Revisit Amazon Web Services re:Invent 2024’s biggest moments and watch keynotes and innovation talks on demand
Getting Started
Q. What is a Domain Name System (DNS) Service?
DNS is a globally distributed service that translates human readable names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. The Internet’s DNS system works much like a phone book by managing the mapping between names and numbers. For DNS, the names are domain names (www.example.com) that are easy for people to remember and the numbers are IP addresses (192.0.2.1) that specify the location of computers on the Internet. DNS servers translate requests for names into IP addresses, controlling which server an end user will reach when they type a domain name into their web browser. These requests are called "queries."
Q. What is Amazon Route 53?
Amazon Route 53 provides highly available and scalable Domain Name System (DNS) and health-checking web services. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like example.com into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other. You can combine your DNS with health-checking services to route traffic to healthy endpoints or to independently monitor and/or alarm on endpoints. Route 53 effectively connects user requests to infrastructure running in Amazon Web Services – such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets – and can also be used to route users to infrastructure outside of Amazon Web Services.
Q. What can I do with Amazon Route 53?
With Amazon Route 53, you can create and manage your public DNS records. Like a phone book, Route 53 lets you manage the IP addresses listed for your domain names in the Internet’s DNS phone book. Route 53 also answers requests to translate specific domain names like into their corresponding IP addresses like 192.0.2.1. You can use Route 53 to create DNS records for a new domain (registered with your registrar) or transfer DNS records for an existing domain. The simple, standards-based REST API for Route 53 allows you to easily create, update and manage DNS records. Route 53 additionally offers health checks to monitor the health and performance of your application as well as your web servers and other resources.
Q. How do I get started with Amazon Route 53?
Amazon Route 53 has a simple web service interface that lets you get started in minutes. Your DNS records are organized into “hosted zones” that you configure with the Amazon Management Console or Route 53’s API. To use Route 53, you simply:
• Subscribe to the service by clicking on the sign-up button on the service page.
• Use the Amazon Management Console or the CreateHostedZone API to create a hosted zone that can store DNS records for your domain. Upon creating the hosted zone, you receive four Route 53 name servers across four different Top-Level Domains (TLDs) to help ensure a high level of availability.
• Your hosted zone will be initially populated with a basic set of DNS records, including four virtual name servers that will answer queries for your domain. You can add, delete or change records in this set by using the Amazon Management Console or by calling the ChangeResourceRecordSet API. A list of supported DNS records is available on this page.
• Since your domain name is not managed by Route 53, you will need to inform the registrar with whom you registered your domain name to update the name servers for your domain to the ones associated with your hosted zone.
Q. How does Amazon Route 53 provide high availability and low latency?
Route 53 is built using Amazon Web Services highly available and reliable infrastructure. The distributed nature of our DNS servers helps ensure a consistent ability to route your end users to your application by circumventing any internet or network related issues. Route 53 is designed to provide the level of dependability required by important applications. using a Network of DNS servers, Route 53 is designed to automatically answer queries from the optimal location depending on network conditions. As a result, the service offers low query latency for your end users.
Q. What are the DNS server names for the Amazon Route 53 service?
To provide you with a highly available service, each Amazon Route 53 hosted zone is served by its own set of virtual DNS servers. The DNS server names for each hosted zone are thus assigned by the system when that hosted zone is created.
Q. What is the difference between a Domain and a Hosted Zone?
A domain is a general DNS concept. Domain names are easily recognizable names for numerically addressed Internet resources. For example, amazon.com is a domain. A hosted zone is an Amazon Route 53 concept. A hosted zone is analogous to a traditional DNS zone file; it represents a collection of records that can be managed together, belonging to a single parent domain name. All resource record sets within a hosted zone must have the hosted zone’s domain name as a suffix. For example, the amazon.com hosted zone may contain records named www.amazon.com, and www.aws.amazon.com, but not a record named www.amazon.cn. You can use the Route 53 Management Console or API to create, inspect, modify, and delete hosted zones.
Q. What is the price of Amazon Route 53?
Amazon Route 53 charges are based on actual usage of the service for Hosted Zones, Queries, Health Checks. For full details, see the Amazon Route 53 pricing page.
You pay only for what you use. There are no minimum fees, no minimum usage commitments, and no overage charges.
Q. What types of access controls can I set for the management of my Domains on Amazon Route 53?
You can control management access to your Amazon Route 53 hosted zone by using the Amazon Identity and Access Management (IAM) service. Amazon IAM allows you to control who in your organization can make changes to your DNS records by creating multiple users and managing the permissions for each of these users within your Amazon Web Services Account. Learn more about Amazon IAM here.
Q. I have subscribed for Amazon Route 53 but when I try to use the service it says "The Amazon Web Services Access Key ID needs a subscription for the service.
