Amazon Route 53 Interview Questions
1. What is Amazon Route 53?
Amazon Route 53 is a Domain Name System (DNS) service that enables developers and businesses to route internet traffic to their applications. It provides a variety of features, including domain registration, health checking, traffic routing, and DNS failover, to help ensure the availability and scalability of applications.
2. What are the benefits of using Amazon Route 53?
Here are some benefits of using Amazon Route 53:
- Reliability: Route 53 is designed to be highly available and reliable, with multiple layers of redundancy to ensure that it is always online and able to route traffic to your applications.
- Scalability: Route 53 can handle millions of requests per second, making it suitable for applications of any size.
- Cost-effectiveness: Route 53 is a pay-as-you-go service, so you only pay for what you use. There are no upfront costs or long-term contracts required.
- Flexibility: Route 53 provides a variety of routing policies, including simple round-robin routing, failover routing, and geolocation routing, that you can use to customize how traffic is routed to your application.
- Integration with other AWS services: Route 53 integrates seamlessly with other AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront, making it easy to route traffic to your applications running on these services.
- Domain registration: Route 53 allows you to register domain names and manage DNS records for those domain names, making it a one-stop shop for all of your DNS needs.
- Advanced features: Route 53 also provides advanced features, such as health checking and traffic flow, that can help you monitor the health of your application and optimize traffic routing to improve the performance and availability of your applications.
3. What are three services available on Route 53?
Amazon Route 53 offers the following three services:
- Domain Name Registration: Route 53 allows you to register domain names and manage DNS records for those domain names.
- Domain Name System (DNS) Management: Route 53 provides a scalable and reliable DNS service that enables you to route internet traffic to your applications.
- Health Checking: Route 53 can periodically send requests to your application to verify that it is functioning correctly. If it determines that the application is not responding, it can automatically route traffic away from the unhealthy endpoints to healthy ones. This helps ensure the availability of your application.
4. Where can we use Route 53 to route users?
You can use Amazon Route 53 to route users to any internet application, including web applications, mobile applications, and APIs. Route 53 enables you to route traffic based on a variety of factors, such as the geographical location of the user, the health of your application, and the routing policy that you specify.
5. What are the actions performed by Route 53?
Amazon Route 53 performs the following actions:
- Domain name registration: Route 53 allows you to register domain names and manage DNS records for those domain names.
- DNS record management: Route 53 enables you to create, update, and delete DNS records that specify how internet traffic is routed to your application.
- Traffic routing: Route 53 provides a variety of routing policies that you can use to specify how traffic is routed to your application. These policies include simple round-robin routing, failover routing, and geolocation routing.
- Health checking: Route 53 can periodically send requests to your application to verify that it is functioning correctly. If it determines that the application is not responding, it can automatically route traffic away from the unhealthy endpoints to healthy ones.
- DNS failover: Route 53 can automatically detect when an endpoint becomes unavailable and route traffic to alternate endpoints to provide high availability for your application.
Overall, Route 53 is a powerful and flexible service that enables you to manage your DNS needs in a reliable, scalable, and cost-effective way.
6. Does Amazon Route 53 support NS records?
Yes, Amazon Route 53 supports Name Service (NS) records.
7. Why is it called Route 53?
The name AWS Route 53 is derived from Port 53, which handles DNS for both TCP and UDP traffic requests; the phrase Route could relate to routing or a common highway naming convention.
8. What is a DNS name or alias?
The human-readable record we want to link to an endpoint in Route 53 is called a DNS name.
For instance, if someone types a domain name into their web browser’s address bar, Route 53 will provide the IP address corresponding to that domain name.
9. Does Route 53 do load balancing?
Route 53 is a DNS service that handles global server load balancing by routing requests to the AWS region closest to the requester’s location.
10. Can you explain the main features of Amazon Route 53?
Amazon Route 53 is a scalable and highly available Domain Name System (DNS) service. Route 53 provides a reliable and cost-effective way to route end users to Internet applications by translating human-readable names into numeric IP addresses like 192.0.2.1 that computers use to connect to each other.
Route 53 is designed to give developers and businesses an extremely reliable and flexible way to route Internet traffic to applications and resources. Route 53 effectively connects user requests to infrastructure running in AWS, such as Amazon EC2 instances, Elastic Load Balancing load balancers or Amazon S3 buckets. Route 53 can also be used to route users to non-AWS infrastructure outside of AWS.
11. What is a resource record?
A resource record is a DNS entry name and a value such as 22.214.171.124 that you want to link to a name server in a hosted zone. These are sometimes referred to as record sets in AWS Route 53.
12. What is AWS Route 53 traffic flow?
Amazon Route 53 Traffic Flow is a domain name system service that lets an Amazon Web Services customer utilize a visual interface to define how end-user traffic is routed to application endpoints via the drag-and-drop graphical user interface to ease traffic management.
Create a DNS entry to connect to an endpoint or a traffic control rule to launch the Route 53 Traffic Flow service. Route 53 Traffic Flow follows a set of principles to determine how traffic should be routed. Weighted, failover, geolocation, and latency are the four types of rules.
- Percentages of traffic are directed to specific endpoints using weighted rules.
- When the primary server is unavailable, Failover enables a developer to set a fallback endpoint.
- A developer can use geolocation to divert traffic based on its geolocation origin.
- Traffic is routed to the locations with the lowest latency according to latency criteria.
All rules can be directed to health checks, which determine if a server is suitable for traffic hosting.
13. How does Amazon Route 53 work?
Amazon Route 53 is a scalable and highly available Domain Name System (DNS) service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.
14. How do Amazon Route 53 Resolver DNS Firewall and AWS Network Firewall differ in protection against malicious DNS query threats?
Amazon Route 53 Resolver DNS Firewall and AWS Network Firewall both offer protection against outbound DNS query threats but for different deployment models. Amazon Route 53 Resolver DNS Firewall is designed to deliver granular control to block DNS requests to malicious or compromised domains if you are using Amazon Route 53 Resolver for DNS resolution. AWS Network Firewall offers similar capabilities to filter/block outbound DNS queries to known malicious domains if you are using an external DNS service to resolve DNS requests.
15. How can we add a load balancer to Route 53?
To add a load balancer to Amazon Route 53, you can follow these steps:
- Create a load balancer: First, create a load balancer using the AWS Management Console, the AWS CLI, or the AWS SDKs. You can choose from a variety of load balancer types, including Application Load Balancer, Network Load Balancer, and Classic Load Balancer.
- Configure the load balancer: Next, configure the settings for your load balancer, such as the listeners, security groups, and target groups. You can also specify any additional settings, such as sticky sessions or health checks.
- Create a hosted zone: In Route 53, create a hosted zone for your domain. This is a container for your DNS records and specifies the name servers that you will use to manage your domain’s DNS records.
- Create a record set: In the hosted zone, create a record set for your load balancer. This specifies the DNS name that you will use to route traffic to your load balancer, as well as the IP address or addresses of the load balancer.
- Test your configuration: Finally, test your configuration by accessing your load balancer’s DNS name using a web browser or other client. This will ensure that traffic is routed to your load balancer as expected.
Overall, adding a load balancer to Route 53 is a straightforward process that can help you improve the performance and availability of your application.
16. Is it possible to integrate Amazon Route 53 with other AWS services like CloudFront and S3? If yes, then how?
Yes, it is possible to integrate Amazon Route 53 with other AWS services like CloudFront and S3. You can do this by creating an Amazon Route 53 alias record that points to your CloudFront distribution or S3 bucket.
17. What’s the difference between a public-hosted zone and a private-hosted zone on Amazon Route 53?
A public hosted zone is a container for your public DNS records, and it specifies the name servers that you use to manage those records. A public hosted zone is used to route traffic to resources on the internet, such as web servers or load balancers.
A private hosted zone is a container for your private DNS records, and it specifies the name servers that you use to manage those records. A private hosted zone is used to route traffic to resources within your VPC (Virtual Private Cloud) or within your on-premises data center.
The main difference between a public-hosted zone and a private-hosted zone is the scope of the traffic that they can route. A public-hosted zone is used to route traffic from the internet to your resources, while a private-hosted zone is used to route traffic within your VPC or data center.
18. Do all queries sent through Amazon Route 53 get routed through Amazon’s DNS servers?
No, not all queries sent through Amazon Route 53 get routed through Amazon’s DNS servers. If you are using Amazon Route 53 as your DNS service, you can choose to have some of your queries routed through Amazon’s DNS servers and some routed through another DNS service, such as Google DNS or Cloudflare DNS.
19. What are some common use cases for Amazon Route 53?
Amazon Route 53 is a highly scalable and available Domain Name System (DNS) web service. Route 53 is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Route 53 is fully compliant with IPv6 as well.
20. Are there any limits to the number of queries we can send through Amazon Route 53?
There are no limits to the number of queries that you can send through Amazon Route 53. However, keep in mind that there are limits to the amount of traffic that your DNS servers can handle. If you are sending a large number of queries, you may need to increase the number of DNS servers that you are using.
21. Does Amazon Route 53 offer redundancy options?
Yes, Amazon Route 53 offers a number of redundancy options to help keep your website or application up and running even if an Amazon data center goes offline. One option is to use Amazon Route 53’s Latency-Based Routing, which automatically routes traffic to the fastest data center. Another option is to use Amazon Route 53’s Geo DNS, which lets you route traffic to different data centers based on the geographic location of your users.
22. What is the best way to migrate an existing domain name to AWS without losing data?
The best way to migrate an existing domain name to AWS is to use Amazon Route 53. Route 53 is a highly scalable and reliable DNS service that can help you with migrating your domain name to AWS.
23. What is the default TTL setting for records created in Amazon Route 53?
The default TTL setting for records created in Amazon Route 53 is 1 hour.
24. What are “MX” and “TXT” records?
MX – This is a resource record set. It can help you set up an email with Route 53. If someone else manages your email, use it to ensure it is up-to-date.
TXT – This resource record set is used when you want Route 53 to store arbitrary text data (up to 156 bytes) in a DNS “TXT” record. For example, this can be helpful if you need to provide information about an endpoint that isn’t supported by existing types of records.
25. How can we add a CNAME record to Route 53?
A CNAME record cannot be created for the Parent or Apex domains. An alias record can be used with Route 53 to point the parent domain to other supported alias targets.
26. How do users view content stored in S3 buckets when they use Amazon Route 53?
Amazon Route 53 uses what is called an alias resource record set to map a user-friendly DNS name to the Amazon S3 bucket that stores the website content. This allows users to view the content stored in the S3 bucket by simply typing the DNS name into their web browser.
27. What are some alternatives to Amazon Route 53?
Here are some alternatives to Amazon Route 53:
- Cloudflare: Cloudflare is a cloud-based DNS provider that offers a variety of features, including DDoS protection, content delivery, and website performance optimization.
- Google Cloud DNS: Google Cloud DNS is a high-performance, resilient, and scalable DNS service that is built on the same infrastructure as Google Search and YouTube.
- Azure DNS: Azure DNS is a cloud-based DNS service that enables you to host your DNS domains and manage DNS records using the Azure portal.
- Rackspace Cloud DNS: Rackspace Cloud DNS is a fully-managed DNS service that enables you to create, delete, and update DNS records using the Rackspace Cloud Control Panel.
- Dyn: Dyn is a cloud-based DNS provider that offers a variety of features, including traffic management, security, and analytics.
Overall, there are many alternatives to Amazon Route 53 that offer a variety of features and pricing models. It’s important to evaluate the specific needs of your application and choose a DNS provider that meets those needs.
28. Is it possible to route traffic based on user location using Amazon Route 53? If yes, then how?
Yes, it is possible to route traffic based on user location using Amazon Route 53. You can do this by creating a geolocation resource record set. This will allow you to specify a location, such as a country or continent, and then route traffic to a specific resource, such as an Amazon S3 bucket or an Amazon EC2 instance, based on that location.
29. What happens if an application has more than one IP address that can be used to serve requests from multiple locations?
If an application has more than one IP address that can be used to serve requests from multiple locations, then Amazon Route 53 will route traffic to the closest IP address. This will help to ensure that users get the best possible experience by having their requests served by the closest possible server.
30. Why would I use Amazon Route 53 instead of Google Domains or GoDaddy?
Amazon Route 53 is a reliable and cost-effective way to route end users to Internet applications by translating human-readable names into numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is also scalable, so it can grow with your website or application. Additionally, Amazon Route 53 integrates with other AWS services, so you can use it to route end users to your Amazon EC2 instances, Amazon S3 buckets, and other AWS resources.
31. What’s the impact of health checks on the overall cost of operations?
Health checks come at a small additional cost to the overall cost of operations for Amazon Route 53. This is because Route 53 needs to periodically check the health of your resources and make sure that they are up and running. However, this cost is generally outweighed by the benefits of having health checks in place, as they can help to avoid downtime and ensure that your website or application is always available to users.
32. Suppose my company wants to launch its website globally over the next few months but doesn’t want to invest in web hosting infrastructure right away. Can Amazon Route 53 help us achieve this?
Yes, Amazon Route 53 can help you launch your website globally without investing in web hosting infrastructure right away. Amazon Route 53 provides a global network of DNS servers that can route traffic to your website no matter where it is hosted. This means that you can launch your website in any region without having to set up web hosting infrastructure there first.
33. Does Route 53 support MX records?
Yes, Amazon Route 53 supports MX (Mail Exchange) records. MX records are used to specify the mail servers that should be used to handle email for a domain. You can create MX records in Route 53 to route email for your domain to an email provider, such as Google Workspace or Microsoft Office 365. MX records are a key component of any email infrastructure, and Route 53 makes it easy to manage them along with your other DNS records.
34. Which Route53 routing policy is best, keeping in mind the response time?
Latency: This routing policy enables you to route traffic to the endpoint that provides the lowest latency (i.e., the shortest delay) for the user. This can help improve the response time of your application for users located in different regions.
35. What is the default limit of the domain supported by Route 53?
The default limit for the number of domain names that you can register with Amazon Route 53 is 50 per AWS account. This means that you can register up to 50 domain names with Route 53, and manage DNS records for those domain names, using a single AWS account.
36. What are the advantages of using alias records over CNAME records in Route 53?
- Supports naked domain names
- Any change in ELB IP is automatically updated in Route53.
37. What is the difference between Route 53 alias records and CNAME records?
Here is a comparison of Amazon Route 53 aliases and CNAME records:
| | Alias Record | CNAME Record |
| --- | --- | --- |
| Purpose | To map a domain name or subdomain to another AWS resource or to an external resource | To map a domain name or subdomain to another domain name |
| Supported resource types | AWS resources (e.g., ELB, CloudFront distributions, S3 buckets) and external resources (e.g., non-AWS resources with a public IP address or a domain name) | Any domain name |
| Cost | No additional charge | Standard Route 53 charges apply |
| Availability | Highly available | Depends on the availability of the target domain |
| Latency | Low | Depends on the latency of the target domain |
| DNS propagation time | Low | Depends on the TTL of the target domain |
| Support for weighted routing | Yes | No |
| Support for failover routing | Yes | No |
Overall, aliases and CNAME records are similar in that they both enable you to map a domain name or subdomain to another resource. However, aliases are more flexible and offer a number of additional benefits, such as lower latency, higher availability, and support for weighted and failover routing.
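The alias-versus-CNAME rules from Q25, Q36 and Q37 (and the record-set step of Q15) as a runnable check. This is an added example, not AWS or Route 53 code: it builds change entries in the shape that `change_resource_record_sets` expects and validates them locally before anything is sent, so an apex CNAME or an alias with no target zone is caught in the pipeline rather than by an API error. The zone name, load balancer DNS name and `ALB_HOSTED_ZONE_ID` are constructed placeholders; a real deployment uses the load balancer's `CanonicalHostedZoneId`.

```python
"""Build Route 53 change batches for alias and CNAME records and pre-check
them locally.  Added example, not AWS code.  The zone name, ALB DNS name
and hosted zone ID below are constructed placeholders."""

ZONE_NAME = "example.com."                                   # placeholder
ALB_DNS_NAME = "my-alb-123456.us-east-1.elb.amazonaws.com."  # placeholder
ALB_HOSTED_ZONE_ID = "Z_EXAMPLE_ALB_ZONE_ID"  # placeholder for the ALB's CanonicalHostedZoneId


def alias_change(name, target_dns_name, target_zone_id, evaluate_health=True):
    """Change entry for an alias A record that points at an AWS resource.

    An alias carries no TTL and no ResourceRecords: Route 53 resolves the
    target itself, so a change of the ELB's IP needs no update on our side.
    """
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "A",
            "AliasTarget": {
                "HostedZoneId": target_zone_id,
                "DNSName": target_dns_name,
                "EvaluateTargetHealth": evaluate_health,
            },
        },
    }


def cname_change(name, target, ttl=300):
    """Change entry for an ordinary CNAME record."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "CNAME",
            "TTL": ttl,
            "ResourceRecords": [{"Value": target}],
        },
    }


def validate_change_batch(zone_name, changes):
    """Return the problems found; an empty list means the batch looks acceptable.

    Mirrors two rules stated above: a CNAME cannot sit at the zone apex while
    an alias can, and an alias needs its target's hosted zone ID.  Route 53
    rejects such batches itself, but a local check keeps them out of deploys.
    """
    problems = []
    for change in changes:
        rrset = change["ResourceRecordSet"]
        name, rtype = rrset["Name"].lower(), rrset["Type"]
        if rtype == "CNAME" and name == zone_name.lower():
            problems.append(f"CNAME at zone apex {name} is not allowed; use an alias record")
        if "AliasTarget" in rrset:
            if not rrset["AliasTarget"].get("HostedZoneId"):
                problems.append(f"alias {name} is missing the target HostedZoneId")
            if "TTL" in rrset or "ResourceRecords" in rrset:
                problems.append(f"alias {name} must not carry TTL or ResourceRecords")
    return problems


def build_batch(comment, *changes):
    """The ChangeBatch shape taken by route53.change_resource_record_sets()."""
    return {"Comment": comment, "Changes": list(changes)}


if __name__ == "__main__":
    good = build_batch("apex to ALB", alias_change(ZONE_NAME, ALB_DNS_NAME, ALB_HOSTED_ZONE_ID))
    bad = build_batch("apex CNAME", cname_change(ZONE_NAME, ALB_DNS_NAME))
    print(validate_change_batch(ZONE_NAME, good["Changes"]))
    print(validate_change_batch(ZONE_NAME, bad["Changes"]))
```

Run the validator on every batch a deployment job assembles before it calls the API; the subdomain CNAME case passes, the apex CNAME case fails with the message shown.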
38. Why has AWS named the DNS service Route 53?
Amazon Web Services (AWS) named its Domain Name System (DNS) service Route 53 because DNS runs on port 53. Port 53 is the port that is used by DNS servers to receive and respond to DNS queries. By naming the service Route 53, AWS highlights the fact that it is a DNS service and also pays tribute to the fundamental role that port 53 plays in the operation of DNS.
Overall, the name Route 53 reflects the fact that the service is a powerful and reliable tool for managing DNS for internet applications, and highlights its close connection to the core DNS protocol.
39. What are the different Route53 routing policies?
Amazon Route 53 provides the following routing policies:
- Simple routing: This is the default routing policy. It enables you to route traffic to one or more resources in a single record set. You can use simple routing to route traffic to a single resource, such as an EC2 instance or an S3 bucket, or to multiple resources using a round-robin approach.
- Weighted routing: This routing policy enables you to distribute traffic across multiple resources in proportion to the weights that you specify. You can use weighted routing to send more traffic to resources that are able to handle a higher load, or to evenly distribute traffic across multiple resources.
- Latency-based routing: This routing policy enables you to route traffic to the resource that provides the lowest latency (i.e., the shortest delay) for the user. You can use latency-based routing to improve the performance of your application for users located in different regions.
- Failover routing: This routing policy enables you to specify a primary resource and one or more secondary resources. Route 53 will route traffic to the primary resource unless it becomes unavailable, in which case it will route traffic to the secondary resource. You can use failover routing to provide high availability for your application.
- Geolocation routing: This routing policy enables you to route traffic based on the geographical location of the user. You can specify a region or a specific location, and Route 53 will route traffic to the closest available resource. You can use geolocation routing to improve the performance of your application for users located in different regions.
- Multivalue answer routing: This routing policy enables you to return multiple values (e.g., IP addresses) in response to a DNS query. Route 53 will randomly select a value from the list and return it to the client. You can use multivalue answer routing to distribute traffic across multiple resources using a round-robin approach.
Overall, Route 53 provides a variety of routing policies that you can use to customize how traffic is routed to your application. The best routing policy for your needs will depend on the specific requirements of your application and the performance characteristics of your resources.
40. What can I do with Amazon Route 53?
With Amazon Route 53, you can create and manage your public DNS records. Like a phone book, Route 53 lets you manage the IP addresses listed for your domain names in the Internet’s DNS phone book. Route 53 also answers requests to translate specific domain names into their corresponding IP addresses like 192.0.2.1.
You can use Route 53 to create DNS records for a new domain or transfer DNS records for an existing domain. The simple, standards-based REST API for Route 53 allows you to easily create, update and manage DNS records. Route 53 additionally offers health checks to monitor the health and performance of your application as well as your web servers and other resources. You can also register new domain names or transfer existing domain names to be managed by Route 53.
41. What are the DNS server names for the Amazon Route 53 service?
To provide you with a highly available service, each Amazon Route 53 hosted zone is served by its own set of virtual DNS servers. The DNS server names for each hosted zone are thus assigned by the system when that hosted zone is created.
42. What is the price of Amazon Route 53?
Amazon Route 53 charges are based on actual usage of the service for Hosted Zones, Queries, Health Checks, and Domain Names. For full details, see the Amazon Route 53
You pay only for what you use. There are no minimum fees, no minimum usage commitments, and no overage charges. You can estimate your monthly bill using the AWS Pricing Calculator.
43. What types of access controls can I set for the management of my Domains on Amazon Route 53?
You can control management access to your Amazon Route 53 hosted zone and individual resource record sets by using the AWS Identity and Access Management (IAM) service. AWS IAM allows you to control who in your organization can make changes to your DNS records by creating multiple users and managing the permissions for each of these users within your AWS Account.
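A least-privilege version of the IAM control described above, as an added example that is not AWS code. The policy allows `route53:ChangeResourceRecordSets` in one hosted zone only and narrows it with the `route53:ChangeResourceRecordSetsActions`, `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` condition keys, so a deployment role can upsert a few web records but cannot delete records or touch MX or NS. The `batch_allowed` function is a simplified local emulation of `ForAllValues:StringEquals` for a pre-deploy check, not IAM's evaluator; the hosted zone ID and record names are constructed placeholders.

```python
"""Least-privilege IAM policy for record changes in one hosted zone, plus a
local pre-check of a change batch against it.  Added example, not AWS code.
The hosted zone ID and names are constructed placeholders.  The evaluator is
a simplified emulation of ForAllValues:StringEquals, not IAM's own logic."""
import json

HOSTED_ZONE_ID = "Z_EXAMPLE_ZONE_ID"  # placeholder


def _norm(name):
    """Simplified record-name normalisation: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def record_change_policy(zone_id, names, types=("A", "AAAA", "CNAME"), actions=("UPSERT",)):
    """Allow only the listed actions, record types and names in one hosted zone.

    DELETE and the NS/SOA/MX types are deliberately absent so a compromised
    deploy role can neither tear the zone down nor redirect mail.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RecordChangesInOneZone",
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": f"arn:aws:route53:::hostedzone/{zone_id}",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsActions": list(actions),
                    "route53:ChangeResourceRecordSetsRecordTypes": list(types),
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [_norm(n) for n in names],
                }
            },
        }],
    }


def batch_allowed(policy, zone_id, changes):
    """True when every change's action, type and name is on the policy's lists
    and the batch targets the zone the policy names."""
    stmt = policy["Statement"][0]
    if stmt["Resource"] != f"arn:aws:route53:::hostedzone/{zone_id}":
        return False
    cond = stmt["Condition"]["ForAllValues:StringEquals"]
    ok_actions = set(cond["route53:ChangeResourceRecordSetsActions"])
    ok_types = set(cond["route53:ChangeResourceRecordSetsRecordTypes"])
    ok_names = set(cond["route53:ChangeResourceRecordSetsNormalizedRecordNames"])
    for change in changes:
        rrset = change["ResourceRecordSet"]
        if (change["Action"] not in ok_actions
                or rrset["Type"] not in ok_types
                or _norm(rrset["Name"]) not in ok_names):
            return False
    return True


if __name__ == "__main__":
    policy = record_change_policy(HOSTED_ZONE_ID, ["www.example.com.", "api.example.com."])
    print(json.dumps(policy, indent=2))
    attempt = [{"Action": "DELETE", "ResourceRecordSet": {"Name": "www.example.com.", "Type": "A"}}]
    print(batch_allowed(policy, HOSTED_ZONE_ID, attempt))
```

Attach the generated policy to the deployment role and keep a separate, human-approved role for zone-wide changes; the local check then reports which batches would be denied before IAM does.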
44. I have subscribed to Amazon Route 53 but when I try to use the service it says “The AWS Access Key ID needs a subscription for the service.”?
When you sign up for a new AWS service, it can take up to 24 hours in some cases to complete activation, during which time you cannot sign up for the service again. If you’ve been waiting longer than 24 hours without receiving an email confirming activation, this could indicate a problem with your account or the authorization of your payment details.
45. How do I get started with Amazon Route 53?
Amazon Route 53 has a simple web service interface that lets you get started in minutes. Your DNS records are organized into “hosted zones” that you configure with the AWS Management Console or Route 53’s API to use Route 53.
- If you already have a domain name:
- Use the AWS Management Console or the CreateHostedZone API to create a hosted zone that can store DNS records for your domain. Upon creating the hosted zone, you receive four Route 53 name servers across four different Top-Level Domains (TLDs) to help ensure a high level of availability.
- Additionally, you can transfer your domain name to Route 53’s management via either the AWS Management Console or the API.
- If you don’t already have a domain name:
- Use the AWS Management Console or the API to register your new domain name.
- Route 53 automatically creates a hosted zone that stores DNS records for your domain. You also receive four Route 53 name servers across four different Top-Level Domains (TLDs) to help ensure a high level of availability.
- Your hosted zone will be initially populated with a basic set of DNS records, including four virtual name servers that will answer queries for your domain. You can add, delete or change records in this set by using the AWS Management Console or by calling the ChangeResourceRecordSet API. A list of supported DNS records is available here.
- If your domain name is not managed by Route 53, you will need to inform the registrar with whom you registered your domain name to update the name servers for your domain to the ones associated with your hosted zone. If your domain name is managed by Route 53 already, your domain name will be automatically associated with the name servers hosting your zone.
46. Does Amazon Route 53 provide query logging capability?
You can configure Amazon Route 53 to log information about the queries that Amazon Route 53 receives, including date-time stamp, domain name, query type, location, etc. When you configure query logging, Amazon Route 53 starts to send logs to CloudWatch Logs. You use CloudWatch Logs tools to access the query logs.
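What a defender can do with those logs once they land in CloudWatch Logs, as an added example that is not AWS code. Public hosted zone query logs are space-separated lines with ten fields (log format version, timestamp, hosted zone ID, query name, query type, response code, protocol, edge location, resolver IP, EDNS client subnet); the parser below reads them and flags resolver IPs that generate an unusual number of NXDOMAIN answers, a common sign of zone enumeration or a random-subdomain flood. The log lines are constructed and the hosted zone ID is a placeholder.

```python
"""Parse Route 53 public hosted zone query logs and flag resolvers producing
unusual NXDOMAIN volumes.  Added example, not AWS code.  SAMPLE_LOG is
constructed; Z_EXAMPLE_ZONE_ID is a placeholder hosted zone ID."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: ten space-separated fields per line, "-" = no EDNS client subnet.
SAMPLE_LOG = """\
1.0 2024-05-01T10:00:00.000Z Z_EXAMPLE_ZONE_ID www.example.com A NOERROR UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:01.000Z Z_EXAMPLE_ZONE_ID www.example.com AAAA NOERROR UDP IAD12 198.51.100.7 -
1.0 2024-05-01T10:00:02.000Z Z_EXAMPLE_ZONE_ID zq1.example.com A NXDOMAIN UDP FRA6 203.0.113.9 -
1.0 2024-05-01T10:00:02.100Z Z_EXAMPLE_ZONE_ID zq2.example.com A NXDOMAIN UDP FRA6 203.0.113.9 -
1.0 2024-05-01T10:00:02.200Z Z_EXAMPLE_ZONE_ID zq3.example.com A NXDOMAIN UDP FRA6 203.0.113.9 -
1.0 2024-05-01T10:00:03.000Z Z_EXAMPLE_ZONE_ID mail.example.com MX NOERROR TCP IAD12 198.51.100.7 198.51.100.0/24
"""


@dataclass
class QueryLogRecord:
    version: str
    timestamp: str
    hosted_zone_id: str
    query_name: str
    query_type: str
    response_code: str
    protocol: str
    edge_location: str
    resolver_ip: str
    edns_client_subnet: str  # "-" when the resolver sent none


def parse_line(line):
    """One log line -> QueryLogRecord; rejects lines with the wrong field count."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return QueryLogRecord(*parts)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def nxdomain_by_resolver(records):
    """Resolver IP -> number of NXDOMAIN answers it received."""
    return dict(Counter(r.resolver_ip for r in records if r.response_code == "NXDOMAIN"))


def flag_resolvers(records, threshold=3):
    """Resolver IPs whose NXDOMAIN count reaches the threshold, sorted."""
    return sorted(ip for ip, n in nxdomain_by_resolver(records).items() if n >= threshold)


def query_type_breakdown(records):
    """Query type -> count, useful for spotting bursts of unusual types."""
    return dict(Counter(r.query_type for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(query_type_breakdown(recs))
    print("noisy resolvers:", flag_resolvers(recs))
```

In production the threshold is set per zone from a baseline window rather than a fixed number, and the same parser feeds a CloudWatch metric filter or a scheduled query instead of a local list.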
47. How does Amazon Route 53 provide high availability and low latency?
Route 53 is built using AWS’s highly available and reliable infrastructure. The globally distributed nature of our DNS servers helps ensure a consistent ability to route your end users to your application by circumventing any internet or network-related issues. Route 53 is designed to provide the level of dependability required by important applications. Using a global anycast network of DNS servers around the world, Route 53 is designed to automatically answer queries from the optimal location depending on network conditions. As a result, the service offers low query latency for your end users.
48. Does Amazon Route 53 offer a Service Level Agreement (SLA)?
Yes. Both the Amazon Route 53 authoritative service and the Amazon Route 53 Resolver Endpoints service provide service credit if a customer’s monthly uptime percentage is below our service commitment in any billing cycle.
Questions on Route 53 Domain Name Systems (DNS)
49. Does Amazon Route 53 use an anycast network?
Yes. Anycast is a networking and routing technology that helps your end users’ DNS queries get answered from the optimal Route 53 location given network conditions. As a result, your users get high availability and improved performance with Route 53.
50. Is there a limit to the number of hosted zones I can manage using Amazon Route 53?
Each Amazon Route 53 account is limited to a maximum of 500 hosted zones and 10,000 resource record sets per hosted zone.
51. Does Amazon Route 53 also provide website hosting?
No. Amazon Route 53 is an authoritative DNS service and does not provide website hosting. However, you can use Amazon Simple Storage Service (Amazon S3) to host a static website. To host a dynamic website or other web applications, you can use Amazon Elastic Compute Cloud (Amazon EC2), which provides flexibility, control, and significant cost savings over traditional web hosting solutions.
52. Can I associate multiple IP addresses with a single record?
Yes. Associating multiple IP addresses with a single record is often used for balancing the load of geographically-distributed web servers. Amazon Route 53 allows you to list multiple IP addresses for an A record and responds to DNS requests with the list of all configured IP addresses.
53. How quickly will changes I make to my DNS settings on Amazon Route 53 propagate globally?
Amazon Route 53 is designed to propagate updates you make to your DNS records to its worldwide network of authoritative DNS servers within 60 seconds under normal conditions. A change is successfully propagated worldwide when the API call returns an INSYNC status listing.
Note that caching DNS resolvers are outside the control of the Amazon Route 53 service and will cache your resource record sets according to their time to live (TTL). The INSYNC or PENDING status of a change refers only to the state of Route 53’s authoritative DNS servers.
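Polling for the INSYNC status described above, as an added example that is not AWS code. It is written against the `get_change(Id=...)` call of boto3's Route 53 client but is given a fake client with the same response shape so it runs offline; the change ID is a constructed placeholder. The second function carries the page's caveat into a number: INSYNC says nothing about caching resolvers, so the old record's TTL must be added to the cut-over window.

```python
"""Wait for a Route 53 change to reach INSYNC, with a fake client so the
example runs offline.  Added example, not AWS code.  The real client is
boto3.client("route53"); the fake mimics its get_change response shape.
The change ID is a constructed placeholder."""
import time


def wait_for_insync(client, change_id, poll_seconds=1.0, timeout_seconds=60.0, sleep=time.sleep):
    """Poll GetChange until Status is INSYNC and return the number of polls.

    INSYNC means Route 53's authoritative servers all have the change;
    resolvers elsewhere keep serving the cached answer until the TTL expires.
    """
    elapsed = 0.0
    polls = 0
    while True:
        polls += 1
        status = client.get_change(Id=change_id)["ChangeInfo"]["Status"]
        if status == "INSYNC":
            return polls
        if elapsed >= timeout_seconds:
            raise TimeoutError(f"change {change_id} still {status} after {timeout_seconds}s")
        sleep(poll_seconds)
        elapsed += poll_seconds


class FakeRoute53:
    """Answers PENDING for the first `pending_polls` calls, then INSYNC."""

    def __init__(self, pending_polls):
        self.remaining = pending_polls

    def get_change(self, Id):
        status = "PENDING" if self.remaining > 0 else "INSYNC"
        self.remaining -= 1
        return {"ChangeInfo": {"Id": Id, "Status": status}}


def cutover_window_seconds(insync_seconds, old_ttl_seconds):
    """Worst-case time until every caching resolver returns the new answer."""
    return insync_seconds + old_ttl_seconds


if __name__ == "__main__":
    polls = wait_for_insync(FakeRoute53(2), "/change/C_EXAMPLE", sleep=lambda s: None)
    print("INSYNC after", polls, "polls")
    print("plan for", cutover_window_seconds(60, 300), "seconds before the old answer is gone")
```

The practical consequence for a migration is to lower the TTL of the record well before the change, wait out the old TTL, then make the change and poll for INSYNC.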
54. Can I see a history of my changes and other operations on my Route 53 resources?
Yes, via AWS CloudTrail you can record and log the API call history for Route 53.
55. Does Amazon Route 53 support DNSSEC?
Yes. You can enable DNSSEC signing for existing and new public hosted zones, as well as DNSSEC validation for Amazon Route 53 Resolver. Additionally, Amazon Route 53 allows DNSSEC on domain registration.
56. Does Amazon Route 53 support IPv6?
Yes. Amazon Route 53 supports both forward (AAAA) and reverse (PTR) IPv6 records. The Amazon Route 53 service itself is also available over IPv6. Recursive DNS resolvers on IPv6 networks can use either IPv4 or IPv6 transport in order to submit DNS queries to Amazon Route 53. Amazon Route 53 health checks also support monitoring of endpoints using the IPv6 protocol.
57. How can I use Amazon Route 53 with Amazon Simple Storage Service (Amazon S3) and Amazon CloudFront?
For websites delivered via Amazon CloudFront or static websites hosted on Amazon S3, you can use the Amazon Route 53 service to create an Alias record for your domain which points to the CloudFront distribution or S3 website bucket. For S3 buckets not configured to host static websites, you can create a CNAME record for your domain and the S3 bucket name. In all cases, note that you will also need to configure your S3 bucket or your CloudFront distribution respectively with the alternate domain name entry to completely establish the alias between your domain name and the AWS domain name for your bucket or distribution.
For CloudFront distributions and S3 buckets configured to host static websites, we recommend creating an ‘Alias’ record that maps to your CloudFront distribution or S3 website bucket, instead of using CNAMEs. Alias records have two advantages: first, unlike CNAMEs, you can create an Alias record for your zone apex.
Questions on Route 53 DNS Routing Policies
58. Does Amazon Route 53 support Weighted Round Robin (WRR)?
Yes. Weighted Round Robin allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability to do A/B testing, sending a small portion of traffic to a server on which you’ve made a software change. For instance, suppose you have two record sets associated with one DNS name—one with weight 3 and one with weight 1. In this case, 75% of the time Route 53 will return the record set with weight 3, and 25% of the time Route 53 will return the record set with weight 1. Weights can be any number between 0 and 255.
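The weighted selection described above, carried out for any number of records rather than just the 3:1 case, as an added Python example (not code from this page or from AWS). The addresses are constructed, and the rule that a record set whose weights are all 0 is served with equal probability is Route 53's documented behaviour, stated here as an assumption rather than taken from the page.

```python
import random
from typing import Dict, List, Tuple

# Constructed sample: two records for one DNS name, weighted 3 and 1,
# which should be answered 75% and 25% of the time respectively.
SAMPLE_RECORDS: List[Tuple[str, int]] = [("192.0.2.10", 3), ("192.0.2.20", 1)]


def validate_weight(weight: int) -> None:
    """Route 53 weights are integers in the range 0..255."""
    if not isinstance(weight, int) or not 0 <= weight <= 255:
        raise ValueError(f"weight {weight!r} is outside 0..255")


def expected_shares(records: List[Tuple[str, int]]) -> Dict[str, float]:
    """Fraction of answers each record is expected to receive.

    A record with weight 0 is never returned while another record has a
    non-zero weight. If every weight is 0, all records are returned with
    equal probability (assumed from Route 53 documentation, not the page).
    """
    for _, weight in records:
        validate_weight(weight)
    total = sum(weight for _, weight in records)
    if total == 0:
        return {name: 1.0 / len(records) for name, _ in records}
    return {name: weight / total for name, weight in records}


def pick_answer(records: List[Tuple[str, int]], rng=random) -> str:
    """Choose one record with probability proportional to its weight."""
    shares = expected_shares(records)
    names = [name for name, _ in records]
    return rng.choices(names, weights=[shares[n] for n in names], k=1)[0]


def simulate(records: List[Tuple[str, int]], draws: int, seed: int = 1) -> Dict[str, int]:
    """Count how often each record is returned over `draws` simulated queries."""
    rng = random.Random(seed)
    counts = {name: 0 for name, _ in records}
    for _ in range(draws):
        counts[pick_answer(records, rng)] += 1
    return counts
```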
59. What is Amazon Route 53’s Latency Based Routing (LBR) feature?
LBR (Latency Based Routing) is a new feature for Amazon Route 53 that helps you improve your application’s performance for a global audience. You can run applications in multiple AWS regions and Amazon Route 53, using dozens of edge locations worldwide, will route end users to the AWS region that provides the lowest latency.
60. How do I get started using Amazon Route 53’s Latency Based Routing (LBR) feature?
You can start using Amazon Route 53’s new LBR feature quickly and easily by using either the AWS Management Console or a simple API. You simply create a record set that includes the IP addresses or ELB names of various AWS endpoints and mark that record set as an LBR-enabled Record Set, much like you mark a record set as a Weighted Record Set. Amazon Route 53 takes care of the rest – determining the best endpoint for each request and routing end users accordingly, much like Amazon CloudFront, Amazon’s global content delivery service, does.
61. What is the price for Amazon Route 53’s Latency Based Routing (LBR) feature?
Like all AWS services, there are no upfront fees or long-term commitments to use Amazon Route 53 and LBR. Customers simply pay for the hosted zones and queries they actually use.
62. What is Amazon Route 53’s Geo DNS feature?
Route 53 Geo DNS lets you balance load by directing requests to specific endpoints based on the geographic location from which the request originates. Geo DNS makes it possible to customize localized content, such as presenting detail pages in the right language or restricting the distribution of content to only the markets you have licensed. Geo DNS also lets you balance load across endpoints in a predictable, easy-to-manage way, ensuring that each end-user location is consistently routed to the same endpoint.
Geo DNS provides three levels of geographic granularity: continent, country, and state. It also provides a global record that is served in cases where an end user’s location doesn’t match any of the specific Geo DNS records you have created. You can also combine Geo DNS with other routing types, such as Latency-Based Routing and DNS Failover, to enable a variety of low-latency and fault-tolerant architectures.
63. How do I get started using Amazon Route 53’s Geo DNS feature?
You can start using Amazon Route 53’s Geo DNS feature quickly and easily by using either the AWS Management Console or the Route 53 API. You simply create a record set and specify the applicable values for that type of record set, mark that record set as a Geo DNS-enabled Record Set, and select the geographic region (global, continent, country, or state) that you want the record to apply to.
64. When using Geo DNS, do I need a “global” record? When would Route 53 return this record?
Yes, we strongly recommend that you configure a global record, to ensure that Route 53 can provide a response to DNS queries from all possible locations—even if you have created specific records for each continent, country, or state where you expect your end users will be located. Route 53 will return the value contained in your global record in the following cases:
- The DNS query comes from an IP address not recognized by Route 53’s Geo IP database.
- The DNS query comes from a location not included in any of the specific Geo DNS records you have created.
65. Can I have a Geo DNS record for a continent and different Geo DNS records for countries within that continent? Or a Geo DNS record for a country and Geo DNS records for states within that country?
Yes, you can have Geo DNS records for overlapping geographic regions (e.g., a continent and countries within that continent, or a country and states within that country). For each end user’s location, Route 53 will return the most specific Geo DNS record that includes that location. In other words, for a given end user’s location, Route 53 will first return a state record; if no state record is found, Route 53 will return a country record; if no country record is found, Route 53 will return a continent record; and finally, if no continent record is found, Route 53 will return the global record.
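The most-specific-record selection described in questions 64 and 65, as an added Python example (not code from this page or from AWS). Both the GeoIP table and the record set are constructed, using documentation address ranges; the global record is keyed "*" here by my own convention, and the unknown-IP case from question 64 falls through to it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed GeoIP table: CIDR -> (continent, country, state). Route 53 uses
# its own GeoIP database; these prefixes and locations are made up.
GEOIP_TABLE: List[Tuple[str, Tuple[str, str, Optional[str]]]] = [
    ("192.0.2.0/24", ("NA", "US", "WA")),
    ("198.51.100.0/24", ("NA", "US", None)),   # country known, state unknown
    ("203.0.113.0/24", ("EU", "DE", None)),
]

# Constructed geolocation records for one DNS name. "*" is the global record.
GEO_RECORDS: Dict[str, str] = {
    "*": "203.0.113.50",
    "continent:NA": "192.0.2.50",
    "country:US": "192.0.2.60",
    "state:US-WA": "192.0.2.70",
}


def locate(ip: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (continent, country, state) for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for cidr, location in GEOIP_TABLE:
        if addr in ipaddress.ip_network(cidr):
            return location
    return None


def resolve_geo(records: Dict[str, str], client_ip: str) -> Tuple[str, str]:
    """Pick the most specific geolocation record for a client IP.

    Preference order is state, then country, then continent, then the global
    record. The global record is also used when the IP is not in the GeoIP
    table at all. Returns (matched_key, value) so the winning level is visible.
    """
    location = locate(client_ip)
    candidates: List[str] = []
    if location is not None:
        continent, country, state = location
        if state is not None:
            candidates.append(f"state:{country}-{state}")
        candidates.append(f"country:{country}")
        candidates.append(f"continent:{continent}")
    candidates.append("*")
    for key in candidates:
        if key in records:
            return key, records[key]
    # No global record configured and nothing more specific matched. The page
    # recommends always having a global record; this makes the gap explicit.
    raise LookupError("no matching geolocation record and no global record")
```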
66. What is the price for Route 53’s Geo DNS feature?
Like all AWS services, there are no upfront fees or long-term commitments to use Amazon Route 53 and Geo DNS. Customers simply pay for the hosted zones and queries they actually use.
67. What is the difference between Latency Based Routing and Geo DNS?
Geo DNS bases routing decisions on the geographic location of the requests. In some cases, geography is a good proxy for latency; but there are certain situations where it is not. Latency Based Routing utilizes latency measurements between viewer networks and AWS data centers. These measurements are used to determine which endpoint to direct users toward.
If your goal is to minimize end-user latency, we recommend using Latency Based Routing. If you have compliance, localization requirements, or other use cases that require stable routing from a specific geography to a specific endpoint, we recommend using Geo DNS.
68. Does Amazon Route 53 support multiple values in response to DNS queries?
Route 53 now supports multivalue answers in response to DNS queries. While not a substitute for a load balancer, the ability to return multiple health-checkable IP addresses in response to DNS queries is a way to use DNS to improve availability and load balancing. If you want to route traffic randomly to multiple resources, such as web servers, you can create one multivalue answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record. Amazon Route 53 supports up to eight healthy records in response to each DNS query.
Questions on Route 53 Traffic Flow
69. What is Amazon Route 53 Traffic Flow?
Amazon Route 53 Traffic Flow is an easy-to-use and cost-effective global traffic management service. With Amazon Route 53 Traffic Flow, you can improve the performance and availability of your application for your end users by running multiple endpoints around the world, using Amazon Route 53 Traffic Flow to connect your users to the best endpoint based on latency, geography, and endpoint health.
Amazon Route 53 Traffic Flow makes it easy for developers to create policies that route traffic based on the constraints they care most about, including latency, endpoint health, load, geo proximity, and geography. Customers can customize these templates or build policies from scratch using a simple visual policy builder in the AWS Management Console.
70. Can I create an Alias record pointing to a DNS name that is managed by a traffic policy?
Yes, it is possible to create an Alias record pointing to a DNS name that is being managed by a traffic policy.
71. How am I billed for using Amazon Route 53 Traffic Flow?
You are billed per policy record. A policy record represents the application of a Traffic Flow policy to a specific DNS name in order to use the traffic policy to manage how requests for that DNS name are answered. Billing is monthly and is prorated for partial months. There is no charge for traffic policies that are not associated with a DNS name via a policy record.
72. What are the advanced query types supported in Amazon Route 53 Traffic Flow?
Traffic Flow supports all Amazon Route 53 DNS Routing policies including latency, endpoint health, multivalue answers, weighted round-robin, and geo. In addition to these, Traffic Flow also supports geoproximity based routing with traffic biasing.
73. How does the geoproximity bias value of an endpoint affect DNS traffic routing to other endpoints?
Changing the geoproximity bias value on an endpoint either expands or shrinks the area from which Route 53 routes traffic to a resource. The geoproximity bias can’t accurately predict the load factor, though, because a small shift in the size of geographic areas might include or exclude major metropolitan areas that generate large numbers of queries.
Questions on Route 53 Private DNS
74. What is Private DNS?
Private DNS is a Route 53 feature that lets you have authoritative DNS within your VPCs without exposing your DNS records (including the name of the resource and its IP address(es)) to the Internet.
75. Can I use Amazon Route 53 to manage my organization’s private IP addresses?
Yes, you can manage private IP addresses within Virtual Private Clouds (VPCs) using Amazon Route 53’s Private DNS feature. With Private DNS, you can create a private hosted zone, and Route 53 will only return these records when queried from within the VPC(s) that you have associated with your private hosted zone.
76. How do I set up Private DNS?
To set up private DNS in Amazon Web Services (AWS), you can follow these steps:
- Create a VPC: First, create a Virtual Private Cloud (VPC) in which you want to enable private DNS. You can do this using the AWS Management Console, the AWS CLI, or the AWS SDKs.
- Enable DNS support: Next, enable DNS support for your VPC. This will create a private hosted zone in Route 53 for your VPC, and enable you to create DNS records that are private to your VPC.
- Create DNS records: In the private hosted zone for your VPC, create DNS records to map domain names to your resources within the VPC. You can create A records to map domain names to private IP addresses, or CNAME records to map domain names to other domain names.
- Configure VPC settings: In the VPC settings, enable the “Enable DNS hostnames” option. This will enable DNS hostnames for your instances, allowing them to be resolved using their private DNS names.
- Associate domain names: If you want to use a domain name that you own (e.g., example.com) with your VPC, you can create a CNAME record in the public hosted zone for your domain that points to the private DNS name of your VPC. This will enable you to use your own domain name with your VPC resources.
Overall, setting up private DNS in AWS is a straightforward process that can help you improve the security and manageability of your applications.
77. Do I need connectivity to the outside Internet in order to use Private DNS?
You can resolve internal DNS names from resources within your VPC that do not have Internet connectivity. However, to update the configuration for your Private DNS-hosted zone, you need Internet connectivity to access the Route 53 API endpoint, which is outside of the VPC.
78. Can I still use Private DNS if I’m not using VPC?
No. Route 53 Private DNS uses VPC to manage visibility and provide DNS resolution for private DNS-hosted zones. To take advantage of Route 53 Private DNS, you must configure a VPC and migrate your resources into it.
79. Can I use the same private Route 53 hosted zone for multiple VPCs?
Yes, you can use the same private Amazon Route 53 hosted zone for multiple Virtual Private Clouds (VPCs). This can be useful if you have multiple VPCs that need to communicate with each other and you want to use a consistent set of DNS names to refer to the resources in those VPCs.
Questions on Route 53 Health Checks & DNS Failover
80. What is DNS Failover?
DNS Failover consists of two components: health checks and failover. Health checks are automated requests sent over the Internet to your application to verify that your application is reachable, available, and functional. You can configure the health checks to be similar to the typical requests made by your users, such as requesting a web page from a specific URL. With DNS failover, Route 53 only returns answers for resources that are healthy and reachable from the outside world, so that your end users are routed away from a failed or unhealthy part of your application.
81. Does DNS Failover support Elastic Load Balancers (ELBs) as endpoints?
Yes, you can configure DNS Failover for Elastic Load Balancers (ELBs). To enable DNS Failover for an ELB endpoint, create an Alias record pointing to the ELB and set the “Evaluate Target Health” parameter to true. Route 53 creates and manages the health checks for your ELB automatically.
You do not need to create your own Route 53 health check of the ELB. You also do not need to associate your resource record set for the ELB with your own health check, because Route 53 automatically associates it with the health checks that Route 53 manages on your behalf. The ELB health check will also inherit the health of your backend instances behind that ELB. For more details on using DNS Failover with ELB endpoints.
82. What DNS record types can I associate with Route 53 health checks?
You can associate any record type supported by Route 53 except SOA and NS records.
83. Can I health check an endpoint if I don’t know its IP address?
Yes. You can configure DNS Failover for Elastic Load Balancers and Amazon S3 website buckets via the Amazon Route 53 Console without needing to create a health check of your own. For these endpoint types, Route 53 automatically creates and manages health checks on your behalf which are used when you create an Alias record pointing to the ELB or S3 website bucket and enable the “Evaluate Target Health” parameter on the Alias record.
For all other endpoints, you can specify either the DNS name or the IP address of the endpoint when you create a health check for that endpoint.
84. One of my endpoints is outside AWS. Can I set up DNS Failover on this endpoint?
Yes. Just like you can create a Route 53 resource record that points to an address outside AWS, you can set up health checks for parts of your application running outside AWS, and you can fail over to any endpoint that you choose, regardless of location. For example, you may have a legacy application running in a data center outside AWS and a backup instance of that application running within AWS. You can set up health checks of your legacy application running outside AWS, and if the application fails the health checks, you can fail over automatically to the backup instance in AWS.
85. If failover occurs and I have multiple healthy endpoints remaining, will Route 53 consider the load on my healthy endpoints when determining where to send traffic from the failed endpoint?
No, Route 53 does not make routing decisions based on the load or available traffic capacity of your endpoints. You will need to ensure that you have available capacity at your other endpoints, or the ability to scale at those endpoints, in order to handle the traffic that had been flowing to your failed endpoint.
86. When my failed endpoint becomes healthy again, how is the DNS failover reversed?
After a failed endpoint passes the number of consecutive health check observations that you specify when creating the health check (the default threshold is three observations), Route 53 will restore its DNS records automatically, and traffic to that endpoint will resume with no action required on your part.
87. What is the interval between health check observations?
By default, health check observations are conducted at an interval of 30 seconds. You can optionally select a fast interval of 10 seconds between observations.
By checking three times more often, fast interval health checks enable Route 53 to confirm more quickly that an endpoint has failed, shortening the time required for DNS failover to redirect traffic in response to the endpoint’s failure.
Fast interval health checks also generate three times the number of requests to your endpoint, which may be a consideration if your endpoint has a limited capacity to serve web traffic.
88. Do Route 53 health checks follow HTTP redirects?
No. Route 53 health checks consider an HTTP 3xx code to be a successful response, so they don’t follow the redirect. This may cause unexpected results for string-matching health checks. The health check searches for the specified string in the body of the redirect. Because the health check doesn’t follow the redirect, it never sends a request to the location that the redirect points to and never gets a response from that location. For string-matching health checks, we recommend that you avoid pointing the health check at a location that returns an HTTP redirect.
89. What is the sequence of events when failover happens?
In simplest terms, the following events will take place if a health check fails and failover occurs:
- Route 53 conducts a health check of your application. In this example, your application fails three consecutive health checks, triggering the following events.
- Route 53 disables the resource records for the failed endpoint and no longer serves these records. This is the failover step, which causes traffic to begin being routed to your healthy endpoint(s) instead of your failed endpoint.
90. What happens if all of my endpoints are unhealthy?
Route 53 can only fail over to an endpoint that is healthy. If there are no healthy endpoints remaining in a resource record set, Route 53 will behave as if all health checks are passing.
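A small model of the health-check and failover behaviour described in questions 86, 88, 89 and 90, as an added Python example (not code from this page or from AWS): the consecutive-observation threshold (default three) in both directions, 3xx responses counted as successes with string matching applied to the redirect body, healthy-only answers, and the fail-open rule when no endpoint is healthy. Endpoint addresses and observations are constructed, and a real checker observes from many locations whereas this model feeds one observation at a time.

```python
from dataclasses import dataclass
from typing import List, Optional


def observation_passes(status: int, body: str,
                       search_string: Optional[str] = None) -> bool:
    """Evaluate one HTTP observation the way the page describes.

    2xx and 3xx status codes are successes and redirects are not followed, so
    with string matching enabled the search runs over the body of the redirect
    response itself, not the page the redirect points to.
    """
    if not 200 <= status < 400:
        return False
    if search_string is None:
        return True
    return search_string in body


@dataclass
class HealthCheck:
    """Flip status only after `threshold` consecutive opposing observations."""
    threshold: int = 3      # Route 53's default number of observations
    healthy: bool = True
    streak: int = 0         # consecutive observations that disagree with `healthy`

    def observe(self, passed: bool) -> bool:
        """Record one observation and return the resulting health status."""
        if passed == self.healthy:
            self.streak = 0          # agrees with current status: reset the streak
            return self.healthy
        self.streak += 1
        if self.streak >= self.threshold:
            self.healthy = passed    # failover, or recovery, after threshold in a row
            self.streak = 0
        return self.healthy


@dataclass
class Record:
    value: str
    check: Optional[HealthCheck] = None   # None: no health check, always served


def answer(records: List[Record]) -> List[str]:
    """Return the values served for a health-checked record set.

    Records whose check is unhealthy are withheld (the failover step). If no
    record is healthy, every record is returned, as if all checks were passing.
    """
    healthy = [r.value for r in records if r.check is None or r.check.healthy]
    return healthy if healthy else [r.value for r in records]
```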
91. Can I use DNS Failover without using Latency Based Routing (LBR)?
Yes. You can configure DNS Failover without using LBR. In particular, you can use DNS failover to configure a simple failover scenario where Route 53 monitors your primary website and fails over to a backup site in the event that your primary site is unavailable.
92. Can I configure a health check on a site accessible only via HTTPS?
Yes. Route 53 supports health checks over HTTPS, HTTP, or TCP.
93. How can I use health checks to verify that my web server is returning the correct content?
You can use Route 53 health checks to check for the presence of a designated string in a server response by selecting the “Enable String Matching” option. This option can be used to check a web server to verify that the HTML it serves contains an expected string. Or, you can create a dedicated status page and use it to check the health of the server from an internal or operational perspective.
94. How do I see the status of a health check that I’ve created?
You can view the current status of a health check, as well as details on why it has failed, in the Amazon Route 53 console and via the Route 53 API.
Additionally, each health check’s results are published as Amazon CloudWatch metrics showing the endpoint’s health and, optionally, the latency of the endpoint’s response. You can view a graph of the Amazon CloudWatch metric in the health checks tab of the Amazon Route 53 console to see the current and historical status of the health check. You can also create Amazon CloudWatch alarms on the metric in order to send notifications if the status of the health check changes.
The Amazon CloudWatch metrics for all of your Amazon Route 53 health checks are also visible in the Amazon CloudWatch console. Each Amazon CloudWatch metric contains the Health Check ID, which you can use to identify which health check the metric is tracking.
95. How can I measure the performance of my application’s endpoints using Amazon Route 53?
Amazon Route 53 health checks include an optional latency measurement feature that provides data on how long it takes your endpoint to respond to a request. When you enable the latency measurement feature, the Amazon Route 53 health check will generate additional Amazon CloudWatch metrics showing the time required for Amazon Route 53’s health checkers to establish a connection and begin receiving data. Amazon Route 53 provides a separate set of latency metrics for each AWS region where Amazon Route 53 health checks are conducted.
96. How can I be notified if one of my endpoints starts failing its health check?
Because each Route 53 health check publishes its results as a CloudWatch metric, you can configure the full range of CloudWatch notifications and automated actions which can be triggered when the health check value changes beyond a threshold that you specify. First, in either the Route 53 or CloudWatch console, configure a CloudWatch alarm on the health check metric. Then add a notification action and specify the email or SNS topic that you want to publish your notification.
97. I created an alarm for my health check, but I need to re-send the confirmation email for the alarm’s SNS topic. How can I re-send this email?
Confirmation emails can be re-sent from the SNS console. To find the name of the SNS topic associated with the alarm, click the alarm name within the Route 53 console and look in the box labeled “Send notification to.”
Within the SNS console, expand the list of topics, and select the topic from your alarm. Open the “Create Subscription” box and select Email for protocol and enter the desired email address. Clicking “Subscribe” will re-send the confirmation email.
98. For Alias records pointing to Amazon S3 Website buckets, what is being health checked when I set Evaluate Target Health to “true”?
Amazon Route 53 performs health checks of the Amazon S3 service itself in each AWS region. When you enable Evaluate Target Health on an Alias record pointing to an Amazon S3 Website bucket, Amazon Route 53 will take into account the health of the Amazon S3 service in the AWS region where your bucket is located. Amazon Route 53 does not check whether a specific bucket exists or contains valid website content; Amazon Route 53 will only fail over to another location if the Amazon S3 service itself is unavailable in the AWS region where your bucket is located.
99. What is the cost to use CloudWatch metrics for my Route 53 health checks?
CloudWatch metrics for Route 53 health checks are available free of charge.
100. Can I configure DNS Failover based on internal health metrics, such as CPU load, network, or memory?
Yes. Amazon Route 53’s metric-based health checks let you perform DNS failover based on any metric that is available within Amazon CloudWatch, including AWS-provided metrics and custom metrics from your own application. When you create a metric-based health check within Amazon Route 53, the health check becomes unhealthy whenever its associated Amazon CloudWatch metric enters an alarm state.
Metric-based health checks are useful to enable DNS failover for endpoints that cannot be reached by a standard Amazon Route 53 health check, such as instances within a Virtual Private Cloud (VPC) that only have private IP addresses. Using Amazon Route 53’s calculated health check feature, you can also accomplish more sophisticated failover scenarios by combining the results of metric-based health checks with the results of standard Amazon Route 53 health checks, which make requests against an endpoint from a network of checkers around the world.
For example, you can create a configuration that fails away from an endpoint if either its public-facing web page is unavailable, or if internal metrics such as CPU load, network in/out, or disk reads show that the server itself is unhealthy.
101. If I specify a domain name as my health check target, will Amazon Route 53 check over IPv4 or IPv6?
If you specify a domain name as the endpoint of an Amazon Route 53 health check, Amazon Route 53 will look up the IPv4 address of that domain name and will connect to the endpoint using IPv4. Amazon Route 53 will not attempt to look up the IPv6 address for an endpoint that is specified by the domain name. If you want to perform a health check over IPv6 instead of IPv4, select “IP address” instead of “domain name” as your endpoint type, and enter the IPv6 address in the “IP address” field.
Questions on Route 53 Domain Name Registration
102. Can I register domain names with Amazon Route 53?
Yes. You can use the AWS Management Console or API to register new domain names with Route 53. You can also request to transfer existing domain names from other registrars to be managed by Route 53.
103. How can I register a domain name with Route 53?
To get started, log into your account and click on “Domains”. Then, click the big blue “Register Domain” button and complete the registration process.
104. How long is my domain name registered for?
The initial registration period is typically one year, although the registries for some top-level domains (TLDs) have longer registration periods. When you register a domain with Amazon Route 53 or transfer domain registration to Amazon Route 53, we configure the domain to renew automatically.
105. Does Route 53 offer privacy protection for domain names I have registered?
Yes, Route 53 provides privacy protection at no additional charge. Privacy protection hides your phone number, email address, and physical address. Your first and last name will be hidden if the TLD registry and registrar allow it. When you enable privacy protection, a Whois query for the domain will contain the registrar’s mailing address in place of your physical address, and the registrar’s name in place of your name (if allowed). Your email address will be a registrar-generated forwarding email address that third parties may use if they wish to contact you. Domain names registered by companies or organizations are eligible for privacy protection if the TLD registry and registrar allow it.
106. What name servers are used to register my domain name?
When your domain name is created we automatically associate your domain with four unique Route 53 name servers, known as a delegation set. You can view the delegation set for your domain in the Amazon Route 53 console. They’re listed in the hosted zone that we create for you automatically when you register a domain.
By default, Route 53 will assign a new, unique delegation set for each hosted zone you create. However, you can also use the Route 53 API to create a “reusable delegation set”, which you can then apply to multiple hosted zones that you create. For customers with large numbers of domain names, reusable delegation sets make migration to Route 53 simple, because you can instruct your domain name registrar to use the same delegation set for all your domains managed by Route 53.
This feature also makes it possible for you to create “white label” name server addresses such as ns1.example.com, ns2.example.com, etc., which you can point to your Route 53 name servers. You can then use your “white label” name server addresses as the authoritative name servers for as many of your domain names as desired.
107. Will I be charged for my name servers?
You will be charged for the hosted zone that Route 53 creates for your domain name, as well as for the DNS queries against this hosted zone that Route 53 serves on your behalf. If you do not wish to be charged for Route 53’s DNS service, you can delete your Route 53 hosted zone. Please note that some TLDs require you to have valid name servers as part of your domain name registration. For a domain name under one of these TLDs, you will need to procure DNS service from another provider and enter that provider’s name server addresses before you can safely delete your Route 53 hosted zone for that domain name.
108. How do I transfer my domain name to Route 53?
To get started, log into your account and click on “Domains”. Then, click the “Transfer Domain” button at the top of the screen and complete the transfer process. Please make sure before you start the transfer process, (1) your domain name is unlocked at your current registrar, (2) you have disabled privacy protection on your domain name (if applicable), and (3) that you have obtained the valid Authorization Code, or “authcode”, from your current registrar which you will need to enter as part of the transfer process.
109. How do I transfer my existing domain name registration to Amazon Route 53 without disrupting my existing web traffic?
First, you need to get a list of the DNS record data for your domain name, generally available in the form of a “zone file” that you can get from your existing DNS provider. With the DNS record data in hand, you can use Route 53’s Management Console or simple web-services interface to create a hosted zone that can store the DNS records for your domain name.
To complete the domain name transfer process, contact the registrar with whom you registered your domain name and follow its transfer process, which will include steps such as updating the name servers for your domain name to the ones associated with your hosted zone. As soon as your registrar propagates the new name server delegations, the DNS queries from your end users will start to get answered by the Route 53 DNS servers.
110. How do I transfer my domain name to a different registrar?
In order to move your domain name away from Route 53, you need to initiate a transfer request with your new registrar. They will request the domain name be moved to their management.
111. Is there a limit to the number of domains I can manage using Amazon Route 53?
Each new Amazon Route 53 account is limited to a maximum of 50 domains.
112. Does Amazon Route 53 DNS support DNSSEC?
Yes. You can enable DNSSEC signing for existing and new public-hosted zones.
Questions on Route 53 Resolver
113. What is Amazon Route 53 Resolver?
Route 53 Resolver is a regional DNS service that provides recursive DNS lookups for names hosted in EC2 as well as public names on the internet. This functionality is available by default in every Amazon Virtual Private Cloud (VPC). For hybrid cloud scenarios, you can configure conditional forwarding rules and DNS endpoints to enable DNS resolution across AWS Direct Connect and AWS Managed VPN.
114. What is recursive DNS?
Amazon Route 53 is both an Authoritative DNS service and a Recursive DNS service. Authoritative DNS contains the final answer to a DNS query, generally an IP address. Clients (such as mobile devices, applications running in the cloud, or servers in your data center) don’t actually talk directly to authoritative DNS services, except in very rare cases. Instead, clients talk to recursive DNS services (also known as DNS resolvers) which find the correct authoritative answer for any DNS query. Route 53 Resolver is a recursive DNS service.
When receiving a query, a recursive DNS service like Route 53 Resolver may either be configured to automatically forward the query directly to a specific recursive DNS server, or it may recursively search beginning with the root of the domain and continuing until it finds the final answer. In either case, once an answer is found, the recursive DNS server may cache the answer for a period of time so it can answer subsequent queries for the same name more quickly in the future.
115. How do I share rules across accounts?
Route 53 Resolver is integrated with AWS Resource Access Manager (RAM) which provides customers with a simple way to share their resources across AWS accounts or within their AWS Organization. Rules can be created in one primary account and then shared across multiple accounts using RAM. Once shared, the rules still need to be applied to VPCs in those accounts before they can take effect.
116. What happens if I decide to stop sharing rules with other accounts?
Those rules will no longer be usable by the accounts you previously shared them with. This means that if those rules were associated with VPCs in those accounts, they will be disassociated from those VPCs.
117. Does regional support for Route 53 Resolver mean that all of Amazon Route 53 is now regional?
No. Amazon Route 53 public and private DNS, traffic flow, health checks, and domain name registration are all global services.
118. How do I get started with Route 53 Resolver?
You can configure Resolver from within the Amazon Route 53 console.
Questions on Route 53 Resolver DNS Firewall
119. What is Amazon Route 53 Resolver DNS Firewall?
Amazon Route 53 Resolver DNS Firewall is a feature that allows you to quickly deploy DNS protections across all of your Amazon Virtual Private Clouds (VPCs). The Route 53 Resolver DNS Firewall allows you to block queries made for known malicious domains (i.e. create “denylists”) and to allow queries for trusted domains (create “allowlists”) when using the Route 53 Resolver for recursive DNS Resolution. You can also quickly get started with protections against common DNS threats by using AWS Managed Domain Lists. Amazon Route 53 Resolver DNS Firewall works together with AWS Firewall Manager so you can build policies based on DNS Firewall rules, and then centrally apply those policies across your VPCs and accounts.
120. When should I use Route 53 Resolver DNS Firewall?
If you want to be able to filter the domain names that can be queried over DNS from within your VPCs, then DNS Firewall is for you.
It gives you flexibility in choosing the configuration that works best for your organization’s security posture in two ways:
(1) If you have strict DNS exfiltration requirements and want to deny all outbound DNS queries for domains that aren’t on your lists of approved domains, you can create such rules for a “walled-garden” approach to DNS security.
(2) If your organization prefers to allow all outbound DNS lookups within your accounts by default and only requires the ability to block DNS requests for known malicious domains, you can use DNS Firewall to create denylists, which include all the malicious domain names your organization is aware of. DNS Firewall also comes with AWS Managed Domain Lists that help you protect against suspicious domains and Command-and-Control (C&C) bots.
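The two configurations above, as an added example that is not part of the original page or of the AWS service itself: a small Python model of how a DNS Firewall rule group is evaluated (lowest priority number first, first match wins, `*.example.com` matching subdomains but not the apex, `*` matching everything). The rule groups and domain names are constructed for illustration.

```python
from dataclasses import dataclass

ALLOW, BLOCK, ALERT = "ALLOW", "BLOCK", "ALERT"


def domain_matches(entry: str, qname: str) -> bool:
    """Match one domain-list entry against a query name.

    Mirrors DNS Firewall domain-list semantics: a bare name matches only
    itself, '*.example.com' matches subdomains of example.com (not the
    apex), and a lone '*' matches every name.
    """
    qname = qname.rstrip(".").lower()
    entry = entry.rstrip(".").lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        return qname.endswith(entry[1:])  # '.example.com' suffix
    return qname == entry


@dataclass(frozen=True)
class Rule:
    priority: int       # lower number is evaluated first
    action: str         # ALLOW, BLOCK or ALERT
    domains: tuple      # entries of the domain list attached to the rule


def evaluate(rule_group, qname, default=ALLOW):
    """Return the action of the first matching rule in priority order.

    A query that matches no rule falls through to the resolver unchanged,
    which the model represents as the ALLOW default.
    """
    for rule in sorted(rule_group, key=lambda r: r.priority):
        if any(domain_matches(d, qname) for d in rule.domains):
            return rule.action
    return default


# (1) Walled garden: allow only approved names, then block everything else.
WALLED_GARDEN = [
    Rule(100, ALLOW, ("*.amazonaws.com", "updates.example.com")),
    Rule(200, BLOCK, ("*",)),
]

# (2) Denylist: allow by default, alert on suspicious names and block
#     known-bad ones (constructed sample names, not a real threat list).
DENYLIST = [
    Rule(50, ALERT, ("*.suspicious.example",)),
    Rule(100, BLOCK, ("malicious-c2.example", "*.malicious-c2.example")),
]
```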
121. How does Amazon Route 53 Resolver DNS Firewall differ from other firewall offerings on AWS and the AWS Marketplace?
Route 53 Resolver DNS Firewall complements existing network and application security services on AWS by providing control and visibility over Route 53 Resolver DNS traffic (e.g. AmazonProvidedDNS) for your entire VPC. Depending on your use case, you may choose to implement DNS Firewall along with your existing security controls, such as AWS Network Firewall, Amazon VPC Security Groups, AWS Web Application Firewall rules, or AWS Marketplace appliances.
122. Can Amazon Route 53 Resolver DNS Firewall manage security across multiple AWS accounts?
Yes. Route 53 Resolver DNS Firewall is a regional feature and secures Route 53 Resolver DNS network traffic at an organization and account level. For maintaining policy and governance across multiple accounts, it works together with AWS Firewall Manager, which lets you build policies from DNS Firewall rules and apply them centrally across your VPCs and accounts.
123. How much does Amazon Route 53 Resolver DNS Firewall cost?
Pricing is based on the number of domain names stored within your firewall and the number of DNS queries inspected.
124. Which AWS tools can I use to log and monitor my Amazon Route 53 Resolver DNS Firewall activity?
You can log your DNS Firewall activity to an Amazon S3 bucket or Amazon CloudWatch log groups for further analysis and investigation. You can also use Amazon Kinesis Firehose to send your logs to a third-party provider.
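As an added example (not from the original page or from AWS), the kind of analysis you would run over the exported logs: the function below reads Resolver query-log records, counts DNS Firewall actions, and flags sources whose blocked-query count reaches a threshold, which is a useful triage signal for a host repeatedly resolving denied names. The records are constructed; their field names follow the Resolver query log schema as far as this example assumes it, and the rule-group and domain-list ids are placeholders.

```python
import json
from collections import Counter

# Constructed sample records (JSON lines, one per query). Records that no
# firewall rule matched carry no firewall_* fields at all.
SAMPLE_LOG_LINES = [
    '{"srcaddr":"10.0.1.10","query_name":"www.example.com.","query_type":"A","rcode":"NOERROR"}',
    '{"srcaddr":"10.0.1.10","query_name":"c2.malicious.example.","query_type":"A","rcode":"NXDOMAIN",'
    '"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER",'
    '"firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER"}',
    '{"srcaddr":"10.0.1.10","query_name":"c2.malicious.example.","query_type":"AAAA","rcode":"NXDOMAIN",'
    '"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER",'
    '"firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER"}',
    '{"srcaddr":"10.0.1.10","query_name":"evil.example.","query_type":"A","rcode":"NXDOMAIN",'
    '"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER",'
    '"firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER"}',
    '{"srcaddr":"10.0.2.20","query_name":"updates.example.com.","query_type":"A","rcode":"NOERROR"}',
    '{"srcaddr":"10.0.2.20","query_name":"odd.suspicious.example.","query_type":"A","rcode":"NOERROR",'
    '"firewall_rule_action":"ALERT","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER",'
    '"firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER"}',
    '{"srcaddr":"10.0.2.20","query_name":"evil.example.","query_type":"A","rcode":"NXDOMAIN",'
    '"firewall_rule_action":"BLOCK","firewall_rule_group_id":"rslvr-frg-PLACEHOLDER",'
    '"firewall_domain_list_id":"rslvr-fdl-PLACEHOLDER"}',
]


def summarize_firewall_actions(lines, block_threshold=3):
    """Aggregate DNS Firewall actions from query-log lines.

    Returns per-action totals, blocked-query counts per source address,
    the most frequently blocked names, and the sources whose blocked
    count reached block_threshold (candidates for investigation).
    """
    actions = Counter()
    blocked_by_src = Counter()
    blocked_names = Counter()
    for line in lines:
        rec = json.loads(line)
        action = rec.get("firewall_rule_action")
        if action is None:
            continue  # not matched by any firewall rule; nothing to count
        actions[action] += 1
        if action == "BLOCK":
            blocked_by_src[rec["srcaddr"]] += 1
            blocked_names[rec["query_name"].rstrip(".")] += 1
    flagged = sorted(s for s, n in blocked_by_src.items() if n >= block_threshold)
    return {
        "actions": dict(actions),
        "blocked_by_src": dict(blocked_by_src),
        "top_blocked": blocked_names.most_common(3),
        "flagged_sources": flagged,
    }
```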