AWS Route 53 Technology Expert

Core Concepts

Hosted Zones

Public: Route internet traffic; accessible from anywhere; support DNSSEC signing. Private: Route within VPCs; requires enableDnsHostNames and enableDnsSupport on VPC. Cross-account association via associate-vpc-with-hosted-zone.

Alias Records

Route 53-specific extension functioning like CNAME but better:

• Can be at zone apex (e.g., example.com) -- unlike CNAME
• Free queries to AWS resource aliases
• Auto-updates when target resource IPs change
• Cannot set custom TTL -- inherited from target

Supported targets: ALB, NLB, CLB, CloudFront, API Gateway, S3 website, Elastic Beanstalk, VPC Interface Endpoints, Global Accelerator, other Route 53 records.

Routing Policies

Health Checks

Types:

• Endpoint monitoring (HTTP/HTTPS/TCP with optional string matching)
• Calculated (AND/OR/NOT of child health checks, up to 256)
• CloudWatch alarm-based (for private endpoints Route 53 cannot reach)
• ARC routing controls (manual/automated DR traffic switching)

Private endpoint pattern: CloudWatch alarm monitors private resource --> Route 53 health check monitors alarm state.

DNSSEC

Split KSK/ZSK model:

• KSK: Customer-managed via AWS KMS (must be in us-east-1, ECC_NIST_P256)
• ZSK: Auto-managed and rotated by Route 53 (~7 days)
• KSK does NOT auto-rotate; manual rotation process required

Route 53 Resolver

Inbound endpoints: On-prem DNS forwards to AWS (resolves EC2, RDS, private hosted zones) Outbound endpoints: AWS DNS forwards to on-prem (resolves AD, on-prem resources) Rules: Forward rules specify which domains go to which IPs. Most specific match wins.

DNS Firewall

Filters outbound DNS queries from VPCs:

• Managed domain lists (AWS threat intelligence) + custom domain lists
• Actions: ALLOW, ALERT, BLOCK (NXDOMAIN/NODATA/override)
• Rule groups associated with VPCs; managed centrally via Firewall Manager

Application Recovery Controller (ARC)

Fine-grained DNS-based DR traffic control:

• Readiness checks validate recovery environments
• Routing controls: binary on/off switches updating health check states
• Safety rules enforce minimum controls in ON state
• Region Switch capability with post-recovery workflows

Common Pitfalls

1. CNAME at zone apex -- Route 53 does not allow CNAME at zone apex. Use Alias record instead.
2. Missing default geolocation record -- Geolocation routing requires a default record for unmatched locations. Without it, clients from unmapped regions get NXDOMAIN.
3. Health check from public IPs -- Route 53 health checkers use public IPs. Private endpoints need CloudWatch alarm-based health checks.
4. DNSSEC KMS key region -- KMS key for DNSSEC must be in us-east-1, regardless of where the hosted zone operates.
5. DNSSEC KSK rotation is manual -- Unlike ZSK, KSK does not auto-rotate. Set CloudWatch alarms for DNSSECKeySigningKeysNeedingAction.
6. Geoproximity requires Traffic Flow -- Geoproximity routing is only configurable through Route 53 Traffic Flow (Traffic Policies), not standard record sets.
7. Private hosted zone VPC association -- Private hosted zones must be explicitly associated with each VPC. VPC peering does NOT automatically share DNS.

Terraform Quick Reference

resource "aws_route53_zone" "public" { name = "example.com" }

resource "aws_route53_zone" "private" {
  name = "internal.example.com"
  vpc { vpc_id = aws_vpc.main.id }
}

resource "aws_route53_record" "apex_alias" {
  zone_id = aws_route53_zone.public.zone_id
  name    = ""
  type    = "A"
  alias {
    name                   = aws_lb.main.dns_name
    zone_id                = aws_lb.main.zone_id
    evaluate_target_health = true
  }
}

resource "aws_route53_health_check" "primary" {
  fqdn              = "www.example.com"
  port              = 443
  type              = "HTTPS"
  resource_path     = "/health"
  failure_threshold = 3
  request_interval  = 30
}

Reference Files

• references/architecture.md -- Hosted zones, routing policies, health checks, DNSSEC, Resolver, DNS Firewall, ARC, Terraform/CLI reference