When you sign up for a new Amazon Web Services service, it can take up to 24 hours in some cases to complete activation, during which time you cannot sign up for the service again. If you've been waiting longer than 24 hours without receiving an email confirming activation, this could indicate a problem with your account or the authorization of your payment details. Please contact Amazon Web Services Customer Support for help.
Q. When is my hosted zone charged?
Hosted zones are billed once when they are created and then on the first day of each month.
Q. Why do I see two charges for the same hosted zone in the same month?
Hosted zones have a grace period of 12 hours--if you delete a hosted zone within 12 hours after you create it, we don't charge you for the hosted zone. After the grace period ends, we immediately charge the standard monthly fee for a hosted zone. If you create a hosted zone on the last day of the month (for example, January 31st), the charge for January might appear on the February invoice, along with the charge for February.
Domain Name Systems (DNS)
Q. Is there a limit to the number of hosted zones I can manage using Amazon Route 53?
Each Amazon Route 53 account is limited to a maximum of 500 hosted zones and 10,000 resource record sets per hosted zone. Complete our request for a higher limit and we will respond to your request within three business days.
Q. Can I create multiple hosted zones for the same domain name?
Yes. Creating multiple hosted zones allows you to verify your DNS setting in a “test” environment, and then replicate those settings on a “production” hosted zone. For example, hosted zone Z1234 might be your test version of example.com, hosted on name servers ns-1, ns-2, ns-3, ns-4, ns-5, ns-6. Similarly, hosted zone Z5678 might be your production version of example.com, hosted on ns-7, ns-8, ns-9, ns-10, ns-11 and ns-12. Since each hosted zone has a virtual set of name servers associated with that zone, Route 53 will answer DNS queries for example.com differently depending on which name server you send the DNS query to.
Q. Which DNS record types does Amazon Route 53 support?
Amazon Route 53 currently supports the following DNS record types:
• A (address record)
• AAAA (IPv6 address record)
• CNAME (canonical name record)
• CAA (certification authority authorization)
• MX (mail exchange record)
• NAPTR (name authority pointer record)
• NS (name server record)
• PTR (pointer record)
• SOA (start of authority record)
• SPF (sender policy framework)
• SRV (service locator)
• TXT (text record)
• Amazon Route 53 also offers alias records, which are an Amazon Route 53-specific extension to DNS. You can create alias records to route traffic to selected Amazon Web Services resources, including Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, VPC interface endpoints. Alias record typically have a type of A or AAAA, but they work like a CNAME record. Using an alias record, you can map your record name (example.com) to the DNS name for an Amazon Web Services resource. Resolvers see the A or AAAA record and the IP address of the Amazon Web Services resource.
We anticipate adding additional record types in the future.
Q. Does Amazon Route 53 support wildcard entries? If so, what record types support them?
Yes. To make it even easier for you to configure DNS settings for your domain, Amazon Route 53 supports wildcard entries for all record types, except NS records. A wildcard entry is a record in a DNS zone that will match requests for any domain name based on the configuration you set. For example, a wildcard DNS record such as *.example.com will match queries for www.example.com and subdomain.example.com.
Q. What is the default TTL for the various record types and can I change these values?
The time for which a DNS resolver caches a response is set by a value called the time to live (TTL) associated with every record. Amazon Route 53 does not have a default TTL for any record type. You must always specify a TTL for each record so that caching DNS resolvers can cache your DNS records to the length of time specified through the TTL.
Q. Can I use 'Alias' records with my sub-domains?
Yes. You can also use Alias records to map your sub-domains (www.example.com, pictures.example.com, etc.) to your ELB load balancers, CloudFront distributions
Q. Are changes to resource record sets transactional?
Yes. A transactional change helps ensure that the change is consistent, reliable, and independent of other changes. Amazon Route 53 has been designed so that changes complete entirely on any individual DNS server, or not at all. This helps ensure your DNS queries are always answered consistently, which is important when making changes such as flipping between destination servers. When using the API, each call to ChangeResourceRecordSets returns an identifier that can be used to track the status of the change. Once the status is reported as INSYNC, your change has been performed on all of the Route 53 DNS servers.
Q. Can I associate multiple IP addresses with a single record?
Yes. Associating multiple IP addresses with a single record is often used for balancing the load of geographically-distributed web servers. Amazon Route 53 allows you to list multiple IP addresses for an A record and responds to DNS requests with the list of all configured IP addresses.
Q. How quickly will changes I make to my DNS settings on Amazon Route 53 propagate?
Amazon Route 53 is designed to propagate updates you make to your DNS records to its network of authoritative DNS servers within 60 seconds under normal conditions. A change is successfully propagated across the Amazon Web Services China regions when the API call returns an INSYNC status listing.
