolver DNS Firewall rules to block, allow, or monitor domain lists.
    • Resolver query logging logs only unique queries, not queries that Resolver is able to respond to from the cache.
    • Resolver query logs include values such as the following:
      • AWS Region where the VPC was created
      • The ID of the VPC that the query originated from
      • The IP address of the instance that the query originated from
      • The instance ID of the resource that the query originated from
      • The date and time that the query was first made
      • The DNS name requested (such as prod.example.com)
      • The DNS record type (such as A or AAAA)
      • The DNS response code, such as NoError or ServFail
      • The DNS response data, such as the IP address that is returned in response to the DNS query
      • A response to a DNS Firewall rule action
    • Route 53 will send Resolver Query logs to

Route 53 Resolver Endpoints – DNS Delegation (New – June 2025)

  • Route 53 Resolver endpoints now support DNS delegation for private hosted zones.
  • Allows delegating the authority for a subdomain from on-premises infrastructure to the Route 53 Resolver cloud service and vice versa.
  • Uses standard name server (NS) records for delegation, eliminating the need for conditional forwarding rules across the organization.
  • Simplifies hybrid DNS management by providing a cloud-native experience across namespaces in AWS and on-premises infrastructure.
  • Supports Resolver endpoints with DNS64 on inbound endpoints and IPv6 forwarding through IGW on outbound endpoints for IPv4/IPv6 hybrid network management.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. What does Amazon Route53 provide?
    1. A global Content Delivery Network.
    2. None of these.
    3. A scalable Domain Name System
    4. An SSH endpoint for Amazon EC2.
  2. Does Amazon Route 53 support NS Records?
    1. Yes, it supports Name Service records.
    2. No
    3. It supports only MX records.
    4. Yes, it supports Name Server records.
  3. Does Route 53 support MX Records?
    1. Yes
    2. It supports CNAME records, but not MX records.
    3. No
    4. Only Primary MX records. Secondary MX records are not supported.
  4. Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers
    1. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
    2. A CNAME record can be created for your zone apex.
    3. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
    4. TTL can be set for an Alias record in Amazon Route 53.
    5. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
  5. Which statements are true about Amazon Route 53? (Choose 2 answers)
    1. Amazon Route 53 is a region-level service
    2. You can register your domain name
    3. Amazon Route 53 can perform health checks and failovers to a backup site in the event of the primary site failure
    4. Amazon Route 53 only supports Latency-based routing
  6. A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?
    1. Create an A record pointing to the IP address of the load balancer
    2. Create a CNAME record pointing to the load balancer DNS name.
    3. Create a CNAME record aliased to the load balancer DNS name.
    4. Create an A record aliased to the load balancer DNS name
  7. A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?
    1. Route 53
    2. AWS Mechanical Turk
    3. Auto Scaling
    4. AWS EMR
  8. How can the domain’s zone apex for example “myzoneapexdomain.com” be pointed towards an Elastic Load Balancer?
    1. By using an AAAA record
    2. By using an A record
    3. By using an Amazon Route 53 CNAME record
    4. By using an Amazon Route 53 Alias record
  9. You need to create a simple, holistic check for your system’s general availability and uptime. Your system presents itself as an HTTP-speaking API. What is the simplest tool on AWS to achieve this with?
    1. Route53 Health Checks (Refer link)
    2. CloudWatch Health Checks
    3. AWS ELB Health Checks
    4. EC2 Health Checks
  10. Your organization’s corporate website must be available on www.acme.com and acme.com. How should you configure Amazon Route 53 to meet this requirement?
    1. Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record targeting the ELB.
    2. Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
    3. Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
    4. Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record with the acme.com record target.
  11. A company wants to prevent DNS exfiltration from their VPCs. They need to block DNS queries to known malicious domains and detect DNS tunneling attempts. Which Route 53 feature should they use? (New)
    1. Route 53 Health Checks with CloudWatch Alarms
    2. Route 53 Resolver DNS Firewall with DNS Firewall Advanced
    3. Route 53 DNSSEC Signing
    4. Route 53 Traffic Flow policies
  12. An organization manages DNS configurations across 200+ VPCs in multiple AWS accounts. They need to standardize private hosted zone associations, Resolver forwarding rules, and DNS Firewall rule groups across all VPCs. Which feature simplifies this? (New)
    1. Route 53 Traffic Flow
    2. AWS Organizations Service Control Policies
    3. Route 53 Profiles
    4. Route 53 Resolver Rules shared via RAM individually
  13. A company wants to improve the security of SMTP email between their mail servers. They need DNS to provide TLS certificate fingerprints so sending servers can verify the receiving server’s identity. Which DNS record type should they use? (New)
    1. SSHFP record
    2. HTTPS record
    3. SVCB record
    4. TLSA record
  14. A company has remote offices and on-premises data centers that need secure DNS resolution for both public internet domains and Route 53 private hosted zones without deploying Route 53 Resolver endpoints in each location. Which service should they use? (New)
    1. Route 53 Resolver with outbound endpoints in every Region
    2. A self-managed recursive DNS resolver
    3. Route 53 Global Resolver
    4. Route 53 Profiles with AWS PrivateLink
  15. A company wants to ensure they can continue making DNS record changes during a regional outage in us-east-1. Which Route 53 feature should they enable? (New)
    1. Route 53 Multi-Value Answer routing
    2. Route 53 Application Recovery Controller
    3. Route 53 Accelerated Recovery for public hosted zones
    4. Route 53 Health Checks with Failover routing

