[AWS] 7. AWS Route 53, DNS (Domain Name System), Routing Policies
Source: Dev.to
What is DNS?
- Domain Name System – translates human‑friendly hostnames into machine IP addresses (e.g., www.google.com → 172.217.18.36). It is the backbone of the Internet.
- Uses a hierarchical naming structure (e.g., .com, example.com, www.example.com, api.example.com).
- Domain Registrar – services that sell domain names (e.g., Amazon Route 53, GoDaddy).
- DNS Records – A, AAAA, CNAME, NS, …
- Zone File – contains the DNS records for a domain.
- Name Server – resolves DNS queries (authoritative or non‑authoritative).
- Top‑Level Domain (TLD) – .com, .us, .in, .gov, .org, …
- Second‑Level Domain (SLD) – amazon.com, google.com, …
Amazon Route 53 Overview
- Highly available, scalable, fully‑managed, authoritative DNS service.
- Authoritative – you (the customer) can update the DNS records.
- Also acts as a domain registrar.
- Can check the health of your resources.
- The only AWS service that offers a 100 % Availability SLA.
- The name “53” refers to the traditional DNS port (53/TCP).
Routing Traffic for a Domain
Each DNS record contains:
| Field | Description |
|---|---|
| Domain / Subdomain Name | e.g., example.com |
| Record Type | e.g., A, AAAA, CNAME |
| Value | e.g., 12.34.56.78 |
| Routing Policy | How Route 53 responds to queries |
| TTL | Time‑to‑live (how long the record is cached by resolvers) |
DNS Record Types Supported by Route 53
| Category | Record Types |
|---|---|
| Must‑know | A, AAAA, CNAME, NS |
| Advanced | CAA, DS, MX, NAPTR, PTR, SOA, TXT, SPF, SRV |
- A – maps a hostname to an IPv4 address.
- AAAA – maps a hostname to an IPv6 address.
- CNAME – maps a hostname to another hostname.
- The CNAME target must itself have an A or AAAA record.
- A CNAME cannot be used at the zone apex (e.g., you cannot create a CNAME for example.com, but you can for www.example.com).
Name Server (NS) Records
- Define the authoritative name servers for a hosted zone.
Hosted Zones
| Type | Description | Example |
|---|---|---|
| Public Hosted Zone | Records that route traffic on the Internet (public domain names). | application1.mypublicdomain.com |
| Private Hosted Zone | Records that route traffic within one or more VPCs (private domain names). | application1.company.internal |
- Cost: $0.50 per month per hosted zone.
TTL (Time‑to‑Live)
| TTL Setting | Effect |
|---|---|
| High TTL (e.g., 24 h) | Fewer queries to Route 53, but records may stay outdated longer. |
| Low TTL (e.g., 60 s) | More queries (higher cost) but changes propagate quickly. |
Note: Except for Alias records, TTL is mandatory for every DNS record.
CNAME vs. Alias Records
| Feature | CNAME | Alias |
|---|---|---|
| Points to | Any hostname | AWS resource (ELB, CloudFront, etc.) |
| Root domain (zone apex) support | ❌ Not allowed | ✅ Allowed |
| Cost | Standard DNS query cost | Free (no extra charge) |
| Health checks | No native health checks | Integrated health checks |
| TTL | User‑defined | Not set (Route 53 manages it) |
| Record type | CNAME | Internally stored as A/AAAA (for the AWS resource) |
| Supported resources | Any hostname | ELB, CloudFront, API Gateway, Elastic Beanstalk, S3 static website, VPC Interface Endpoint, Global Accelerator, another Route 53 record in the same zone |
| Cannot alias | — | EC2 public DNS name (e.g., ec2-xx-xx-xx-xx.compute-1.amazonaws.com) |
Example – Mapping an AWS load balancer to a friendly name:
myapp.mydomain.com → lb-1234.us-east-2.elb.amazonaws.com (Alias)
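As an added example (not code from the original post), here is a small Python builder for the ChangeBatch document that Route 53's ChangeResourceRecordSets API accepts, enforcing the rules from the table above: an Alias record at the apex with no TTL, a CNAME only below the apex and always with a TTL, and no EC2 public DNS names as Alias targets. The load balancer's hosted zone ID is a placeholder you would look up for your Region.

```python
import re

# EC2 public DNS names (e.g. ec2-12-34-56-78.compute-1.amazonaws.com) are not valid Alias targets
EC2_PUBLIC_DNS = re.compile(
    r"^ec2-\d{1,3}(?:-\d{1,3}){3}\.(?:[a-z0-9-]+\.)?compute(?:-\d+)?\.amazonaws\.com\.?$", re.I)

def _fqdn(name):
    """Normalise to a lower-case, dot-terminated name as Route 53 stores it."""
    return name.strip().lower().rstrip(".") + "."

def record_set(zone, name, rtype, value, ttl=None, alias_zone_id=None):
    """Return one ResourceRecordSet in the shape ChangeResourceRecordSets expects.
    Pass alias_zone_id (hosted zone ID of the AWS target; a placeholder here) for an Alias."""
    zone, name = _fqdn(zone), _fqdn(name)
    if not name.endswith(zone):
        raise ValueError(f"{name} is not inside hosted zone {zone}")
    if alias_zone_id is not None:
        if rtype not in ("A", "AAAA"):
            raise ValueError("Alias records are stored as A/AAAA")
        if ttl is not None:
            raise ValueError("Alias records carry no TTL; Route 53 manages it")
        if EC2_PUBLIC_DNS.match(value.strip()):
            raise ValueError("an EC2 public DNS name cannot be an Alias target")
        return {"Name": name, "Type": rtype,
                "AliasTarget": {"HostedZoneId": alias_zone_id,
                                "DNSName": _fqdn(value),
                                "EvaluateTargetHealth": True}}  # follow the target's health
    if ttl is None:
        raise ValueError("TTL is mandatory for every non-Alias record")
    if rtype == "CNAME" and name == zone:
        raise ValueError("CNAME is not allowed at the zone apex; use an Alias record")
    return {"Name": name, "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": _fqdn(value) if rtype == "CNAME" else value}]}

def change_batch(*record_sets, action="UPSERT"):
    """Wrap record sets in the ChangeBatch document passed to change_resource_record_sets."""
    return {"Changes": [{"Action": action, "ResourceRecordSet": rs} for rs in record_sets]}

# The page's example: myapp.mydomain.com -> the load balancer, as an Alias A record
ALIAS_EXAMPLE = record_set("mydomain.com", "myapp.mydomain.com", "A",
                           "lb-1234.us-east-2.elb.amazonaws.com",
                           alias_zone_id="Z_ELB_HOSTED_ZONE_ID_PLACEHOLDER")
```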
Routing Policies (How Route 53 Responds to DNS Queries)
Important: DNS routing is not the same as traffic routing performed by a load balancer. DNS only returns IP addresses or aliases; the client then contacts the returned endpoint.
| Policy | Description | Key Points |
|---|---|---|
| Simple | Returns a single value (or a random value if multiple are present). | No health checks; only one AWS resource when using Alias. |
| Weighted | Distributes traffic based on assigned weights. | All records must share the same name & type; can be health‑checked; weight 0 disables a record. |
| Latency‑based | Returns the endpoint with the lowest latency to the requester. | Uses latency measurements between the client’s location and AWS Regions; can be health‑checked (failover). |
| Failover (Active‑Passive) | Routes traffic to a primary resource; switches to secondary if primary fails. | Requires health checks. |
| Geolocation | Returns different records based on the requester’s geographic location. | Useful for compliance or regional content. |
| Geoproximity (Traffic Flow) | Routes based on geographic distance, with optional bias. | Configured via Route 53 Traffic Flow. |
| Multi‑Value Answer | Returns up to eight healthy records; client picks one. | Built‑in health checking; no need for separate health checks. |
Health Checks
- Purpose: Monitor the health of endpoints (applications, servers, AWS resources) and enable automated DNS failover.
- Types of health checks:
- Endpoint health checks – HTTP, HTTPS, or TCP probes.
- Calculated health checks – Combine results of multiple health checks.
- CloudWatch‑based health checks – Use CloudWatch alarms (e.g., DynamoDB throttling, RDS alarms, custom metrics).
Core Settings
| Setting | Default / Typical Value |
|---|---|
| Healthy/Unhealthy Threshold | 3 |
| Interval | 30 s (can be reduced to 10 s at higher cost) |
| Supported Protocols | HTTP, HTTPS, TCP |
| Success Criteria | ≥ 18 % of global health checkers must report healthy for the endpoint to be considered healthy. |
| Status Codes Considered Healthy | 2xx and 3xx responses. |
| Content‑Based Checks | Optional – pass/fail based on text within the first 5,120 bytes of the response. |
| Global Health Checkers | ~15 distributed locations worldwide. |
Health Check Integration
- Health checks can be attached to records using Weighted, Latency‑based, Failover, and Multi‑Value Answer policies.
- HTTP health checks are only for public resources.
- Private resources can be monitored via Calculated or CloudWatch‑based health checks.
Tip: Ensure your firewall or security groups allow inbound traffic from the Route 53 health‑checking IP ranges.
Quick Reference Cheat‑Sheet
| Concept | Key Takeaway |
|---|---|
| DNS | Translates names → IPs; hierarchical (TLD → SLD → subdomain). |
| Route 53 | Managed, authoritative DNS with health checking and 100 % SLA. |
| Record Types | A/AAAA (IP), CNAME (hostname), NS (name servers), plus many advanced types. |
| Alias Record | AWS‑specific “CNAME‑like” record that works at the zone apex; free, health‑checked. |
| TTL | Controls cache duration; low = fast changes, high = fewer queries. |
| Routing Policies | Simple, Weighted, Latency, Failover, Geolocation, Geoproximity, Multi‑Value. |
| Health Checks | Monitor endpoints; trigger failover; can be endpoint‑, calculated‑, or CloudWatch‑based. |
| Hosted Zones | Public (Internet) vs. Private (VPC) – $0.50/month per zone. |
Calculated Health Checks
- Combine results of multiple health checks into a single health check.
- Logical operators: OR, AND, NOT.
- Maximum children: 256 child health checks.
- Pass‑criteria: Specify how many of the child checks must pass for the parent to be considered healthy.
- Typical use‑case: Perform maintenance on a website without causing all health checks to fail.
Note: Route 53 health checkers run outside the VPC, so they cannot reach private endpoints (private VPC resources or on‑premises servers).
To monitor private resources, you can:
- Create a CloudWatch metric that reflects the health of the private endpoint.
- Attach a CloudWatch alarm to that metric.
- Create a Route 53 health check that monitors the alarm itself.
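The routing-policy table above and the calculated health checks described in this section can be pictured with the small simulator below. It is an added example, not code from the original post or from Route 53 itself, and it simplifies by treating each record's health-check result as a given boolean; AND/OR/NOT are expressed the way the Route 53 API does it, as a child-pass threshold plus an inverted flag.

```python
import random

def calculated_health(child_status, health_threshold, inverted=False):
    """Evaluate a calculated (parent) health check: it passes when at least
    `health_threshold` of its child checks pass.  AND = threshold equal to the
    child count, OR = threshold 1, NOT = inverted=True (flips the result)."""
    if not 1 <= len(child_status) <= 256:
        raise ValueError("a calculated check takes 1 to 256 child checks")
    if not 1 <= health_threshold <= len(child_status):
        raise ValueError("threshold must be between 1 and the child count")
    healthy = sum(1 for ok in child_status if ok) >= health_threshold
    return (not healthy) if inverted else healthy

def route53_answer(records, policy, rng=random):
    """Return the values Route 53 would hand back for one query.
    Each record is a dict with: value, healthy (health-check result, default
    True), weight (weighted policy), failover ("PRIMARY" or "SECONDARY")."""
    healthy = [r for r in records if r.get("healthy", True)]
    if policy == "simple":
        # no health checks: nothing is filtered, the client gets a random value
        return [rng.choice(records)["value"]]
    if policy == "failover":
        primary = [r for r in records if r["failover"] == "PRIMARY"]
        secondary = [r for r in records if r["failover"] == "SECONDARY"]
        for group in (primary, secondary):
            if any(r.get("healthy", True) for r in group):
                return [r["value"] for r in group]
        return [r["value"] for r in primary]  # both unhealthy: Route 53 answers with the primary
    if policy == "weighted":
        # weight 0 takes a record out of rotation; unhealthy records are skipped
        candidates = [r for r in healthy if r.get("weight", 0) > 0]
        total = sum(r["weight"] for r in candidates)
        if total == 0:
            return []
        roll = rng.uniform(0, total)  # each record wins with probability weight/total
        for r in candidates:
            roll -= r["weight"]
            if roll <= 0:
                return [r["value"]]
        return [candidates[-1]["value"]]
    if policy == "multivalue":
        # up to eight healthy records, chosen at random; the client picks one
        return [r["value"] for r in rng.sample(healthy, min(8, len(healthy)))]
    raise ValueError(f"unknown policy {policy!r}")
```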
Failover (Active‑Passive)
Standard Route 53 failover routing where one resource is primary (active) and another is standby (passive).
Geolocation Routing
- Purpose: Route traffic based on the user’s location (different from latency‑based routing).
- Location granularity: Continent, Country, US State (most precise match wins when regions overlap).
- Default record: Always create a “Default” record to catch requests that don’t match any location rule.
- Use cases:
- Website localization
- Content restriction by region
- Load balancing across regions
- Health checks: Can be associated with health checks to ensure only healthy endpoints receive traffic.
Geoproximity Routing
- Goal: Shift traffic toward or away from resources based on geographic bias.
- Supported resources:
- AWS resources – specify the AWS region.
- Non‑AWS resources – specify latitude & longitude.
- Implementation: Requires Route 53 Traffic Flow (advanced).
- Bias values:
- Positive bias (1 to 99): Expands the geographic region → more traffic to the resource.
- Negative bias (-1 to -99): Shrinks the region → less traffic to the resource.
IP‑Based Routing (CIDR Mapping)
- How it works: Route traffic based on the client’s IP address.
- Configuration: Provide a list of CIDR blocks and map each block to a specific endpoint/location (user‑IP‑to‑endpoint mapping).
- Use cases:
- Optimize performance by sending users to the nearest endpoint.
- Reduce network costs.
- Example: Direct users from a particular ISP to a dedicated endpoint.
Multi‑Value Answer Routing
- When to use: You have multiple resources that can serve the same request.
- Behavior: Route 53 returns up to 8 healthy records for each query.
- Health checks: Can be attached; only healthy records are returned.
- Important: This is not a replacement for an Elastic Load Balancer (ELB).
Domain Registration vs. DNS Service
| Concept | Description |
|---|---|
| Domain Registrar | Entity where you purchase a domain name (e.g., GoDaddy, Amazon Registrar). Usually provides a basic DNS service. |
| DNS Service | The system that hosts and resolves your DNS records (e.g., Route 53). You can use a DNS service different from your registrar. |
Typical workflow:
- Buy a domain from any registrar (including third‑party registrars).
- Create a Hosted Zone in Route 53.
- Update the NS records at the registrar to point to the Route 53 name servers.
Key takeaway: Domain registrar ≠ DNS service. Even though many registrars bundle DNS, you are free to use any DNS provider you prefer.
Route 53 Resolver (Hybrid DNS)
By default, the Resolver automatically answers DNS queries for:
- Local domain names of EC2 instances.
- Records in Private Hosted Zones.
- Records hosted on public name servers (the public Internet DNS).
Network Types it Can Connect To
- VPC (including peered VPCs).
- On‑premises networks (via AWS Direct Connect or AWS VPN).
Endpoints
| Endpoint Type | Function |
|---|---|
| Inbound Endpoint | Allows your on‑premises DNS resolvers to resolve domain names for AWS resources (e.g., EC2 instances) and private hosted‑zone records. |
| Outbound Endpoint | Enables the Route 53 Resolver to forward DNS queries from the VPC to your on‑premises DNS resolvers. |
These endpoints make it possible to build a hybrid DNS architecture, seamlessly resolving names across AWS and external networks.