Note that caching DNS resolvers are outside the control of the Amazon Route 53 service and will cache your resource record sets according to their time to live (TTL). The INSYNC or PENDING status of a change refers only to the state of Route 53’s authoritative DNS servers.
Q. Does Amazon Route 53 support DNSSEC?
Amazon Route 53 does not support DNSSEC for DNS at this time.
Q. Does Amazon Route 53 support IPv6?
Yes. Amazon Route 53 supports both forward (AAAA) and reverse (PTR) IPv6 records. Amazon Route 53 health checks also support monitoring of endpoints using the IPv6 protocol.
Q. Can I point my zone apex (example.com versus www.example.com) at my Elastic Load Balancer?
Yes. Amazon Route 53 offers a special type of record called an 'Alias' record that lets you map your zone apex (example.com) DNS name to the DNS name for your ELB load balancer (such as my-loadbalancer-1234567890.cn-northwest-1.elb.amazonaws.com). IP addresses associated with load balancers can change at any time due to scaling up, scaling down, or software updates. Route 53 responds to each request for an Alias record with one or more IP addresses for the load balancer. Route 53 supports alias records for three types of load balancers: Application Load Balancers, Network Load Balancers, and Classic Load Balancers. There is no additional charge for queries to Alias records that are mapped to Amazon ELB load balancers. These queries are listed as “Intra-Amazon Web Services-DNS-Queries” on the Amazon Route 53 usage report.
Q. Can I point my zone apex (example.com versus www.example.com) at my Amazon CloudFront distribution?
Yes. Amazon Route 53 offers a special type of record called an ‘Alias’ record that lets you map your zone apex (example.com) DNS name to your Amazon CloudFront distribution (for example, d123.cloudfront.net). IP addresses associated with Amazon CloudFront endpoints vary based on your end user’s location (in order to direct the end user to the nearest CloudFront edge location) and can change at any time due to scaling up, scaling down, or software updates. Route 53 responds to each request for an Alias record with the IP address(es) for the distribution. Route 53 doesn't charge for queries to Alias records that are mapped to a CloudFront distribution.
Q. Can I point my zone apex (example.com versus www.example.com) at my Amazon VPC endpoint?
Yes. Amazon Route 53 offers a special type of record called an ‘Alias’ record that lets you map your zone apex (example.com) DNS name to your Amazon VPC Endpoint DNS name (i.e. vpce-svc-03d5ebb7d9579a2b3.cn-northwest-1.vpce.amazonaws.com). IP addresses associated with Amazon VPC Endpoints can change at any time due to scaling up, scaling down, or software updates. Route 53 responds to each request for an Alias record with one or more IP addresses for the VPC endpoint. There is no additional charge for queries to Alias records that are mapped to Amazon VPC endpoints. These queries are listed as “Intra-Amazon Web Services-DNS-Queries” on the Amazon Route 53 usage report.
DNS Routing Policies
Q. Does Amazon Route 53 support Weighted Round Robin (WRR)?
Yes. Weighted Round Robin allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability to do A/B testing, sending a small portion of traffic to a server on which you’ve made a software change. For instance, suppose you have two record sets associated with one DNS name—one with weight 3 and one with weight 1. In this case, 75% of the time Route 53 will return the record set with weight 3 and 25% of the time Route 53 will return the record set with weight 1. Weights can be any number between 0 and 255.
Q. What is Amazon Route 53's Latency Based Routing (LBR) feature?
LBR (Latency Based Routing) is a feature for Amazon Route 53 that helps you improve your application’s performance. You can run applications in multiple Amazon Web Services China regions and Amazon Route 53 will route end users to the Amazon Web Services China regions that provides the lowest latency.
Q. How do I get started using Amazon Route 53's Latency Based Routing (LBR) feature?
You can start using Amazon Route 53’s new LBR feature quickly and easily by using either the Amazon Management Console or a simple API. You simply create a record set that includes the IP addresses or ELB names of various Amazon Web Services endpoints and mark that record set as an LBR-enabled Record Set, much like you mark a record set as a Weighted Record Set. Amazon Route 53 takes care of the rest - determining the best endpoint for each request and routing end users accordingly, much like Amazon CloudFront, Amazon’s global content delivery service, does. You can learn more about how to use Latency Based Routing in the Amazon Route 53 Developer Guide.
Q. What is the price for Amazon Route 53's Latency Based Routing (LBR) feature?
Like all Amazon Web Services services, there are no upfront fees or long term commitments to use Amazon Route 53 and LBR. Customers simply pay for the hosted zones and queries they actually use. Please visit the Amazon Route 53 pricing page for details on pricing for Latency Based Routing queries.