Further Reading

AWS Route 53 Resolver – Hybrid DNS

AWS Route 53 Resolver – Hybrid DNS

  • Route 53 Resolver (also known as VPC Resolver) provides automatic DNS resolution within the VPC. It can help resolve DNS queries between VPCs and on-premises networks.
  • By default, Resolver answers DNS queries for VPC domain names such as domain names for EC2 instances or ELB load balancers.
  • Route 53 Resolver performs recursive lookups against public name servers for all other domain names.
  • However, on-premises instances cannot resolve Route 53 DNS entries and Route 53 cannot resolve on-premises DNS entries.
  • DNS resolution between VPC and on-premises network can be configured over a Direct Connect or VPN connection.
  • Route 53 Resolver is regional.
  • To use inbound or outbound forwarding, create a Resolver endpoint in the VPC.
  • As part of the definition of an endpoint, specify the IP addresses to forward inbound DNS queries to or the IP addresses that outbound queries originate from. For each IP address specified, Resolver automatically creates a VPC elastic network interface.
  • Resolver endpoints support DNS over UDP (Do53) and DNS-over-HTTPS (DoH) protocols for encrypted DNS queries.
  • Resolver endpoints support Server Name Indication (SNI) validation for DoH connections, enabling verification of the server’s identity.
  • Resolver rules and DNS Firewall rule groups can be shared across accounts using AWS Resource Access Manager (RAM).

Inbound Endpoint – Forward DNS queries from resolvers on your network to AWS

Route 53 Resolver Inbound Endpoint
  • DNS resolvers on the on-premises networks can forward DNS queries to Resolver in a specified VPC.
  • This enables DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone.
  • Inbound endpoints support Do53 and DoH protocols.
  • Inbound endpoints can be used for DNS delegation, allowing subdomain authority to be delegated between on-premises and cloud infrastructure.

Outbound Endpoint – Conditionally forward queries from a VPC to resolvers on your network

Route 53 Resolver Outbound Endpoint
  • Route 53 Resolver can be configured to forward queries that it receives from EC2 instances in the VPCs to DNS resolvers on the on-premises networks.
  • To forward selected queries, Resolver rules can be created that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on the on-premises network that you want to forward the queries to.
  • If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule.
  • Outbound endpoints support Do53 and DoH protocols for encrypting forwarded DNS traffic.

Resolver Rules

  • Resolver rules control which DNS queries are forwarded to on-premises resolvers and which are resolved locally.
  • Forward rules – Forward DNS queries for a specified domain name to the IP addresses of on-premises DNS resolvers.
  • System rules – Selectively override the behavior defined in a forward rule. A system rule causes Resolver to resolve the query locally (within the VPC).
  • Auto-defined system rules – Automatically created rules for AWS-specific domain names and reverse DNS queries.
  • If a “.” (dot) or “com” forward rule is created, it is recommended to also create a system rule for amazonaws.com to ensure AWS service resolution works correctly.
  • Resolver rules can be shared across AWS accounts using AWS RAM, enabling centralized DNS forwarding management.

Resolver Query Logging

  • Resolver query logging allows logging of all DNS queries made by resources within VPCs.
  • Logs can be sent to Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose.
  • Query logs include information such as the domain name queried, source IP, response code, and the Route 53 Resolver endpoint or firewall rule that processed the query.
  • Query logging configurations can be shared across AWS accounts.
  • Only unique queries are logged; queries answered from the Resolver cache are not logged.