Q. What is Amazon Route 53's Geo DNS (also called Geolocation) feature?
Route 53 Geo DNS lets you balance load by directing requests to specific endpoints based on the geographic location from which the request originates. Geo DNS makes it possible to customize localized content, such as presenting detail pages in the right language or restricting distribution of content to only the markets you have licensed. Geo DNS also lets you balance load across endpoints in a predictable, easy-to-manage way, ensuring that each end-user location is consistently routed to the same endpoint. You can combine Geo DNS with other routing types, such as Latency Based Routing and DNS Failover, to enable a variety of low-latency and fault-tolerant architectures. For information on how to configure various routing types, please see the Amazon Route 53 documentation.
Q. How do I get started using Amazon Route 53's Geo DNS feature?
You can start using Amazon Route 53’s Geo DNS feature quickly and easily by using either the Amazon Management Console or the Route 53 API. You simply create a record set and specify the applicable values for that type of record set, mark that record set as a Geo DNS-enabled Record Set, and select the geographic region (global, continent, country, or state) that you want the record to apply to. You can learn more about how to use Geo DNS in the Amazon Route 53 Developer Guide.
Q. When using Geo DNS, do I need a "global" record? When would Route 53 return this record?
Yes, we strongly recommend that you configure a global record, to ensure that Route 53 can provide a response to DNS queries from all possible locations—even if you have created specific records for each continent, country, or state where you expect your end users will be located. Route 53 will return the value contained in your global record in the following cases:
The DNS query comes from an IP address not recognized by Route 53’s Geo IP database.
The DNS query comes from a location not included in any of the specific Geo DNS records you have created.
Q. Can I have a Geo DNS record for a continent and different Geo DNS records for countries within that continent? Or a Geo DNS record for a country and Geo DNS records for states within that country?
Yes, you can have Geo DNS records for overlapping geographic regions (e.g., a continent and countries within that continent, or a country and states within that country). For each end user’s location, Route 53 will return the most specific Geo DNS record that includes that location. In other words, for a given end user’s location, Route 53 will first return a state record; if no state record is found, Route 53 will return a country record; if no country record is found, Route 53 will return a continent record; and finally, if no continent record is found, Route 53 will return the global record.
Q. What is the price for Route 53's Geo DNS feature?
Like all Amazon Web Services services, there are no upfront fees or long term commitments to use Amazon Route 53 and Geo DNS. Customers simply pay for the hosted zones and queries they actually use. Please visit the Amazon Route 53 pricing page for details on pricing for Geo DNS queries.
Q. What is the difference between Latency Based Routing and Geo DNS?
Geo DNS bases routing decisions on the geographic location of the requests. In some cases, geography is a good proxy for latency; but there are certainly situations where it is not. LatencyBased Routing utilizes latency measurements between viewer networks and Amazon Web Services datacenters. These measurements are used to determine which endpoint to direct users toward.
If your goal is to minimize end-user latency, we recommend using Latency Based Routing. If you have compliance, localization requirements, or other use cases that require stable routing from a specific geography to a specific endpoint, we recommend using Geo DNS.
Q. Does Amazon Route 53 support multiple values in response to DNS queries?
Route 53 now supports multivalue answers in response to DNS queries. While not a substitute for a load balancer, the ability to return multiple health-checkable IP addresses in response to DNS queries is a way to use DNS to improve availability and load balancing. If you want to route traffic randomly to multiple resources, such as web servers, you can create one multivalue answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record. Amazon Route 53 supports up to eight healthy records in response to each DNS query.
Private DNS
Q. What is Private DNS?
Private DNS is a Route 53 feature that lets you have authoritative DNS within your VPCs without exposing your DNS records (including the name of the resource and its IP address(es) to the Internet.
Q. Can I use Amazon Route 53 to manage my organization’s private IP addresses?
Yes, you can manage private IP addresses within Virtual Private Clouds (VPCs) using Amazon Route 53’s Private DNS feature. With Private DNS, you can create a private hosted zone, and Route 53 will only return these records when queried from within the VPC(s) that you have associated with your private hosted zone. For more details, see the Amazon Route 53 Documentation.
Q. How do I set up Private DNS?
You can set up Private DNS by creating a hosted zone in Route 53, selecting the option to make the hosted zone “private”, and associating the hosted zone with one of your VPCs. After creating the hosted zone, you can associate it with additional VPCs.
Q. Do I need connectivity to the outside Internet in order to use Private DNS?
You can resolve internal DNS names from resources within your VPC that do not have Internet connectivity. However, to update the configuration for your Private DNS hosted zone, you need Internet connectivity to access the Route 53 API endpoint, which is outside of VPC.
Q. Can I still use Private DNS if I’m not using VPC?
No. Route 53 Private DNS uses VPC to manage visibility and provide DNS resolution for private DNS hosted zones. To take advantage of Route 53 Private DNS, you must configure a VPC and migrate your resources into it.
Q. Can I use the same private Route 53 hosted zone for multiple VPCs?
Yes, you can associate multiple VPCs with a single hosted zone.
Q. Can I associate VPCs and private hosted zones that I created under different Amazon Web Services accounts?
Yes, you can associate VPCs belonging to different accounts with a single hosted zone. You can see more details here.
Q. Will Private DNS work across Amazon Web Services regions?
Yes. DNS answers will be available within every VPC that you associate with the private hosted zone. Note that you will need to ensure that the VPCs in each region have connectivity with each other in order for resources in one China region to be able to reach resources in another China region.
Q. Can I configure DNS Failover for Private DNS hosted zones?
Yes, it is possible to configure DNS Failover by associating health checks with resource record sets within a Private DNS hosted zone. If your endpoints are within a Virtual Private Cloud (VPC), you have several options to configure health checks against these endpoints. If the endpoints have public IP addresses, then you can create a standard health check against the public IP address of each endpoint. If your endpoints only have private IP addresses, then you cannot create standard health checks against these endpoints. However, you can create metric based health checks, which function like standard Amazon Route 53 health checks except that they use an existing Amazon CloudWatch metric as the source of endpoint health information instead of making requests against the endpoint from external locations.
Q. Can I use Private DNS to block domains and DNS names that I don’t want to be reached from within my VPC?
Yes, you can block domains and specific DNS names by creating these names in one or more Private DNS hosted zones and pointing these names to your own server (or another location that you manage).
Health Checks & DNS Failover
Q. What is DNS Failover?
DNS Failover consists of two components: health checks and failover. Health checks are automated requests sent over the Internet to your application to verify that your application is reachable, available, and functional. You can configure the health checks to be similar to the typical requests made by your users, such as requesting a web page from a specific URL. With DNS failover, Route 53 only returns answers for resources that are healthy and reachable from the outside world, so that your end users are routed away from a failed or unhealthy part of your application.
Q. How do I get started with DNS Failover?
Visit the Amazon Route 53 Developer Guide for details on getting started. You can also configure DNS Failover from within the Route 53 Console.
Q. Does DNS Failover support Elastic Load Balancers (ELBs) as endpoints?
Yes, you can configure DNS Failover for Elastic Load Balancers (ELBs). To enable DNS Failover for an ELB endpoint, create an Alias record pointing to the ELB and set the “Evaluate Target Health” parameter to true. Route 53 creates and manages the health checks for your ELB automatically. You do not need to create your own Route 53 health check of the ELB. You also do not need to associate your resource record set for the ELB with your own health check, because Route 53 automatically associates it with the health checks that Route 53 manages on your behalf. The ELB health check will also inherit the health of your backend instances behind that ELB.
Q. Can I configure a backup site to be used only when a health check fails?
Yes, you can use DNS Failover to maintain a backup site (for example, a static site running on an Amazon S3 website bucket) and fail over to this site in the event that your primary site becomes unreachable.
Q. What DNS record types can I associate with Route 53 health checks?
You can associate any record type supported by Route 53 except SOA and NS records.
Q. Can I health check an endpoint if I don’t know its IP address?
Yes. You can configure DNS Failover for Elastic Load Balancers via the Amazon Route 53 Console without needing to create a health check of your own. For these endpoint types, Route 53 automatically creates and manages health checks on your behalf which are used when you create an Alias record pointing to the ELB and enable the "Evaluate Target Health" parameter on the Alias record.
For all other endpoints, you can specify either the DNS name (e.g. www.example.com) or the IP address of the endpoint when you create a health check for that endpoint.
Q. One of my endpoints is outside Amazon Web Services. Can I set up DNS Failover on this endpoint?
Yes. Just like you can create a Route 53 resource record that points to an address outside Amazon Web Services, you can set up health checks for parts of your application running outside Amazon Web Services, and you can fail over to any endpoint that you choose, regardless of location. For example, you may have a legacy application running in a datacenter outside Amazon Web Services and a backup instance of that application running within Amazon Web Services. You can set up health checks of your legacy application running outside Amazon Web Services, and if the application fails the health checks, you can fail over automatically to the backup instance in Amazon Web Services.
Q. If failover occurs and I have multiple healthy endpoints remaining, will Route 53 consider the load on my healthy endpoints when determining where to send traffic from the failed endpoint?
No, Route 53 does not make routing decisions based on the load or available traffic capacity of your endpoints. You will need to ensure that you have available capacity at your other endpoints, or the ability to scale at those endpoints, in order to handle the traffic that had been flowing to your failed endpoint.