DNSSEC Validation

  • Route 53 Resolver supports DNSSEC validation, which verifies that DNS responses have not been tampered with in transit.
  • When DNSSEC validation is enabled, Resolver validates the authenticity and integrity of DNS responses from public nameservers for DNSSEC-signed domains.
  • DNSSEC validation provides protection against DNS spoofing and cache poisoning attacks.
  • DNSSEC validation can be enabled per VPC.

Resolver Endpoint Metrics

  • Route 53 Resolver provides detailed CloudWatch metrics for monitoring endpoint health and performance.
  • Capacity Utilization metric – Helps monitor whether the endpoint is approaching query capacity limits. (Launched June 2025)
  • Detailed metrics – Include P90 response latency, SERVFAIL/NXDOMAIN/REFUSED/FORMERR response tracking, and target name server availability for outbound endpoints. (Launched December 2025)
  • Metrics are available at the Resolver Network Interface and Target Name Server levels.

Route 53 Resolver DNS Firewall

  • Route 53 Resolver DNS Firewall lets you control access to sites and block DNS-level threats for DNS queries going out from your VPC through the Route 53 VPC Resolver.
  • DNS Firewall allows you to define domain name filtering rules in rule groups that you associate with your VPCs.
  • You can specify lists of domain names to allow or block, and customize responses for blocked queries (NXDOMAIN, NODATA, or specific DNS responses).
  • DNS Firewall only filters on the domain name; it does not resolve that name to an IP address to be blocked.
  • DNS Firewall filters DNS traffic only; it does not filter other application layer protocols (HTTPS, SSH, TLS, FTP, etc.).
  • DNS Firewall is a feature of Route 53 VPC Resolver and doesn’t require any additional Resolver setup.
  • DNS Firewall rule groups can be shared across accounts using AWS RAM, managed centrally with AWS Firewall Manager, and applied via Route 53 Profiles.

AWS Managed Domain Lists

  • AWS provides managed domain lists for known threats, including malware, botnet command and control, and newly registered domains.
  • Threat categories – malware, phishing, spam, botnets, spyware, command and control.
  • Content categories – adult/mature content, gambling, social media, gaming, and other web content types. (Added May 2026)

DNS Firewall Advanced

  • DNS Firewall Advanced provides intelligent, real-time protection against sophisticated DNS-based threats beyond static domain lists. (Launched November 2024)
  • DNS Tunneling Detection – Identifies and blocks attempts to use DNS as a covert channel for data exfiltration or command-and-control communication.
  • Domain Generation Algorithm (DGA) Detection – Identifies and blocks queries to domains created by DGAs commonly used by malware.
  • Dictionary-based DGA Detection – Detects sophisticated DGA variants that use dictionary words to create more legitimate-looking domains. (Added November 2025)
  • DNS Firewall Advanced works by inspecting DNS payload characteristics including timestamps, request frequency, query strings, and query length/type/size.
  • Palo Alto Networks Advanced DNS Security integration (Preview) – Enables enforcement of third-party threat intelligence categories including fast-flux protection, DNS tunneling, DNS rebinding, and DGA detection directly within DNS Firewall rules. (June 2026)

Route 53 Profiles

  • Route 53 Profiles allow you to define a standard DNS configuration and apply it to multiple VPCs in the same AWS Region. (Launched April 2024)
  • A Profile can include Route 53 private hosted zone (PHZ) associations, Resolver forwarding rules, and DNS Firewall rule groups.
  • When you update a Profile, its settings are propagated to all associated VPCs automatically.
  • Profiles can be shared across AWS accounts using AWS RAM for centralized DNS management.
  • Profiles simplify multi-account DNS management by eliminating the need to manage individual resource associations per VPC.
  • Route 53 Profiles is a regional service.

Route 53 Global Resolver

  • Route 53 Global Resolver is a managed anycast DNS resolver accessible from anywhere over the internet. (Preview November 2025, GA March 2026)
  • Provides DNS resolution for both public internet domains and Route 53 private hosted zones from on-premises, branch offices, and remote clients.
  • Uses globally distributed anycast IP addresses that route queries to the nearest available AWS Region.
  • Supports multiple DNS protocols: DNS over UDP (Do53), DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT).
  • Requires client authentication via token-based authentication (DoH/DoT) or ACL-based IP/CIDR allowlisting (Do53/DoT/DoH).
  • Includes built-in DNS traffic filtering using the same DNS Firewall rule capabilities (managed domain lists, custom lists, and advanced protections).
  • Provides centralized query logging to CloudWatch, S3, or Data Firehose.
  • Supports DNSSEC validation for public domains.
  • Must be deployed in a minimum of two AWS Regions for high availability with automatic failover.
  • Allows adding and removing AWS Regions dynamically for flexible geographic coverage. (May 2026)
  • Available across 30 AWS Regions with IPv4 and IPv6 support.
  • Protected against DDoS threats using AWS Shield.