Q. How many consecutive health check observations does an endpoint need to fail to be considered “failed”?
The default is a threshold of three health check observations: when an endpoint has failed three consecutive observations, Route 53 will consider it failed. However, Route 53 will continue to perform health check observations on the endpoint and will resume sending traffic to it once it passes three consecutive observations. You can change this threshold to any value between 1 and 10 observations.
Q. When my failed endpoint becomes healthy again, how is the DNS failover reversed?
After a failed endpoint passes the number of consecutive health check observations that you specify when creating the health check (the default threshold is three observations), Route 53 will restore its DNS records automatically, and traffic to that endpoint will resume with no action required on your part.
Q. What is the interval between health check observations?
By default, health check observations are conducted at an interval of 30 seconds. You can optionally select a fast interval of 10 seconds between observations.
By checking three times more often, fast interval health checks enable Route 53 to confirm more quickly that an endpoint has failed, shortening the time required for DNS failover to redirect traffic in response to the endpoint’s failure.
Fast interval health checks also generate three times the number of requests to your endpoint, which may be a consideration if your endpoint has a limited capacity to serve web traffic. Visit the Route 53 pricing page for details on pricing for fast interval health checks and other optional health check features.
Q. How much load should I expect a health check to generate on my endpoint (for example, a web server)?
Each health check is conducted from two locations in China. Each location checks the endpoint independently at the interval that you select: the default interval of 30 seconds, or an optional fast interval of 10 seconds. Based on the current default number of health checking locations, you should expect your endpoint to receive one request every 2-3 seconds on average for standard interval health checks and one or more requests per second for fast-interval health checks.
Q. Do Route 53 health checks follow HTTP redirects?
No. Route 53 health checks consider an HTTP 3xx code to be a successful response, so they don’t follow the redirect. This may cause unexpected results for string-matching health checks. The health check searches for the specified string in the body of the redirect. Because the health check doesn’t follow the redirect, it never sends a request to the location that the redirect points to and never gets a response from that location. For string matching health checks, we recommend that you avoid pointing the health check at a location that returns an HTTP redirect.
Q. What is the sequence of events when failover happens?
In simplest terms, the following events will take place if a health check fails and failover occurs:
Route 53 conducts a health check of your application. In this example, your application fails three consecutive health checks, triggering the following events.
Route 53 disables the resource records for the failed endpoint and no longer serves these records. This is the failover step, which causes traffic to begin being routed to your healthy endpoint(s) instead of your failed endpoint.
Q. Do I need to adjust the TTL for my records in order to use DNS Failover?
The time for which a DNS resolver caches a response is set by a value called the time to live (TTL) associated with every record. We recommend a TTL of 60 seconds or less when using DNS Failover, to minimize the amount of time it takes for traffic to stop being routed to your failed endpoint. In order to configure DNS Failover for ELB, you need to use Alias records which have fixed TTL of 60 seconds; for these endpoint types, you do not need to adjust TTLs in order to use DNS Failover.
Q. What happens if all of my endpoints are unhealthy?
Route 53 can only fail over to an endpoint that is healthy. If there are no healthy endpoints remaining in a resource record set, Route 53 will behave as if all health checks are passing.
Q. Can I use DNS Failover without using Latency Based Routing (LBR)?
Yes. You can configure DNS Failover without using LBR. In particular, you can use DNS failover to configure a simple failover scenario where Route 53 monitors your primary website and fails over to a backup site in the event that your primary site is unavailable.
Q. Can I configure a health check on a site accessible only via HTTPS?
Yes. Route 53 supports health checks over HTTPS, HTTP or TCP.
Q. Do HTTPS health checks validate the endpoint’s SSL certificate?
No, HTTPS health checks test whether it’s possible to connect with the endpoint over SSL and whether the endpoint returns a valid HTTP response code. However, they do not validate the SSL certificate returned by the endpoint.
Q. Do HTTPS health checks support Server Name Indication (SNI)?
Yes, HTTPS health checks support SNI.
Q. How can I use health checks to verify that my web server is returning the correct content?
You can use Route 53 health checks to check for the presence of a designated string in a server response by selecting the “Enable String Matching” option. This option can be used to check a web server to verify that the HTML it serves contains an expected string. Or, you can create a dedicated status page and use it to check the health of the server from an internal or operational perspective.
Q. How do I see the status of a health check that I’ve created?
You can view the current status of a health check, as well as details on why it has failed, in the Amazon Route 53 console and via the Route 53 API.
Additionally, each health check’s results are published as Amazon CloudWatch metrics showing the endpoint’s health and, optionally, the latency of the endpoint’s response. You can view a graph of the Amazon CloudWatch metric in the health checks tab of the Amazon Route 53 console to see the current and historical status of the health check. You can also create Amazon CloudWatch alarms on the metric in order to send notifications if the status of the health check changes.
The Amazon CloudWatch metrics for all of your Amazon Route 53 health checks are also visible in the Amazon CloudWatch console. Each Amazon CloudWatch metric contains the Health Check ID (for example, 01beb6a3-e1c2-4a2b-a0b7-7031e9060a6a) which you can use to identify which health check the metric is tracking.
Q. How can I measure the performance of my application’s endpoints using Amazon Route 53?
Amazon Route 53 health checks include an optional latency measurement feature which provides data on how long it takes your endpoint to respond to a request. When you enable the latency measurement feature, the Amazon Route 53 health check will generate additional Amazon CloudWatch metrics showing the time required for Amazon Route 53’s health checkers to establish a connection and to begin receiving data. Amazon Route 53 provides a separate set of latency metrics for each Amazon Web Services region where Amazon Route 53 health checks are conducted.
Q. How can I be notified if one of my endpoints starts failing its health check?
Because each Route 53 health check publishes its results as a CloudWatch metric, you can configure the full range of CloudWatch notifications and automated actions which can be triggered when the health check value changes beyond a threshold that you specify. First, in either the Route 53 or CloudWatch console, configure a CloudWatch alarm on the health check metric. Then add a notification action and specify the email or SNS topic that you want to publish your notification to.
Q: I created an alarm for my health check, but I need to re-send the confirmation email for the alarm's SNS topic. How can I re-send this email?
Confirmation emails can be re-sent from the SNS console. To find the name of the SNS topic associated with the alarm, click the alarm name within the Route 53 console and looking in the box labeled "Send notification to."
Within the SNS console, expand the list of topics, and select the topic from your alarm. Open the "Create Subscription" box and select Email for protocol and enter the desired email address. Clicking "Subscribe" will re-send the confirmation email.
Q. I’m using DNS Failover with Elastic Load Balancers (ELBs) as endpoints. How can I see the status of these endpoints?
The recommended method for setting up DNS Failover with ELB endpoints is to use Alias records with the "Evaluate Target Health" option. Because you don't create your own health checks for ELB endpoints when using this option, there are no specific CloudWatch metrics generated by Route 53 for these endpoints.
You can get metrics on the health of your load balancer in two ways. First, Elastic Load Balancing publishes metrics that indicate the health of the load balancer and the number of healthy instances behind it. For details on CloudWatch metrics or setting up Cloudwatch alarm for ELB metric, consult the ELB developer guide. Second, you can create your own health check against the CNAME provided by the ELB. You won’t use this health check for DNS Failover itself (because the “Evaluate Target Health” option provides DNS Failover for you), but you can view the CloudWatch metrics for this health check and create alarms to be notified if the health check fails.
Q. What is the cost to use CloudWatch metrics for my Route 53 health checks?
CloudWatch metrics for Route 53 health checks are available free of charge.
Q. Can I configure DNS Failover based on internal health metrics, such as CPU load, network, or memory?
Yes. Amazon Route 53’s metric based health checks let you perform DNS failover based on any metric that is available within Amazon CloudWatch, including Amazon Web Services-provided metrics and custom metrics from your own application. When you create a metric based health check within Amazon Route 53, the health check becomes unhealthy whenever its associated Amazon CloudWatch metric enters an alarm state.
Metric based health checks are useful to enable DNS failover for endpoints that cannot be reached by a standard Amazon Route 53 health check, such as instances within a Virtual Private Cloud (VPC) that only have private IP addresses. Using Amazon Route 53’s calculated health check feature, you can also accomplish more sophisticated failover scenarios by combining the results of metric based health checks with the results of standard Amazon Route 53 health checks, which make requests against an endpoint from a network of checkers from the regions in China. For example, you can create a configuration which fails away from an endpoint if either its public-facing web page is unavailable, or if internal metrics such as CPU load, network in/out, or disk reads show that the server itself is unhealthy.
Q. If I specify a domain name as my health check target, will Amazon Route 53 check over IPv4 or IPv6?
If you specify a domain name as the endpoint of an Amazon Route 53 health check, Amazon Route 53 will look up the IPv4 address of that domain name and will connect to the endpoint using IPv4. Amazon Route 53 will not attempt to look up the IPv6 address for an endpoint that is specified by domain name. If you want to perform a health check over IPv6 instead of IPv4, select "IP address" instead of "domain name" as your endpoint type, and enter the IPv6 address in the “IP address” field.
Route 53 Resolver
Q. What is Amazon Route 53 Resolver?
Route 53 Resolver is a regional DNS service that provides recursive DNS lookups for names hosted in EC2 as well as public names on the internet. This functionality is available by default in every Amazon Virtual Private Cloud (VPC).