Global Resolver vs VPC Resolver

  • Global Resolver – Internet-reachable via anycast IPs, designed for on-premises/remote clients, supports Do53/DoH/DoT, requires client authentication.
  • VPC Resolver – Default VPC recursive resolver, accessible by VPC-hosted clients or via VPN/Direct Connect through Resolver endpoints, DNS encryption available only for hybrid queries over endpoints.

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A company wants to install a new private intranet service using Amazon EC2 instances inside a Virtual Private Cloud (VPC). The VPC is connected to the company’s on-premises network using an AWS Site-to-Site VPN. The new service must communicate with the on-premises services already in place. On-premises services are accessed using company-owned hostnames. for instance, a DNS zone. This DNS zone is entirely on-premises and accessible only via the company’s private network. To connect the new service with current services, a solutions architect must guarantee that the new service can resolve hostnames on the company’s example domain. Which solution satisfies these criteria?
    1. Create an empty private zone in Route 53 for company.example. Add an additional NS record to the company’s on-premises company.example zone that points to the authoritative name servers for the new private zone in Route 53.
    2. Turn on DNS hostnames for the VPC. Configure a new outbound endpoint with Route 53 Resolver. Create a Resolver rule to forward requests for company.example to the on-premises name servers.
    3. Turn on DNS hostnames for the VPC. Configure a new inbound resolver endpoint with Route 53 Resolver. Configure the on-premises DNS server to forward requests for company.example to the new resolver.
    4. Use AWS Systems Manager to configure a run document that will install a hosts file that contains any required hostnames. Use an Amazon EventBridge rule to run the document when an instance is entering the running state.
  2. A company operates in a hybrid environment with multiple VPCs and on-premises data centers. The security team requires all DNS traffic from VPCs to be inspected for data exfiltration attempts and queries to known malicious domains must be blocked. Which solution provides the most comprehensive protection?
    1. Create Network ACLs to block DNS traffic to known malicious IP addresses.
    2. Configure security groups to restrict DNS traffic to specific DNS resolvers only.
    3. Configure Route 53 Resolver DNS Firewall with AWS managed domain lists for known threats and DNS Firewall Advanced rules for DNS tunneling and DGA detection, then associate the rule groups with all VPCs.
    4. Deploy third-party DNS security appliances in each VPC and route all DNS traffic through them.
  3. A multinational organization needs to provide secure DNS resolution for remote employees and branch offices accessing both public internet domains and internal applications hosted in AWS. The solution must encrypt DNS traffic and support centralized security policies. Which approach is most appropriate?
    1. Deploy Route 53 Resolver inbound endpoints in every AWS Region and configure on-premises DNS forwarders to send queries over VPN tunnels.
    2. Configure Route 53 Global Resolver with token-based authentication for remote clients and DNS Firewall rules to filter queries, using DoH or DoT for encryption.
    3. Set up a fleet of EC2 instances running BIND DNS servers with custom filtering and forward all client traffic through a VPN.
    4. Use Route 53 VPC Resolver with outbound endpoints and share Resolver rules across accounts using RAM.
  4. A company has 50 AWS accounts within an AWS Organization. They want to apply consistent DNS configurations—including private hosted zone associations, Resolver forwarding rules, and DNS Firewall rule groups—to all VPCs across accounts in the same Region. What is the most operationally efficient solution?
    1. Manually associate each private hosted zone, Resolver rule, and DNS Firewall rule group to each VPC individually.
    2. Use AWS RAM to share all DNS resources to each account and write automation scripts to associate them.
    3. Create a Route 53 Profile containing the DNS configuration, share it across accounts using AWS RAM, and associate it with all VPCs.
    4. Deploy CloudFormation StackSets to create identical DNS configurations in each account.
  5. A solutions architect wants to monitor the health and performance of Route 53 Resolver outbound endpoints that forward DNS queries to on-premises servers. They need to detect when target name servers become unavailable and when response latency increases. Which approach provides the required visibility?
    1. Enable VPC Flow Logs and filter for DNS traffic on port 53.
    2. Configure Resolver query logging and parse logs for timeout patterns.
    3. Enable detailed CloudWatch metrics for the Resolver endpoints to monitor P90 response latency, error responses (SERVFAIL, REFUSED), and target name server availability.
    4. Create a Lambda function that periodically sends test DNS queries and measures response times.

References