Q. What is recursive DNS?
Amazon Route 53 is both an Authoritative DNS service and Recursive DNS service. Authoritative DNS contains the final answer to a DNS query, generally an IP address. Clients (such as mobile devices, applications running in the cloud, or servers in your datacenter) don’t actually talk directly to authoritative DNS services, except in very rare cases. Instead, clients talk to recursive DNS services (also known as DNS resolvers) which find the correct authoritative answer for any DNS query. Route 53 Resolver is a recursive DNS service.
When receiving a query, a recursive DNS service could be configured to automatically forward the query directly to a specific recursive DNS server, or it may recursively search beginning with the root of the domain and continuing until it finds the final answer. In either case, once an answer is found, the recursive DNS server may cache the answer for a period of time so it can answer subsequent queries for the same name more quickly in the future.
Q. What are conditional forwarding rules?
Conditional forwarding rules allow Resolver to forward queries for specified domains to the target IP address of your choice, typically an on-premises DNS resolver. Rules are applied at the VPC level and can be managed from one account and shared across multiple accounts.
Q. What are DNS endpoints?
A DNS endpoint includes one or more elastic network interfaces (ENI) that attach to your Amazon Virtual Private Cloud (VPC). Each ENI is assigned an IP address from the subnet space of the VPC where it is located. This IP address can then serve as a forwarding target for on-premises DNS servers to forward queries. Endpoints are required both for DNS query traffic that you're forwarding from VPCs to your network and from your network to your VPCs over Amazon Direct Connect.
Q. How do I share rules across accounts?
Route 53 Resolver is integrated with Amazon Resource Access Manager (RAM) which provides customers with a simple way to share their resources across Amazon Web Services accounts or within their Amazon Web Services Organization. Rules can be created in one primary account and then shared across multiple accounts using RAM. Once shared, the rules still need to be applied to VPCs in those accounts before they can take effect. For more information, see the Amazon Web Services RAM documentation.
Q. What happens if I decide to stop sharing rules with other accounts?
Those rules will no longer be usable by the accounts you previously shared them with. This means that if those rules were associated to VPCs in those accounts, they will be disassociated from those VPCs.
Route 53 Resolver DNS Firewall
Q. What is Amazon Route 53 Resolver DNS Firewall?
Amazon Route 53 Resolver DNS Firewall is a feature that allows you to quickly deploy DNS protections across all of your Amazon Virtual Private Clouds (VPCs). The Route 53 Resolver DNS Firewall allows you to block queries made for known malicious domains (i.e. create “denylists”) and to allow queries for trusted domains (create “allowlists”) when using the Route 53 Resolver for recursive DNS Resolution. You can also quickly get started with protections against common DNS threats by using Amazon Web Services Managed Domain Lists. Amazon Route 53 Resolver DNS Firewall works together with Amazon Firewall Manager so you can build policies based on DNS Firewall rules, and then centrally apply those policies across your VPCs and accounts.
Q. When should I use Route 53 Resolver DNS Firewall?
If you want to be able to filter the domain names that can be queried over DNS from within your VPCs, then DNS Firewall is for you. It gives you flexibility in choosing the configuration that works best for your organization’s security posture in two ways: (1) If you have strict DNS exfiltration requirements and want to deny all outbound DNS queries for domains that aren’t on your lists of approved domains, you can create such rules for a “walled-garden” approach to DNS security. (2) If your organization prefers to allow all outbound DNS lookups within your accounts by default and only requires the ability to block DNS requests for known malicious domains, you can use DNS Firewall to create denylists, which include all the malicious domain names your organization is aware of. DNS Firewall also comes with Amazon Web Services Managed Domain Lists that help you protect against suspicious domains and Command-and-Control (C&C) bots.
Q. How does Amazon Route 53 Resolver DNS Firewall differ from other firewall offerings on Amazon Web Services and the Amazon Web Services Marketplace?
Route 53 Resolver DNS Firewall complements existing network and application security services on Amazon Web Services by providing control and visibility to Route 53 Resolver DNS traffic (e.g. AmazonProvidedDNS) for your entire VPC. Depending on your use case, you may choose to implement DNS Firewall along your existing security controls, such as Amazon VPC Security Groups, Amazon Web Application Firewall rules, or Amazon Web Services Marketplace appliances.
Q. How much does Amazon Route 53 Resolver DNS Firewall cost?
Pricing is based on the number of domain names stored within your firewall and the number of DNS queries inspected. Please visit Amazon Route 53 Pricing for more information.
Q. Which Amazon Web Services tools can I use to log and monitor my Amazon Route 53 Resolver DNS Firewall activity?
You can log your DNS Firewall activity to an Amazon S3 bucket or Amazon CloudWatch log groups for further analysis and investigation. You can also use Amazon Kinesis Firehose to send your logs to a third-party provider.